Page 1 of 1
PHP MD5 Question...
Posted: Sat Mar 21, 2009 12:16 am
by GT500_Grad
I am working on a site where I'm implemented a SSO from another site. The other site is sending the userID encrypted by an MD5 algorithm, MD5 Key, and a time stamp. I'm a bit new to the PHP encryption. I've read that MD5 is not really irreversible, and I haven't been able to find any where how to use the key. I figured I would have to take my information, that is not encrypted, and encrypt it and then compare it to the information being sent. I know PHP has a MD5 built in function, but it does not have a Key parameter. So how do I use this Key to regenerate the information?
Thanks in advance!
Re: PHP MD5 Question...
Posted: Sat Mar 21, 2009 6:26 am
by Hannes2k
Hi,
no MD5 implementation has a key paramater, because, md5 just caculates the hash value from a message (from one input).
The secret is, that you concatenate a key and a message in any way and then caculate the md5 value from this concatenation.
A simple example:
md5($key.$message);
But there are many ways to concatenate a key and a message, it is also possible to do this in this way:
md5( ($key ^ $opad).md5( ($key ^ $ipad).$message));
(
HMAC use this concatenation)
So you need to know how the other site caculates the md5 value from the key, the userId and the timestamp. There is no standardized way.
Re: PHP MD5 Question...
Posted: Sat Mar 21, 2009 9:13 am
by kaisellgren
GT500_Grad wrote:userID encrypted by an MD5 algorithm
MD5 is not an encryption algorithm.
GT500_Grad wrote:I know PHP has a MD5 built in function, but it does not have a Key parameter.
Because it is not an encryption algorithm.
The other site probably concatenates the key and the timestamp into the preimage just like
Hannes2k showed above.
Also, you may want to use SSL/TLS for encrypting the connection, which sends the hash over the Internet. However, this would mean that the other site needs to use SSL/TLS since the other site is the one who sends the data.
Re: PHP MD5 Question...
Posted: Tue Mar 24, 2009 5:36 am
by sujithtomy
Hello,
if you could use mysql with php, there is
AES_DECRYPT(crypt_str,key_str) which uses a key to encrypt. using the same key decrypt will work.
---------
Regards,
Sujith
Re: PHP MD5 Question...
Posted: Tue Mar 24, 2009 7:08 am
by kaisellgren
sujithtomy wrote:if you could use mysql with php, there is
AES_DECRYPT(crypt_str,key_str) which uses a key to encrypt. using the same key decrypt will work.
Are you suggesting that both sites share same MySQL server?
Re: PHP MD5 Question...
Posted: Wed Mar 25, 2009 7:32 am
by sujithtomy
Hello,
No need to be shared MySql, but both should have MySql... thats enough.

Re: PHP MD5 Question...
Posted: Wed Mar 25, 2009 7:58 am
by kaisellgren
sujithtomy wrote:No need to be shared MySql
If the MySQL server is not shared, then the whole idea behind (en/de)crypting on MySQL makes no sense to me.