encrypt - decrypt

bloodl
Forum Commoner
Posts: 48
Joined: Thu Jun 21, 2007 12:33 am

encrypt - decrypt

Post by bloodl »

Hi,

I was wanting to encrypt / decrypt some passwords for my PHP CMS. I am aware that PHP has its own function, but you can also get scripts which do a fine job.

I know that these are available as part of the PHP system...
  • CRYPT_STD_DES - Standard DES-based encryption
  • CRYPT_EXT_DES - Extended DES-based encryption
  • CRYPT_MD5 - MD5 encryption
  • CRYPT_BLOWFISH - Blowfish encryption
... but being part of the system makes it a bit vulnerable doesn't it?

If you take the approach of using a script with a key, all someone needs to do is find the key. But at the same time, I would imagine that trying to decrypt a password that is made with a non-system script would be a touch harder?

Can anyone shed some light on what the best method is? I'm a bit of a newbie.

Cheers,
Doug
Last edited by Benjamin on Mon May 18, 2009 9:43 am, edited 1 time in total.
Reason: Fixed List BB code.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: encrypt - decrypt

Post by Apollo »

You should NOT write an encryption algorithm yourself, or use some obscure library instead of the default implementations. First of all 'security through obscurity' is a bad idea. Second, you will make mistakes, most likely resulting in security holes.

There's absolutely nothing wrong with using common, known, standard encryption methods. In fact, the more known and used, the better, because it means they have been thoroughly tested and proven in the field.

The strength of all major common encryption methods is that they're open, clean, simple, and known to be hard (as in, not in a lifetime) to crack.
Paul Arnold
Forum Contributor
Posts: 141
Joined: Fri Jun 13, 2008 10:09 am
Location: Newcastle Upon Tyne

Re: encrypt - decrypt

Post by Paul Arnold »

I know what you're saying, but like Apollo says, use something tried and tested.
bloodl
Forum Commoner
Posts: 48
Joined: Thu Jun 21, 2007 12:33 am

Re: encrypt - decrypt

Post by bloodl »

Great! Thanks guys, what you say makes sense. I found your input very interesting and very valuable.

I think I'll stick with MD5 for now then! Seems easy to use as well.

Cheers,
Doug
Paul Arnold
Forum Contributor
Posts: 141
Joined: Fri Jun 13, 2008 10:09 am
Location: Newcastle Upon Tyne

Re: encrypt - decrypt

Post by Paul Arnold »

The thing about MD5 is that it's a hashing algorithm rather than 2 way encryption.

This means what you input gets 'hashed' into a string that you can then compare the original value to. There's theoretically no way to recover this value from the string alone.

I think what you need is actual encryption and decryption.
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: encrypt - decrypt

Post by Darhazer »

If you are going to use MD5 to store passwords, for example, do not rely only on MD5:
* Use the so-called HMAC MD5 instead (MD5 with a key; you will easily find implementations of this, or P.M. me and I'll send you)
* Or just concatenate the md5() with some random string that is also saved in the database, and save the md5() of the resulting string

In this way you not only protect passwords from being decrypted (as md5 is one-way crypting, known as hashing), but from brute-force as well.
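
The two schemes from the last post, next to PHP's built-in password_hash() (bcrypt, the Blowfish-based crypt() scheme from the list in the first post), as an added example that is not part of any post in this thread. It assumes PHP 7 or later; SERVER_KEY, the function names and the sample password are constructed for illustration. In all three cases a login is checked by recomputing and comparing, never by decrypting.

```php
<?php
// Added example, not a poster's code. SERVER_KEY is a constructed value;
// a real key would be kept outside the database.
const SERVER_KEY = 'constructed-demo-key';

// Random-string scheme from the post: the salt is stored beside the hash.
function salted_md5_create(string $password): array {
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => md5(md5($password) . $salt)];
}

function salted_md5_verify(string $password, array $row): bool {
    // Recompute with the stored salt; hash_equals compares in constant time.
    return hash_equals($row['hash'], md5(md5($password) . $row['salt']));
}

// HMAC-MD5 scheme from the post: one application-wide secret key.
function hmac_md5_create(string $password): string {
    return hash_hmac('md5', $password, SERVER_KEY);
}

function hmac_md5_verify(string $password, string $stored): bool {
    return hash_equals($stored, hmac_md5_create($password));
}

// Built-in alternative: password_hash() generates its own salt and uses
// bcrypt, which is deliberately slow; 'cost' sets the work factor.
function bcrypt_create(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function show(string $label, bool $value): void {
    echo str_pad($label, 46), $value ? 'yes' : 'no', PHP_EOL;
}

$pw = 'correct horse battery staple';   // constructed sample password

$a = salted_md5_create($pw);
$b = salted_md5_create($pw);
show('salted md5: correct password accepted', salted_md5_verify($pw, $a));
show('salted md5: wrong password accepted', salted_md5_verify('guess', $a));
show('salted md5: two users, same stored hash', $a['hash'] === $b['hash']);

$h = hmac_md5_create($pw);
show('hmac md5: correct password accepted', hmac_md5_verify($pw, $h));
show('hmac md5: two users, same stored hash', $h === hmac_md5_create($pw));

$bc = bcrypt_create($pw);
show('bcrypt: correct password accepted', password_verify($pw, $bc));
show('bcrypt: rehash needed at cost 13',
     password_needs_rehash($bc, PASSWORD_BCRYPT, ['cost' => 13]));
```

The "same stored hash" lines show the practical difference between a per-user random string and a single shared key: only the former makes identical passwords look different in the database.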