Page 1 of 1

encrypt - decrypt

Posted: Tue May 12, 2009 9:14 pm
by bloodl
Hi,

I was wanting to encrypt / decrypt some password for my php cms. I am aware that php has its own function, but you can also get scripts which do a fine job.

I know that these ares are available as part of the php system...
  • CRYPT_STD_DES - Standard DES-based encryption
  • CRYPT_EXT_DES - Extended DES-based encryption
  • CRYPT_MD5 - MD5 encryption
  • CRYPT_BLOWFISH - Blowfish encryption
... but being part of the system makes it a bit vulnerable doesn't it?

If you take the approach of using a script with a key, all someone needs to do is grab find the key. But at the same time, I would image that trying to decrypt a password that is made with a non-system script would be a touch harder?

Can anyone shed some light on what the best method is? Im a bit of a newbe

Cheers,
Doug

Re: encrypt - decrypt

Posted: Wed May 13, 2009 3:28 am
by Apollo
You should NOT write an encryption algorithm yourself, or use some obscure library instead of the default implementations. First of all 'security through obscurity' is a bad idea. Second, you will make mistakes, most likely resulting in security holes.

There's absolutely nothing wring with using common, known, standard encryption methods. In fact, the more known and used, the better, because it means they have been thoroughly tested and proven in the field.

The strength of all major common encryption methods is that they're open, clean, simple, and known to be hard (as in, not in a lifetime) to crack.

Re: encrypt - decrypt

Posted: Wed May 13, 2009 5:10 am
by Paul Arnold
I know what you're saying , but like Apollo says, use something tried and tested.

Re: encrypt - decrypt

Posted: Sun May 17, 2009 9:33 pm
by bloodl
great! thanks guys, what you say makes sense. I found your input very interesting and very valuable.

I think ill stick with MD5 for now then! Seems easy to use as well.

Cheers,
Doug

Re: encrypt - decrypt

Posted: Mon May 18, 2009 4:42 am
by Paul Arnold
The thing about MD5 is that it's a hashing algorithm rather than 2 way encryption.

This means what you input gets 'hashed' into a string that you can then compare the original value to. There's theoretically no way to recover this value from the string alone.

I think what you need is actual encryption and decryption.

Re: encrypt - decrypt

Posted: Tue May 19, 2009 2:22 pm
by Darhazer
If you are going to use md5 to store password for example, do not rely only on MD5
* Use the so called HMAC md5 instead (md5 with a key, you will find easily implementations of this, or P.M. me and I'll send you)
* Or just concatenate the md5() with some random string, that is also saved in the database, and save md5() of the resulting string

In this way you not only protect passwords from being decrypted (as md5 is one-way crypting, known as hashing), but from brute-force as well.