Ninjakreborn Posted July 19, 2006

There has to be someone here with at least some mcrypt experience. I have the thing set up on one page, it encrypts the data, decrypts it properly, but when I put it in the database encrypted, and decrypt it on the other page it's not working, here is my encryption

encrypt
[code]
srand((double)microtime()*1000000 );
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CFB, '');
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
$ks = mcrypt_enc_get_key_size($td);
$key = substr(sha1('bullshit'), 0, $ks);
mcrypt_generic_init($td, $key, $iv);
$password = mcrypt_generic($td, $password);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
[/code]
decrypt
[code]
<?php
$connect = mysql_connect("localhost", "#####", "####");
$select = mysql_select_db("elostand_general");
$select = "SELECT username, password FROM userinfo WHERE username = 'joyel';";
$query = mysql_query($select);
$rows = mysql_num_rows($query);
while($array = mysql_fetch_array($query)) {
    extract($array);
    srand((double)microtime()*1000000 );
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CFB, '');
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    $ks = mcrypt_enc_get_key_size($td);
    $key = substr(sha1('bullshit'), 0, $ks);
    mcrypt_generic_init($td, $key, $iv);
    $decrypteddata = mdecrypt_generic($td, $password);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    echo "{$decrypteddata}";
}
?>
[/code]
The key is just an example. What's weird is it works on the same page, together, but when it's on different pages it's not decrypting the data, am I setting up something wrong?

I like PHP, I am doing everything with it, even insecure stuff, I already played with cookies, I am learning sessions today or tomorrow, the only thing is, I want to use some of these libraries. I know this is heavy encryption, I also saw it on php.net, this is very heavy encryption, any 2 way forms can be decrypted by a hacker but they're not easy, and PHP does not support asymmetrical encryption, meaning keeping a private key, and giving a public key away to someone, allowing them to encrypt it with that key, and you decrypt it with your key, but their key can only encrypt, not decrypt. PHP doesn't support this, it only supports symmetrical, and 1 way encryption. I want 2 way symmetrical encryption, it works perfectly on the same page, what is keeping this from working in different pages?
trq Posted July 19, 2006

I just don't see the whole point here, why do you think you need all this encryption / decryption overhead?
Ninjakreborn Posted July 19, 2006

Think about this, it pulls features with one way encryption, no remind you of the password, no what is your secret question for retrieving your password. The other thing, think about what happens when you 1 way encrypt credit card numbers, social security numbers, session id's, how do you expect to pull the information? This isn't for passwords, I don't even care about the passwords, I could do an mdhash on that, but that's not going to help me later on in this project, when I have to record credit card numbers. That is why I am trying to get this to work.
trq Posted July 19, 2006

Are you seriously thinking about storing credit card numbers?
Ninjakreborn Posted July 19, 2006

How else do you expect to do online processing, you have to have a credit card to do that, are you going to call the person each time, and say hey what is your credit card number, I need to give it to my credit card processor here so I can charge you, but we have to call to receive that. I don't think my client has that time, yes credit card numbers ALWAYS get stored on e-commerce websites where credit card transactions take place, that is the only way. And even if you don't use it in the database, they have to enter it, and when it goes back and forth from the server, it can be detected if not encrypted so either way it needs to be encrypted. The same with social security numbers, working on high profile sites, that is the best form of identification to take.
trq Posted July 19, 2006

There ARE merchant account solutions that will let you establish recurring billing. Verisign's PayFlowPro will let you store your customer's credit card info on [i]their[/i] servers.

I would never make myself or any of my clients responsible for storing credit card numbers, it's just not needed. Have you read any financial companies' requirements (PCI statements) for doing such? Really, if you're here asking these questions... you don't want the headache.

Maybe you will enjoy [url=http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf]this[/url] read.
Ninjakreborn Posted July 19, 2006

Ah very good point thank you, I had no idea such a thing exists, so now I have chosen what I am going to do about that, I will do external processing. Now the last thing, what about other stuff, I still need to get this to work, 2 way encryption/decryption, social security numbers, and passwords, and if nothing else session id's. I still need to get it to encrypt, send to database, pull from database, decrypt, but it's not decrypting, and thanks for the enlightenment, now I understand about the credit cards, I will study up on that later.
Ninjakreborn Posted July 19, 2006

Also PayPal emails, I want to encrypt those, maybe even emails just for fun.
nogray Posted July 19, 2006

There is a great tutorial for encryption and decryption on this site:
http://www.phpfreaks.com/tutorials/128/0.php

You can always store cc numbers, just always make sure it's very secure and encrypted.
Ninjakreborn Posted July 19, 2006

I already went over that tutorial 6-7 times.

There are 2 problems I am having, when I run my functions together, on the same page, it encrypts it, decrypts it, and shows the output of both. When I encrypt on one page, $password, then enter it into the database, it's encrypted in the database, it even shows it, but then when I pull another page up, pull the data, decrypt it, it stays encrypted. Anyone, I use what I showed above, I don't understand why it's not decrypting?
nogray Posted July 19, 2006

The key and iv you generate are different in every page, so the encryption will be different. You should generate the key and iv and store them in an include file (or something similar) then use them when you need.

Or you can use the encryption class from the tutorial and it'll do all the work for you.
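Added example, not code from any poster in this thread: the point made in the reply above, that the decrypting page must use the same key and IV as the encrypting page, shown with the IV stored alongside the ciphertext. It assumes PHP's OpenSSL extension (AES-256-GCM) rather than mcrypt; the function names, `DEMO_KEY_HEX` and the sample value are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Uses the OpenSSL extension
// (AES-256-GCM, PHP 7.1+) in place of mcrypt.

// Assumption: in production the 32-byte key is generated once and loaded
// from a file outside the web root. This constructed value is demo-only.
const DEMO_KEY_HEX = '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f';

// "Page 1": encrypt and return one text-safe value for the database column.
function encrypt_field(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);   // new IV for every value, never reused
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key,
                           OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // The IV is not secret: keep it (and the 16-byte tag) with the ciphertext.
    // base64 keeps the raw bytes intact in a text column.
    return base64_encode($iv . $tag . $ct);
}

// "Page 2": read the IV back out of the stored value instead of creating one.
function decrypt_field(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new InvalidArgumentException('stored value is malformed');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = (string) substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key,
                           OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('wrong key or modified ciphertext');
    }
    return $pt;
}

$key    = hex2bin(DEMO_KEY_HEX);
$stored = encrypt_field('constructed sample value', $key);  // written to the DB
echo decrypt_field($stored, $key), PHP_EOL;                 // a later request
```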
Ninjakreborn Posted July 19, 2006

Perfect, finally someone who had something to say about the mcrypt library, perfect, this should fix all my problems. I was thinking it had something to do with that, if that doesn't work then I am taking off the srand at the top and trying it that way, thanks.
Ninjakreborn Posted July 19, 2006

OK I need a little more assistance if you can. I redid a lot of my script, I even took out the srand, I thought it was making it a little too complicated to handle. It's easier without it, it runs smoother. I have the keys included on each page, but it's not decrypting properly, here is my include page now
[code]
<?php
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
$ks = mcrypt_enc_get_key_size($td);
$key = substr(sha1('bullshit'), 0, $ks);
?>
[/code]
Here is my page that I am encrypting on, and where I am including the file at
[code]
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CFB, '');
include '../includes/key.inc.php';
mcrypt_generic_init($td, $key, $iv);
$password = mcrypt_generic($td, $password);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
[/code]
That is just a cut out of my field, I still do everything else and add the password into the database. I can see it stored in the database, then I pull it out on another page, and can see the password encrypted, but it doesn't decrypt, this is what I have
[code]
$select = "SELECT username, password FROM userinfo WHERE username = 'joyel';";
$query = mysql_query($select);
$rows = mysql_num_rows($query);
while($array = mysql_fetch_array($query)) {
    extract($array);
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CFB, '');
    include './includes/key.inc.php';
    mcrypt_generic_init($td, $key, $iv);
    $password = mdecrypt_generic($td, $password);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    echo $password;
}
[/code]
It remains encrypted and does not decrypt.
Ninjakreborn Posted July 19, 2006

Ah I found my problem, how do I securely store the key, this is the problem. Every time it runs through my code, it creates 1 key, if I ran the same code, even if it's the same secret sentence or word, it creates a brand new key every single time. I have to store the 1 key permanently, somewhere, and be able to pull it for the password, I need advice? It creates 1 key per run, it encrypts each one with a different key, how do I keep these keys?
nogray Posted July 19, 2006

OK, let's say you generated the key (encrypt your string and save the output), and saved it in a config file (enc_config.php).

You'll need to put the file below the public_html folder (so it's not accessible via a browser), set the permissions on the file so only PHP files from your server can access it, and finally encrypt that file using a PHP encryption program (you can google for that). This way you have an encrypted key in an encrypted file, which makes it almost impossible for someone to steal your data.
Ninjakreborn Posted July 19, 2006

OK, at least I know how now. The other thing is, I am doing passwords, reading what I should do for encryption, I am not going through all of that for that. If I ever do do credit card, or social security or whatever, maybe, but for now, I know that mdhash, or sha will work, I can also use that on my session id's. What matters is I am 72 hours smarter in encryption, I know all the types asymmetrical, symmetrical, hash, I know about mdhash, or the hash library for new functions, I know about 1 way 2 way key encryption (asymmetrical, symmetrical), and hash, and about keys and saving keys, and using the htaccess to authenticate if I needed, or letting apache do it. I am general intermediate now when it comes to encryption, so I can use this knowledge later to do what I need quicker when I start. Now I will hash my passwords, after I do some research on what hash functions are the best, then match it against the password, I will do the same with my session id's.

Thanks for all the help. By the way would there be any other way to save these keys instead of having to do that?
Ninjakreborn Posted July 19, 2006

Weird thing here, I was using PHP's crypt function.
I did this:
I started with salt, the username, cut up like
[code]
$salt = substr($username, 0, 2);
[/code]
Then I ran it through crypt
[code]
$password = crypt($password, $salt);
[/code]
When I try to authenticate it, it's generally correct, but there are some inconsistencies. I picked a random password
952103902
and when I ran it, it matched, but if I do
95210390
it doesn't match, which is the way it's supposed to do, but if I use
9521039025
and 1 extra letter it returns true. Is this miscalculation a random occurrence or something to be concerned about?
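Added example, not code from the thread: with a two-character salt, `crypt()` uses traditional DES, which reads only the first eight characters of the password, so the two matching passwords in the post above (which share their first eight characters) produce the same hash. The block shows that scheme beside `password_hash()`/`password_verify()` with an upgrade on login; the function names are hypothetical, and the username and passwords are the ones quoted in the thread.

```php
<?php
// Added example, not code from the thread.

// Scheme from the post: salt = first two characters of the username.
// A two-character salt selects traditional DES crypt(), which ignores
// everything after the eighth character of the password.
function legacy_hash(string $password, string $username): string
{
    return crypt($password, substr($username, 0, 2));
}

// Hardened check: verify against whichever format is stored and replace a
// legacy hash with password_hash() output after a successful login.
// $stored is passed by reference so the caller can write the new value back.
function verify_and_upgrade(string $password, string $username, string &$stored): bool
{
    // Traditional DES hashes are 13 characters and have no "$" prefix.
    $isLegacy = strlen($stored) === 13 && $stored[0] !== '$';
    if ($isLegacy) {
        if (!hash_equals($stored, legacy_hash($password, $username))) {
            return false;
        }
    } elseif (!password_verify($password, $stored)) {
        return false;
    }
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed demo using the username and passwords quoted in the thread.
$user   = 'joyel';
$stored = legacy_hash('952103902', $user);

// Same first eight characters, so the legacy hashes are compared as equal.
var_dump(hash_equals($stored, legacy_hash('9521039025', $user)));

// The first login upgrades the stored hash; after that the whole password
// is checked, so the longer variant no longer verifies.
var_dump(verify_and_upgrade('952103902', $user, $stored));
var_dump(verify_and_upgrade('9521039025', $user, $stored));
```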