Standard function, error??

Ok, this is a standard PHP function.
It's not part of the mcrypt library, it's just a standard PHP function. I studied this for a while, and I was going to do this, but I don't know if it's documented. I think I might have found an error in this; I am going to report it as an error to php.net.
Based on the manual, and everyone I have asked, the traditional way to use crypt is to have them create a username and password. At the beginning, take the username and password, and salt the password with the first 2 letters of the username, like this.
Note: this is assuming they already submitted the form; their username is whatever they chose, as well as their password.
[code]$salt = substr($username, 0, 2);
$password = crypt($password, $salt);[/code]
Ok, this takes the password they entered and encrypts it with the salt, then it stores it back into the password, then you feed that to the database, and it saves it.
Done with encryption.
Now you can't decrypt this, it's one-way encryption.
But the way you are supposed to be able to authenticate the user, or check the password he enters against his password, is this: when they try to sign in, they enter a username and password,
and when you get the data, you do the following with whatever password they put in:
[code]$salt = substr($username, 0, 2);
$password = crypt($password, $salt);[/code]
The username is now the username they entered, and the password is the encrypted form of the password they entered into the form. Then you take that encrypted password and username and run it against the database; if this encrypted password in non-encrypted form was the same as their other password, they match. If you crypt 2 words with the same salt, they are supposed to be the same, as far as the manual says. Now, if they enter another password than their own, when it encrypts using those 2 letters it will be different than their original password, so it returns false.
I found a loophole that I want to report, not sure if it's known or not.
If you take some characters and change them around, it still returns true. If you enter the same password for both, it returns true, great; then, playing around, if you change just 1 letter, or 2 letters, in the right way, it changes it and makes it true anyway, even though it wasn't supposed to be an exact match.
Just trying to leave a deep warning for people using crypt for authentication. You can even try it for yourself: make the first password you create when you register
then when you check it later in another script from the password, using the username, try
952103902 and it returns true. Then if you decide to go ahead and test it using a few different letters, just throw a random letter at the end, or change one in the middle, it's still true, instead of false like it should be.
Fair warning.

As it clearly states in the manual.

[quote]You should pass the entire results of crypt() as the salt for comparing a password, to avoid problems when different hashing algorithms are used[/quote]

Also from the manual

The standard DES-based encryption crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).

Which would seem to indicate that user: michaeljordan02, password: 123456789a would ultimately give the same result as user: michaeljordan99, password: 123456789bx3d.

Or will it? (too early to set up a test script, coffee has NOT kicked in yet)
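The test script the previous post did not get to, as an added example that is not code from anyone in the thread: it reproduces the "two letters of the username" scheme, checks the collision asked about above, and contrasts it with the verification rule the manual quote describes. The usernames and passwords are constructed for illustration.

```php
<?php
// Added example (not from the original thread). Shows why salting with the first
// two characters of the username misbehaves with standard DES crypt(), and how
// crypt() output is meant to be verified. Sample credentials are constructed.

// The scheme from the first post: salt = first two characters of the username.
// A two-character salt selects the standard DES algorithm in crypt().
function legacyHash(string $username, string $password): string {
    $salt = substr($username, 0, 2);
    return crypt($password, $salt);
}

// Standard DES looks only at the first eight characters of the password, so two
// users whose usernames start with the same two letters and whose passwords share
// the first eight characters end up with identical stored hashes.
function legacyHashesCollide(): bool {
    $a = legacyHash('michaeljordan02', '123456789a');
    $b = legacyHash('michaeljordan99', '123456789bx3d');
    return $a === $b;
}

// The manual's rule: pass the stored hash back in as the salt so crypt() reuses the
// algorithm and salt that produced it, and compare the results in constant time.
function verifyLegacy(string $storedHash, string $candidate): bool {
    return hash_equals($storedHash, crypt($candidate, $storedHash));
}

// For new code, password_hash()/password_verify() pick a current algorithm,
// generate a random per-password salt, and store it inside the hash string.
function verifyModern(string $storedHash, string $candidate): bool {
    return password_verify($candidate, $storedHash);
}

$stored = legacyHash('michaeljordan02', '123456789a');
var_dump(legacyHashesCollide());
var_dump(verifyLegacy($stored, '123456789a'));
var_dump(verifyLegacy($stored, '12345678'));   // DES truncation: still a weakness of this scheme
var_dump(verifyLegacy($stored, 'wrong'));

$modern = password_hash('123456789bx3d', PASSWORD_DEFAULT);
var_dump(verifyModern($modern, '123456789bx3d'));
var_dump(verifyModern($modern, '123456789a'));
```

Run with `php` from the command line; the first three dumps illustrate the collision and truncation, the modern variant does not collide on a shared eight-character prefix.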