Standard function, error??


3 replies to this topic

#1 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 19 July 2006 - 09:12 PM

Ok, this is a standard PHP function: crypt.
It's not part of the mcrypt library, it's just a standard PHP function. I studied this for a while, and I was going to do this, but I don't know if it's documented, but I think I might have found an error in this. I am going to report it as an error to php.net.
Based on the manual, and everyone I have asked, the traditional way to use crypt is to have them create a username and password; at the beginning take the username and password, and salt the password with the first 2 letters of the username, like this.
Note, this is assuming they already submitted the form; their username is whatever they chose, as well as their password.
$salt = substr($username, 0, 2);
$password = crypt($password, $salt);
Ok, this takes the password they entered and encrypts it with the salt, then it stores it back into the password, then you feed that to the database and it saves it.
Done with encryption.
Now you can't decrypt this, it's 1-way encryption.
But the way you are supposed to be able to authenticate the user, or check the password he enters against his password, is when they try to sign in they enter a username and password;
when you get the data, you do the following with whatever password they put in:
$salt = substr($username, 0, 2);
$password = crypt($password, $salt);
The username is now the username they entered and the password is the encrypted form of the password they entered into the form, then you take that encrypted password and username, run it against the database; if this encrypted password in non-encrypted form was the same as their other password they match. If you crypt 2 words with the same salt, they are supposed to be the same, as far as the manual says. Now, so if they enter another password than their own, when it encrypts using those 2 letters it will be different than their original password, so it returns false.
I found a loophole that I want to report, not sure if it's known or not.
If you take some characters and change it around, it still returns true. If you enter the same password for both, it returns true, great; then playing around, if you change just 1 letter, or 2 letters, in the right way, it changes it and makes it true anyway even though it wasn't supposed to be an exact match.
Just trying to leave a deep warning for people using crypt for authentication. You can even try it for yourself: make the first password you create when you register
952103902
then when you check it later in another script from the password, using the username, try
952103902 and it returns true; then if you decide to go ahead and test it using a few different letters, just throw a random letter at the end, or change one in the middle, it's still true, instead of false like it should be.
Fair warning.

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.


#2 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 19 July 2006 - 10:39 PM

As it clearly states in the manual.

You should pass the entire results of crypt() as the salt for comparing a
  password, to avoid problems when different hashing algorithms are used



#3 litebearer

litebearer
  • Members
  • Advanced Member
  • 2,357 posts
  • Location: white lake michigan

Posted 20 July 2006 - 11:44 AM

Also from the manual

The standard DES-based encryption crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).



Which would seem to indicate that user: michaeljordan02, password: 123456789a would ultimately give the same result as user: michaeljordan99, password: 123456789bx3d.

Or will it? (too early to set up a test script, coffee has NOT kicked in yet)


Lite...

all the brothers were valiant!

The truly intelligent people are not those who create the dots; rather they are the ones with the ability to connect the dots into a coherent picture.
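An added example (not code from the thread) that puts litebearer's question to the test and shows the verification step trq's manual quote describes. The usernames and passwords are the constructed values from the post above; `des_hash` and `check_password` are hypothetical helper names.

```php
<?php
// Added example, not from the original thread. Reproduces the username-prefix
// salt scheme from the first post and checks the two manual quotes against it.

// Registration as the first post does it: salt = first two characters of the
// username. A 2-character salt selects classic DES-based crypt().
function des_hash(string $username, string $password): string
{
    $salt = substr($username, 0, 2);
    return crypt($password, $salt);
}

// litebearer's question: DES crypt() uses only the first 8 bytes of the
// password, so these constructed values collide (same salt "mi", same first
// 8 bytes "12345678") even though the full passwords differ.
$h1 = des_hash('michaeljordan02', '123456789a');
$h2 = des_hash('michaeljordan99', '123456789bx3d');
printf("hashes identical: %s\n", $h1 === $h2 ? 'yes' : 'no');
// The salt is echoed back as the first two characters of the output,
// which is what lets the stored hash be reused as the salt below.
printf("salt prefix of hash: %s\n", substr($h1, 0, 2));

// Verification the way trq's manual quote describes: pass the stored hash
// itself as the salt. crypt() reads the salt (and, for the stronger schemes,
// the algorithm identifier) from it, so the check keeps working if stored
// hashes are later produced by a different scheme. hash_equals() compares in
// constant time (PHP >= 5.6). Hypothetical helper name.
function check_password(string $candidate, string $stored): bool
{
    return hash_equals($stored, crypt($candidate, $stored));
}
printf("correct password accepted: %s\n", check_password('123456789a', $h1) ? 'yes' : 'no');
printf("wrong password rejected:   %s\n", check_password('wrong', $h1) ? 'no' : 'yes');
// The 8-byte truncation is a property of DES crypt() itself, not of the
// comparison, so a longer password sharing the first 8 bytes still passes.
printf("longer 8-byte-prefix twin accepted: %s\n", check_password('123456789bx3d', $h1) ? 'yes' : 'no');

// Current practice (PHP >= 5.5): password_hash() chooses a strong salted
// algorithm (bcrypt by default) and password_verify() reads salt and algorithm
// from the stored string, with no 8-byte truncation.
$stored = password_hash('123456789bx3d', PASSWORD_DEFAULT);
printf("bcrypt: 8-byte twin rejected: %s\n", password_verify('123456789a', $stored) ? 'no' : 'yes');
printf("bcrypt: real password accepted: %s\n", password_verify('123456789bx3d', $stored) ? 'yes' : 'no');
```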

#4 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 20 July 2006 - 12:49 PM

ah ok, thanks





