md6, decryptable?



#1 ignace

ignace
  • Moderators
  • Now mod flavored
  • 6,431 posts
  • LocationBelgium

Posted 05 August 2006 - 05:08 PM

Md5 is decryptable, sha-1 is decryptable, and I am really worrying now about how safe my data is. And because I'm not an expert of any kind, I am asking you guys how safe the following function really is. I called it md6 because it is based upon the md5 encryption.

function md6($Input, $Extract) {
   $sReturn = md5($Input);
   return substr($sReturn, 0, strlen($sReturn) - $Extract);
}

Of course $Extract will need to remain the same all the time, so whenever a user logs in or registers, a certain number of characters is extracted from the total length of the encrypted (pass)word. And md5 is now only used as a "commission agent". I think this makes the encrypted data more secure because a number of characters are missing, making it somehow impossible to correctly decrypt it. (I never say never, of course.)

P.S.: My native language is Dutch, and when I translated the word I was looking for with AltaVista I got "commission agent". Wrong choice of words, I know, but I found it quite amusing and even funny.

#2 beamerrox

beamerrox
  • Members
  • Advanced Member
  • 35 posts
  • LocationGrimshaw, Alberta, Canada

Posted 05 August 2006 - 05:37 PM

sha1(md5($data));

#3 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • LocationUK, Bournemouth

Posted 05 August 2006 - 05:50 PM

md5/sha1 use one-way encryption, meaning it cannot be decrypted; however, it can be done with brute force, though not easily. Don't use md5 on its own. Use it with salt. If you add salt to your passwords it can become even harder for a hacker to brute force the password.

#4 ignace

ignace
  • Moderators
  • Now mod flavored
  • 6,431 posts
  • LocationBelgium

Posted 05 August 2006 - 05:57 PM

Meaning I should not use the above-mentioned function? Now then, on to the next question: how do I add salt? (Just get it in the kitchen? Probably not.) Or do you mean something like md5($word) . md5(uniqid(rand(), true));

#5 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • LocationUK, Bournemouth

Posted 05 August 2006 - 06:02 PM

Yeah, that's about right. This article explains/teaches how to beef up password hashing.

#6 ignace

ignace
  • Moderators
  • Now mod flavored
  • 6,431 posts
  • LocationBelgium

Posted 05 August 2006 - 06:12 PM

Thank you, another great site to put in my PHP website collection. (In other words, I'm putting it in my favorites.)

#7 phporcaffeine

phporcaffeine
  • Members
  • Advanced Member
  • 361 posts
  • LocationOhio, USA

Posted 05 August 2006 - 06:25 PM

Firstly, encrypt / decrypt implies "Encryption".  By definition, encryption is, "obscurity created by method".  Meaning that which is encrypted was done so by a particular method, in our case "salt" or "key".  This also lends to reason that it can be reversed or, "decrypted".

md5 is a hash mechanism, meaning that there isn't a "salt" or "key" to generate the obscurity. A hash is a system where a fixed object is believed to consistently produce a like object on another plane or dimension.

So if I say

md5 ("test");

and it produces 828rgr435t9br54452

So long as I remembered that "test" = 828rgr435t9br54452 as an md5 hash then it wouldn't be secure; the idea, though, is that hashes are so long, with no recognizable pattern, that humans cannot, or at least find it very difficult to, commit them to memory in a moment's glance (which is all most hackers have).

It's not to the novice to know that 828rgr435t9br54452 is an md5 hash just by looking at it either; to see a hash string at its value and know what generated it is another story altogether.


Thanks,

Ryan Huff
President & Founder, MyCodeTree
support@mycodetree.com | http://mycodetree.com
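
An added example, not part of the original thread and not any poster's code: it reuses md6() from post #1 to show that removing characters makes the login check accept other inputs, then shows salted hashing as post #3 advises, using PHP's built-in password_hash() (PHP 5.5+) in place of md5 with a hand-made salt. The $Extract value of 28, the sample password, and the helper names md6_login_ok and find_other_match are assumptions.

```php
<?php
// Added example, not code from the thread. All passwords below are constructed.

// md6() from post #1, same behaviour.
function md6($input, $extract) {
    $hash = md5($input);
    return substr($hash, 0, strlen($hash) - $extract);
}

// Login check as post #1 describes it: compare truncated hashes.
// (Hypothetical helper name.)
function md6_login_ok($attempt, $stored, $extract) {
    return md6($attempt, $extract) === $stored;
}

// Search for a different string that passes the check for $stored.
// Every removed hex character drops 4 bits of the hash, so wrong
// inputs that still match get easier to hit. (Hypothetical helper name.)
function find_other_match($password, $stored, $extract, $limit) {
    for ($i = 0; $i < $limit; $i++) {
        $candidate = "x$i";
        if ($candidate !== $password && md6_login_ok($candidate, $stored, $extract)) {
            return $candidate;
        }
    }
    return null;
}

$password = 'sunshine';   // constructed sample password
$extract  = 28;           // assumed $Extract: keeps 4 hex chars = 16 bits
$stored   = md6($password, $extract);

$other = find_other_match($password, $stored, $extract, 2000000);
echo "stored md6 value: $stored\n";
echo "different input accepted by the md6 check: ", var_export($other, true), "\n";

// Salted, deliberately slow hashing with PHP's built-in API.
// Each call generates its own random salt and stores it inside the
// returned string, so password_verify() needs no separate salt column.
$h1 = password_hash($password, PASSWORD_DEFAULT);
$h2 = password_hash($password, PASSWORD_DEFAULT);
echo "same password, equal hashes: ", var_export($h1 === $h2, true), "\n";
echo "correct password verifies: ", var_export(password_verify($password, $h1), true), "\n";
echo "wrong password verifies: ", var_export(password_verify((string)$other, $h1), true), "\n";
```

A smaller $Extract makes such matches rarer but does nothing about guessing: anyone who knows $Extract can run md6() on candidate words, and identical passwords still produce identical stored values.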



