Encryption and Decryption Problem - Help!

[Mko]

Hey all,

I'm currently trying to encrypt a string a user enters, and then on another file, have this string decrypted and compared.

 

Here's what I have for creating the encryption:

$pre_pro = fn_get();
$processed = mysqli_real_escape_string($database, $pre_pro);
    
$key = $processed;
$text = $_POST['string'];

$pin_enc = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $text, MCRYPT_MODE_CBC, md5(md5($key))));

 

Here's what I have for decryption:

$key = $db['key'];
$curr = $db['text'];
$dec1 = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($curr), MCRYPT_MODE_CBC, md5(md5($key))), "\0");

 

However, when I decrypt the string, using the values:

Key: TJs:4#tq9W_f-<|56=\'E==spoAO]H
String: apWWM/wTGNCqRZshaHo+XhXoD98hJr

 

I get:

 

 

Any help is very much appreciated!

 

 

Thanks again,

Mark

[xyph]

You need to check what values you're putting in at each step, and make sure they are the EXACT SAME

 

<?php

$string = 'magic carpet';
$key = 'foobar';

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);

$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_CBC, $iv);

echo $encrypted.'<br>';

$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted, MCRYPT_MODE_CBC, $iv);

echo $decrypted;

?>

 

Works fine.

 

Double MD5'ing your key isn't the proper way to create an IV, and defeats the purpose of having it completely

[Mko]

You need to check what values you're putting in at each step, and make sure they are the EXACT SAME

 

<?php

$string = 'magic carpet';
$key = 'foobar';

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);

$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_CBC, $iv);

echo $encrypted.'<br>';

$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted, MCRYPT_MODE_CBC, $iv);

echo $decrypted;

?>

 

Works fine.

 

Double MD5'ing your key isn't the proper way to create an IV, and defeats the purpose of having it completely

 

Thanks for the help. Although, I'm trying to generate an encrypted password (and key) and save both these values ALL in one file. Then, in another file, I am trying to call these values from a database and decrypt them.

 

I've tried storing the $iv value in the database, yet it doesn't seem to work.

 

Could you help me out as to what the correct way would be to use encryption/decryption between two files using contents from a database?

 

 

Thanks,

Mark

[MMDE]

You need to check what values you're putting in at each step, and make sure they are the EXACT SAME

 

<?php

$string = 'magic carpet';
$key = 'foobar';

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);

$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_CBC, $iv);

echo $encrypted.'<br>';

$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted, MCRYPT_MODE_CBC, $iv);

echo $decrypted;

?>

 

Works fine.

 

Double MD5'ing your key isn't the proper way to create an IV, and defeats the purpose of having it completely

 

Thanks for the help. Although, I'm trying to generate an encrypted password (and key) and save both these values ALL in one file. Then, in another file, I am trying to call these values from a database and decrypt them.

 

I've tried storing the $iv value in the database, yet it doesn't seem to work.

 

Could you help me out as to what the correct way would be to use encryption/decryption between two files using contents from a database?

 

 

Thanks,

Mark

Encryption usually implies that you can decrypt it too, which is not something you want.

[redarrow]

make your own your self i say......

 

example only very easy to create.

<?php

$password="john";

$mypassword=md5(sha1($password));

$encrypt_password=mysql_real_escape_string($_POST($mypassword));

$unencrypted_password=mysql_real_escape_string($_POST($password));

mysql="INSERT INTO("user_id","encrypt_password","unencrypted_password")
VALUES($user_id,$encrypt_password,$unencrypted_password)";


?>

[Mko]

Encryption usually implies that you can decrypt it too, which is not something you want.

 

Well, my main purpose is to try to do the following:

-Have a user enter a secret number

-Encrypt this number into the database

-Use this number as another security measure for changing passwords (as in, you must enter YOUR secret number to be able to change your password)

 

So, I'm trying to figure out how to have something encrypted into a database, from which later, I can draw information from to cross-reference what the user has inputted to say whether or not the user's input is matching or not.

[redarrow]

you don't need to no nothing they do.

 

 

and if they forget it then send them a email link to change the  number.

 

 

md5 and sha1 good for this.

 

 

also if you do keep records of security numbers you might be liable of things there getting up to , in court.

 

the user has to tel you on sign up there special number yea?

 

 

 

[xyph]

You shouldn't be using 2-way encryption for passwords. Check out the article in my signature for proper password handling.

 

Here's a working example of what you want to do though

 

<?php

function encrypt( $data, $key ) {
$iv = mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
return bin2hex( $iv . mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_CBC, $iv) );
}

function decrypt( $encrypted_data, $key ) {
$encrypted_data = pack('H*', $encrypted_data);
$iv = substr($encrypted_data, 0, 32);
$data = substr($encrypted_data, 32);
return mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_CBC, $iv);
}

$data = 'Hello World';
$key = 'foobar';

echo "Raw data: $data<br>";

$encrypted = encrypt($data,$key);

echo "Encrypted string with IV: $encrypted<br>";

$decrypted = decrypt($encrypted,$key);

echo "Decrypted string: $decrypted";

?>

 

The IV is stored beside the encrypted data. It's all converted to HEX to be storage-friendly.

 

make your own your self i say......

 

example only very easy to create.

<?php

$password="john";

$mypassword=md5(sha1($password));

$encrypt_password=mysql_real_escape_string($_POST($mypassword));

$unencrypted_password=mysql_real_escape_string($_POST($password));

mysql="INSERT INTO("user_id","encrypt_password","unencrypted_password")
VALUES($user_id,$encrypt_password,$unencrypted_password)";


?>

 

Don't follow this advice. It's terrible, and the code provided doesn't even function as intended.

 

Encryption usually implies that you can decrypt it too, which is not something you want.

 

Well, my main purpose is to try to do the following:

-Have a user enter a secret number

-Encrypt this number into the database

-Use this number as another security measure for changing passwords (as in, you must enter YOUR secret number to be able to change your password)

 

So, I'm trying to figure out how to have something encrypted into a database, from which later, I can draw information from to cross-reference what the user has inputted to say whether or not the user's input is matching or not.

 

Why does this second passnumber need to be decrypted? Why not just treat it like a password?

[Jessica]

Encryption usually implies that you can decrypt it too, which is not something you want.

 

Well, my main purpose is to try to do the following:

-Have a user enter a secret number

-Encrypt this number into the database

-Use this number as another security measure for changing passwords (as in, you must enter YOUR secret number to be able to change your password)

 

So, I'm trying to figure out how to have something encrypted into a database, from which later, I can draw information from to cross-reference what the user has inputted to say whether or not the user's input is matching or not.

 

You hash the password AND the PIN. Then when the user tries to do something that requires both password and PIN, you hash the given values. If the hashes match, it's valid. You never need to decrypt the values.

[Mko]

You hash the password AND the PIN. Then when the user tries to do something that requires both password and PIN, you hash the given values. If the hashes match, it's valid. You never need to decrypt the values.

 

Yeah, that's probably what I had intended to do, haha.

 

Though, I'm somewhat unfamiliar with the term. Is there an explanation and example you can show me so I can build off it and understand?

 

Thanks,

Mark

[xyph]

What term? Hash?

 

For the second time, please read the article in my signature.

[Mko]

What term? Hash?

 

For the second time, please read the article in my signature.

My bad, sorry

Anyways, thanks for that article. It's proving to be very helpful!

 

Thanks again,

Mark

[xyph]

Let us know if you have any questions afterwards. It's very in-depth

[Christian F.]

To anyone reading this thread: Do not do what php-real-degree posted. Not only doesn't it work, but it adds no security what so ever! Storing the password in cleartext should never be done, and defeats the whole point of hashing it in the first place.

 

php-real-degree: Please refrain from trying to help people with security, when you yourself doesn't know the first thing about it. You are only causing damage and spreading confusion.

I recommend that you too read the article in xyph's signature.