Jump to content

Encryption and Decryption Problem - Help!


Mko

Recommended Posts

Hey all,

I'm currently trying to encrypt a string a user enters, and then on another file, have this string decrypted and compared.

 

Here's what I have for creating the encryption:

$pre_pro = fn_get();
$processed = mysqli_real_escape_string($database, $pre_pro);
    
$key = $processed;
$text = $_POST['string'];

$pin_enc = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $text, MCRYPT_MODE_CBC, md5(md5($key))));

 

Here's what I have for decryption:

$key = $db['key'];
$curr = $db['text'];
$dec1 = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($curr), MCRYPT_MODE_CBC, md5(md5($key))), "\0");

 

However, when I decrypt the string, using the values:

Key: TJs:4#tq9W_f-<|56=\'E==spoAO]H
String: apWWM/wTGNCqRZshaHo+XhXoD98hJr

 

I get:

ylj1D.png

 

 

Any help is very much appreciated! :)

 

 

Thanks again,

Mark

Link to comment
Share on other sites

You need to check what values you're putting in at each step, and make sure they are the EXACT SAME

 

<?php

$string = 'magic carpet';
$key = 'foobar';

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);

$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_CBC, $iv);

echo $encrypted.'<br>';

$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted, MCRYPT_MODE_CBC, $iv);

echo $decrypted;

?>

 

Works fine.

 

Double MD5'ing your key isn't the proper way to create an IV, and defeats the purpose of having it completely

Link to comment
Share on other sites

You need to check what values you're putting in at each step, and make sure they are the EXACT SAME

 

<?php

$string = 'magic carpet';
$key = 'foobar';

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);

$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_CBC, $iv);

echo $encrypted.'<br>';

$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted, MCRYPT_MODE_CBC, $iv);

echo $decrypted;

?>

 

Works fine.

 

Double MD5'ing your key isn't the proper way to create an IV, and defeats the purpose of having it completely

 

Thanks for the help. Although, I'm trying to generate an encrypted password (and key) and save both these values ALL in one file. Then, in another file, I am trying to call these values from a database and decrypt them.

 

I've tried storing the $iv value in the database, yet it doesn't seem to work.

 

Could you help me out as to what the correct way would be to use encryption/decryption between two files using contents from a database?

 

 

Thanks,

Mark

Link to comment
Share on other sites

You need to check what values you're putting in at each step, and make sure they are the EXACT SAME

 

<?php

$string = 'magic carpet';
$key = 'foobar';

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);

$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_CBC, $iv);

echo $encrypted.'<br>';

$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted, MCRYPT_MODE_CBC, $iv);

echo $decrypted;

?>

 

Works fine.

 

Double MD5'ing your key isn't the proper way to create an IV, and defeats the purpose of having it completely

 

Thanks for the help. Although, I'm trying to generate an encrypted password (and key) and save both these values ALL in one file. Then, in another file, I am trying to call these values from a database and decrypt them.

 

I've tried storing the $iv value in the database, yet it doesn't seem to work.

 

Could you help me out as to what the correct way would be to use encryption/decryption between two files using contents from a database?

 

 

Thanks,

Mark

Encryption usually implies that you can decrypt it too, which is not something you want.

Link to comment
Share on other sites

make your own your self i say......

 

example only very easy to create.

<?php

$password="john";

$mypassword=md5(sha1($password));

$encrypt_password=mysql_real_escape_string($_POST($mypassword));

$unencrypted_password=mysql_real_escape_string($_POST($password));

mysql="INSERT INTO("user_id","encrypt_password","unencrypted_password")
VALUES($user_id,$encrypt_password,$unencrypted_password)";


?>

Link to comment
Share on other sites

Encryption usually implies that you can decrypt it too, which is not something you want.

 

Well, my main purpose is to try to do the following:

-Have a user enter a secret number

-Encrypt this number into the database

-Use this number as another security measure for changing passwords (as in, you must enter YOUR secret number to be able to change your password)

 

So, I'm trying to figure out how to have something encrypted into a database, from which later, I can draw information from to cross-reference what the user has inputted to say whether or not the user's input is matching or not.

Link to comment
Share on other sites

you don't need to no nothing they do.

 

 

and if they forget it then send them a email link to change the  number.

 

 

md5 and sha1 good for this.

 

 

also if you do keep records of security numbers you might be liable of things there getting up to , in court.

 

the user has to tel you on sign up there special number yea?

 

 

 

Link to comment
Share on other sites

You shouldn't be using 2-way encryption for passwords. Check out the article in my signature for proper password handling.

 

Here's a working example of what you want to do though

 

<?php

function encrypt( $data, $key ) {
$iv = mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
return bin2hex( $iv . mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_CBC, $iv) );
}

function decrypt( $encrypted_data, $key ) {
$encrypted_data = pack('H*', $encrypted_data);
$iv = substr($encrypted_data, 0, 32);
$data = substr($encrypted_data, 32);
return mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_CBC, $iv);
}

$data = 'Hello World';
$key = 'foobar';

echo "Raw data: $data<br>";

$encrypted = encrypt($data,$key);

echo "Encrypted string with IV: $encrypted<br>";

$decrypted = decrypt($encrypted,$key);

echo "Decrypted string: $decrypted";

?>

 

The IV is stored beside the encrypted data. It's all converted to HEX to be storage-friendly.

 

make your own your self i say......

 

example only very easy to create.

<?php

$password="john";

$mypassword=md5(sha1($password));

$encrypt_password=mysql_real_escape_string($_POST($mypassword));

$unencrypted_password=mysql_real_escape_string($_POST($password));

mysql="INSERT INTO("user_id","encrypt_password","unencrypted_password")
VALUES($user_id,$encrypt_password,$unencrypted_password)";


?>

 

Don't follow this advice. It's terrible, and the code provided doesn't even function as intended.

 

Encryption usually implies that you can decrypt it too, which is not something you want.

 

Well, my main purpose is to try to do the following:

-Have a user enter a secret number

-Encrypt this number into the database

-Use this number as another security measure for changing passwords (as in, you must enter YOUR secret number to be able to change your password)

 

So, I'm trying to figure out how to have something encrypted into a database, from which later, I can draw information from to cross-reference what the user has inputted to say whether or not the user's input is matching or not.

 

Why does this second passnumber need to be decrypted? Why not just treat it like a password?

Link to comment
Share on other sites

Encryption usually implies that you can decrypt it too, which is not something you want.

 

Well, my main purpose is to try to do the following:

-Have a user enter a secret number

-Encrypt this number into the database

-Use this number as another security measure for changing passwords (as in, you must enter YOUR secret number to be able to change your password)

 

So, I'm trying to figure out how to have something encrypted into a database, from which later, I can draw information from to cross-reference what the user has inputted to say whether or not the user's input is matching or not.

 

You hash the password AND the PIN. Then when the user tries to do something that requires both password and PIN, you hash the given values. If the hashes match, it's valid. You never need to decrypt the values.

Link to comment
Share on other sites

You hash the password AND the PIN. Then when the user tries to do something that requires both password and PIN, you hash the given values. If the hashes match, it's valid. You never need to decrypt the values.

 

Yeah, that's probably what I had intended to do, haha.

 

Though, I'm somewhat unfamiliar with the term. Is there an explanation and example you can show me so I can build off it and understand?

 

Thanks,

Mark :)

Link to comment
Share on other sites

To anyone reading this thread: Do not do what php-real-degree posted. Not only doesn't it work, but it adds no security what so ever! Storing the password in cleartext should never be done, and defeats the whole point of hashing it in the first place.

 

php-real-degree: Please refrain from trying to help people with security, when you yourself doesn't know the first thing about it. You are only causing damage and spreading confusion.

I recommend that you too read the article in xyph's signature.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.