timothyarden Posted December 28, 2012

Hi Everyone,

I just had a few questions about the encryption function crypt(). If I was to do crypt($_POST['password'],CRYPT_BLOWFISH), assuming I had just sent through a password from the form on the previous page, it would return a Blowfish encrypted string. If I then used mysql to write it to my database, how, when the user logs in, would I compare the password that they have entered in the login form to the password in the database? If I compared the password to the query result from the database I assume it would return that the strings do not match. My question is how would I go about comparing these two values? Is there a decrypt function that I could use to unencrypt the information from the database so that I could compare the given password with the password in the database?

Thanks in advance for any help, advice or ideas!

Timothy
kicken Posted December 28, 2012

Using crypt()
timothyarden Posted December 28, 2012 (Author)

Thanks for the link kicken. I think I have figured it out. Please correct me if I am wrong. On signup a user enters a password and my script encrypts it and stores it in the database using crypt($signuppassword,CRYPT_BLOWFISH). To then compare the two I would compare crypt($loginattemptpassword,CRYPT_BLOWFISH) with the $databasepasswordresult for that user and if true log in, else fail. Please advise me of whether this is correct.

Thanks heaps!

Timothy
Muddy_Funster Posted December 28, 2012

The script in my sig uses a combination of blowfish and whirlpool: whirlpool to generate the salt and blowfish to generate the final encryption. Using it as an example, you would run the form input through it and store the returned value in the database at signup, and then run the form value through it and compare the returned value against the value in the database on login.
kicken Posted December 28, 2012

Quoting timothyarden: ... stores it in the database using crypt($signuppassword,CRYPT_BLOWFISH)

CRYPT_BLOWFISH is a constant that will indicate if the blowfish algorithm is available for use or not. It is not something you pass into the crypt() function. You have to generate a specific salt string for the second parameter, and the format of that string indicates which algorithm you want to use. For blowfish that salt string needs to be in the format of:

..."$2a$", "$2x$" or "$2y$", [followed by] a two digit cost parameter, [followed by] "$", [followed by] 22 digits from the alphabet "./0-9A-Za-z".

E.g.: $2y$19$abcdefghij1234567890ab
cpd Posted December 28, 2012

Quoting Muddy_Funster: The script in my sig uses a combination of blowfish and whirlpool: whirlpool to generate the salt and blowfish to generate the final encryption. Using it as an example, you would run the form input through it and store the returned value in the database at signup, and then run the form value through it and compare the returned value against the value in the database on login.

Your signature password hash seems pretty solid but I don't know why you haven't forced the parameter; that seems like a flaw to me. Out of curiosity, why do you lop off the first 12 characters from the final string?
Muddy_Funster Posted December 28, 2012

Quoting cpd: Your signature password hash seems pretty solid but I don't know why you haven't forced the parameter; that seems like a flaw to me. Out of curiosity, why do you lop off the first 12 characters from the final string?

I take a substring out of habit, as I don't like to have the salt anywhere in the final stored hash (I don't think it's a concern with blowfish, but other algorithms I have used in the past did attach the raw salt to the hash). The param is not forced because I had to bulk set a generic password when I wrote this the first time and had a string set in there for it. I elected to remove the string but leave the empty set option so that if anyone wants to lift the code and try it out they can just echo the result with minimum effort. I only put it up to try to encourage people to use something a bit stronger than md5() and show how easy it can be. I would like to think that anyone taking it would change the cost and substring returned to something a bit more personal.
timothyarden Posted December 28, 2012 (Author, edited)

Quoting kicken: CRYPT_BLOWFISH is a constant that will indicate if the blowfish algorithm is available for use or not. It is not something you pass into the crypt() function. You have to generate a specific salt string for the second parameter, and the format of that string indicates which algorithm you want to use. For blowfish that salt string needs to be in the format of: E.g.: $2y$19$abcdefghij1234567890ab

Okay, but I think that you can do it either way: either

crypt($password,CRYPT_BLOWFISH);
//or
crypt($password,'$2a$'.$twodigitcostparameter.'$'.$22lettersalt);

When I did the first I ran crypt('hello world',CRYPT_BLOWFISH); and it returned: 1$uOkE54mmKc

That's why I think you can do it either way.

Thanks for your help Muddy Funster, I'll look at your code using whirlpool and crypt and try to do something similar.

Thanks for everyone's help!

Timothy

Edited December 28, 2012 by timothyarden
kicken Posted December 28, 2012

Quoting timothyarden: Okay, but I think that you can do it either way: either

No, you can't do it either way. Using CRYPT_BLOWFISH as the salt parameter results in an invalid salt value since it doesn't match any of the specified algorithm salts. What happens in the case of an invalid salt is that crypt() uses some default settings which are dependent on the platform PHP is running on (i.e., not portable and will likely break if you move from one system to another). If you want to use a specific algorithm such as blowfish, you have to give it the proper salt value in the correct format for it to work.
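To make kicken's two points concrete (the "$2y$" salt format in his earlier reply, and the invalid-salt fallback in this one), here is an added example that is not from this thread or anyone's signature. It assumes PHP 7 or later for random_bytes() and hash_equals(), and that CRYPT_BLOWFISH is available; the function names are my own.

```php
<?php
// Added example: build a valid bcrypt salt for crypt(), store the full 60-char
// result at signup, and verify a login attempt against it. Assumes PHP 7+.

function makeBcryptSalt(int $cost = 10): string {
    // crypt() wants "$2y$" + two-digit cost + "$" + 22 chars from "./0-9A-Za-z".
    // base64 of 16 bytes is 24 chars; the first 22 never contain "=", and
    // "/" is already allowed, so only "+" needs mapping to ".".
    $raw   = base64_encode(random_bytes(16));
    $chars = substr(strtr($raw, '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

function hashPassword(string $password, int $cost = 10): string {
    $hash = crypt($password, makeBcryptSalt($cost));
    // If the salt were rejected, crypt() would not produce a bcrypt hash
    // (old builds fall back to a platform default, newer ones return a short
    // failure string). Refuse to store anything that is not a "$2y$" hash.
    if (strlen($hash) !== 60 || strncmp($hash, '$2y$', 4) !== 0) {
        throw new RuntimeException('bcrypt unavailable or salt rejected');
    }
    return $hash;
}

function verifyPassword(string $attempt, string $storedHash): bool {
    // The stored hash carries its own salt and cost, so passing it back as the
    // salt makes crypt() redo the same work. hash_equals() compares in
    // constant time, so the comparison does not leak how many bytes matched.
    return hash_equals($storedHash, crypt($attempt, $storedHash));
}

// Demo with a constructed password.
$stored = hashPassword('correct horse battery staple');          // at signup
if (!verifyPassword('correct horse battery staple', $stored)) {   // at login
    throw new LogicException('correct password should verify');
}
if (verifyPassword('wrong password', $stored)) {
    throw new LogicException('wrong password should not verify');
}
echo "stored hash: $stored\n";

// The thread's mistake: CRYPT_BLOWFISH is the integer 1, so the "salt" is the
// string "1", which matches no algorithm prefix. Check the prefix yourself
// rather than trusting whatever crypt() returns for it.
$bad = crypt('hello world', CRYPT_BLOWFISH);
echo 'invalid-salt result looks like bcrypt? ',
     (strncmp($bad, '$2y$', 4) === 0 ? 'yes' : 'no'), "\n";
```

From PHP 5.5 onward, password_hash() and password_verify() wrap exactly this salt generation and comparison, so in current code they replace the hand-built salt.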
timothyarden Posted December 29, 2012 (Author)

Okay, thanks for explaining.

Timothy
cpd Posted December 29, 2012

No you can't. Read the php.net website, where I think you'll find your use of CRYPT_BLOWFISH is causing crypt to fail and return a salt.