2-way encryption

[rasmuspalm]

Evening gents. And ladies ;)

In my quest for securing peoples personal life against.. well, myself, i´ve decided to encrypt all user data in my database with the password they use for their account. (For you curious people i've made a calendar, and i don´t want to have peoples lives spelled out in plaintext in my database)
Soooooo..
I need an encryption function for php. I´d like:

Something tried, tested and strong like blowfish, 3DES or AES
Something simple (blowfish_crypt($plaintext,$pass),blowfish_decrypt($ciphertext,$pass))
Something easy (It's hosted at one.com and they don´t seem too keen on installing anything)

Oh, and one.com does not have either PEAR or Mccrypt installed.

Pleased to meet you, im sure this is the right place to ask.
Have a fabulous evening
- Rasmus

[dbo]

Any encryption you do needs to be with a non-changing salt. Typically users are able to change their password making this an unacceptable alternative.

What you can do is use a concatenation of the row id in your database and a username to make each user have a unique salt value for encryption, this helps add an extra layer. What type of data is it you are storing anyways?

First question that comes into play: do you really need to be storing the data?

If the answer is yes, is the data something that needs to be reversed once encrypted?

If the answer is no some flavor of a non-reversable cryptography function is the best bet. Something like md5 hashing for passwords (though this isn't 100%...) should never store passwords clear text.

If the answer to that question was yes then what type of threat are you trying to protect against? Sounds like just a compromised database. Have you looked at your database cryptography functions?

Whatever you decide make sure you don't store the salt values in a public_html directory where exposed sourcecode would allow an intruder to find your algorithm.

Would also suggest exchanging information over SSL so that it cannot be easily sniffed.

All that being said will try to provide more detailed answer if you have a more precise question. That rant was just on some general security thoughts/precautions.

[rasmuspalm]

[quote]Typically users are able to change their password making this an unacceptable alternative.[/quote] Good point! In future versions i'll include a change of passwords function that decrypts all data with the old password, sets the new one and encrypts it back. Thanks.
[quote]First question that comes into play: do you really need to be storing the data?[/quote] Yes. It'd be silly to ask if i didn't
[quote]is the data something that needs to be reversed once encrypted?[/quote] Thus the title, yes.
[quote]what type of threat are you trying to protect against? Sounds like just a compromised database. Have you looked at your database cryptography functions?[/quote] Indeed, a compromised database is the threat scenario. That and i'd like to give my users that extra feeling of security.
[quote]where exposed sourcecode would allow an intruder to find your algorithm.[/quote] Luckily strong encryption does not rely on the lack of knowledge of the algorithm. Whitepapers are a must for even considdering any algorithm's strength
[quote]All that being said will try to provide more detailed answer if you have a more precise question[/quote]
How can i be more presice. I know exactly what i want..
I want a link, to a php file i can download and include() so that i have either of those 3 encryption algorithms at my fingers.

[rasmuspalm]

Bumpeti bump :)

[fert]

XOR encryption is reversible and nearly unbreakible

[rasmuspalm]

Yup.. only problem is that i'll need a key as long as the plaintext  ;)
Can it really be true that no decent crypt algorithms has been translated into php?

[corbin]

You could like base64_encode it using salt or something... That takes more space than the original text though... And if the salt was discovered it would be pointless...

[Orio]

[quote author=rasmuspalm link=topic=120275.msg493440#msg493440 date=1167443497]Can it really be true that no decent crypt algorithms has been translated into php?[/quote]

That's why you have the mycrypt library... More than 40 encryption functions.
That's the best option for you, but you say you cant install it?

Orio.

[rasmuspalm]

Yea one.com does not have it installed and does not feel like installing it  :-\
I've been looking into [url=http://blog.sc.tri-bit.com/archives/101]Stone's safecrypt[/url], but i can't make it work?
Does it require PEAR or something else i missed?
I've set the salt, uploaded the files but the test.php won't work ???

EDIT: Yarr, it seems stone's need MCcrypt as well..