md5 - Reversing the value?

[Solarpitch]

Hey,

 

I use md5 to store password in the database. I have a script that sends a user his password via a mail if they forgot it. However it sends the 32 bit encrypted value as I am using...

 

//... Connect to db ...

$query = "select * from members where
              email = '$email_to'";
		   

    $result = mysqli_query( $mysql, $query );


    if(!$result)
    {
      $message = 'Cannot run query.';
      exit;
    }
    //$row = mysqli_fetch_row( $result );

$count = mysqli_num_rows($result);


if ( $count > 0 ){

$rows=mysqli_fetch_array($result);


$your_password = $rows['user_password'];
$your_username = $rows['username'];



// Send mail form...

 

Is there anyway to return the user's "real" password from the database and store it in $your_password rather than it retrieving the 32bit encryption?

[chigley]

That's not really possible. MD5 is a one way decryption, so you either use MD5 and send them an email with a link to reset their password, or you store the passwords in plain text and the script is insecure.

[Timma]

Just need to find a nice secretive place to hide the real passwords.

[taith]

yup! md5() is "not" decyrptable... well... not in any standard method... lol

[Timma]

It's a hash, so if you wanted to decrypt it you would have to make some hash dictionaries to attempt finding the password, but then you might not even find the password. As hash dictionaries only work for simple ones.

[Solarpitch]

Ummm . . ok, well I think the "change password" option will probably be the best. Or . . just get them to log in with their 32bit encrypted password, that would be fun!

[per1os]

Yea, most sites run where if you forget your password you just get a new one sent to you and the old one is just trashed.

 

There is a way to get an md5 like encryption and be able to decrypt it. I think it is in the usercomments at www.php.net/md5

 

Alexander Valyalkin

30-Jun-2004 01:41

Below is MD5-based block cypher (MDC-like), which works in 128bit CFB mode. It is very useful to encrypt secret data before transfer it over the network.

$iv_len - initialization vector's length.

0 <= $iv_len <= 512

 

<?php

 

function get_rnd_iv($iv_len)

{

    $iv = '';

    while ($iv_len-- > 0) {

        $iv .= chr(mt_rand() & 0xff);

    }

    return $iv;

}

 

function md5_encrypt($plain_text, $password, $iv_len = 16)

{

    $plain_text .= "\x13";

    $n = strlen($plain_text);

    if ($n % 16) $plain_text .= str_repeat("\0", 16 - ($n % 16));

    $i = 0;

    $enc_text = get_rnd_iv($iv_len);

    $iv = substr($password ^ $enc_text, 0, 512);

    while ($i < $n) {

        $block = substr($plain_text, $i, 16) ^ pack('H*', md5($iv));

        $enc_text .= $block;

        $iv = substr($block . $iv, 0, 512) ^ $password;

        $i += 16;

    }

    return base64_encode($enc_text);

}

 

function md5_decrypt($enc_text, $password, $iv_len = 16)

{

    $enc_text = base64_decode($enc_text);

    $n = strlen($enc_text);

    $i = $iv_len;

    $plain_text = '';

    $iv = substr($password ^ substr($enc_text, 0, $iv_len), 0, 512);

    while ($i < $n) {

        $block = substr($enc_text, $i, 16);

        $plain_text .= $block ^ pack('H*', md5($iv));

        $iv = substr($block . $iv, 0, 512) ^ $password;

        $i += 16;

    }

    return preg_replace('/\\x13\\x00*$/', '', $plain_text);

}

 

/******************************************/

$plain_text = 'very secret string';

$password = 'very secret password';

echo "plain text is: [${plain_text}]<br />\n";

echo "password is: [${password}]<br />\n";

 

$enc_text = md5_encrypt($plain_text, $password);

echo "encrypted text is: [${enc_text}]<br />\n";

 

$plain_text2 = md5_decrypt($enc_text, $password);

echo "decrypted text is: [${plain_text2}]<br />\n";

 

?>

[taith]

ya... thats... not md5... every time you refresh it, it gives you a new hash... and it doesnt work, if you dont put the origional text in...

[per1os]

Nope you miss-read the function. The $password is sort of like the "salt" you use that and it is secret to the site so no one else can take the hash and use this function to decrypt it.

 

=)

[taith]

ya... but it doesnt keep the same hash every time you refresh... which is 100% useless for testing passwords... lol

 

ok... think i found a use for it... perhapss... licencing? so you install on one server, goes to your sever, checks to make sure licence is valid, then will install... but not for passwords...

[per1os]

Not necessarily. Remember you can decrypt it.

 

<?php
session_start();
function get_rnd_iv($iv_len)
{
    $iv = '';
    while ($iv_len-- > 0) {
        $iv .= chr(mt_rand() & 0xff);
    }
    return $iv;
}

function md5_encrypt($plain_text, $password, $iv_len = 16)
{
    $plain_text .= "\x13";
    $n = strlen($plain_text);
    if ($n % 16) $plain_text .= str_repeat("\0", 16 - ($n % 16));
    $i = 0;
    $enc_text = get_rnd_iv($iv_len);
    $iv = substr($password ^ $enc_text, 0, 512);
    while ($i < $n) {
        $block = substr($plain_text, $i, 16) ^ pack('H*', md5($iv));
        $enc_text .= $block;
        $iv = substr($block . $iv, 0, 512) ^ $password;
        $i += 16;
    }
    return base64_encode($enc_text);
}

function md5_decrypt($enc_text, $password, $iv_len = 16)
{
    $enc_text = base64_decode($enc_text);
    $n = strlen($enc_text);
    $i = $iv_len;
    $plain_text = '';
    $iv = substr($password ^ substr($enc_text, 0, $iv_len), 0, 512);
    while ($i < $n) {
        $block = substr($enc_text, $i, 16);
        $plain_text .= $block ^ pack('H*', md5($iv));
        $iv = substr($block . $iv, 0, 512) ^ $password;
        $i += 16;
    }
    return preg_replace('/\\x13\\x00*$/', '', $plain_text);
}

/******************************************/
$plain_text = 'very secret string';
$password = 'very secret password';
echo "plain text is: [${plain_text}]
\n";
echo "password is: [${password}]
\n";

$enc_text = md5_encrypt($plain_text, $password);
echo "encrypted text is: [${enc_text}]
\n";

if (!isset($_SESSION['enc'])) {
$_SESSION['enc'] = $enc_text;
}else {
$plain_text2 = md5_decrypt($_SESSION['enc'], $password);
echo "decrypted text is: [${plain_text2}]
\n";
}
?>

 

Meaning that anytime a user enters their login/password on the form, you just have to decrypt the hash from the database to check against the password. An extra step, yes but if you want to have decryption functionality that is how it has to be done.

 

Anyhow, it works just may not be the securest but allows for decryption functionality while also providing a tougher encryption method than just the base64 alone.