Jump to content

password encryption and decryption

arathi

By arathi
in PHP Coding Help

 Share

Recommended Posts

dooper3 Member

dooper3

Posted
Posted

Not sure about other methods, but I can tell you you can't decrypt md5 very easily. But you never should anyway, the way you should use it is all user passwords should be saved in md5 encrypted form and then when a user types in their password to log in, you md5 what they type in then compare it to the md5'd one you've got on record.

Link to comment
Share on other sites
DeadEvil Newbie

DeadEvil

Posted
Posted

I found this code on the internet and it works...

 

<?
#crypt.class.php
class crypt {
var $keys;

function crypt_key($ckey){
	$this->keys = array();

	$c_key = base64_encode(sha1(md5($ckey)));
	$c_key = substr($c_key, 0, round(ord($ckey{0})/5));

	$c2_key = base64_encode(md5(sha1($ckey)));
	$last = strlen($ckey) - 1;
	$c2_key = substr($c2_key, 1, round(ord($ckey{$last})/7));

	$c3_key = base64_encode(sha1(md5($c_key).md5($c2_key)));
	$mid = round($last/2);
	$c3_key = substr($c3_key, 1, round(ord($ckey{$mid})/9));

	$c_key = $c_key.$c2_key.$c3_key;
	$c_key = base64_encode($c_key);

	for($i = 0; $i < strlen($c_key); $i++){
		$this->keys[] = $c_key[$i];
	}
}

function encrypt($string){
	$string = base64_encode($string);
	$keys = $this->keys;
	for($i = 0; $i < strlen($string); $i++){
		$id = $i % count($keys);
		$ord = ord($string{$i});
		$ord = $ord OR ord($keys[$id]);
		$id++;
		$ord = $ord AND ord($keys[$id]);
		$id++;
		$ord = $ord XOR ord($keys[$id]);
		$id++;
		$ord = $ord + ord($keys[$id]);
		$string{$i} = chr($ord);
	}
	return base64_encode($string);
}

function decrypt($string){
	$string = base64_decode($string);
	$keys = $this->keys;
	for($i = 0; $i < strlen($string); $i++){
		$id = $i % count($keys);
		$ord = ord($string{$i});
		$ord = $ord XOR ord($keys[$id]);
		$id++;
		$ord = $ord AND ord($keys[$id]);
		$id++;
		$ord = $ord OR ord($keys[$id]);
		$id++;
		$ord = $ord - ord($keys[$id]);
		$string{$i} = chr($ord);
	}
	return base64_decode($string);
}
}

# Sets up an instance of the class
$crypt = new crypt;
?>

 

<?
#test_crypt.php
require_once('crypt.class.php);
$crypt = new crypt; //sets up an instance of the class

$or_ccno = '4123456789012345;

print $crypt->crypt_key($or_ccno)."<br>"; //assigns an encryption key to the instance
print "Enc: ".$encrypted = $crypt->encrypt($or_ccno)."<br>"; //encrypts the data using the key
print "Dec: ".$decrypted = $crypt->decrypt($encrypted); //decrypts the data using the key
?>

Link to comment
Share on other sites
MadTechie Regular Member

MadTechie

Posted
Posted

you can NOT "decrypt" MD5..

 

you can have a database with all the decrypted values.. this is NOT decrypting..

also the "lookup" will fail with a simple change ie

$password = "Hello";

$hash = md5($password."1"); //thats a very time change

 

 

as for password you should use MD5 + salt (like the appending of the 1)

 

instead of decrypting it you get the password the user has entered (to login) and MD5 it and compare that to the MD5 password in the database

 

 

EDIT: as a side note sha1 is more secure but slightly slower

Link to comment
Share on other sites
phat_hip_prog Member

phat_hip_prog

Posted
Posted

The point of using 'one way functions' such as md5/sha/ripe etc is that you convert the plain text with the ability to then save it in plain sight (e.g. try # cat /etc/shadow). When you want to check the password, you put it through the same routine as before and then compare it to the saved one. If you want to save a password (or other doc) you should use either symmetric or asymmetric encryption algorithms, either way you'll have to save passwords (key sets) for these, for which you'll probably do the same as before.

Link to comment
Share on other sites
dbo Member

dbo

Posted
Posted

Anything can be cracked if your database gets compromised and someone has the time... and desire to do it.

 

I'd suggest against using encrypt/decrypt method all together. The md5 method is the best one... you just need to make sure you salt it.

 

So then when you are comparing the value in the DB you add your salt to the user input and encrypt it and compare encrypted vs encrypted. There is no need to ever be able to reverse passwords.

Link to comment
Share on other sites
MadTechie Regular Member

MadTechie

Posted
Posted

i don't see the reason for the encrypted part!! ???

it will take alittle longer will little (if anyone) benefit!

i understand the idea but not the reason.. one way protection is designed for this encryption isn't..

 

you could use 2 salts which can be random and stored in the database with the username etc..

ie

md5(md5("pass"."salt1").md5("pass"."salt2"))

 

but at some point its going to be overkill

 

also always remember the weakest point in the protection is never at the frontdoor, its normally the backdoor/window!

 

creating a over complex login system is usless if you don't maintain the security once they have logged inn..

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.