PHP - Problem With Encryption Function ?

Dear All respective friend,

I'm asking for help. during I know how to code in php. I alway use md5() but I had some problem with abit.

can anyone introduce me with persona code encryption without using md5()?

Your ideal are very important to me especially small example code.

Looking forward from you soon.

Kindly Regards,
Steve.

Hey, I'm a bit stuck. I'm looking for a simple yet secure way to encrypt a string (not hash, I need to retrieve it later) so that I can store legally sensitive data which I need to use again later. I am aware that any kind of reversable data is by nature not properly secure, but it's not my decision. I'd rather see if there's a pre-built function or class for this rather than just writing my own, which wouldn't be too good

Thanks in Advance
Gareth

Is there any tutorial or book where i can learn about how to do the encryption?? thanks in advance

Hy 2 all,

I have some questions about password security that I haven't been able to find an answer yet.   
Hopefully you guys know.

Here it goes:

1. Is it better to hash(sha2) the password and then salt it or salt it and than hash it ?
2. I'm guessing that using a random salt is better than the same salt used for every password.
3. How can you generate a different random salt for each password ? I mean how will the login page know which random salt to mix with the hashed user inserted password and then to compare it with the password stored in the db. (an example would be great(for both: generating and authentication)
4. I saw some codes in which the salt and/or hash and/or password was split into two (ex: hash.salt1a.password.salt1b  or  password1a.salt.password1b  or  salt.hash1a.password.hash1b  etc.) Is this a good idea ? Is it really more secure ? If so which would be more secure (splitting the password, the hash or the salt) ?
5. Is double hashing (ex: (sha1(md5($password))) any good ?
6. I've been reading something about password salt and pepper ?? What exactly is pepper ? Is it some sort of second salt ?

If somebody could enlighten me about these questions, that would be great.

Thanks in advance!

I would like to add md5 encryption into the create and login functions but I'm having difficulties with the process.

user.php - create user and login functions
Code: [Select]
<?php
function create_user($params)
{
 db_connect_posts();
 $query = sprintf("INSERT INTO users 
SET
users.screen_name = '%s',
users.user_email = '%s',
users.user_pwd = '%s',
users.image = '%s',
created_at = NOW()"
, mysql_real_escape_string($params['screen_name']),
mysql_real_escape_string($params['user_email']),
mysql_real_escape_string($params['user_pwd']),
mysql_real_escape_string($params['image'])
);
 $result = mysql_query($query);
 if(!$result)
 {
return false;
 }
 else
 {
return true;
 }
}

function login($username, $password)
{
 db_connect_posts();
 $query = sprintf("SELECT * FROM users
WHERE 
user_email = '%s' AND
user_pwd = '%s'"
, mysql_real_escape_string($username),
mysql_real_escape_string($password)
);
 $result = mysql_query($query);
 $number_of_posts = mysql_num_rows($result);
 if($number_of_posts == 0)
 {
return false;
 }

 $row = mysql_fetch_array($result);

 $_SESSION['user'] = $row;

 return true;
}
?>
Register form:
Code: [Select]
<form action="<?php echo '/'.APP_ROOT.'/'; ?>sessions/signup" method="post">
  <fieldset>
    <legend>Register</legend>
    <div>
      <label>Screen Name</label>
      <input name="user[screen_name]" size="40" type="text" />
    </div>
   
    <div>
      <label>E-mail</label>
      <input name="user[user_email]" size="40" type="text" />
    </div>
   
    <div>
      <label>Password</label>
      <input name="user[user_pwd]" size="40" type="password" />
    </div>
   
    <div>
      <label>Image</label>
      <input name="user[image]" size="40" type="text" />
    </div>
    <input type="submit" name="Register" value="Register" />
  </fieldset>
</form>
Login form:
Code: [Select]
<form action="<?php echo '/'.APP_ROOT.'/'; ?>sessions/login_user" method="post">
  <fieldset>
    <legend>Login</legend>
    <div>
      <label>E-mail</label>
      <input name="user[user_email]" size="40" type="text" />
    </div>
   
    <div>
      <label>Password</label>
      <input name="user[user_pwd]" size="40" type="password" />
    </div>
    <input type="submit" value="Login" />
  </fieldset>
</form>

I am looking for a way to encrypt a string using PKCS7. I have seen openssl_pkcs7_encrypt() but this involves the creation of temporary files which I don't really need. Is there a way to do this?

Hi,

Im using this code:
Code: [Select]
function encryptdata($data_input,$key){     

    $td = mcrypt_module_open('cast-256', '', 'ecb', '');
    $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    mcrypt_generic_init($td, $key, $iv);
    $encrypted_data = mcrypt_generic($td, $data_input);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    $encoded_64=base64_encode($encrypted_data);
    return $encoded_64;
}   


function decryptdata($encoded_64,$key){
    $decoded_64=base64_decode($encoded_64);
    $td = mcrypt_module_open('cast-256', '', 'ecb', '');
    $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    mcrypt_generic_init($td, $key, $iv);
    $decrypted_data = mdecrypt_generic($td, $decoded_64);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    return $decrypted_data;
}

To try to encrypt and decrypt some data, However the decrypted password has the first 2 letters missing. Whatever length string i put in its always the first 2 letters that go missing. I have tried multiple pieces of code over the internet with the exact same problem.

Example: (Original Password, Encrypted Password, Decrypted Password)
BEBw3nJ9rT y3CdmtNeTmhO3Jrq/00YOA== Bw3nJ9rT

Any help?
Thanks.

P.s Yes i am using the same key for the encryption and decryption.

Hello,
I have one line that I can't understand of PHP code used to encrypt strings:
$temp = ord(substr($str,$i,1)) ^ 203;
I understand everything but this " ^203 "
Can you explain me what it does?

Good day all, I need some help with a piece of code I wrote.
I have a 16 digit hex value whic I encrypt (3DES) with another 16 digit hex value. The result is a 32 digit hex value. The problem is I need to store the result in a 16 digit hex value to transport it to a host which will do the decryption.

$data = "3e5fa17b6ab1b1b1";
$key   = "0123456789abcdef";
$enc = mcrypt_cbc (mcrypt_3des, $key, $data, mcrypt_encrypt);  --> this results in 16 position raw binary data
$enc = bin2hex($enc);  --> I get a 32 digit hex value, but the space available will only fit a 16 digit hex value.

If i'm going about this totally wrong please let me know, this has been buggin me for some time now.
Any help would be grately appreciated.
Thank you.

I am trying to decrypt a code encrypted with XTEA. I have been using a script found here, http://goo.gl/xCpgs and it works within its own encrypt/decrypt example. The problem is that it will not decrypt a code given to me by my client. In the code examples description it says the "key" is 16 characters, but the key I have from my client is 32 characters so I think this may be part of the problem, but I cannot find out in the code how to make it work with a 32 char key (if that is even the issue).

Below is the class from the link above and below that are sample encrypt and decrypt strings. If anyone can provide help or a better solution, it is greatly appreciated. My guess is that it is only allowing 16 of my 32 char key. I tried to use a 32 char key, but the code still seemed to only want 16. Help!

I also read something about XTEA only working within the same code language each side of the crypt was made. Can anyone validate this?

Code: [Select]
<?php
/* PHP Implementation of XTEA (www.php-einfach.de)
*
* XTEA was designed in 1997 by David Wheeler and Roger Needham
* of the Cambridge Computer Laboratory.
* It is not subject to any patents.
*
* It is a 64-bit Feistel cipher, consisting of 64 rounds.
* XTA has a key length of 128 bits.
*
*
* ***********************
* Diese Implementierung darf frei verwendet werden, der Autor uebernimmt keine
* Haftung fuer die Richtigkeit, Fehlerfreiheit oder die Funktionsfaehigkeit dieses Scripts.
* Benutzung auf eigene Gefahr.
*
* Ueber einen Link auf www.php-einfach.de wuerden wir uns freuen.
*
* ************************
* Usage:
*
* include("xtea.class.php");
*
* $xtea = new XTEA("secret Key");
* $cipher = $xtea->Encrypt("Hello World"); //Encrypts 'Hello World'
* $plain = $xtea->Decrypt($cipher); //Decrypts the cipher text
*
* echo $plain;
*
*/

class XTEA {

   //Private
var $key;

// CBC or ECB Mode
// normaly, CBC Mode would be the right choice
var $cbc = 1;

   function XTEA($key) {
      $this->key_setup($key);
   }

   //encrypt
   function encrypt($text) {
      $n = strlen($text);
      if($n%8 != 0) $lng = ($n+(8-($n%8)));
      else $lng = 0;

      $text = str_pad($text, $lng, ' ');
      $text = $this->_str2long($text);

      //Initialization vector: IV
      if($this->cbc == 1) {
         $cipher[0][0] = time();
         $cipher[0][1] = (double)microtime()*1000000;
      }

      $a = 1;
      for($i = 0; $i<count($text); $i+=2) {
         if($this->cbc == 1) {
            //$text with last ciphertext XOR
            //$text is XORed with the previous ciphertext
            $text[$i] ^= $cipher[$a-1][0];
            $text[$i+1] ^= $cipher[$a-1][1];
         }

         $cipher[] = $this->block_encrypt($text[$i],$text[$i+1]);
         $a++;
      }

      $output = "";
      for($i = 0; $i<count($cipher); $i++) {
         $output .= $this->_long2str($cipher[$i][0]);
         $output .= $this->_long2str($cipher[$i][1]);
      }

      return base64_encode($output);
   }




   //decipher
   function decrypt($text) {
      $plain = array();
      $cipher = $this->_str2long(base64_decode($text));

      if($this->cbc == 1)
         $i = 2; //Message start at second block
      else
         $i = 0; //Message start at first block

      for($i; $i<count($cipher); $i+=2) {
         $return = $this->block_decrypt($cipher[$i],$cipher[$i+1]);

         //Xor Linkage of $return and ciphertext from the last two blocks or sections
         //XORed $return with the previous ciphertext
         if($this->cbc == 1)
            $plain[] = array($return[0]^$cipher[$i-2],$return[1]^$cipher[$i-1]);
         else          //EBC Mode
            $plain[] = $return;
      }

      for($i = 0; $i<count($plain); $i++) {
         $output .= $this->_long2str($plain[$i][0]);
         $output .= $this->_long2str($plain[$i][1]);
      }

      return $output;
   }

   //Prepare the key to decrypt ver / front
   function key_setup($key) {
if(is_array($key))
       $this->key = $key;
else if(isset($key) && !empty($key))
$this->key = $this->_str2long(str_pad($key, 16, $key));
else
$this->key = array(0,0,0,0);
   }


//Performs a benchmark
function benchmark($length=1000) {
//1000 Byte String
$string = str_pad("", $length, "text");


//Key-Setup
$start1 = time() + (double)microtime();
$xtea = new XTEA("key");
$end1 = time() + (double)microtime();

//Encryption
$start2 = time() + (double)microtime();
$xtea->Encrypt($string);
$end2 = time() + (double)microtime();



echo "Encrypting ".$length." bytes: ".round($end2-$start2,2)." seconds (".round($length/($end2-$start2),2)." bytes/second)<br>";


}

//verify the correct implementation of the blowfish algorithm
function check_implementation() {

$xtea = new XTEA("");
$vectors = array(
array(array(0x00000000,0x00000000,0x00000000,0x00000000), array(0x41414141,0x41414141), array(0xed23375a,0x821a8c2d)),
array(array(0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f), array(0x41424344,0x45464748), array(0x497df3d0,0x72612cb5)),

);

//Correct implementation?
$correct = true;
//Test vectors, see http://www.schneier.com/code/vectors.txt
foreach($vectors AS $vector) {
       $key = $vector[0];
$plain = $vector[1];
$cipher = $vector[2];

$xtea->key_setup($key);
$return = $xtea->block_encrypt($vector[1][0],$vector[1][1]);

if((int)$return[0] != (int)$cipher[0] || (int)$return[1] != (int)$cipher[1])
$correct = false;

}

return $correct;

}



/***********************************
Some internal functions
 ***********************************/
   function block_encrypt($y, $z) {
   $sum=0;
   $delta=0x9e3779b9;


   /* start cycle */
   for ($i=0; $i<32; $i++)
      {
      $y      = $this->_add($y,
                        $this->_add($z << 4 ^ $this->_rshift($z, 5), $z) ^
                            $this-> _add($sum, $this->key[$sum & 3]));

      $sum    = $this->_add($sum, $delta);

      $z      = $this->_add($z,
                        $this->_add($y << 4 ^ $this->_rshift($y, 5), $y) ^
                              $this->_add($sum, $this->key[$this->_rshift($sum, 11) & 3]));

      }

   /* end cycle */
   $v[0]=$y;
   $v[1]=$z;

   return array($y,$z);

   }

   function block_decrypt($y, $z) {
   $delta=0x9e3779b9;
   $sum=0xC6EF3720;
   $n=32;

   /* start cycle */
   for ($i=0; $i<32; $i++)
      {
      $z      = $this->_add($z,
                 -($this->_add($y << 4 ^ $this->_rshift($y, 5), $y) ^
                   $this->_add($sum, $this->key[$this->_rshift($sum, 11) & 3])));
      $sum    = $this->_add($sum, -$delta);
      $y      = $this->_add($y,
                          -($this->_add($z << 4 ^ $this->_rshift($z, 5), $z) ^
                                    $this->_add($sum, $this->key[$sum & 3])));

      }
   /* end cycle */

   return array($y,$z);
    }




   function _rshift($integer, $n) {
        // convert to 32 bits
        if (0xffffffff < $integer || -0xffffffff > $integer) {
            $integer = fmod($integer, 0xffffffff + 1);
        }

        // convert to unsigned integer
        if (0x7fffffff < $integer) {
            $integer -= 0xffffffff + 1.0;
        } elseif (-0x80000000 > $integer) {
            $integer += 0xffffffff + 1.0;
        }

        // do right shift
        if (0 > $integer) {
            $integer &= 0x7fffffff;                     // remove sign bit before shift
            $integer >>= $n;                            // right shift
            $integer |= 1 << (31 - $n);                 // set shifted sign bit
        } else {
            $integer >>= $n;                            // use normal right shift
        }

        return $integer;
    }


    function _add($i1, $i2) {
        $result = 0.0;

        foreach (func_get_args() as $value) {
            // remove sign if necessary
            if (0.0 > $value) {
                $value -= 1.0 + 0xffffffff;
            }

            $result += $value;
        }

        // convert to 32 bits
        if (0xffffffff < $result || -0xffffffff > $result) {
            $result = fmod($result, 0xffffffff + 1);
        }

        // convert to signed integer
        if (0x7fffffff < $result) {
            $result -= 0xffffffff + 1.0;
        } elseif (-0x80000000 > $result) {
            $result += 0xffffffff + 1.0;
        }

        return $result;
    }


   //Einen Text in Longzahlen umwandeln
   //Covert a string into longinteger
   function _str2long($data) {
       $n = strlen($data);
       $tmp = unpack('N*', $data);
       $data_long = array();
       $j = 0;

       foreach ($tmp as $value) $data_long[$j++] = $value;
       return $data_long;
   }

   //Longzahlen in Text umwandeln
   //Convert a longinteger into a string
   function _long2str($l){
       return pack('N', $l);
   }

}
?>

Customer data is encrypted using OpenSSL, and then stored in mySQL varbinary column on a server.
It's now supposedly super safe -- because it can only be read using the secret key hidden right next to it.

Question: What if I encrypted that key?
And that key could only be decrypted with a passphrase submitted from my own dedicated computer?

Then I would be the only one able to read the encrypted customer data on my server, even if that server got hacked.

Obviously that would not work, because the server needs the untampered secret key in order to encrypt the data for mySQL.

Although this seems insurmountable, it feels more like a logic problem....where if you think about it long enough, the answer will come.

Any thoughts on this?

Thank you.

 

I'm sorry if this seems like a stupid question, but I'm having trouble with this encryption and I'm a real noob at PHP.

This is for a registration form going into a mysql DB for integration with a gaming server that must use a Whirlpool Salt Hash encryption.

These are the variables for my form:

userPassword
userName
userEmail

This was my original encryption script (MD5)
Code: [Select]
$_POST['userPassword'] = md5($_POST['userPassword']);

This is the function that I am given to integrate into my website system:
Code: [Select]
function encryptPassword($password) {
$salt = substr(hash('whirlpool', uniqid(rand(), true)), 0, 12);
$hash = hash('whirlpool', $salt . $password);
$saltPos = (strlen($password) >= strlen($hash) ? strlen($hash) : strlen($password));
return substr($hash, 0, $saltPos) . $salt . substr($hash, $saltPos);
}
I've tried inserting the variable $_POST['userPassword'] in place for $password, but it gives me errors...

I'm stuck here, could someone show me how to properly integrate this? I think the problem isn't getting the password into the function but catching the returned variable

Sorry for my noobishnness,
-Nolam


EDIT:

I'm also given this for the login page to check the hash. If you could help me with this it would be greatly appreciated to. Thanks!!!

Code: [Select]
function checkPassword($realPass, $checkPass) {
//check for old encryption (md5 or whirlpool)
if (strlen($realPass) == 32 || strlen($realPass) == 128) {
$hash = (strlen($realPass) == 32 ? md5($checkPass) : hash('whirlpool', $checkPass));
if ($realPass == $hash) {
// change password to new encryption?
return true;
} else
return false;
}

// xAuth 2 encryption
$saltPos = (strlen($checkPass) >= strlen($realPass) ? strlen($realPass) : strlen($checkPass));

// extract salt
$salt = substr($realPass, $saltPos, 12);

$hash = hash('whirlpool', $salt . $checkPass);
return substr($hash, 0, $saltPos) . $salt . substr($hash, $saltPos) == $realPass;
}

I have never worked with des encryption before and have searched through internet getting 3 des and acb - tested multiple code but cant get encrypted the same as in c#

 

public string EncryptQueryString(string stringToEncrypt)

 

public string EncryptQueryString(string stringToEncrypt)
        {
            byte[] key = { };
            byte[] IV = { 0x01, 0x12, 0x23, 0x34, 0x45, 0x56, 0x67, 0x78 };
            try
            {
                key = Encoding.UTF8.GetBytes(KEY);
using (DESCryptoServiceProvider oDESCrypto = new DESCryptoServiceProvider())
                {
                    byte[] inputByteArray = Encoding.UTF8.GetBytes(stringToEncrypt);
                    MemoryStream oMemoryStream = new MemoryStream();
                    CryptoStream oCryptoStream = new CryptoStream(oMemoryStream,
                    oDESCrypto.CreateEncryptor(key, IV), CryptoStreamMode.Write);
                    oCryptoStream.Write(inputByteArray, 0, inputByteArray.Length);
                    oCryptoStream.FlushFinalBlock();
                    return Convert.ToBase64String(oMemoryStream.ToArray());
                }
            }
            catch
            {
                throw;
            }
        }

i followed this ph example but think i am way of course

 

<?php
 
class DES
{
      protected $method;
      protected $key;
        protected $output;
        protected $iv;
     protected $options;
    const OUTPUT_NULL = '';
    const OUTPUT_BASE64 = 'base64';
    const OUTPUT_HEX = 'hex';
 
    public function __construct($key, $method = 'DES-ECB', $output = '', $iv = '', $options = OPENSSL_RAW_DATA | OPENSSL_NO_PADDING)
    {
        $this->key = $key;
        $this->method = $method;
        $this->output = $output;
        $this->iv = $iv;
        $this->options = $options;
    }
 
  
    public function encrypt($str)
    {
        $str = $this->pkcsPadding($str, 8);
        $sign = openssl_encrypt($str, $this->method, $this->key, $this->options, $this->iv);
 
        if ($this->output == self::OUTPUT_BASE64) {
            $sign = base64_encode($sign);
        } else if ($this->output == self::OUTPUT_HEX) {
            $sign = bin2hex($sign);
        }
 
        return $sign;
    }
    public function decrypt($encrypted)
    {
        if ($this->output == self::OUTPUT_BASE64) {
            $encrypted = base64_decode($encrypted);
        } else if ($this->output == self::OUTPUT_HEX) {
            $encrypted = hex2bin($encrypted);
        }
 
        $sign = @openssl_decrypt($encrypted, $this->method, $this->key, $this->options, $this->iv);
        $sign = $this->unPkcsPadding($sign);
        $sign = rtrim($sign);
        return $sign;
    }
 
    private function pkcsPadding($str, $blocksize)
    {
        $pad = $blocksize - (strlen($str) % $blocksize);
        return $str . str_repeat(chr($pad), $pad);
    }
 
 
    private function unPkcsPadding($str)
    {
        $pad = ord($str{strlen($str) - 1});
        if ($pad > strlen($str)) {
            return false;
        }
        return substr($str, 0, -1 * $pad);
    }
 
}
 
$key = 'key123456';
$iv = 'iv123456';
 

$des = new DES($key, 'DES-CBC', DES::OUTPUT_BASE64, $iv);
echo $base64Sign = $des->encrypt('Hello DES CBC');
echo "\n";
echo $des->decrypt($base64Sign);
echo "\n";
 
$des = new DES($key, 'DES-ECB', DES::OUTPUT_HEX);
echo $base64Sign = $des->encrypt('Hello DES ECB');
echo "\n";
echo $des->decrypt($base64Sign);
 

 

Edited May 31 by Paulqvz
made les cluttered

I am reworking some code from a password authentication I did a long long time ago.  The original code is using SHA1() function to encrypt the passwords for storage in the MySQL database.

Is that still considered the way to go, or should I be using a different method for encrypting the little buggers?

Thanks