When I pass the clear password to check the login of the user and apply a md5() on the string, the md5 hash is equal to the md5 hash stored in the MySQL database (Login succeed).
But I don't want to transfert the user password in clear inside my POST function, so I decided to use cryptoJS to only send the key and then decrypt the password on the PHP server side.
The problem is, when I'm using the decrypted password, the md5 is different. This is weird because the clear password string is the same than the decrypted password, and the md5 hash is different.
By doing:
var_dump($clearPassword); //Hello.
var_dump($decryptedPassword); //Hello.
But:
var_dump(md5($clearPassword)); //3ea484671d7b00a1df4734ded1aa379c1.
var_dump(md5($decryptedPassword)); //470a1ad08cbdebe075214591ea20fec9.
As you can see, it's exactly the same string but the md5 hash is different, I've noticed that var_dump() give as an output:
string(16) for the $clearPassword;
string(32) for the $decryptPassword;
I tried to change the string encoding but there's no luck. Anyone can explain me why md5() behave like that with those same passwords string? thanks again.
the decrypted password IS NOT the same as the original. Check the length of the two strings, check the encoding, do a byte to byte comparison. "Hello\0" and "Hello \0" seems identical but they are not. Even "Hello\0" and "Hello\0\0\0" are not the same. Maybe the decryption algorithm gives a string length of 32 bytes.
I'm probably going to do like #fpierrat said, just encrypt in the client side and do a straight comparison of md5 hash in the PHP server.
Related
$password=PREFIXE.hash("sha256",$_POST['Password']).SUFFIXE;
How to decode Hash password to string in SHA 256
As Frederico says you cant really encrypt but maybe a database could be of use in individual cases, google "sha256 database".
Note: using these kind of websites can pose a security risk e.g. if you enter a secure passwords in plain text into the encoding form they will save it and the corresponding hash to grow their database.
I know the PHP function, password_hash outputs the algorithm, cost, salt, and hash all in one string so password_verify can check a password.
Sample output from PHP page:
$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
so the $2y$ represents the algorithm, the 10 represents cost.
But how does password_verify separate the salt from the hash? I don't see any identifier separating the two afterwards.
For the bCrypt version of Password Hash.
Bcrypt has a fixed-length salt value. The crypt function which is what PHP calls internally when you're utilizing password_hash()/password_verify() with the default algorithm has a a 16 byte salt. This is given as a 22 characters of the custom base64 alphabet A-Za-z/. then it decodes the string into bytes as 22 B64 characters encode 16.5Bytes there is an extra nibble of data that is not taken into account.
For all other hashes the salt value is a defined set of bytes which are of course encoded into ASCII safe b64 and put after the $ sign and then the verifying function would only have to split the string into parts via the delimiter $ and then go for the third set of characters get the substr(0,B64_ENCODED_HASH_ALGORITHM_SALT_LEN). After that it would then pass the parameters it also got from the split string and pass those back into the password_hash function along with the password to check.
The string it gives you is defined by the hashing algorithm's standard in most cases but is almost always something to the pattern of
$<ALGORITHM_ID>$<COST_IN_FORMAT>$<BASE64_ENCODED_SALT><BASE64_ENCODED_HASH>$
Is there a way in PHP to test if a string has been encrypted using mcrypt_encrypt?
You have not written what you're actually concerned about specifically, but:
Whether or not some data has been encrypted is not dependent on which encryption function has been used but which encryption algorithm. Say, if somebody has encrypted something in PERL or in PHP - you can't tell by having the encrypted string.
So as this applies, you can't tell for mcrypt_encrypt. That function does not leave any sign inside the encrypted data.
However, if you have the key and the original text (plain) as well as the algorithm, you can reverse what mcrypt_encrypt does with mcrypt_decrypt. You can then compare the plains and if they match you can say that the plain was encrypted with the specific key and algorithm.
As we're talking about encryption, this is normally not the case, you don't have the plain.
However, you can create a checksum of the plain and encrypt it as well. Then you can decrypt it later on and compare it with a checksum of the plain you encrypted as well to tell if the data was successfully decrypted. But as this shows, this is actually additional information next to the encrypted data.
If you add more information what you're looking for, it might be possible to give more helpful suggestions.
when encrypting add some static text to your string ; when cheking use mcrypt_encode again with static text this time without original string see if encrypted static text exist in encrypted string . it should work
Presumably you mean mcrypt_encrypt()? There is no mcrypt_encode() function.
No. A properly encrypted string should be indistinguishable from random garbage. The only way to test a crypted string to see if it's crypted is to decrypt it.
I am encrypting values of variables that I am sending through hyper link such that it is not easily editable by user..Suppose I have list of values that are shown in hyper link.
<?=$row['p_name'] ?>
Now I want to navigate to view.php where I want to get back value of $row['p_id'] from the title. Is their any way to do So? What are other functions that encrypt on manage.php and decrypt again view.php page?
You appear to be confusing encryption and integrity assessment.
Integrity assessment:
If your purpose is detect when the user modified the values passed on the URL, a hash code (sometimes known as a Message Digest or a Checksum), such as one produce with SHA256 can suffice.
Simply add the URL an extra parameter value with a hash code. This hash code value can be produced by feeding the hash algorithm with the values which integrity you wish to assert, maybe along an extra secret "key" value (aka "salt"). Upon receiving a request, first verify that the hash produced by the values on the URL matches the hash of the URL; if it doesn't at least one value on the URL was altered.
Encryption:
If your purpose is to hide from the user and others what kind of data/values are passed on the URL, encryption is necessary. Unlike a hash, Encryption algorithms can be reversed and produce back the original input from the encrypted text.
In most cases, encryption can also provide data integrity validation, because it is difficult for someone to alter the encrypted text in a way that it can be decrypted to a structurally valid text. Many encryption algorithms are such that altering even just one or two bytes in the encrypted text, results in producing "gibberish" at decryption time.
Practical suggestions with PHP:
for hashing, use one of: crc32(), md5() and the like. (or also hash() as shown in the question's code snippet).
for encryption, use mcrypt_encrypt() / mcrypt_decrypt() from the MCrypt module
depending on the algorithms used, remember to convert the encrypted output base64 or other format so that it can be part of a URL (many hashing and encryption methods produce binary data that include many characters susceptible of "breaking" urls)
if you don't need more secret encrypt ,try using base64_encode/base64_decode
If you only need the data to be tamper proof you could use hash_hmac
I was wondering if I use PHP's hash() function to generate sha512 hashes how would my MySQL table field look like in-order to be capable of holding the hashed password.
Here is my current MySQL password field layout
char(40)
A sha512 hash is represented as a 128 characters-long string.
For example, the following portion of code :
$sha512 = hash('sha512', "Hello, World!");
echo strlen($sha512);
Will give this output :
128
Which means your char(40) is far too small, and that you should use a char(128).
Another solution would be to store it in a binary form, and not a string -- which would mean 64 bytes.
But note it might be harder to deal with that representation, in some cases, I suppose.