This question already has answers here:
Php change a number into another number that can be changed back to the original
(2 answers)
Closed 8 years ago.
there are lot of number starting from 0-....
and we don't wanna show this ordered id to anyone
and we have to give unique number somewhere so
how to encode number to another number.
and each encoded number nust represent just one number. just like encryption not hashing.
we also need uniqueness means if 56 give 842 then no else should give 842.
here similar quetions for C#
Encrypt a number to another number of the same length
but how can we do that in php
thanks.
I have no idea why people overcomplicate things by inventing own encryption systems which may either be not good or unnecessary.
PHP offers you mcrypt:http://de3.php.net/mcrypt
A good way to encrypt and decrypt something in a cryptographically strong way.
Note: Base64 is not a good solution as this is no encryption
Edit: Again relying on some user created encryption is not recommended. It is not well tested and relies partially on security by obscurity.
Albeit mcrypt requires some calls to the mcrypt api it allows you to use cryptographically strong systems like MCRYPT_RIJNDAEL_256, MCRYPT_TWOFISH256 etc.
I do not know anything about your security requirements but NEVER invent the wheel again. When you make a mistake in such things you won't notice as a malicious user won't tell you that but simply exploit your system.
See https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own
You can use base64_encode & base64_decode in case of PHP.
For Example:
<?php
$order_id = "123";
$enc=base64_encode($order_id);//MTIz
echo base64_decode($enc);//123
?>
Related
This question already has answers here:
Is it possible to decrypt MD5 hashes?
(24 answers)
Closed 6 years ago.
I have a hashed MD5 password saved in a MySQL database. Is there anyway to find out how many characters were in the original password?
I don't think there is because from what I've read it's difficult to decrypt a hashed password anyway.
Anyway I can do this?
EDIT: Because of the serious amount of backlash!! I'm not interested in decrypting a hash, because I know thats not a great idea from what I've read.
The reason I ask is because.
I am migrating an old system including historic database to a new updated application. All users, many thousands have their password saved in the database MD5, but most with less than 8 characters, so I just wanted to know if there was a way to know if their original password was over 8 characters, then I can bcrypt it or force users to change their password.
But I'll have to force all users to change their passwords by the looks of it
From OP's comment:
i was just purely asking to save forcing all users to ti change their passwords if their password was below a certain character limit – frobak
The answer to this then is to use strlen():
http://php.net/manual/en/function.strlen.php
As for MD5, don't use it it's totally unsafe. A lot of water has gone under the bridge in over 30 years.
Use password_hash():
http://php.net/manual/en/function.password-hash.php
As for decrypting a hash; it can't be done/reversed; that's why it's called a hash and not encrypted.
There are what's called "Rainbow tables":
https://en.wikipedia.org/wiki/Rainbow_table
But I'll have to force all users to change their passwords by the looks of it
Consult the following: Converting md5 password hashes to PHP 5.5 password_hash()
That way you can "hit two posts with one stone".
However, MD5 is 32-length. You will need to increase that to 60+ in order to have the proper length when using password_hash() and as Jay Blanchard stated in his comment, otherwise that may fail "silently" later on when using password_verify().
Nope. You can generate random strings and hash those until you find a match and measure the length of that (this will take an extremely long time, and may actually be incorrect because of collisions, don't do it), but outside of that, it's impossible.
The answer is already given and is worth upvoting, nevertheless I would like to share another view on the problem.
Is it possible to find out the character length?
No actually there is no way to tell the number of characters in the original password from a MD5 hash.
Is it possible to find the passwords with less than 8 characters?
Unfortunately yes. Since cracker tools can brute-force about 20 Giga Md5 per second it is possible to test all 7 character password combinations (a-z A-Z 0-9) in only 3 minutes!
Please note that this is not what I recommend to do, since it would be illegal, it is just to show how unsafe such hashes are. Instead you can calculate a second hash from the stored MD5 hash, I described this in another answer.
We were making kind of a simple game,
in which:
Users receive the next number of play as an encrypted string Before they play
After they play, the encryption password is provided to them to check the play number was correct.
Each encrypted string is only valid for 1-2 hours and number of play , verificating string and encrypted string is regenerated again after that time
The encrypted string includes a verification (5 char) code so both users and we can make sure Decryption process was successful
Sample Character to get Encrypted (QQ9LU is random verification code provided to user before the play):
Next Play Number: 8 - Verify String: QQ9LU
Sample Encrypted String (provided to user before play):
NXRykKOv3B6kuu4Ke3svp7HH3enNiqIZrJSXJiF54QkHHjtXgqpUXxyuP7YUNICeFLg==
Sample Password (provided after play):
Please note this is generated randomly for each encryption
FA00RDjA77hlOzcOzH6kuGcc29CyM7Hw
We use CodeIgniter 2.2.2 Encryption Class to encrypt/decrypt strings
Encryption Method Info:
Function Used: $this->encrypt->encode($msg, $pass); with random pass each time
Cipher is CodeIgniter 2 default MCRYPT_RIJNDAEL_256
Mcrypt mode is MCRYPT_MODE_CBC
My Questions are:
Can i trust that users cannot break the encrypted string (and know the number of play before they get the password) in 1-2 hours (aside from getting lucky)
Is placing random verification code Verify String: T3YH4 in there good or bad? does is affect security? (this is to verify decryption result was successful, also we added it because the only variable in each string was a single digit, for example only number 8 changes to 7, so we wanted to add more variable characters to the string to possibly have a better security)
Any other suggestion is appreciated
Short answers:
From a technical POV, what you're doing is unsafe, although it might be enough for just a 2-hour timeframe.
What you're trying to do here is called "message authentication", but that's not how it should be done, which in turn does impact security. You should use a HMAC instead.
My advice would be to upgrade to CodeIgniter 3 (CI2 will stop receiving even security updates in a few months) as soon as possible, and use its new Encryption library instead. That will make it safe for years, not hours.
Long answer:
The encryption library should do both encryption and authentication for you, but unfortunately the CI_Encrypt class itself is badly written and lacking a lot of functionality (such as authentication), which is why it was DEPRECATED and is being replaced by a new (CI_Encryption) library in CodeIgniter 3.
Explaining all the flaws in here would be quite the task, so I'd rather link you to an external article (not self-promoting, don't worry), which does that quite nicely if you're interested in the low-level details.
No matter which library you use however, one thing must be noted - a password is not the same thing as an encryption key.
Passwords have a varying length and are used by humans, which means that they must be readable by humans, and that in turn limits them to a certain set of characters.
Encryption keys on the other hand have a fixed length (each encryption algorithm is designed to work with a specific key length; for Rijndael-256 that's 32 bytes, which you seem to match) and are not limited to human-readable characters (which means more entropy and therefore more security) - they represent raw binary data.
Anything else can be controlled (and therefore automatically done) by a library, but if you pass a password instead of a key - that's what the library will use, so you should take care of that.
The best and simple way to do that is to use the filesystem functions to create a simple text file for each user in non public path with two lines, the first of them is a unique random string (long string varied in length) and the second is the number.
Then using sha1_file get the hash value of the file then store it in the database related to its path and creating time, then send this hash to the user.
After the user has played, check the value by another script that get the value of the hash from the database, then read the file and parse its second line to display the number.
By this way, you have gave the user a hash not for a string, but it for a file and cracking it to get the file back is not simple as to be done in two hours.
You are giving your Encryption/Decryption logic to client side. Hacker will easily identify how your password and encryption strings are being match.
Many framework have their own password creationg and compare logics. Yii using SALT and other features like SHA1 etc...
Keep it simple and keep all things at your end. Generate your encryption things and store at your end. Follow simple steps,
Generate encryption password (using SALT and/or other encryption tools) and store at your end
Ask client (user) to enter their password (key) and get at server side
Convert your password (key) to encryption password and compare
CPasswordHelper will be helpful for you. Try to download Yii source code and put out their logic for you.
Hope that helps !!
Sounds like a fun game!
I am assuming you are creating these strings in files on a filesystem. If you were hosting them on some web application that would assume different techniques to break the string.
Adding a code to the end of the string is called salting the string. While this makes the string harder to guess, if you are adding a hardcoded salt instead of a randomly generated salt it can still be easily broken by brute force methods.
I would try using a one-way hashed string for the password and storing that in a database. The user is unable to decrypt the string and has to just provide a matching password to gain access to your string. It is possible for programs to break one-way hashed strings but I find it unlikely someone will be smart enough to do that if they are in college and only have two hours. It takes alot of domain knowledge and experience to start generating one-way hashed strings to brute force it.
In addition you are probably safe with the method you are doing currently, students will not likely be able to break a string in 2 hours unless they are familiar with advanced encryption hacking scripts that take some work to find. I am guessing they will do trial and error, using different decryption libraries similar to the example you provide and hoping they get lucky with the library of strings they are trying to match against yours.
Also information is important with any type of encryption. Telling someone you are adding a 5 code salt to your string, will give them some insight into how your encryption algorithm works. They can then try methods of breaking it based on the information you give them. Try the same thing with your own algorithm and leave the students in the dark, I doubt anyone will break anything in the time alotted. Alot of hacking techniques involve going through an information gathering process where the hacker scopes out or maps a system before trying to attack it.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Secure hash and salt for PHP passwords
I saw someone coding a password hash like this,
md5(uniqid(mt_rand('password', 15), true));
is that a secured way to do this? is that even worked out?
No it isn't a safe way. It is crackable and, in your example, it is not repeatable. You would have to store the random value long with the hash itself. If th DB is compromised, then it becomes extremely simple to bruteforce the hash.
You should know that MD5 and SHA1 are two of the weakest hashing algorithms, that are available in PHP.
Much better is to use crypt() function, with CRYPT_BLOWFISH or PBKDF2.
update
Also, as PeeHaa mentioned, it does not work. The mt_rand('password', 15) will cause Warning: mt_rand() expects parameter 1 to be long, string given on line X.
Not only is that not secure, it doesn't even work.
mt_rand takes 2 parameters, a min value and a max value.
mt_rand('password', 15)
This converts 'password' to an int (0), then returns a random number between 0 and 15.
uniqid(mt_rand('password', 15), true)
This then generates a unique ID, and prepends the random number from the previous step to it: calculating something like this:
144ffb22886d58e1.82100749
That string is then md5'd.
As you may be able to see, this code is 100% useless. The original password is converted to 0 and lost forever, so all you're doing is hashing random numbers, which is pointless. Now that you have your hash, there is no way to verify it again. Since the password is converted, whatever the user enters doesn't matter.
So, no, this code is not secure, do not use it.
Personally, I use the phpass library. It's secure, and simple to use.
To be honest I wouldn't even use md5 as a hashing algorithm for storing passwords. I would look into using something like bcrypt. Also I don't even get how your example would work, but in any case if you want to secure it then stay away from md5, sha1 at the minimum and learn from others mistakes and use a salt.
This question already has answers here:
Is it possible to decrypt MD5 hashes?
(24 answers)
Closed 10 years ago.
I have this hash generated with crypt function in php:
$1$jV3.NS/.$JLVMBWe0N/W0Rbft4NgPV.
I know $1$ is MD5's hash, jV3.NS/. is the salt and the other text is the encrypted string.
Is possible decrypt this hash if I know the salt?
No. That's the point of a cryptographic hash. It's easy to compute but computationally infeasible to invert.
No. That is the primary purpose for a hash. It is a one way mathematical operation.
A hash is a function designed to be easy to run forward, but exceedingly expensive/painful to reverse. Think of it like a sausage grinder. You can put practically anything you want in going forward but it's near impossible to turn the grinder backwards and get the original components back out
No, MD5 and other hashing functions are considered to be one way algorithms to prevent people from doing exactly what you're looking to do. However it IS possible to do a look-up against a library of precompiled words/passwords/etc. And find a match. (commonly called a rainbow table attack).
However the addition of a salt value means you will most likely have to brute force it, which will take a while. Though if you have the setup, there are some GPU accelerated programs that are REALLY fast.
This should get you started.
OphCrack: http://ophcrack.sourceforge.net/
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Best way to use PHP to encrypt and decrypt?
For my project I want to store password in encrypted format,
so i have stored it using md5('password'), but my project requirement is that we should be able to decrypt the password, and as you all know we can not decrypt md5 encrypted string.
so i have choose it to encode using base64_decode('password') and decode it using base64_decode('encodedpassword').
but i want to know that is it a best practice to use base64_encode ? or is there any other encryption decryption technique with PHP?
First off, md5('password') is not encryption. You cannot recover the original password after you hash the data. NB for technical readers: a brute force attack will not recover the password either, since there are a finite number of hashes and an infinite number of different strings.
Now, base64_encode('password') is also not encryption, except possibly in the very loosest sense of the word. Anyone can look at the Base64 text and recover the original password.
Encryption as it is generally known consists of a plaintext and a private key of some sort. An example of an encryption algorithm would be AES-256 ("Rijndael" is the name of the algorithm which won the AES contest and thus the title). AES-256 uses a 256-bit key and is generally considered very secure when properly implemented.
Cryptography is not a topic which should be approached lightly. It is extremely difficult to get right and the consequences when you do not are, although this seems contradictory, both subtle and severe.
You should very carefully evaluate whether you need to be able to recover the password. In 99.9999999% of all cases, the answer is "no". In fact, I cannot think of a case where the plain-text of the password would matter to you.
After you are done evaluating whether you need to be able to recover the password, decide that you do not need to be able to recover the password.
After that step, if you still believe you need to be able to recover the password, look at already-written crypto libraries for PHP. OpenSSL is a well-tested generally-accepted crypto framework which implements pretty much every popular encryption standard, but it may be a little on the difficult-to-use side. mcrypt is very commonly installed and generally easier to use.
I usually just go w/ sha-1 + a salt.., take a look at the crypt function.
For PHP version 5.3+
You would use Bcrypt, which is the strongest hash I have ever known.
But the problem is that it is slower than other encryptions.
I recommend AES256 which is faster than bcrypt and safe as well