I was trying to rewrite a python registration page of a game server to PHP,
before inserting the password to database it is encrypted with the following function
hash = binascii.b2a_hex(self.cipher.encrypt(binascii.a2b_hex(hash)))
I'm not familiar with encryption and have no clue how to translate this to PHP
OK, let's do this step by step.
Initially, the hexadecimal hash is converted to binary using the binascii's function a2b_hex. The PHP equivalent of that would be hex2bin.
Then, you're using cipher's encrypt function to, supposedly, encrypt the previously obtained value. This is one of your classes, so I can't really guess what it does. Go find out.
Finally, just use the reverse equivalent of PHP's hex2bin: bin2hex().
PS: this hashing procedure looks really, really, weird to me...
Related
I would like to know if there is a Javascript counterpart to the PHP oppenssl_encrypt and openssl_decrypt functions.
I have developed a unique combination of PHP and AJAX where a user can log in to a website using their username and password and be authenticated without the username or password even being transmitted to the server. The point is, both the server and the user have a never-transmitted secret key that can be used as an encryption key.
I mention this because many of the "answers" I have found here are arguments about why anyone needs to do this, because "any secret key that you use will have to be transmitted". Not the case here, so please don't comment if you are a naysayer.
What I am really looking for is two sets of string encryption/decryption functions that are compatible between PHP and Javascript, using a secret key. Any thoughts?
Ok.. I don't know about openssl_... things, but you can download a js to encrypt / decrypt things with blowfish algorithm. Blowfish is in php too (mcrypt contains this algorithm by defualt).
I googled and found a link
http://dren.ch/js_blowfish/
You can always google things, you may find the same for openssl too!!
Check out the first comment on openssl_decrypt() for the PHP bit, and then you can get the Gibberish Javascript bit here.
I have gotten a code from php.net. http://php.net/manual/en/book.mcrypt.php
Problem is when you encrypt something, the next time the ecrypted one isn't the same as the first one. I need to get the exact same hash using sha512 or sha256. I also need to decrypt it because the function will be used for encrypting customer's name and other data.
Thanks in advance!
I shared my crypt wrapper at https://stackoverflow.com/a/173764/17404. Try using that.
Instead of using mcrypt for hashing, consider using the hash() function instead.
Remember, hashes is one-way methods and cannot be 'decrypted'.
Looking for encryption/decryption I would recommend you look at AES encryption - either through MySQL if you have your data stored in the database, otherwise mcrypt() can also manage AES.
I'd like to know is there a string hashing function that would produce identical results both in JavaScript and PHP, just to avoid text transmissions in cases when some textual data coming from the client side needs to be verified on the server side for being the same as expected?
Yes, See this md5 hashing function for JS. Here is sha1.
You'd find more in http://PHPjs.org
There are a variety of string hashing algorithms you can select from. Google will give you lots of choices. One popular algorithm is MD5 which I'm sure you can find implementations for in both javascript and PHP. Here's one reference on MD5 with javascript code and here's a second reference for javascript.
MD5 has the characteristic you are seeking that the same string always produces the same hash value and it can be implemented in any language.
I don't know PHP myself, but it appears that PHP might already have a function called md5() built in. See here for a reference.
If you use MD5 hashing, you will get the same result in both javascript and PHP
PHP MD5 Hash
JQuery MD5 plugin
or Without JQuery MD5 function
I was wondering if there is a python cognate to PHP's crypt() function that performs in a similar way, generating a random salt and embedding it within the saved string.
I have a table of hashed passwords that were created using the $5$ string key to setup a SHA256 based salted cryptogram. These hashes had some additional recorded entropy attached to both ends at a fixed interval, but splitting these characters off the string and getting the core hash is trivial and not a problem at all.
I've looked at the python documentation and can't find any methods in hashlib that seem to utilize the same syntax from php's crypt(). Is the approach utilized in PHP (the input format split with dollar signs between salt, algo and rounds) unique to the language?
Thanks.
EDIT:
It looks as though the revised version of python's own native crypt function is going to utilize procedures similar to that of PHP. From the 3.3 pre-release documentation:
http://docs.python.org/dev/library/crypt.html
EDIT:
Finally found Passlib, a library that provides this functionality in pure python.
http://packages.python.org/passlib/index.html
I realize that this question is old, however I found it while I was trying to implement a login algorithm in Python that was originally written in PHP. The crypt function in PHP uses any of a handful of somewhat insecure DES algorithms, including bcrypt. It depends on what you hash your string with. Passlib is pretty much your best bet for replicating the functionality your application is currently getting from PHP crypt. Take one of your hashed passwords, and look at the front of the string. You should see something like $2a$, $3$, $6$ (or similar). Note that if this string does not exist, you are more than likely using standard DES hashing.
Take that info to this link:
http://pythonhosted.org/passlib/modular_crypt_format.html#mcf-identifiers
Then, match it up to the algorithm you need to implement in Python. The Scheme identifiers are links to the passlib documentation regarding that hashing algorithm. At this point, you should have all the info you need to complete your reimplementation.
It certainly looks very similar to FreeBSD's crypt (see "modular crypt" in the manpage). I don't really recall if it's the same way in Linux or other but this seems to indicate it's not unique.
There's no direct equivalent in Python as far as I know, but it shouldn't be too hard to roll your own since the encryption algorithms themselves should be supported in hashlib.
I mean, crypt()'s return is always different.
So how do websites like 4chan do to give a permanent tripcode to a password?
Are they stored in a database?
4chan's tripcodes are created using a specific formula, and are a shorter version of a hash. You can achieve the same effect by using MD5 or SHA1.
Encrypt string to MD5 (PHP):
$md5 = md5("$string");
Encrypt string to SHA1 (PHP):
$sha1 = sha1("$string");
There is no way to reverse the hashing process (just like tripcodes), but with time and power they can be "bruteforced" back to plain text.
It's quite common to salt a password, then hash it using DES, MD5, SHA, or newer hashes. The salt is then stored as part of the password.
PHP's crypt works this way, although the exact algorithm it uses to hash the password may be different between versions of PHP... and even between operating systems, although the latter supposedly changed in PHP 5.3. (PHP now includes its own hashing library instead of relying on the OS library, which is really, really important if you're using Windows, as crypt function on Windows only supported DES with 2-byte salt prior to this)
Edit:
Note: crypt has an optional second argument. Passing the encrypted password as the second argument will usually get PHP to detect the salt and algorithm used to originally hash the password, namely because everything other than DES start with $#$ where # is a number.
You pass the salt to crypt() as the second argument. This causes the output to use that salt instead of generating one on the fly.
The salt being randomly generated is why crypt("something") returns different results each time. If I run crypt("something", "ab"), it'll be identical every time. I don't have PHP here to check what the value is, though.
Wikipedia has an article about Tripcodes.
I think there's a table "tripcodes" where tripcodes were generated with the Wikipedia's and they are associated with strings they come from, no?
Yes password are stored in a database but without the use of crypt(). They use sha1() or encryption database function like AES_ENCRYPT() in mysql.