What's the difference between 1 way encryption and 2 way encryption with PHP and MySQL?
One-way cannot be reversed. Two-way can be.
MD5 and SHA1 are examples of one-way "encryption" (hashing, really). AES_ENCRYPT is an example of two-way encryption.
PHP's crypt() function is also one-way, which is somewhat misleading because encryption generally means two-way. But crypt effectively does the same thing as hashing (1 way), it just saves the salt with the output.
Related
Given that the rule of thumb is to store salted hashes of the password string, not the encrypted form of it, why does the PHP crypt() function use the DES-based algorithms? Isn't DES an encryption algorithm? The manual says
... crypt() will return a hashed string using the standard Unix DES-based algorithm or alternative algorithms that may be available on the system ...
What I understand from here is that crypt() only uses the algorithm as implemented by the system. And surely DES is implemented as an encryption algorithm rather than a custom hashing algorithm for crypt.
PS - I know that DES was way back in the past and nobody should use it anymore.
The idea of DES-based password hashing is, basically, to encrypt a block of zeroes with the password and passed salt for some number of rounds. Any half-decent encryption makes key recovery hard even in the face of known plaintext, so that’s why it’s possible to make strong password hashes out of encryption functions.
I think the PHP default is compatible with this scheme.
I have a small problem. In fact, I have a string crypted with the PHP function crypt(), with only one parameter (without the salt parameter).
I would like to know if it is possible to decrypt the password if it was crypted that way?
Thank you in advance!
No, this is impossible, simply because crypt() is one-way string hashing.
You can, however, use brute force, but it will be too bad if the password is lengthy...
Function crypt() uses a one-way algorithm, there is no decrypt function.
Well, crypt returns the digest of a hash algorithm which by design can't be reversed. Whether or not you possess the salt is irrelevant in this case.
You can try online Rainbow Tables like those at CrackStation to possibly look the hash up. Your only other alternative is to brute force the hash.
I know that hashing functions such as SHA1 and MD5 are one-way encryption systems.
But is there a hashing method which is 'dehashable'?
Like, it produces an x-character string, which can then be 'dehashed' into the original string.
Is there such a hashing method? It will be appreciated if it was PHP compatible.
UPDATE: What I mean by a hashing function is an encryption method which produces an x-character string, which can be decrypted. Sorry for the confusion.
hashing functions such as SHA1 and MD5 are one-way encryption systems.
Not quite - they are as you say hashing functions. They are often used together with encryption systems, e.g. for password hashing algorithms, but they are not encryption systems or encryption algorithms.
But is there a hashing method which is 'dehashable'?
No, it would not be a hash function then, since a hash function maps a larger data set to a smaller data set. This has the side effect that you can get the same hash value out of different input data, which makes calculating the original data from the hash key impossible. What it does allow is, for instance, to check if the original data has been modified - you apply the same hash function to the original data again and compare the calculated hash keys. If they are different, the original data was modified - if they are the same, the original data is (at least very very likely) unmodified.
What you are looking for is probably either a compression/decompression algorithm or an encryption/decryption algorithm.
Hashing is not (one-way) encryption, as a hash value can never be decrypted to the original value; this is by design.
Also, hash functions are designed to make it very hard to come up with a data set that will match a given hash value (cf. collision).
As Andreas suggests, you are looking for compression or crypto functions.
My question is how do I get the same result from mcrypt as I would get from crypt, with respect to blowfish?
I am wanting to use the phpass framework for password hashing and verifying. Which works really well as long as you have PHP 5.3 because blowfish is included with crypt().
My host is running PHP 5.2.x with the mcrypt library.
Going through the docs and googling about blowfish with crypt, it appears that the result is '$a2$', the two character iteration value, '$', the salt (padded or cut to 22 characters), then a 32 base64 string representing the hash.
My problem is I can't find explanations of the MCRYPT_MODE_modenames that make sense to me. And how do I feed mcrypt() the number of iterations I want? Or are the two functions using different forms of blowfish that don't cross translate?
Mcrypt and crypt() are two totally different functions. Mcrypt is two-way encryption, whereas crypt is one-way encryption. As far as I am aware crypt() is inside of PHP 5.2. Also, if I was you I'd just reference crypt() itself. And I'd also use bcrypt from it.
// 'saltstringhere' is a placeholder: bcrypt expects a 22-character salt from ./0-9A-Za-z
$hashed_password = crypt($password_to_be_hashed, '$2a$04$saltstringhere');
Finally, just change the two digit cost factor inside of the two digits after the $2a$. That will allow you to change the amount of CPU time that is going to be required for it. Remember it goes up logarithmically (if I remember correctly). The default value is 07.
Finally crypt_blowfish is the two-way encryption algorithm of blowfish that takes keys up to 448 bits. The blowfish inside of crypt is bcrypt, which is based upon blowfish but was designed for storing passwords as it hashes them. This is known as one-way encryption.
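The bcrypt string layout and cost factor discussed in this thread, as an added example that is not part of any post: a parser for the `$2y$` strings crypt() returns, plus a timing loop over three costs. It assumes PHP 7+; `parse_bcrypt`, the fixed salt and the sample password are constructed for illustration.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+.

function parse_bcrypt(string $hash): ?array
{
    // Layout: $<variant>$<2-digit cost>$<22-char salt><31-char digest> = 60 chars
    $re = '~^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z~';
    if (!preg_match($re, $hash, $m)) {
        return null; // also refuses the short string crypt() returns on failure
    }
    $cost = (int) $m[2];
    if ($cost < 4 || $cost > 31) {
        return null; // bcrypt only accepts costs 04..31
    }
    return [
        'variant' => $m[1],
        'cost'    => $cost,
        'rounds'  => 1 << $cost, // key-setup iterations are 2^cost
        'salt'    => $m[3],
        'digest'  => $m[4],
    ];
}

// Constructed 22-character salt, fixed so the runs are comparable.
// Real code generates a fresh random salt per password.
$salt = 'ConstructedSalt.Demo12';

foreach ([4, 8, 12] as $cost) {
    $start = microtime(true);
    $hash  = crypt('sample-password', sprintf('$2y$%02d$%s', $cost, $salt));
    $ms    = (microtime(true) - $start) * 1000;
    $info  = parse_bcrypt($hash);
    if ($info === null) {
        continue; // crypt() refused the setting on this build
    }
    printf("cost=%02d rounds=%d time=%.1fms digest=%s\n",
        $info['cost'], $info['rounds'], $ms, $info['digest']);
}

// A setting with a too-short salt: check the parser's verdict on crypt()'s result.
var_dump(parse_bcrypt(crypt('sample-password', '$2y$04$short')));
```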
Is DES encryption called "One Way Encryption" or "Two Way Encryption"?
Is there a PHP class or method to decrypt DES encryption?
The PHP crypt function is a one-way hashing function; if you want to be able to decrypt, take a look at the mcrypt extension, which supports a range of algorithms.
It should be noted that there are (and have always been) questions surrounding the DES algorithm. It's been widely in use for a long time, but since it was originally specified with only a 56 bit key, it's questionable whether it's secure enough for any important uses at this point. Triple DES is generally better, but there are some known theoretical attacks. If you have a choice of cipher, you might want to look at AES instead.
DES can be reversed, so it's a two-way encryption (if you meant that).
DES is a pretty well known encryption standard so it should be available in PHP too.
One-way encryption is a secure form of hashing: the plaintext is changed into an apparently random sequence of data, often of fixed length, in such a way that the original plaintext (theoretically) cannot be retrieved without a brute-force effort.
Two-way encryption, or reversible encryption is what we normally mean by the term encryption: the plaintext is transformed into apparently random data, but in a way that relies on a "key" that allows the original plaintext to be retrieved.
DES is a form of reversible encryption that is relatively weak by today's standards, as it relies on a 56-bit key (14 hex characters). It has been superseded by 3DES, or triple-DES, which is essentially the same algorithm with a longer key.
You don't mention your application, but if you need only to compare the data and not retrieve it, hashing is considered more secure. For example, you can store hashed passwords; then, when a user authenticates, perform the same hash on the entered text and compare it with the stored hashed value. If they match, the correct password was entered.
A significant advantage to hashing is that you don't need to store a decryption key.
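The distinction drawn in this answer and in the opening thread (hash and compare versus encrypt and recover with a key), as an added example that is not from any of the posts. It assumes PHP 7.1+ with the openssl extension; the function names, the sample strings and the choice of AES-256-GCM for the reversible side are this example's own.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.1+ with ext-openssl.

// One-way: bcrypt via crypt(). Cost and salt are stored inside the returned
// string, so the hash alone is enough to verify a later login attempt.
function hash_password(string $password, int $cost = 10): string
{
    // 16 random bytes -> 22 characters from bcrypt's ./A-Za-z0-9 alphabet
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    if (strlen($hash) !== 60) { // crypt() signals failure with a short string
        throw new RuntimeException('crypt() rejected the bcrypt setting');
    }
    return $hash;
}

function verify_password(string $candidate, string $stored): bool
{
    // Re-hash using the stored string as the setting; compare in constant time.
    return hash_equals($stored, crypt($candidate, $stored));
}

// Two-way: AES-256-GCM. The key recovers the plaintext, so it must be kept.
function encrypt_value(string $plaintext, string $key): string
{
    $iv = random_bytes(12); // fresh nonce for every message
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

function decrypt_value(string $blob, string $key): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null; // not a 12-byte nonce + 16-byte tag + ciphertext
    }
    [$iv, $tag, $ct] = [substr($raw, 0, 12), substr($raw, 12, 16), substr($raw, 28)];
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt; // null on wrong key or tampering
}

$stored = hash_password('correct horse'); // constructed sample password
var_dump(verify_password('correct horse', $stored), verify_password('guess', $stored));
$key  = random_bytes(32);
$blob = encrypt_value('constructed sample secret', $key);
var_dump(decrypt_value($blob, $key), decrypt_value($blob, random_bytes(32)));
```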
I am not familiar with the "one way encryption" or "two way encryption" terms. There is a term "one time password" (totally irrelevant for DES), and there are "symmetric" and "asymmetric" encryption algorithms, meaning whether the same key is used for encryption and decryption (symmetric) or a set of two different keys is used, one for encryption and another for decryption (asymmetric). DES is a symmetric algorithm. As for PHP, crypt() seems to be doing the job:
http://us2.php.net/crypt
I think you probably mean a one-way function [1]. In cryptography one distinguishes between symmetric and asymmetric cryptography. Symmetric cryptography uses the same key to encrypt and decrypt (DES is symmetric). Asymmetric Cryptography is used for key exchange and a public key is used to encrypt the message, while the private key is used to decrypt it. An example of Asymmetric Cryptography is AES [2]. Asymmetric cryptography uses one way functions.
[1] http://en.wikipedia.org/wiki/One-way_function
[2] http://en.wikipedia.org/wiki/AES