Solved

PHP 5.3.3. Crypt function

Posted on 2013-12-25
Last Modified: 2013-12-26
I am trying to create an authentication mechanism using the crypt function.
php.net gives the following example:

<?php
$hashed_password = crypt('mypassword'); // let the salt be automatically generated
if (crypt($user_input, $hashed_password) == $hashed_password) {
   echo "Password verified!";
}
?>

My assumption is that you generate the hashed password with the first command, and later you retrieve it from a db and use the second command to verify it, but that doesn't work. Furthermore, even the script as above did not work for me, as every time crypt runs it generates a different hash because it is using a randomly generated salt.

So instead I found that this script works for me:

<?php
$hashed_password = crypt('mypassword',$salt); // Use the same salt always
if (crypt($user_input, $salt) == $hashed_password) {
   echo "Password verified!";
}
?>

My question: is my understanding correct, or am I misusing the function in a way that might cause a security hole in my mechanism?
Question by:Ashraf Hassanein
10 Comments
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 400 total points
ID: 39739712
You are sort of correct but there is more to it.  See this page: http://www.php.net/manual/en/function.crypt.php  The wrapper function password_hash()  may be more suitable.

MD5 http://www.php.net/manual/en/function.md5.php and SHA http://www.php.net/manual/en/function.sha1.php are still frequently used though this page http://www.php.net/manual/en/faq.passwords.php recommends against them.

It depends as much on how much it is worth it to break into your system or web site.  Brute force cracking MD5 and SHA1 hashes still requires a fair amount of computer power.  If there is real money to be made or military and/or industrial secrets to be had, then the most powerful methods should be used.  Of course, you might not be using PHP in those cases anyway.
0
 
LVL 79

Expert Comment

by:arnold
ID: 39739723
There are several options. One deals with you storing the PHP hashed password in the database. On login, the hashed password you stored in the database is the salt for validation of the user-provided password during subsequent logins.
In your initial part you seem to be rehashing, presumably, the stored hashed password, which is the reason it did not work.
The other option is to rely on the encryption mechanisms that exist in the database server.


The second option means the password is stored in plain text within the database.

To illustrate the first option: during account creation/password changes you would hash the password and then write the result into the database.
When a user attempts to log in, you would retrieve the hashed password from the database and then, within PHP, your comparison will be to compare $database_hashed_password == crypt($userprovidedpassword,$database_hashed_password)

If you use MySQL you can validate via a single select, i.e. if a record is returned, the info provided was correct. (You use mysql_real_escape_string() for both username and password from the page to encode user input and avoid SQL injection.)
select * from list_users where username=$username and password=PASSWORD($user_provided_password,password)


http://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html
0
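The store-then-verify flow from the question and the comment above, as an added example that is not part of the original thread: each password gets its own random salt, the full hash is stored, and at login the stored hash is passed back to crypt() as the salt. It assumes PHP 5.3.x with the openssl extension and uses the `$2a$` bcrypt prefix because `$2y$` requires PHP 5.3.7 or later; all function names are hypothetical.

```php
<?php
// Added example for PHP 5.3.x (no password_hash()); function names are hypothetical.

// Build a per-password bcrypt salt string: "$2a$", two-digit cost, 22 salt characters.
function make_bcrypt_salt($cost = 10)
{
    $raw = openssl_random_pseudo_bytes(16); // assumes the openssl extension is loaded
    // bcrypt's salt alphabet is ./A-Za-z0-9, so base64's "+" is mapped to "."
    return sprintf('$2a$%02d$%s', $cost, substr(strtr(base64_encode($raw), '+', '.'), 0, 22));
}

// Registration / password change: store the complete 60-character result.
function hash_password($password)
{
    $hash = crypt($password, make_bcrypt_salt());
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    return $hash;
}

// Byte-wise comparison that does not stop at the first mismatch
// (hash_equals() is not available before PHP 5.6).
function constant_time_equals($a, $b)
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Login: pass the stored hash as the salt so crypt() reuses the algorithm,
// cost and salt embedded in it, then compare the result with the stored hash.
function verify_password($input, $stored_hash)
{
    if (strlen($stored_hash) !== 60) {
        return false; // truncated or non-bcrypt value, e.g. a column that is too short
    }
    return constant_time_equals(crypt($input, $stored_hash), $stored_hash);
}

// Constructed sample values, not taken from the thread.
$stored = hash_password('mypassword');
var_dump($stored === hash_password('mypassword')); // two independently salted hashes
var_dump(verify_password('mypassword', $stored));  // correct password
var_dump(verify_password('wrongpass', $stored));   // wrong password
```

The database column must hold all 60 characters, and the password must reach crypt() exactly as the user typed it, with no SQL escaping applied beforehand.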
 

Author Comment

by:Ashraf Hassanein
ID: 39739736
Hi Dave, thanks. I was planning to use password_hash but it is not available in my PHP 5.3.3. I also tried to upgrade to 5.5 to use this feature, but 5.5 is not available in the standard CentOS repository yet, and I'm not much in favor of this upgrade yet so as not to mess with the other PHP plugins, so I used crypt.
Hi Arnold, thanks for the explanation, but I am really trying to store the password in hash format and then retrieve it and compare it with the user input. My problem is that crypt($user_input, $hashed_pass) will never give a value of $hashed_pass, where in my case $user_input is the flat input of the user coming from the login form and $hashed_pass is the initial hashed password stored in the db, and I don't know why. However, the only thing I noticed is that crypt("my_password") always gives a different value unless you use the salt with it. What do you think? By the way, I am using pgdb.
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 1600 total points
ID: 39739930
Here is my teaching example showing how to encrypt and decrypt information, as well as how to encode it for safe transport over binary-sensitive interfaces, such as the internet or the SQL server.  You might also be interested in this article about PHP client authentication.

Please see http://www.laprbass.com/RAY_encrypt_decrypt.php

<?php // RAY_encrypt_decrypt.php
error_reporting(E_ALL);

// MAN PAGE: http://php.net/manual/en/ref.mcrypt.php

class Encryption
{
    protected $key;

    public function __construct($key='quay')
    {
        // THE KEY MUST BE KNOWN TO BOTH PARTS OF THE ALGORITHM
        $this->key = $key;
    }

    public function encrypt($text)
    {
        // ENCRYPT THE DATA
        $data = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $this->key, $text, MCRYPT_MODE_ECB);

        // MAKE IT base64() STRING SAFE FOR STORAGE AND TRANSMISSION
        return base64_encode($data);
    }

    public function decrypt($text)
    {
        // DECODE THE DATA INTO THE BINARY ENCRYPTED STRING
        $text = base64_decode($text);

        // DECRYPT THE STRING
        $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $this->key, $text, MCRYPT_MODE_ECB);

        // DECLOP ONLY THE TRAILING NUL-BYTE PADDING BEFORE THE RETURN
        return rtrim($data, "\0");
    }
}

// INSTANTIATE AN ENCRYPTION OBJECT FROM THE CLASS
$c = new Encryption();

// INITIALIZE VARS FOR LATER USE IN THE HTML FORM
$encoded = '';
$decoded = '';

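// IF ANYTHING WAS POSTED SHOW THE DATA (ESCAPED FOR SAFE HTML OUTPUT)
if (!empty($_POST["clearstring"]))
{
    $encoded = $c->encrypt($_POST["clearstring"]);
    echo "<br/>" . htmlspecialchars($_POST["clearstring"], ENT_QUOTES) . " YIELDS ENCODED ";
    var_dump($encoded);
}

if (!empty($_POST["cryptstring"]))
{
    $decoded = $c->decrypt($_POST["cryptstring"]);
    echo "<br/>" . htmlspecialchars($_POST["cryptstring"], ENT_QUOTES) . " YIELDS DECODED ";
    var_dump(htmlspecialchars($decoded, ENT_QUOTES));
}

// ESCAPE THE VALUES BEFORE PLACING THEM IN HTML ATTRIBUTES
$decoded_html = htmlspecialchars($decoded, ENT_QUOTES);
$encoded_html = htmlspecialchars($encoded, ENT_QUOTES);

// CREATE THE FORM USING HEREDOC NOTATION
$form = <<<FORM
<form method="post">
<input name="clearstring" value="$decoded_html" />
<input type="submit" value="ENCRYPT" />
<br/>
<input name="cryptstring" value="$encoded_html" />
<input type="submit" value="DECRYPT" />
</form>
FORM;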

echo $form;

HTH, ~Ray
0
 

Author Comment

by:Ashraf Hassanein
ID: 39740004
Thanks Ray, you are always providing great support, but I can see from the script that this is 2-way encryption, and not like hashing, which cannot be decoded. Don't you think that this is a little bit unsecured? What do you advise?
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39740015
Security is a relative term.  If you want my take on it, you can find a discussion at the end of this article.  Search the text for "An Afterword: About Storing Passwords"
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

As we have now learned from the RSA disclosures, encryption of the sort used to protect internet messages was deliberately crippled by RSA in exchange for payments from the US Government.  I don't think you can ever reach a state that implies "completely secure."  Best practices are promulgated through OWASP.  This is good: https://www.owasp.org/index.php/Top_10_2013-Top_10
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39740026
In the category of "security by obscurity" this looks interesting.
http://www.php.net/manual/en/function.base64-encode.php#85831

Perhaps a red-herring could be added to any encrypted data string, much like a "salt" can be added to the md5() string.
0
 

Author Comment

by:Ashraf Hassanein
ID: 39740177
Thanks for your support, that was extremely helpful. Issue solved as usual :-)
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39740201
Thanks for using EE! ~Ray
0
 
LVL 79

Expert Comment

by:arnold
ID: 39740252
Your PHP code was rehashing a password.
crypt's salt can be new or the hashed password; the only issue is that crypt may have a different order of (salt, password) or (password, salt).
The first two characters in the response will tell you whether you have, as I have before, placed the items in the wrong order.

You only posted the code for PHP handling, so I have no idea what was going wrong.

What characters are you allowing in the password? The mysql_real_escape.. would encode different characters.

In future debugging, output the data to the screen; this way you can see what is going on with PHP processing.
I.e. an example of a person's password was sfdde3$d% and after the real_escape it turned up as "sfdde3\$\%".
If you then rehash it, it may deviate from the entered password hash.
0
