Solved

sha1 Encrypt/Decrypt

Posted on 2015-02-19
Last Modified: 2015-02-20
Hi Expert,

I am starting a new application where I want my passwords encrypted. Since this is a brand new application, I would like to echo the encrypted string, so I can copy/paste in my database just to get started.

I am doing this by:

echo 'user = ' . sha1('user', 'pa$$12345') . '<br>';

This is generating:
user = ���k[�2#r��t���

where I expected a 40- or 60-character string. What am I doing wrong?

My second question is: how do I decrypt the string back to 'pa$$12345'?

Thank you
Question by:APD_Toronto
9 Comments
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 668 total points
ID: 40620358
I can show you an encrypt / decrypt algorithm.  Not sure why you would want to decrypt a password - that sounds like a recipe for a security hole!  But in any case this is how it might be done.

Please also see the man page references here.  I don't believe this is reversible. But it's very old - 2001 - so there are probably many algorithms and libraries that facilitate cracking the code today.
http://php.net/manual/en/function.sha1.php
http://www.faqs.org/rfcs/rfc3174.html

<?php // demo/encrypt_decrypt.php
error_reporting(E_ALL);

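// REF: http://php.net/manual/en/ref.mcrypt.php
// REF: http://php.net/manual/en/mcrypt.ciphers.php
// NOTE: THE mcrypt EXTENSION WAS DEPRECATED IN PHP 7.1 AND REMOVED IN PHP 7.2, SO THIS DEMO NEEDS PHP < 7.2
// NOTE PARALLEL CONSTRUCTION IN THE mcrypt_XXcrypt() FUNCTIONS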

class Encryption
{
    protected $key;

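    public function __construct($key='quay')
    {
        // THE KEY MUST BE KNOWN TO BOTH PARTS OF THE ALGORITHM
        // SINCE PHP 5.6 mcrypt REJECTS KEYS THAT ARE NOT 16, 24 OR 32 BYTES, SO DERIVE 32 BYTES FROM THE STRING
        $this->key = hash('sha256', $key, true);
    }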

    public function encrypt($text)
    {
        // ENCRYPT THE DATA
        $data = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->key, $text, MCRYPT_MODE_ECB);

        // MAKE IT base64() STRING SAFE FOR STORAGE AND TRANSMISSION
        return base64_encode($data);
    }

    public function decrypt($text)
    {
        // DECODE THE DATA INTO THE BINARY ENCRYPTED STRING
        $text = base64_decode($text);

        // DECRYPT THE STRING
        $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->key, $text, MCRYPT_MODE_ECB);

        // STRIP THE NUL-BYTE PADDING BEFORE THE RETURN (trim() WOULD ALSO EAT WHITESPACE IN THE DATA)
        return rtrim($data, "\0");
    }
}

// INSTANTIATE AN ENCRYPTION OBJECT FROM THE CLASS
$c = new Encryption();

// INITIALIZE VARS FOR LATER USE IN THE HTML FORM
$encoded = $decoded = NULL;

// ESCAPE EVERYTHING THAT GOES BACK INTO THE PAGE
function h($s)
{
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// IF ANYTHING WAS POSTED SHOW THE DATA
if (!empty($_POST["clearstring"]))
{
    $encoded = $c->encrypt($_POST["clearstring"]);
    echo "<br/>" . h($_POST["clearstring"]) . " YIELDS ENCODED ";
    var_dump($encoded);
}

if (!empty($_POST["cryptstring"]))
{
    $decoded = $c->decrypt($_POST["cryptstring"]);
    echo "<br/>" . h($_POST["cryptstring"]) . " YIELDS DECODED ";
    var_dump(h($decoded));
}

// CREATE THE FORM USING HEREDOC NOTATION (VALUES ARE ESCAPED FIRST)
$decoded_html = h($decoded);
$encoded_html = h($encoded);
$form = <<<FORM
<form method="post">
<input name="clearstring" value="$decoded_html" />
<input type="submit" value="ENCRYPT" />
<br/>
<input name="cryptstring" value="$encoded_html" />
<input type="submit" value="DECRYPT" />
</form>
FORM;

echo $form;


0
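A counterpart to the class above for current PHP, as an added example that is not Ray Paseur's code: mcrypt was removed in PHP 7.2, so this uses the openssl extension with AES-256-GCM, a fresh random nonce per message and an authentication tag that makes decryption fail on tampered input. The class name AeadBox, the key handling and the sample text are assumptions.

```php
<?php
// Added example, not code from the thread. Class name and sample text are
// constructed. Requires PHP 7.1+ with the openssl extension.
final class AeadBox
{
    private const CIPHER  = 'aes-256-gcm';
    private const IV_LEN  = 12;   // 96-bit nonce, the usual size for GCM
    private const TAG_LEN = 16;   // 128-bit authentication tag
    private $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== 32) {   // a real 32-byte key, not a short passphrase
            throw new InvalidArgumentException('key must be exactly 32 bytes');
        }
        $this->key = $key;
    }

    public function encrypt(string $text): string
    {
        $iv = random_bytes(self::IV_LEN);   // never reuse a nonce with the same key
        $ct = openssl_encrypt($text, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag, '', self::TAG_LEN);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        return base64_encode($iv . $tag . $ct);   // nonce and tag travel with the ciphertext
    }

    public function decrypt(string $blob): string
    {
        $raw = base64_decode($blob, true);
        if ($raw === false || strlen($raw) < self::IV_LEN + self::TAG_LEN) {
            throw new RuntimeException('malformed ciphertext');
        }
        $iv  = substr($raw, 0, self::IV_LEN);
        $tag = substr($raw, self::IV_LEN, self::TAG_LEN);
        $ct  = substr($raw, self::IV_LEN + self::TAG_LEN);
        $pt  = openssl_decrypt($ct, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag);
        if ($pt === false) {   // wrong key or modified data
            throw new RuntimeException('authentication failed');
        }
        return $pt;
    }
}

$box  = new AeadBox(random_bytes(32));   // assumption: in practice the key is loaded from protected configuration
$blob = $box->encrypt('sample text');
var_dump($box->decrypt($blob) === 'sample text');
```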
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 668 total points
ID: 40620407
'sha1' is a 'hash' which is a one-way algorithm.  It is not encryption that can be decrypted.  Details and links here: http://php.net/manual/en/function.sha1.php   Here http://php.net/manual/en/function.hash.php is a more generalized 'hash' function with some good info.  And here http://php.net/manual/en/refs.crypto.php is the overview page for Cryptography Extensions.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 664 total points
ID: 40620848
Dave is correct.

Sha1 (which incidentally is deprecated, so shouldn't be used for new code) can't be reversed, and will be in binary after use. Common practice is to base64 encode the hash for human-readable output (and many libraries include that option) - in your code, you can see a base64_encode action so should output THAT rather than binary.

Common practice with hashed passwords is to re-hash the password submitted by the user, compare the two hashes, and if they match, *assume* the user got the password right :)
0
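What the answers above describe, as an added example that is not part of the thread: the second argument of sha1() is a boolean raw-output flag, which is why the question's call echoed 20 raw bytes, and PHP's password_hash() / password_verify() (PHP 5.5+) perform the hash-again-and-compare step. The function names store_password and check_login and the $stored variable (standing in for a database column) are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. The user name and password are the
// sample values from the question; $stored stands in for a database column.

// 1. Why the original call printed binary: sha1()'s second parameter is the
//    boolean "raw output" flag, not a second value to hash. A non-empty string
//    is truthy, so only 'user' was hashed and 20 raw bytes were echoed.
$raw = sha1('user', 'pa$$12345');   // behaves like sha1('user', true)
$hex = sha1('user');                // default: 40 hex characters
printf("raw length %d, hex length %d\n", strlen($raw), strlen($hex));
var_dump(bin2hex($raw) === $hex);   // the password never entered the hash

// 2. Storing a password: password_hash() generates a random salt, applies a
//    deliberately slow algorithm and returns one printable string (60
//    characters for bcrypt) that can be pasted into the database.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// 3. Checking a login: nothing is decrypted. The submitted password is hashed
//    again with the salt and cost embedded in the stored string, and the two
//    results are compared in constant time.
function check_login(string $submitted, string &$stored): bool
{
    if (!password_verify($submitted, $stored)) {
        return false;
    }
    // Upgrade the stored hash if PHP's default algorithm or cost has changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = store_password($submitted);
    }
    return true;
}

$stored = store_password('pa$$12345');
echo $stored, "\n";
var_dump(check_login('pa$$12345', $stored));
var_dump(check_login('pa$$12346', $stored));
```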

Author Comment

by:APD_Toronto
ID: 40621589
If sha-1 is deprecated, what's there?

I thought there's sha-2 and sha-3?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40621606
There are other methods in my links above, including one that is actual encryption and not just a one-way hash.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40621617
sha-2 and sha-3, yes. Also a bunch of non-US-standard ones like whirlpool :)
0
 

Author Comment

by:APD_Toronto
ID: 40621671
So mcrypt is the way to go?
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 40622262
I would use md5().  You'll get many opinions about why this is a bad idea, or why someone else's idea is better.  You may want to see "An Afterword: About Storing Passwords" in this article:
http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

This cartoon also tells a part of the story.
http://xkcd.com/936/
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40622271
I have a lot of sites using MD5 for password hashes.  But nobody is trying to break in.  I know, I check.  I don't use encryption/decryption on any sites.  Also... none of my sites store any kind of secrets or personal info, there's just nothing to get even if they did crack the passwords.
0
