Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 314
  • Last Modified:

sha1 Encrypt/Decript

Hi Expert,

I am starting a new application where I want my passwords encrypted. Since this is a brand new application, I would like to echo the encrypted string, so I can copy/paste in my database just to get started.

I am doing this by:

echo 'user = ' . sha1('user', 'pa$$12345') . '<br>';

This is generating:
user = ���k[�2#r��t���

where I expected to be a 40 or 60 characters string. What am I doing wrong?

My second question is how do I decrypt the string back to 'pa$$12345'

Thank you
0
APD Toronto
Asked:
APD Toronto
  • 3
  • 2
  • 2
  • +1
3 Solutions
 
Ray PaseurCommented:
I can show you an encrypt / decrypt algorithm.  Not sure why you would want to decrypt a password - that sounds like a recipe for a security hole!  But in any case this is how it might be done.

Please also see the man page references here.  I don't believe this is reversible. But it's very old - 2001 - so there are probably many algorithms and libraries that facilitate cracking the code today.
http://php.net/manual/en/function.sha1.php
http://www.faqs.org/rfcs/rfc3174.html

<?php // demo/encrypt_decrypt.php
error_reporting(E_ALL);

// REF: http://php.net/manual/en/ref.mcrypt.php
// REF: http://php.net/manual/en/mcrypt.ciphers.php
// NOTE PARALLEL CONSTRUCTION IN THE mcrypt_XXcrypt() FUNCTIONS

class Encryption
{
    protected $key;

    public function __construct($key='quay')
    {
        // THE KEY MUST BE KNOWN TO BOTH PARTS OF THE ALGORITHM
        $this->key = $key;
    }

    public function encrypt($text)
    {
        // ENCRYPT THE DATA
        $data = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->key, $text, MCRYPT_MODE_ECB);

        // MAKE IT base64() STRING SAFE FOR STORAGE AND TRANSMISSION
        return base64_encode($data);
    }

    public function decrypt($text)
    {
        // DECODE THE DATA INTO THE BINARY ENCRYPTED STRING
        $text = base64_decode($text);

        // DECRYPT THE STRING
        $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->key, $text, MCRYPT_MODE_ECB);

        // DECLOP NUL-BYTES BEFORE THE RETURN
        return trim($data);
    }
}

// INSTANTIATE AN ENCRYPTION OBJECT FROM THE CLASS
$c = new Encryption();

// INITIALIZE VARS FOR LATER USE IN THE HTML FORM
$encoded = $decoded = NULL;

// IF ANYTHING WAS POSTED SHOW THE DATA
if (!empty($_POST["clearstring"]))
{
    $encoded = $c->encrypt($_POST["clearstring"]);
    echo "<br/>{$_POST["clearstring"]} YIELDS ENCODED ";
    var_dump($encoded);
}

if (!empty($_POST["cryptstring"]))
{
    $decoded = $c->decrypt($_POST["cryptstring"]);
    echo "<br/>{$_POST["cryptstring"]} YIELDS DECODED ";
    var_dump($decoded);
}

// CREATE THE FORM USING HEREDOC NOTATION
$form = <<<FORM
<form method="post">
<input name="clearstring" value="$decoded" />
<input type="submit" value="ENCRYPT" />
<br/>
<input name="cryptstring" value="$encoded" />
<input type="submit" value="DECRYPT" />
</form>
FORM;

echo $form;

Open in new window

0
 
Dave BaldwinFixer of ProblemsCommented:
'sha1' is a 'hash' which is a one-way algorithm.  It is not encryption that can be decrypted.  Details and links here: http://php.net/manual/en/function.sha1.php   Here http://php.net/manual/en/function.hash.php is a more generalized 'hash' function with some good info.  And here http://php.net/manual/en/refs.crypto.php is the overview page for Cryptography Extensions.
0
 
Dave HoweSoftware and Hardware EngineerCommented:
Dave is correct.

Sha1 (which incidentally is depreciated, so shouldn't be used for new code) can't be reversed, and will be in binary after use. common practice is to base64 encode the hash for human-readable output (and many libraries include that option) - in your code, you can see a base64_encode action so should output THAT rather than binary.

Common practice with hashed passwords is to re-hash the password submitted by the user, compare the two hashes, and if they match, *assume* the user got the password right :)
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
APD TorontoAuthor Commented:
If sha-1 is depreciated, whats there?

I thought there's sha-2 and sha-3?
0
 
Dave BaldwinFixer of ProblemsCommented:
There are other methods in my links above including one that is actual encryption and not just a one-way hash..
0
 
Dave HoweSoftware and Hardware EngineerCommented:
sha-2 and sha-3 yes. also a bunch of non-us-standard ones like whirlpool :)
0
 
APD TorontoAuthor Commented:
So mcrypt is the way to go?
0
 
Ray PaseurCommented:
I would use md5().  You'll get many opinions about why this is a bad idea, or why someone else's idea is better.  You may want to see "An Afterword: About Storing Passwords" in this article:
http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

This cartoon also tells a part of the story.
http://xkcd.com/936/
0
 
Dave BaldwinFixer of ProblemsCommented:
I have a lot of sites using MD5 for password hashes.  But nobody is trying to break in.  I know, I check.  I don't use encryption/decryption on any sites.  Also... none of my sites store any kind of secrets or personal info, there's just nothing to get even if they did crack the passwords.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now