[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 294
  • Last Modified:

sha1 Encrypt/Decript

Hi Expert,

I am starting a new application where I want my passwords encrypted. Since this is a brand new application, I would like to echo the encrypted string, so I can copy/paste in my database just to get started.

I am doing this by:

echo 'user = ' . sha1('user', 'pa$$12345') . '<br>';

This is generating:
user = ���k[�2#r��t���

where I expected to be a 40 or 60 characters string. What am I doing wrong?

My second question is how do I decrypt the string back to 'pa$$12345'

Thank you
0
APD_Toronto
Asked:
APD_Toronto
  • 3
  • 2
  • 2
  • +1
3 Solutions
 
Ray PaseurCommented:
I can show you an encrypt / decrypt algorithm.  Not sure why you would want to decrypt a password - that sounds like a recipe for a security hole!  But in any case this is how it might be done.

Please also see the man page references here.  I don't believe this is reversible. But it's very old - 2001 - so there are probably many algorithms and libraries that facilitate cracking the code today.
http://php.net/manual/en/function.sha1.php
http://www.faqs.org/rfcs/rfc3174.html

<?php // demo/encrypt_decrypt.php
error_reporting(E_ALL);

// REF: http://php.net/manual/en/ref.mcrypt.php
// REF: http://php.net/manual/en/mcrypt.ciphers.php
// NOTE PARALLEL CONSTRUCTION IN THE mcrypt_XXcrypt() FUNCTIONS

class Encryption
{
    protected $key;

    public function __construct($key='quay')
    {
        // THE KEY MUST BE KNOWN TO BOTH PARTS OF THE ALGORITHM
        $this->key = $key;
    }

    public function encrypt($text)
    {
        // ENCRYPT THE DATA
        $data = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->key, $text, MCRYPT_MODE_ECB);

        // MAKE IT base64() STRING SAFE FOR STORAGE AND TRANSMISSION
        return base64_encode($data);
    }

    public function decrypt($text)
    {
        // DECODE THE DATA INTO THE BINARY ENCRYPTED STRING
        $text = base64_decode($text);

        // DECRYPT THE STRING
        $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->key, $text, MCRYPT_MODE_ECB);

        // DECLOP NUL-BYTES BEFORE THE RETURN
        return trim($data);
    }
}

// INSTANTIATE AN ENCRYPTION OBJECT FROM THE CLASS
$c = new Encryption();

// INITIALIZE VARS FOR LATER USE IN THE HTML FORM
$encoded = $decoded = NULL;

// IF ANYTHING WAS POSTED SHOW THE DATA
if (!empty($_POST["clearstring"]))
{
    $encoded = $c->encrypt($_POST["clearstring"]);
    echo "<br/>{$_POST["clearstring"]} YIELDS ENCODED ";
    var_dump($encoded);
}

if (!empty($_POST["cryptstring"]))
{
    $decoded = $c->decrypt($_POST["cryptstring"]);
    echo "<br/>{$_POST["cryptstring"]} YIELDS DECODED ";
    var_dump($decoded);
}

// CREATE THE FORM USING HEREDOC NOTATION
$form = <<<FORM
<form method="post">
<input name="clearstring" value="$decoded" />
<input type="submit" value="ENCRYPT" />
<br/>
<input name="cryptstring" value="$encoded" />
<input type="submit" value="DECRYPT" />
</form>
FORM;

echo $form;

Open in new window

0
 
Dave BaldwinFixer of ProblemsCommented:
'sha1' is a 'hash' which is a one-way algorithm.  It is not encryption that can be decrypted.  Details and links here: http://php.net/manual/en/function.sha1.php   Here http://php.net/manual/en/function.hash.php is a more generalized 'hash' function with some good info.  And here http://php.net/manual/en/refs.crypto.php is the overview page for Cryptography Extensions.
0
 
Dave HoweCommented:
Dave is correct.

Sha1 (which incidentally is depreciated, so shouldn't be used for new code) can't be reversed, and will be in binary after use. common practice is to base64 encode the hash for human-readable output (and many libraries include that option) - in your code, you can see a base64_encode action so should output THAT rather than binary.

Common practice with hashed passwords is to re-hash the password submitted by the user, compare the two hashes, and if they match, *assume* the user got the password right :)
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
APD_TorontoAuthor Commented:
If sha-1 is depreciated, whats there?

I thought there's sha-2 and sha-3?
0
 
Dave BaldwinFixer of ProblemsCommented:
There are other methods in my links above including one that is actual encryption and not just a one-way hash..
0
 
Dave HoweCommented:
sha-2 and sha-3 yes. also a bunch of non-us-standard ones like whirlpool :)
0
 
APD_TorontoAuthor Commented:
So mcrypt is the way to go?
0
 
Ray PaseurCommented:
I would use md5().  You'll get many opinions about why this is a bad idea, or why someone else's idea is better.  You may want to see "An Afterword: About Storing Passwords" in this article:
http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

This cartoon also tells a part of the story.
http://xkcd.com/936/
0
 
Dave BaldwinFixer of ProblemsCommented:
I have a lot of sites using MD5 for password hashes.  But nobody is trying to break in.  I know, I check.  I don't use encryption/decryption on any sites.  Also... none of my sites store any kind of secrets or personal info, there's just nothing to get even if they did crack the passwords.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

  • 3
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now