Solved

sha1 Encrypt/Decript

Posted on 2015-02-19
9
242 Views
Last Modified: 2015-02-20
Hi Expert,

I am starting a new application where I want my passwords encrypted. Since this is a brand new application, I would like to echo the encrypted string, so I can copy/paste in my database just to get started.

I am doing this by:

echo 'user = ' . sha1('user', 'pa$$12345') . '<br>';

This is generating:
user = ���k[�2#r��t���

where I expected to be a 40 or 60 characters string. What am I doing wrong?

My second question is how do I decrypt the string back to 'pa$$12345'

Thank you
0
Comment
Question by:APD_Toronto
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 167 total points
ID: 40620358
I can show you an encrypt / decrypt algorithm.  Not sure why you would want to decrypt a password - that sounds like a recipe for a security hole!  But in any case this is how it might be done.

Please also see the man page references here.  I don't believe this is reversible. But it's very old - 2001 - so there are probably many algorithms and libraries that facilitate cracking the code today.
http://php.net/manual/en/function.sha1.php
http://www.faqs.org/rfcs/rfc3174.html

<?php // demo/encrypt_decrypt.php
error_reporting(E_ALL);

// REF: http://php.net/manual/en/ref.mcrypt.php
// REF: http://php.net/manual/en/mcrypt.ciphers.php
// NOTE PARALLEL CONSTRUCTION IN THE mcrypt_XXcrypt() FUNCTIONS

class Encryption
{
    protected $key;

    public function __construct($key='quay')
    {
        // THE KEY MUST BE KNOWN TO BOTH PARTS OF THE ALGORITHM
        $this->key = $key;
    }

    public function encrypt($text)
    {
        // ENCRYPT THE DATA
        $data = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->key, $text, MCRYPT_MODE_ECB);

        // MAKE IT base64() STRING SAFE FOR STORAGE AND TRANSMISSION
        return base64_encode($data);
    }

    public function decrypt($text)
    {
        // DECODE THE DATA INTO THE BINARY ENCRYPTED STRING
        $text = base64_decode($text);

        // DECRYPT THE STRING
        $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->key, $text, MCRYPT_MODE_ECB);

        // DECLOP NUL-BYTES BEFORE THE RETURN
        return trim($data);
    }
}

// INSTANTIATE AN ENCRYPTION OBJECT FROM THE CLASS
$c = new Encryption();

// INITIALIZE VARS FOR LATER USE IN THE HTML FORM
$encoded = $decoded = NULL;

// IF ANYTHING WAS POSTED SHOW THE DATA
if (!empty($_POST["clearstring"]))
{
    $encoded = $c->encrypt($_POST["clearstring"]);
    echo "<br/>{$_POST["clearstring"]} YIELDS ENCODED ";
    var_dump($encoded);
}

if (!empty($_POST["cryptstring"]))
{
    $decoded = $c->decrypt($_POST["cryptstring"]);
    echo "<br/>{$_POST["cryptstring"]} YIELDS DECODED ";
    var_dump($decoded);
}

// CREATE THE FORM USING HEREDOC NOTATION
$form = <<<FORM
<form method="post">
<input name="clearstring" value="$decoded" />
<input type="submit" value="ENCRYPT" />
<br/>
<input name="cryptstring" value="$encoded" />
<input type="submit" value="DECRYPT" />
</form>
FORM;

echo $form;

Open in new window

0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 167 total points
ID: 40620407
'sha1' is a 'hash' which is a one-way algorithm.  It is not encryption that can be decrypted.  Details and links here: http://php.net/manual/en/function.sha1.php   Here http://php.net/manual/en/function.hash.php is a more generalized 'hash' function with some good info.  And here http://php.net/manual/en/refs.crypto.php is the overview page for Cryptography Extensions.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 166 total points
ID: 40620848
Dave is correct.

Sha1 (which incidentally is depreciated, so shouldn't be used for new code) can't be reversed, and will be in binary after use. common practice is to base64 encode the hash for human-readable output (and many libraries include that option) - in your code, you can see a base64_encode action so should output THAT rather than binary.

Common practice with hashed passwords is to re-hash the password submitted by the user, compare the two hashes, and if they match, *assume* the user got the password right :)
0
Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

 

Author Comment

by:APD_Toronto
ID: 40621589
If sha-1 is depreciated, whats there?

I thought there's sha-2 and sha-3?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40621606
There are other methods in my links above including one that is actual encryption and not just a one-way hash..
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40621617
sha-2 and sha-3 yes. also a bunch of non-us-standard ones like whirlpool :)
0
 

Author Comment

by:APD_Toronto
ID: 40621671
So mcrypt is the way to go?
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 40622262
I would use md5().  You'll get many opinions about why this is a bad idea, or why someone else's idea is better.  You may want to see "An Afterword: About Storing Passwords" in this article:
http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

This cartoon also tells a part of the story.
http://xkcd.com/936/
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40622271
I have a lot of sites using MD5 for password hashes.  But nobody is trying to break in.  I know, I check.  I don't use encryption/decryption on any sites.  Also... none of my sites store any kind of secrets or personal info, there's just nothing to get even if they did crack the passwords.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question