Solved

sha1 Encrypt/Decript

Posted on 2015-02-19
9
235 Views
Last Modified: 2015-02-20
Hi Expert,

I am starting a new application where I want my passwords encrypted. Since this is a brand new application, I would like to echo the encrypted string, so I can copy/paste in my database just to get started.

I am doing this by:

echo 'user = ' . sha1('user', 'pa$$12345') . '<br>';

This is generating:
user = ���k[�2#r��t���

where I expected to be a 40 or 60 characters string. What am I doing wrong?

My second question is how do I decrypt the string back to 'pa$$12345'

Thank you
0
Comment
Question by:APD_Toronto
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 167 total points
ID: 40620358
I can show you an encrypt / decrypt algorithm.  Not sure why you would want to decrypt a password - that sounds like a recipe for a security hole!  But in any case this is how it might be done.

Please also see the man page references here.  I don't believe this is reversible. But it's very old - 2001 - so there are probably many algorithms and libraries that facilitate cracking the code today.
http://php.net/manual/en/function.sha1.php
http://www.faqs.org/rfcs/rfc3174.html

<?php // demo/encrypt_decrypt.php
error_reporting(E_ALL);

// REF: http://php.net/manual/en/ref.mcrypt.php
// REF: http://php.net/manual/en/mcrypt.ciphers.php
// NOTE PARALLEL CONSTRUCTION IN THE mcrypt_XXcrypt() FUNCTIONS

class Encryption
{
    protected $key;

    public function __construct($key='quay')
    {
        // THE KEY MUST BE KNOWN TO BOTH PARTS OF THE ALGORITHM
        $this->key = $key;
    }

    public function encrypt($text)
    {
        // ENCRYPT THE DATA
        $data = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->key, $text, MCRYPT_MODE_ECB);

        // MAKE IT base64() STRING SAFE FOR STORAGE AND TRANSMISSION
        return base64_encode($data);
    }

    public function decrypt($text)
    {
        // DECODE THE DATA INTO THE BINARY ENCRYPTED STRING
        $text = base64_decode($text);

        // DECRYPT THE STRING
        $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->key, $text, MCRYPT_MODE_ECB);

        // DECLOP NUL-BYTES BEFORE THE RETURN
        return trim($data);
    }
}

// INSTANTIATE AN ENCRYPTION OBJECT FROM THE CLASS
$c = new Encryption();

// INITIALIZE VARS FOR LATER USE IN THE HTML FORM
$encoded = $decoded = NULL;

// IF ANYTHING WAS POSTED SHOW THE DATA
if (!empty($_POST["clearstring"]))
{
    $encoded = $c->encrypt($_POST["clearstring"]);
    echo "<br/>{$_POST["clearstring"]} YIELDS ENCODED ";
    var_dump($encoded);
}

if (!empty($_POST["cryptstring"]))
{
    $decoded = $c->decrypt($_POST["cryptstring"]);
    echo "<br/>{$_POST["cryptstring"]} YIELDS DECODED ";
    var_dump($decoded);
}

// CREATE THE FORM USING HEREDOC NOTATION
$form = <<<FORM
<form method="post">
<input name="clearstring" value="$decoded" />
<input type="submit" value="ENCRYPT" />
<br/>
<input name="cryptstring" value="$encoded" />
<input type="submit" value="DECRYPT" />
</form>
FORM;

echo $form;

Open in new window

0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 167 total points
ID: 40620407
'sha1' is a 'hash' which is a one-way algorithm.  It is not encryption that can be decrypted.  Details and links here: http://php.net/manual/en/function.sha1.php   Here http://php.net/manual/en/function.hash.php is a more generalized 'hash' function with some good info.  And here http://php.net/manual/en/refs.crypto.php is the overview page for Cryptography Extensions.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 166 total points
ID: 40620848
Dave is correct.

Sha1 (which incidentally is depreciated, so shouldn't be used for new code) can't be reversed, and will be in binary after use. common practice is to base64 encode the hash for human-readable output (and many libraries include that option) - in your code, you can see a base64_encode action so should output THAT rather than binary.

Common practice with hashed passwords is to re-hash the password submitted by the user, compare the two hashes, and if they match, *assume* the user got the password right :)
0
Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

 

Author Comment

by:APD_Toronto
ID: 40621589
If sha-1 is depreciated, whats there?

I thought there's sha-2 and sha-3?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40621606
There are other methods in my links above including one that is actual encryption and not just a one-way hash..
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40621617
sha-2 and sha-3 yes. also a bunch of non-us-standard ones like whirlpool :)
0
 

Author Comment

by:APD_Toronto
ID: 40621671
So mcrypt is the way to go?
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 40622262
I would use md5().  You'll get many opinions about why this is a bad idea, or why someone else's idea is better.  You may want to see "An Afterword: About Storing Passwords" in this article:
http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

This cartoon also tells a part of the story.
http://xkcd.com/936/
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40622271
I have a lot of sites using MD5 for password hashes.  But nobody is trying to break in.  I know, I check.  I don't use encryption/decryption on any sites.  Also... none of my sites store any kind of secrets or personal info, there's just nothing to get even if they did crack the passwords.
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now