Just an Idea:
In PHP, passwords for different purposes often are stored plaintext in
the source. I often wondered, how this could be prevented.
So if you have a web-project, that is access-restricted, try the
following workaround:
include this snippet into your web-project:
function polyalph_encryp t($original, $key = FALSE) {
if (!$key) $key = $_SESSION["passphrase "]; // The access-key
//Make the key longer, if needed
$i = round( strlen($origina l)/strlen($key) );
for ($j=0;$j<$i;$j+ +)
$key .= $key;
$result = "";
for ($i = 0; $i < strlen($origina l); $i++) {
$sigma = 94 + ord( $original{$i} ) + ord( $key{$i} ) - 64;
$result .= chr ( fmod ( $sigma, 94 ) + 32 );
}
return $result;
}
function polyalph_decryp t($secret, $key = FALSE) {
if (!$key) $key = $_SESSION["passphrase "]; // The access-key
//Make the key longer if needed
$i = round( strlen($secret)/strlen($key) );
for ($j=0;$j<$i;$j+ +)
$key .= $key;
$result = "";
for ($i = 0; $i < strlen($secret; $i++) {
$sigma = 94 + ord( $secret{$i} ) - ord ( $key{$i} );
$result .= chr ( fmod ( $sigma, 94 ) + 32 );
}
return $result;
}
Of course, this will only function with ascii-passwords, but for most of
us, this should be enough. So with this trick, the encrypted passwords
can only be successfully decrypted, if the user enters the right
master-password (= Access-password).
Well, it is a little tricky and not 100% safe (as everything is):
- It wouldn't be a good idea to check the validity of the
access-password in plaintext. Instead try the following:
if ($_POST["user"] == "YOURUSERNA ME" && sha1($_POST["password"]) ==
"YOUR SHA1-HASHED PASSWORD")
$_SESSION["passphrase "] = $_POST["password"]
- of course this is only half-way safe if you have all more or less
"random" passwords.
- And in the end it can only prevent foolish webmasters from spying out
your database-passwords. But of course, the master-password is stored in
plaintext in the $_SESSION variable and this means it is also avaible in
plaintext somewhere on the computer.
jeremy 3 2463
Jeremy Deuel wrote: Just an Idea: In PHP, passwords for different purposes often are stored plaintext in the source. I often wondered, how this could be prevented.
Nice functions, and not that simple to decrypt.
People already thought about this, and came up with the following:
XOR "encryption ": A bitwise XOR (exclusive or, ^ operator) is done for
every character of the string. The key is repeated, as in your example.
The advantage is that encryption and decryption uses the same function:
Doing a XOR on a string twice will result in the original string.
ROT-13: Rotate the alphabet with 13 positions: A becomes N, B becomes
O, etc. Because there are 26 letters in the alphabet, doing a ROT-13
twice will result in the original string.
Also take a look at str_repeat(), which can repeat the key so that it
is long enough. You can use the % operator instead of fmod().
In article <11************ **********@g43g 2000cwa.googleg roups.com>,
"Sjoerd" <sj******@gmail .com> wrote: Jeremy Deuel wrote: Just an Idea: In PHP, passwords for different purposes often are stored plaintext in the source. I often wondered, how this could be prevented.
Nice functions, and not that simple to decrypt.
People already thought about this, and came up with the following: XOR "encryption ": A bitwise XOR (exclusive or, ^ operator) is done for every character of the string. The key is repeated, as in your example. The advantage is that encryption and decryption uses the same function: Doing a XOR on a string twice will result in the original string. ROT-13: Rotate the alphabet with 13 positions: A becomes N, B becomes O, etc. Because there are 26 letters in the alphabet, doing a ROT-13 twice will result in the original string.
Also take a look at str_repeat(), which can repeat the key so that it is long enough. You can use the % operator instead of fmod().
Thanks for str_repeat and the % operator. I didn't know them yet..
ROT-13 is not thaaaaaat safe... ;)
XOR would be very interesting, like this one could implement the
vernam-algorithm. How do I implement bitwise operations in PHP?
Jeremy Deuel wrote: Just an Idea: In PHP, passwords for different purposes often are stored plaintext in the source. I often wondered, how this could be prevented.
So if you have a web-project, that is access-restricted, try the following workaround:
<snip>
So:
ResourcePasswor ds = f(publicdata, MasterPassword)
publicdata = f'(ResourcePass words, MasterPassword)
Of course, this will only function with ascii-passwords, but for most of us, this should be enough. So with this trick, the encrypted passwords can only be successfully decrypted, if the user enters the right master-password (= Access-password).
Having a single password shared by multiple users is not exactly great
security on a multi-user system. While this system could be used on a
per-UserPassword basis to encrypt a single MasterPassword (which itself
encrypts multiple ResourcePasswor ds),
MasterPassword = f(publicdata[user], UserPassword[user])
publicdata[user] = f'(MasterPasswo rd , UserPassword[user])
subsequently changing the MasterPassword would be virtually impossible
without access to the unencrypted/hashed UserPasswords - another security
flaw.
But if you could use assymetric encryption to distribute the MasterPasswords
with the UserPasswords acting as passphrases to the UserPrivateKey, you
could leave the user key pair lying around on the server disk and you'd
then have a *secure* and *manageable* solution.
publicdata[user] = g'(MasterPasswo rd, UserPublicKey[user])
MasterPassword = g(publicdata[user], UserPrivateKey[user],
UserPassword[user])
C. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Chris |
last post by:
Hello all.
I'm currently working on a new site that encompasses the registration
of members. The registration is taking place through PHP interaction
with MySQL. The site is just going to be for my friends and I, but I
have run into an issue that I have often wondered about before. Any
insight would be appreciated.
The database contains semi-sensitive information. Not CC numbers, but
think more like usernames/passwords to other...
|
by: Joshua Beall |
last post by:
Hi All,
Up until now I have been storing passwords in the database as an sha1 hash.
I like doing it this way, but a problem arises with people who forget their
passwords - I cannot retrieve it for them.
The simplest option would be cleartext passwords. Easy enough. But what I
would prefer to do is some sort of two-way encryption, so I can encrypt the
passwords, store them in the database, and then get them back. Are there
any PHP...
|
by: Reimar Bauer |
last post by:
Hi all,
I would like to use a hierarchical group oriented encryption.
Is there something implemented or did you know something I could use?
For explanaition.
If you have a large building there are several keys available.
Each person has a key to open his/her room. Probably this key is able to
open rooms of the group of this person.
|
by: Hal Vaughan |
last post by:
I have no background in encryption, so I'm working with samples I've found
in various places and patching them together. I know Blowfish can use a 56
byte key. The version of this program in Perl has no problem with a 56
byte key, but this Java version has problems if I use a key that is any
length other than 8 bytes. Is there something I can do to enable 56 byte
keys and vectors? Here's what I'm doing:
//byte bRawData is already set...
|
by: Blake T. Garretson |
last post by:
I want to save some sensitive data (passwords, PIN numbers, etc.) to
disk in a secure manner in one of my programs. What is the
easiest/best way to accomplish strong file encryption in Python? Any
modern block cipher will do: AES, Blowfish, etc. I'm not looking for
public key stuff; I just want to provide a pass-phrase.
I found a few modules out there, but they seem to be all but abandoned.
Most seem to have died several years ago. ...
| |
by: Molly Gibson |
last post by:
Hi all,
I have recently installed Apache/1.3.28 +
mod_auth_pgsql-0.9.12
(http://www.giuseppetanzilli.it/mod_auth_pgsql/)
The only way I have been able to get it to
successfully authenticate against my postgres (7.3.4)
database is to turn Auth_PG_encrypted off & have
encryption turned off in postgresql.conf. I am really
uncomfortable with the idea of having unencrypted user
|
by: Bonj |
last post by:
I was in need of an encryption algorithm to the following requirements:
1) Must be capable of encrypting strings to a byte array, and decyrpting
back again to the same string
2) Must have the same algorithm work with strings that may or may not be
unicode
3) Number of bytes back must either be <= number of _TCHARs in *
sizeof(_TCHAR), or the relation between output size and input size can be
calculated simply. Has to take into account the...
|
by: newbie |
last post by:
Hello,
I face a practical problem with encryption.
I've read examples for encrypting a file with the DES algorythm. The
algorythm uses a key and a IV value. Both are 8 bytes if I'm correct, and
can be generated by the system or specified by me at design time.
How can I then do DES encryption with a password?
pwd: 8charact
|
by: hohans |
last post by:
Hi all,
I have an encryption class that encrypts and decrypts password using
TripleDESCryptoServiceProvider. It was written originally in framework
1.0 and been working fine. And those passwords are stored in my SQL
server.
Now I need to migrate my application to framework 2.0. I use this same
class with framework 2.0 library to decrypt the passwords from database
(of course, they were encrypted in 1.0) but getting "Bad Data"
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |