Just an Idea:
In PHP, passwords for different purposes often are stored plaintext in
the source. I often wondered, how this could be prevented.
So if you have a web-project, that is access-restricted, try the
following workaround:
include this snippet into your web-project:
function polyalph_encrypt($original, $key = FALSE) {
if (!$key) $key = $_SESSION["passphrase"]; // The access-key
//Make the key longer, if needed
$i = round( strlen($original)/strlen($key) );
for ($j=0;$j<$i;$j++)
$key .= $key;
$result = "";
for ($i = 0; $i < strlen($original); $i++) {
$sigma = 94 + ord( $original{$i} ) + ord( $key{$i} ) - 64;
$result .= chr ( fmod ( $sigma, 94 ) + 32 );
}
return $result;
}
function polyalph_decrypt($secret, $key = FALSE) {
if (!$key) $key = $_SESSION["passphrase"]; // The access-key
//Make the key longer if needed
$i = round( strlen($secret)/strlen($key) );
for ($j=0;$j<$i;$j++)
$key .= $key;
$result = "";
for ($i = 0; $i < strlen($secret; $i++) {
$sigma = 94 + ord( $secret{$i} ) - ord ( $key{$i} );
$result .= chr ( fmod ( $sigma, 94 ) + 32 );
}
return $result;
}
Of course, this will only function with ascii-passwords, but for most of
us, this should be enough. So with this trick, the encrypted passwords
can only be successfully decrypted, if the user enters the right
master-password (= Access-password).
Well, it is a little tricky and not 100% safe (as everything is):
- It wouldn't be a good idea to check the validity of the
access-password in plaintext. Instead try the following:
if ($_POST["user"] == "YOURUSERNAME" && sha1($_POST["password"]) ==
"YOUR SHA1-HASHED PASSWORD")
$_SESSION["passphrase"] = $_POST["password"]
- of course this is only half-way safe if you have all more or less
"random" passwords.
- And in the end it can only prevent foolish webmasters from spying out
your database-passwords. But of course, the master-password is stored in
plaintext in the $_SESSION variable and this means it is also avaible in
plaintext somewhere on the computer.
jeremy 3 2446
Jeremy Deuel wrote: Just an Idea: In PHP, passwords for different purposes often are stored plaintext in the source. I often wondered, how this could be prevented.
Nice functions, and not that simple to decrypt.
People already thought about this, and came up with the following:
XOR "encryption": A bitwise XOR (exclusive or, ^ operator) is done for
every character of the string. The key is repeated, as in your example.
The advantage is that encryption and decryption uses the same function:
Doing a XOR on a string twice will result in the original string.
ROT-13: Rotate the alphabet with 13 positions: A becomes N, B becomes
O, etc. Because there are 26 letters in the alphabet, doing a ROT-13
twice will result in the original string.
Also take a look at str_repeat(), which can repeat the key so that it
is long enough. You can use the % operator instead of fmod().
In article <11**********************@g43g2000cwa.googlegroups .com>,
"Sjoerd" <sj******@gmail.com> wrote: Jeremy Deuel wrote: Just an Idea: In PHP, passwords for different purposes often are stored plaintext in the source. I often wondered, how this could be prevented.
Nice functions, and not that simple to decrypt.
People already thought about this, and came up with the following: XOR "encryption": A bitwise XOR (exclusive or, ^ operator) is done for every character of the string. The key is repeated, as in your example. The advantage is that encryption and decryption uses the same function: Doing a XOR on a string twice will result in the original string. ROT-13: Rotate the alphabet with 13 positions: A becomes N, B becomes O, etc. Because there are 26 letters in the alphabet, doing a ROT-13 twice will result in the original string.
Also take a look at str_repeat(), which can repeat the key so that it is long enough. You can use the % operator instead of fmod().
Thanks for str_repeat and the % operator. I didn't know them yet..
ROT-13 is not thaaaaaat safe... ;)
XOR would be very interesting, like this one could implement the
vernam-algorithm. How do I implement bitwise operations in PHP?
Jeremy Deuel wrote: Just an Idea: In PHP, passwords for different purposes often are stored plaintext in the source. I often wondered, how this could be prevented.
So if you have a web-project, that is access-restricted, try the following workaround:
<snip>
So:
ResourcePasswords = f(publicdata, MasterPassword)
publicdata = f'(ResourcePasswords, MasterPassword)
Of course, this will only function with ascii-passwords, but for most of us, this should be enough. So with this trick, the encrypted passwords can only be successfully decrypted, if the user enters the right master-password (= Access-password).
Having a single password shared by multiple users is not exactly great
security on a multi-user system. While this system could be used on a
per-UserPassword basis to encrypt a single MasterPassword (which itself
encrypts multiple ResourcePasswords),
MasterPassword = f(publicdata[user], UserPassword[user])
publicdata[user] = f'(MasterPassword , UserPassword[user])
subsequently changing the MasterPassword would be virtually impossible
without access to the unencrypted/hashed UserPasswords - another security
flaw.
But if you could use assymetric encryption to distribute the MasterPasswords
with the UserPasswords acting as passphrases to the UserPrivateKey, you
could leave the user key pair lying around on the server disk and you'd
then have a *secure* and *manageable* solution.
publicdata[user] = g'(MasterPassword, UserPublicKey[user])
MasterPassword = g(publicdata[user], UserPrivateKey[user],
UserPassword[user])
C. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Chris |
last post by:
Hello all.
I'm currently working on a new site that encompasses the registration
of members. The registration is taking place through PHP interaction
with MySQL. The site is just going to be...
|
by: Joshua Beall |
last post by:
Hi All,
Up until now I have been storing passwords in the database as an sha1 hash.
I like doing it this way, but a problem arises with people who forget their
passwords - I cannot retrieve it...
|
by: Reimar Bauer |
last post by:
Hi all,
I would like to use a hierarchical group oriented encryption.
Is there something implemented or did you know something I could use?
For explanaition.
If you have a large building...
|
by: Hal Vaughan |
last post by:
I have no background in encryption, so I'm working with samples I've found
in various places and patching them together. I know Blowfish can use a 56
byte key. The version of this program in Perl...
|
by: Blake T. Garretson |
last post by:
I want to save some sensitive data (passwords, PIN numbers, etc.) to
disk in a secure manner in one of my programs. What is the
easiest/best way to accomplish strong file encryption in Python? ...
|
by: Molly Gibson |
last post by:
Hi all,
I have recently installed Apache/1.3.28 +
mod_auth_pgsql-0.9.12
(http://www.giuseppetanzilli.it/mod_auth_pgsql/)
The only way I have been able to get it to
successfully authenticate...
|
by: Bonj |
last post by:
I was in need of an encryption algorithm to the following requirements:
1) Must be capable of encrypting strings to a byte array, and decyrpting
back again to the same string
2) Must have the same...
|
by: newbie |
last post by:
Hello,
I face a practical problem with encryption.
I've read examples for encrypting a file with the DES algorythm. The
algorythm uses a key and a IV value. Both are 8 bytes if I'm correct,...
|
by: hohans |
last post by:
Hi all,
I have an encryption class that encrypts and decrypts password using
TripleDESCryptoServiceProvider. It was written originally in framework
1.0 and been working fine. And those...
|
by: DolphinDB |
last post by:
Tired of spending countless mintues downsampling your data? Look no further!
In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM).
In this month's session, we are pleased to welcome back...
|
by: jfyes |
last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
|
by: ArrayDB |
last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
|
by: Defcon1945 |
last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
|
by: Shællîpôpï 09 |
last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
|
by: af34tf |
last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
|
by: Faith0G |
last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome former...
| |