473,320 Members | 1,821 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,320 software developers and data experts.

Polyalphabetic encryption for Passwords

Just an Idea:
In PHP, passwords for different purposes often are stored plaintext in
the source. I often wondered, how this could be prevented.

So if you have a web-project, that is access-restricted, try the
following workaround:

include this snippet into your web-project:

function polyalph_encrypt($original, $key = FALSE) {
if (!$key) $key = $_SESSION["passphrase"]; // The access-key
//Make the key longer, if needed
$i = round( strlen($original)/strlen($key) );
for ($j=0;$j<$i;$j++)
$key .= $key;
$result = "";
for ($i = 0; $i < strlen($original); $i++) {
$sigma = 94 + ord( $original{$i} ) + ord( $key{$i} ) - 64;
$result .= chr ( fmod ( $sigma, 94 ) + 32 );
}
return $result;
}

function polyalph_decrypt($secret, $key = FALSE) {
if (!$key) $key = $_SESSION["passphrase"]; // The access-key
//Make the key longer if needed
$i = round( strlen($secret)/strlen($key) );
for ($j=0;$j<$i;$j++)
$key .= $key;
$result = "";
for ($i = 0; $i < strlen($secret; $i++) {
$sigma = 94 + ord( $secret{$i} ) - ord ( $key{$i} );
$result .= chr ( fmod ( $sigma, 94 ) + 32 );
}
return $result;
}

Of course, this will only function with ascii-passwords, but for most of
us, this should be enough. So with this trick, the encrypted passwords
can only be successfully decrypted, if the user enters the right
master-password (= Access-password).

Well, it is a little tricky and not 100% safe (as everything is):
- It wouldn't be a good idea to check the validity of the
access-password in plaintext. Instead try the following:
if ($_POST["user"] == "YOURUSERNAME" && sha1($_POST["password"]) ==
"YOUR SHA1-HASHED PASSWORD")
$_SESSION["passphrase"] = $_POST["password"]
- of course this is only half-way safe if you have all more or less
"random" passwords.
- And in the end it can only prevent foolish webmasters from spying out
your database-passwords. But of course, the master-password is stored in
plaintext in the $_SESSION variable and this means it is also avaible in
plaintext somewhere on the computer.

jeremy
Feb 17 '06 #1
3 2446
Jeremy Deuel wrote:
Just an Idea:
In PHP, passwords for different purposes often are stored plaintext in
the source. I often wondered, how this could be prevented.


Nice functions, and not that simple to decrypt.

People already thought about this, and came up with the following:
XOR "encryption": A bitwise XOR (exclusive or, ^ operator) is done for
every character of the string. The key is repeated, as in your example.
The advantage is that encryption and decryption uses the same function:
Doing a XOR on a string twice will result in the original string.
ROT-13: Rotate the alphabet with 13 positions: A becomes N, B becomes
O, etc. Because there are 26 letters in the alphabet, doing a ROT-13
twice will result in the original string.

Also take a look at str_repeat(), which can repeat the key so that it
is long enough. You can use the % operator instead of fmod().

Feb 17 '06 #2
In article <11**********************@g43g2000cwa.googlegroups .com>,
"Sjoerd" <sj******@gmail.com> wrote:
Jeremy Deuel wrote:
Just an Idea:
In PHP, passwords for different purposes often are stored plaintext in
the source. I often wondered, how this could be prevented.


Nice functions, and not that simple to decrypt.

People already thought about this, and came up with the following:
XOR "encryption": A bitwise XOR (exclusive or, ^ operator) is done for
every character of the string. The key is repeated, as in your example.
The advantage is that encryption and decryption uses the same function:
Doing a XOR on a string twice will result in the original string.
ROT-13: Rotate the alphabet with 13 positions: A becomes N, B becomes
O, etc. Because there are 26 letters in the alphabet, doing a ROT-13
twice will result in the original string.

Also take a look at str_repeat(), which can repeat the key so that it
is long enough. You can use the % operator instead of fmod().


Thanks for str_repeat and the % operator. I didn't know them yet..

ROT-13 is not thaaaaaat safe... ;)
XOR would be very interesting, like this one could implement the
vernam-algorithm. How do I implement bitwise operations in PHP?
Feb 17 '06 #3
Jeremy Deuel wrote:
Just an Idea:
In PHP, passwords for different purposes often are stored plaintext in
the source. I often wondered, how this could be prevented.

So if you have a web-project, that is access-restricted, try the
following workaround:
<snip>

So:
ResourcePasswords = f(publicdata, MasterPassword)
publicdata = f'(ResourcePasswords, MasterPassword)
Of course, this will only function with ascii-passwords, but for most of
us, this should be enough. So with this trick, the encrypted passwords
can only be successfully decrypted, if the user enters the right
master-password (= Access-password).


Having a single password shared by multiple users is not exactly great
security on a multi-user system. While this system could be used on a
per-UserPassword basis to encrypt a single MasterPassword (which itself
encrypts multiple ResourcePasswords),

MasterPassword = f(publicdata[user], UserPassword[user])
publicdata[user] = f'(MasterPassword , UserPassword[user])

subsequently changing the MasterPassword would be virtually impossible
without access to the unencrypted/hashed UserPasswords - another security
flaw.

But if you could use assymetric encryption to distribute the MasterPasswords
with the UserPasswords acting as passphrases to the UserPrivateKey, you
could leave the user key pair lying around on the server disk and you'd
then have a *secure* and *manageable* solution.

publicdata[user] = g'(MasterPassword, UserPublicKey[user])
MasterPassword = g(publicdata[user], UserPrivateKey[user],
UserPassword[user])

C.

Feb 18 '06 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
by: Chris | last post by:
Hello all. I'm currently working on a new site that encompasses the registration of members. The registration is taking place through PHP interaction with MySQL. The site is just going to be...
8
by: Joshua Beall | last post by:
Hi All, Up until now I have been storing passwords in the database as an sha1 hash. I like doing it this way, but a problem arises with people who forget their passwords - I cannot retrieve it...
2
by: Reimar Bauer | last post by:
Hi all, I would like to use a hierarchical group oriented encryption. Is there something implemented or did you know something I could use? For explanaition. If you have a large building...
2
by: Hal Vaughan | last post by:
I have no background in encryption, so I'm working with samples I've found in various places and patching them together. I know Blowfish can use a 56 byte key. The version of this program in Perl...
34
by: Blake T. Garretson | last post by:
I want to save some sensitive data (passwords, PIN numbers, etc.) to disk in a secure manner in one of my programs. What is the easiest/best way to accomplish strong file encryption in Python? ...
3
by: Molly Gibson | last post by:
Hi all, I have recently installed Apache/1.3.28 + mod_auth_pgsql-0.9.12 (http://www.giuseppetanzilli.it/mod_auth_pgsql/) The only way I have been able to get it to successfully authenticate...
113
by: Bonj | last post by:
I was in need of an encryption algorithm to the following requirements: 1) Must be capable of encrypting strings to a byte array, and decyrpting back again to the same string 2) Must have the same...
5
by: newbie | last post by:
Hello, I face a practical problem with encryption. I've read examples for encrypting a file with the DES algorythm. The algorythm uses a key and a IV value. Both are 8 bytes if I'm correct,...
4
by: hohans | last post by:
Hi all, I have an encryption class that encrypts and decrypts password using TripleDESCryptoServiceProvider. It was written originally in framework 1.0 and been working fine. And those...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
0
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.