Encrypt password in PHP, decrypt in VB?

Gilles Ganault wrote:

I'd like to encrypt a customer's organization name to use this as
their password to launch our application, and decrypt it within our
VB5 application.

Er... You're mixing concepts here. Encrypted stuff is not a "password", it's
called "cyphertext". Are you saying that you want to use cyphertext as a
sort of password or license key?
In any case, you'll have to research into non-simmetrical encruption
algorithms. If you implemented a simmetrical one, then your users would
have both the cyphertext and the key to create new cyphertexts suited to
them.
--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

Now listening to: Tone - Small Arm of Sea (2008) - [7] Undecided (3:28)
(74.500000%)

On Jul 1, 10:08*am, Gilles Ganault <nos...@nospam.comwrote:

* * * * I'd like to encrypt a customer's organization name to use this as
their password to launch our application, and decrypt it within our
VB5 application.

This is how I understand it:
Alice works at OrgaCorp. The string "OrgaCorp" will be encrypted, so
that it becomes "PshbDpsq". This will then be the password of Alice.
Alice logs in using Alice, PshdDpsq as her username and password and
this information is passed to a VB application, which then decodes the
company name to do something with it.

A simple way to encrypt a word is using XOR encryption. So you bitwise
XOR the company name with some other string. However, if a smart user
gets his hands on some passwords, he can deduce your encryption string
from it. XOR encryption is not particularly safe.

XOR encryption is a way of a symetrical encryption. The other poster
said you should use asymetrical encryption, which means that the key
to encrypt the data is another key than the one to decrypt the data.
It depends on your situation which one you should use.

Another solution could be to put username, company, password data in a
database, so that you can check the password and find the right
company for the user.

We will then use this information to print it on every page that the
application prints out. That way, even if some other user gives out
his password, it won't do any good, since the organization name will
be the original user's.

I don't understand this.

I guess there are two things I need to solve:
- how to to check that the password is valid, and not just some crap
an unlicensed user typed just to get past the logon dialog?

You have to encrypt some extra data which serves as a validity check.
For example, instead of encrypting OrgaCorp you can encrypt
GOODOrgaCorp. You then assume that if the decrypted string starts with
GOOD, the password is correct.

For safety reasons, you would not prepend a fixed string but some hash
of the word.

Maybe you are solving your problem the wrong way. Could you explain it
a little more in detail, maybe with an example?

On Tue, 1 Jul 2008 04:24:43 -0700 (PDT), Sjoerd <sj******@gmail.com>
wrote:

>You have to encrypt some extra data which serves as a validity check.
For example, instead of encrypting OrgaCorp you can encrypt
GOODOrgaCorp. You then assume that if the decrypted string starts with
GOOD, the password is correct.

Yup, that's what I had in mind.

>Maybe you are solving your problem the wrong way. Could you explain it
a little more in detail, maybe with an example?

It's not my line of business, so it's a bit fuzzy at this point but
the goal is two-fold:
1. make sure the user has bought a license, and doesn't use someone
else's
2. make sure the user has bought this year's license, and doesn't keep
using last year's.

So I was thinking of
1. taking the organization's name, eg. "Acme Inc.", and prepend it
with the current year, eg. "2008-Acme Inc."
2. encrypt/cypher this string
3. add a suffix to that cyphered string so that I know it looks real.
Obviously, any computer-savvy person who has access to two keys will
see that the last X bytes are similar, but our users are not
computer-savvy and this is a niche application
4. in the VB application, decypher this, check that the current year
is the same as the one in the key, and use the organization name in
all printouts, so that it's useless for "Widget Inc." to use "Acme
Inc.'"s key.

Am I totally off-base?

Thank you.

On Tue, 1 Jul 2008 Gilles Ganault <no****@nospam.comwrote:

Hello

I'd like to encrypt a customer's organization name to use this as
their password to launch our application, and decrypt it within our
VB5 application.

We will then use this information to print it on every page that the
application prints out. That way, even if some other user gives out
his password, it won't do any good, since the organization name will
be the original user's.

I guess there are two things I need to solve:
- how to to check that the password is valid, and not just some crap
an unlicensed user typed just to get past the logon dialog?

- find a light encryption/decryptiong algorithm that can be used in
PHP to create passwords on our web server, and the corresponding
decryption part to be implemented in VB5 (preferably as source code,
to void shipping another DLL).

Hi.

How about when someone logs in they provide username, company name, password.
Concatenate these and MD5 them. This MD5 string is then what is stored.
When someone logs into the VB app with the same details (and thereby providing
you the company name to display on print outs) you carry out the same
concatenation and MD5. If the two md5 strings match it's a valid login.
Otherwise it isn't.

D.
--
You don't stop playing games because you get old.
You get old because you stop playing games.