Encryption\Decryption, mcrypt_cfb ?

Anon

I've looked this up and after finding out that md5 only works one way, I found mcrypt, so I looked this up and due to a lack of basic knowledge I suspect hit a brick wall...

"mcrypt_cfb
Encrypt/decrypt data in CRB format

string mcyrpt_cfb (int cipher, string key, string data, int mode, string iv)

Mcrypt_cfb() encrypt or decrypts (depending on mode) the data with cipher and key in CFB cipher mode and returns the resulting string.

Cipher is one of the MYCRYPT_ciphername constants
Key is the key supplied to the algorithm. It must be kept secret.
Data is the data which shall be encrypted/decrypted
Mode is MCRYPT_ENCRYPT or MCRYPT_DECRYPT
IV is the initialization vector"

Okay, but what does all that mean!
What I'm looking for is a way so that when a table is filled in as well as inserting the name and all into a db the password is also put into the db, but encrypted first, and then when checked against the db, its decrypted so that passwords arn't sent in clear text over the net.

I got about this far...

$enc mcyrpt_cfb (int cipher, string key, $password, MCRYPT_ENCRYPT, string iv);

So I want to encrpyt $password into the $enc string using mcrypt_cfb, but I have no idea what to put for the rest, if I can figure this out I can just insert $enc into the database and then later on check it, I hope.

Thanks for any help with this.

James

jamie_webstart

If you want to have PHP get a plain password and encrypt it before it checks it against the database, you will have to send the plain text password from a form to the server for PHP to be able to encrypt, if you see what I mean... You would only be encrypting communication between PHP and the database, not the browser and PHP.

Also, why do you need to have a two way function? most password checking is done with a one way function - The password is MD5'd (or whatever algorythm) and put into the database encrypted. When you want to check the password for a login attempt, you MD5 the user input and compare that to what's in the database.

Hope some of that helps

Anon

ah, ic.
Just trying to limit the area over which the password is transmitted, I know literally nothing about hacking, just little bits, like sending around the password in plain text is bad 🙂

Never thought of md5 like that, ie that it encrypts the same password the same each time, guess its time to look up and see if I can get that working now then.

Thanks

jamie_webstart

No problem... I'm going to try and get a secure-ish login set up myself soon. The best thing you can do to stop hackers is only allow a set amount of wrong passes before you stop letting them try - I'm planning to allow 3 attempts before getting a lockout or requiring a confirmation email. That way you won't get script kiddies running a dictionary/brute force hack against your login. (then again, there's not much intelligence among most of them...)

Hope that helps

Anon

hehe, well, I've got part of it working, but after spending ages trying the other part I've hit a brick wall.

Basically I'm setting a cookie if the username and password are correct, I'm first adding this information on another page, its just messing about to sort out HOW to do it before I actually install it on the site. I'm having a few levels of security, so that people who need to update the news, can't delete half the site for example.

Anyways... (cut down version!)

<?php
$lv1 = "lv1";
// and so on

if (($user_name == "") || ($password == "") || ($level == "")) {echo "Please enter information";}

// table for entering real name, username, password, and level

<?php

$encpw=md5($password);
include ("connect.inc");

$query = "INSERT INTO table_name (real_name,user_name,password,level) VALUES ('$real_name','$user_name','$encpw','$level');";
$result = mysql_query($query);

mysql_close();

So that works great, I've looked at my table and see this hideously long string for password 🙂

So, now to put it into practice...

<?php
$password=md5($checkpw);
if ($general_access == "lv1") {include "http://www.blah.com";}

// elseif statement for other levels

else {
if ($submit) {
include "connect.inc";
$result=mysql_query("select * from table_name where user_name='$user_name'",$db)
or die ("User Doesnt Exist!");
while ($row=mysql_fetch_array($result)) {
if ($row["password"] == $password) {include "setcookie.inc";}
else {echo "Incorrect information entered, please re-enter information";
include "login.php";}
}
}
include "login_form.inc";
}
?>

login_form.inc is just a form asking for username and password, the password name is checkpw, which should be turned into an md5 hash, stored as $password, and then that compared to the one in the table, when they match, cookie set.
I've checked to make sure that the md5 string hash is the same for u6e and it is next time, ie doesn't change the encoding.
Just doesn't let me in!

Thanks for any help with this, I think I'm close, just can't make that last jump.

jamie_webstart

You've got 'if ($row["password"] == $password)' in there... should that not be 'if ($row["password"] == md5($password))'? or did you already convert the password elsewhere?

Anon

above at the top, I coverted it...

$password=md5($checkpw);

jamie_webstart

Ahh, sorry, just spotted it. I can't see what's going wrong there... sorry.

Anon

darn, okay, thanks anyways for pointing me in the right direction.

Anon

MD5 gives a 32 character hash, so if your varchar for password in MySQL is set to 30, then your a fool 🙂

hehe, damn thats simple!!!

Oh well, working after months anyways, thanks again.

jamie_webstart

Ahhhhh, all is clear. 🙂

Anon

hi, I'm trying to do authentication with php and MySql, where the password is already encryted on the database. the problem is when the box pops up to add u'r user and password it doesn't work. How do i go about writing an sql statement and php statment where it will recognize the encrypted password. this is my sql query:$sql = "SELECT * FROM auth WHERE
logon = '$PHP_AUTH_USER' AND
pass = password('$PHP_AUTH_PW')"

Can someone guide me here..