Simple Cipher / encryption

sicks84

I'm on a time crunch and I'm not an advanced scripter by any means... So I'm asking for some help.

I want to create a simple, general, temporary password-protected area. I only want to allow access to this section for a set period of time and don't want to keep a database of user/pass, so I thought a cipher & key would work best. The username would be the person's last or company name, the password is a ciphered version of that, based on that week's key.

The username gets checked against the key which qualifies the password like so:

u = a
s = b
e = c
r = d

so when I enter "user" as my username, my password should be "abcd".

I'd like this to be alphanumeric (A-Z, 0-9) and would manually generate a new key one a week or month or whatever I feel is necessary.

Basically, what I want to do is take:
a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9

And randomize/cipher it.

Somebody out there must have already written something... Any help would be much appreciated!!!

Jason_Batten

Use an array, have the keys as numbers and use the random function perhaps?

justsomeone

it doesn't strike me as very secure, though. It should be easy for people to peep into each other's accounts.

eg if my username is "HotelBooker" and I know that my competitor "HotHotels" uses your system, I know his password...

Jason_Batten

No you won't, as he described there is a key or scrambler which is changed weekly the user would not know this... making it pretty secure. Nothing is full-proof 😉

justsomeone

It may be changed weekly, but once I get my new pass, it wouldn't take long for anyone so inclined to spot that there is always a relationship between username and password.

If my username starts and ends with the same letter (for example), and I notice that my automatically assigned password also starts and ends with the same character, and is the same length as the username, it doesn't take a professional cracker to work out what's going on.

I'm not saying that this method isn't good enough for this application - I don't know what this application is. but if it's public-facing and contains sensitive information, I'd be reluctant to use this method. That's all I'm syaing 🙂

Jason_Batten

Yeah it is crackable, pretty easily if you wish to work it out, probably would only take a few hours perhaps. It is always good to use layers of encryption. I do agree that it might not be enough, don't get me wrong 🙂 but as like you said it depends on the content and how long they will be there.

If the users aren't known to the public they really don't have a starting point though.

*shrugs, www.php.net/md5 does the trick most of the time.

sicks84

if I were going for true security, I'd do a full-on user/pass db. It's hidden content more than anything that I can't show publically but can show to anyone I want if somewhat protected with a disclaimer (legal issue). If someone cracks the code, so be it. It'll change next week and it may even help business if more people see it. 🙂

Given the content, though, I'm not fearing anything malicious. Nor do I feel like I'm dealing with genius hackers here--we're talking corporate people here.

I just want something that my sales team can generate passwords easily that change - so people can't share passwords for a great length of time and to maintain some knowledge of who/when they're logging in or, if they send an email to update, how interested they are in the content.

justsomeone

Sounds like you've acheived a satisfactory balance between security and usability then 🙂

Brit

I've knocked up the following script which does what the originator of this thread asked for.

First off, save the following as a script that you will be passing your user login variables to - specifically, "username" and "password".

<?PHP

# Simple Cypher / Encryption script
# 18.11.2005
# Author - Brit 
# PHPBuilder thread ID - 10312506
# REQUIREMENTS: You must ensure you can read the key file"
# VARIABLES: This script expects to be passed POST variables "username" and "password"

/* The following should be altered as required. */

/* 1. The path to the keyfile which will hold the current key data (put trailing slash!) */
DEFINE("KEY_FILE","/path/to/docroot/");

/* 2. The name of the file you will use to store the key data */
DEFINE("KEY_FILE_NAME","keyfile.txt");

/* 3. The length of time, in hours, that a key is valid for */
DEFINE("EXPIRATION","72");

/* 4. Where does a user who successfully authenticates get sent to? */
DEFINE("REDIRECT_ON_SUCCESS","/thankyou.html");

/* 5. Administrative email options */
DEFINE("ADMIN_EMAIL","your@email.com");
DEFINE("ADMIN_SUBJECT","Message from simple cypher script");
DEFINE("ADMIN_FROM","Your server");
DEFINE("ADMIN_REPLY","do-not-reply@your-server.com");

/* 6. Send email if key file has expired and someone tries to use it? */
DEFINE("SEND_ADMIN_EMAIL",true);

/* 7. The error message displayed when a username and password combination fails */
DEFINE("ERROR_MSG","Error!");

/* 8. Output actual encrypted values to screen, for information */
DEFINE("SHOW_OUTPUT",false);

/*************************************************************************************/
/* The rest of the script which you shouldn't need to change, happens below this break
/*************************************************************************************/

/*************************/
/* Send email if enabled 
/*************************/

function sendAdminEmail($msg)
{
	/* Send an email to the nominated administrative contact, if this is enabled */
	if(SEND_ADMIN_EMAIL)
	{
		$headers = sprintf("From: %s <%s>\r\n",ADMIN_FROM,ADMIN_REPLY); 
		mail(ADMIN_EMAIL,ADMIN_SUBJECT,$msg,$headers);
	}
}

/*************************/
/* Check the key file 
/*************************/

function checkKeyFile()
{
	/* Make sure the file exists, and we can read it. */
	if(!is_file(KEY_FILE.KEY_FILE_NAME) || !is_readable(KEY_FILE.KEY_FILE_NAME))
	{
		$msg = sprintf("Fatal error: cannot find/read key file at %s!\n",KEY_FILE.KEY_FILE_NAME);
		sendAdminEmail($msg); /* Send email */
		echo substr($msg,0,38);		
		die;
	}
	/* Make sure the key file is still valid. */
	else
	{
		$key_file_modified = filemtime(KEY_FILE.KEY_FILE_NAME);
		$key_file_expires = ((EXPIRATION*60*60)+$key_file_modified);
		$time_now = date("U");

	/* Key file has expired */
	if($key_file_expires < $time_now)
	{
		$msg = "Fatal error: current key file has expired!";
		sendAdminEmail($msg);
		echo $msg;
		die;
	}
	/* Key file is valid */
	else
	{
		authenticateUser();
	}
}
}

/*************************/
/* Encrypt a letter based on keyfile value 
/*************************/

function returnLetterPosition($letter)
{
	/* Open the key file and get the position marker */
	$key_data = parse_ini_file(KEY_FILE.KEY_FILE_NAME);
	$key_data_value = $key_data[key_value];
	$key_data_fallback_value = $key_data[key_fallback];

/* Find the position of $letter in the array */
$character_array = array("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","0","1","2","3","4","5","6","7","8","9");
$character_position = array_search($letter,$character_array);

/* This entire section now deals with the replacement of each $letter */

/* First just add the array position and the new key value */
$character_new_position = (($character_position-1)+$key_data_value);

/* If we're outside the array, go the other way instead */
if($character_new_position > count($character_array))
{
	$character_new_position = ($character_position-$key_data_value);
}

/* If we're in the negatives, go back up again */
if($character_new_position < 0)
{
	$character_new_position = (($character_new_position/$key_data_fallback_value)-$character_new_position);
}

/* Return the replacement letter */
return $character_array[$character_new_position];
}

/*************************/
/* Authenticate a user 
/*************************/

function authenticateUser()
{
	/* Make the POST data safe, strip tags and external white space */
	foreach($_POST as $key => $val)
	{ 
		$_data[$key] = trim(strip_tags($val));
	}	

/* If we have both the username and password, check them */
if(isset($_data["username"]) && isset($_data["password"]) && strlen($_data["username"]) > 1 && strlen($_data["password"]) > 1)
{

	/* Get the 'encrypted' version of the username */
	$user_length = strlen($_data["username"]);
	for($i=0;$i<$user_length;$i++)
	{
			$encrypted_username .= returnLetterPosition(substr($_data["username"],$i,1));
	}

	/* Show output at this stage for information, if option is true */
	if(SHOW_OUTPUT)
	{
		$output = sprintf("<pre>Encrypted value for username %s is %s</pre>",$_data["username"],$encrypted_username);
		echo $output;
		die;
	}

	/* If the encrypted username matches the password, user is OK */
	if($encrypted_username == $_data["password"])
	{
		header(sprintf("Location:%s",REDIRECT_ON_SUCCESS));
		die;
	}
	/* If it doesn't, die. */
	else
	{
		echo ERROR_MSG;
		die;
	}
}
/* If we're here, we were not given both username and password - so die. */
else
{
	echo ERROR_MSG;
	die;
}

}

/*************************/
/* Start everything off  

/*************************/

checkKeyFile();

?>

Next, put a plain text file somewhere on your server, and make sure it looks like this (ensure that you name the file whatever you have defined KEY_FILE_NAME as):

** KEYFILE. THIS MUST BE A NUMBER BETWEEN 2 AND 45.  **
** If you use a value of 1, no encryption will happen **

key_value = 45;

** Put a value between 2 and 10 here, it is used as a fallback measure later **

key_fallback = 4;

Next, simply point a form that takes the variables "username" and "password" at the main PHP script, and its done.

Some features of this script are:

Automatic expiration; (Define EXPIRATION) you can define how long keys are valid for, by entering the relevant number of hours.
Output mode; (Define SHOW_OUTPUT) which allows you to see the password for a given username.
Email to admin in case of expiration or missing key data file.

It should be fairly self explanatory!

Regards,

Brit.