I found that there are no good encryption/decryption functions (with keys) built into php, so I decided to put together my own. I got some feedback on another forum, which helped me improve it and now, even my hacker friend on there can't decrypt it. My only worries are that it is bloated, and I could speed it up with losing security. Anyway, here is how to use it:

$crypt = new crypt; //sets up an instance of the class
$crypt->crypt_key('test_key'); //assigns an encryption key to the instance
$encrypted = $crypt->encrypt('test_data'); //encrypts the data using the key
$decrypted = $crypt->decrypt($encrypted); //decrypts the data using the key

The great thing about it is how easy it is to use it. It is quite secure though, and should hopefully baffle any hacker, whether they have access to the source code or not. It uses base64 a lot, generally to expand the key, as well as to widen the output from md5 and sha1 to a larger 64 set. At the end of the encrypt function and at the start of the decrypt function there is base64; this is to make sure the encrypted text contains only general characters. I also use base64 before encrypting; this is to try to prevent any sort of dictionary attack on the data.

class crypt {
	var $keys;

function crypt_key($ckey){
	$this->keys = array();

	// string offsets use [] here; the {} form is a fatal error on PHP 8
	$c_key = base64_encode(sha1(md5($ckey)));
	$c_key = substr($c_key, 0, round(ord($ckey[0])/5));

	$c2_key = base64_encode(md5(sha1($ckey)));
	$last = strlen($ckey) - 1;
	$c2_key = substr($c2_key, 1, round(ord($ckey[$last])/7));

	$c3_key = base64_encode(sha1(md5($c_key).md5($c2_key)));
	$mid = round($last/2);
	$c3_key = substr($c3_key, 1, round(ord($ckey[$mid])/9));

	$c_key = $c_key.$c2_key.$c3_key;
	$c_key = base64_encode($c_key);

	for($i = 0; $i < strlen($c_key); $i++){
		$this->keys[] = $c_key[$i];
	}
}

function encrypt($string){
	$string = base64_encode($string);
	$keys = $this->keys;
	for($i = 0; $i < strlen($string); $i++){
		$id = $i % count($keys);
		$ord = ord($string[$i]);
		// "=" binds tighter than OR/AND/XOR, so the next three assignments
		// leave $ord unchanged; only the addition below alters the byte
		// (the same holds for the matching lines in decrypt()).
		$ord = $ord OR ord($keys[$id]);
		$id++; // $id is not wrapped and can run past the end of $keys
		$ord = $ord AND ord($keys[$id]);
		$id++;
		$ord = $ord XOR ord($keys[$id]);
		$id++;
		$ord = $ord + ord($keys[$id]);
		$string[$i] = chr($ord);
	}
	return base64_encode($string);
}

function decrypt($string){
	$string = base64_decode($string);
	$keys = $this->keys;
	for($i = 0; $i < strlen($string); $i++){
		$id = $i % count($keys);
		$ord = ord($string[$i]);
		$ord = $ord XOR ord($keys[$id]);
		$id++;
		$ord = $ord AND ord($keys[$id]);
		$id++;
		$ord = $ord OR ord($keys[$id]);
		$id++;
		$ord = $ord - ord($keys[$id]);
		$string[$i] = chr($ord);
	}
	return base64_decode($string);
}
}

Anyway, what do you think??

    I found that there are no good encryption/decryption functions (with keys) built into php, so I decided to put together my own.

    That's true, but the mcrypt library provides strong encryption facilities that can be used from PHP.

    I got some feedback on another forum, which helped me improve it and now, even my hacker friend on there can't decrypt it.

    You should engage the services of a professional cryptanalyst, not some 'hacker friend'.

    It is quite secure though, and should hopefully baffle any hacker, whether they have access to the source code or not.

    The thing is, if one really needs a cryptosystem as a component in a secure system, using a tried and tested algorithm like one of those implemented in mcrypt would be safer than going for an algorithm whose designer claims is secure, but may well be snake oil. Perhaps you could keep to your interface, but implement one of the finalists of the AES competition?
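The suggestion above (keep the `crypt_key()` / `encrypt()` / `decrypt()` interface, put AES behind it) could look like this; it is an added example, not code from the thread. Because mcrypt was removed from PHP in 7.2, it uses the OpenSSL extension with AES-256-GCM. The class name `AeadCrypt`, the PBKDF2 iteration count and the salt/nonce/tag layout of the output are assumptions, and PHP 8.0+ is assumed.

```php
<?php
declare(strict_types=1);
// Hypothetical class; method names follow the interface in the first post.
final class AeadCrypt
{
    private const SALT = 16, NONCE = 12, TAG = 16; // byte lengths
    private const ITERATIONS = 600000;             // assumed PBKDF2 work factor
    private string $passphrase = '';

    public function crypt_key(string $ckey): void
    {
        $this->passphrase = $ckey;
    }

    private function key(string $salt): string
    {
        if ($this->passphrase === '') throw new LogicException('call crypt_key() first');
        return hash_pbkdf2('sha256', $this->passphrase, $salt, self::ITERATIONS, 32, true);
    }

    public function encrypt(string $string): string
    {
        $salt = random_bytes(self::SALT);      // fresh salt, so a fresh key per message
        $nonce = random_bytes(self::NONCE);    // must never repeat under one key
        $tag = '';
        $ct = openssl_encrypt($string, 'aes-256-gcm', $this->key($salt),
            OPENSSL_RAW_DATA, $nonce, $tag, '', self::TAG);
        if ($ct === false) throw new RuntimeException('encryption failed');
        return base64_encode($salt . $nonce . $tag . $ct);
    }

    public function decrypt(string $string): string
    {
        $raw = base64_decode($string, true);
        $head = self::SALT + self::NONCE + self::TAG;
        if ($raw === false || strlen($raw) < $head) throw new RuntimeException('malformed input');
        $salt = substr($raw, 0, self::SALT);
        $nonce = substr($raw, self::SALT, self::NONCE);
        $tag = substr($raw, self::SALT + self::NONCE, self::TAG);
        $pt = openssl_decrypt(substr($raw, $head), 'aes-256-gcm', $this->key($salt),
            OPENSSL_RAW_DATA, $nonce, $tag);   // returns false if the tag does not verify
        if ($pt === false) throw new RuntimeException('wrong key or tampered data');
        return $pt;
    }
}
$crypt = new AeadCrypt();
$crypt->crypt_key('test_key');                 // constructed sample key
$encrypted = $crypt->encrypt('test_data');
var_dump($crypt->decrypt($encrypted) === 'test_data');
```

Unlike a bare XOR or addition scheme, GCM rejects a ciphertext that has been modified or that is opened with the wrong key, instead of returning garbage.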

      laserlight wrote:

      That's true, but the mcrypt library provides strong encryption facilities that can be used from PHP.

      You should engage the services of a professional cryptanalyst, not some 'hacker friend'.

      The thing is, if one really needs a cryptosystem as a component in a secure system, using a tried and tested algorithm like one of those implemented in mcrypt would be safer than going for an algorithm whose designer claims is secure, but may well be snake oil. Perhaps you could keep to your interface, but implement one of the finalists of the AES competition?

      I see what you mean, I need a pro to make sure it is secure. The mcrypt is a good library, and I was well aware of it for a long time before I used this function.

      What I am thinking, however, is that this kind of function would be useful for a php project which would be used by lots of different users, with lots of different setups.

      At the end, I am slightly confused, do you mean implementing an AES algorithm in pure php? It might be a good idea, but I wouldn't want to be the one to do it. To start with, it would probably be very difficult and secondly it would be slow, taking up time; something I don't have much of. However, do you know of any AES algorithms already coded in php?

      Thanks for your comments laserlight

        At the end, I am slightly confused, do you mean implementing an AES algorithm in pure php?

        Not necessarily, but if you keep to what you're doing now, yes.

        To start with, it would probably be very difficult and secondly it would be slow, taking up time; something I don't have much of.

        That's true, and it will likely be slow to run as well. But that's the price of writing it in PHP instead of making it an extension written in say, C.

        However, do you know of any AES algorithms already coded in php?

        Unfortunately, no, but then the mcrypt extension does make such implementations unnecessary most of the time.

          laserlight wrote:

          Not necessarily, but if you keep to what you're doing now, yes.

          That's true, and it will likely be slow to run as well. But that's the price of writing it in PHP instead of making it an extension written in say, C.

          Unfortunately, no, but then the mcrypt extension does make such implementations unnecessary most of the time.

          yeh, mcrypt would be best, but do you think this function would be ok in a cms? the cms is planned to be large, not mambo large but textpattern large

            There is an implementation of RC4 on PEAR; there are also earlier threads giving PHP code for the algorithm here and here. As ever, it pays to read the threads rather than just copy&pasting code, otherwise you might miss bug reports or implementation flaws (there's no point having cryptography if the surrounding security protocol is vulnerable).

              19 days later

              I would like to ask for some opinions regarding my encryption...

              
              <?php
              
              if (!eregi("admin.php", $_SERVER['PHP_SELF'])) {
                  die ("You can't access this file directly...");
              }
              
              session_start();
              if(!$_SESSION['is_login']) { exit(Sila_Login); }
              
              $loop = 5;
              
              ?><br>
              	<br>
              		<p><center><H3>Pin Number Submission Center</H3></center></p>
              
              
              <?php
              
              if ($submit) {
              
              include 'config.php';
              
              /******************************************/
              
              
              function md5_encrypt($plain_text, $iv_len = 16)	{
              	   $plain_text .= "\x13";
              	   $n = strlen($plain_text);
              	   if ($n % 16) $plain_text .= str_repeat("\0", 16 - ($n % 16));
              	   $i = 0;
              	   $enc_text = get_rnd_iv($iv_len);
              	   while ($i < $n) {
              		   $block = substr($plain_text, $i, 16) ^ pack('H*', md5($iv));
              		   $enc_text[] .= $block;
              		   $i += 16;
              	   }
              	   return base64_encode($enc_text);
              	}
              
              function get_rnd_iv($iv_len)		{
              	   $iv = '';
              	   while ($iv_len-- > 0) {
              		   $iv .= chr(mt_rand() & 0xff);
              	   }
              	   return $iv;
              	}
              
              for ( $i = 0 ; $i <$loop ; $i++ ) {
              
              $plain_text = $card[$i];
              }
              
              
              $enc_text = md5_encrypt($plain_text);
              
              for ( $i = 0 ; $i < $loop ; $i++ ) {
              	$enc_texts = $enc_text[$i];
              		$sql ="INSERT into simpanan (date,status,card) VALUES(NOW(),'0','$enc_texts')";
              		$result=mysql_query($sql);
              	next($enc_texts);
              }
              }
              else{
                // display form
              
              
              ?>
              <form method="post" action="<?php echo $PHP_SELF?>"><? for($i=1; $i<=$loop; $i++){?>
              	<table bordercolor='#ff9900' border='0' size='70%'>
                <tr><td><font color="#000000" size="2" face="Verdana, Arial, Helvetica, sans-serif"><b>Pin Number</b><td><input type="Text" name="card[]" style="font-family: verdana; font-size: 8pt; background-color: #C8D7F2"></tr><? } ?>
                </table>
                <br>
                <input type=hidden name=loop value=$loop>
                <input type="Submit" name="submit" value="Submit">
                </center>
                </form>
              <?
              }
              
              
              ?>
              
              

              this is the code... I try to loop it... without looping I can encrypt or decrypt the input without a problem... but that is for one piece of data... but I need to insert multiple pieces of data into the same table at the same time... so I've run out of ideas right now.... if someone can give an idea... that would be great...

              what i want to do is...

              we have multiple text input data for the pin numbers
              after we click submit, all the multiple data will be encrypted and INSERT into the table...

              normally we loop the query, but I am really confused about how we can loop the encryption of the multiple data inputs...

              hopefully this explain everything... thanks a lot up front
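One way to do what the post above asks (encrypt each submitted PIN and insert one row per PIN), as an added example that is not the poster's code. It encrypts inside the same loop that runs the query, uses a prepared statement, and swaps the MD5-based routine for libsodium's `sodium_crypto_secretbox`. The function names are hypothetical, the table and column names come from the post, and an in-memory SQLite database (pdo_sqlite extension, PHP 8.0+) stands in for MySQL so the block runs offline.

```php
<?php
declare(strict_types=1);

// Authenticated encryption of one value; the random nonce is stored in front.
function seal_pin(string $pin, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($pin, $nonce, $key));
}

function open_pin(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if ($raw === false || strlen($raw) <= $n) throw new RuntimeException('malformed value');
    $pin = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $key);
    if ($pin === false) throw new RuntimeException('wrong key or tampered value');
    return $pin;
}

// Encrypt every non-empty card[] entry and insert one row per entry.
function store_pins(PDO $db, array $cards, string $key): int
{
    $stmt = $db->prepare("INSERT INTO simpanan (date, status, card) VALUES (:d, '0', :c)");
    $db->beginTransaction();               // all rows are stored, or none
    $n = 0;
    foreach ($cards as $card) {
        $card = trim((string) $card);
        if ($card === '') continue;        // skip form fields left blank
        $stmt->execute([':d' => date('Y-m-d H:i:s'), ':c' => seal_pin($card, $key)]);
        $n++;
    }
    $db->commit();
    return $n;
}

// Constructed demo data; in the real page $posted would be $_POST['card'].
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE simpanan (date TEXT, status TEXT, card TEXT)');
$key = sodium_crypto_secretbox_keygen();   // in practice, load a stored key from config
$posted = ['1234-5678', '', '9999-0000'];
echo store_pins($db, $posted, $key), " rows stored\n";
foreach ($db->query('SELECT card FROM simpanan') as $row) {
    echo open_pin($row['card'], $key), "\n";
}
```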
