Hi, how can I encrypt and decrypt passwords using PHP 4 and Win NT? I don't want to use one-way encryption like MD5, because if a user forgets their password I'll have to send it, so I need to be able to decrypt it.

Can anyone help me please?

    Roger,
    If the only reason you want a two-way decryption program is if users forget their passwords, I suggest that you stick with md5 and simply reset a user's password to their user name if they forget it. You could also give the user a temporary password and force them to change it on their next login. (This is, of course, assuming you are sure that the user is authentic.)

    Rogerio Brito wrote:

    Hi, how can I encrypt and decrypt passwords using PHP 4 and Win NT? I don't want to use one-way encryption like MD5, because if a user forgets their password I'll have to send it, so I need to be able to decrypt it.

    Can anyone help me please?
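As an added example (not code from this thread), a Python sketch of the hash-and-reset flow Kirk describes above: passwords are stored only as salted one-way hashes, and a forgotten password is replaced by a random temporary one that must be changed on the next login. The hash choice (PBKDF2-HMAC-SHA256 rather than the MD5 mentioned), the iteration count and the in-memory user table are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000  # assumption for the example; tune for your hardware


def hash_password(password, salt=None):
    """One-way hash: per-user random salt + iterated PBKDF2-HMAC-SHA256.
    Stored as 'salt_hex$hash_hex'; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed in-memory "user table" standing in for the database.
users = {}


def create_user(username, password):
    users[username] = {"hash": hash_password(password), "must_change": False, "temp_expires": None}


def reset_password(username, ttl_seconds=3600):
    """Forgotten password: issue a random temporary password (returned so it can be
    delivered out of band) and force a change on next login; it also expires."""
    temp = secrets.token_urlsafe(9)
    users[username] = {"hash": hash_password(temp), "must_change": True,
                       "temp_expires": time.time() + ttl_seconds}
    return temp


def login(username, password):
    """Returns 'ok', 'change_required' (temporary password accepted) or 'denied'."""
    rec = users.get(username)
    if rec is None or not verify_password(password, rec["hash"]):
        return "denied"
    if rec["must_change"]:
        if rec["temp_expires"] is not None and time.time() > rec["temp_expires"]:
            return "denied"  # expired temporary password
        return "change_required"
    return "ok"


def change_password(username, old, new):
    """Only succeeds if the current (or temporary) password is presented."""
    if login(username, old) == "denied":
        return False
    users[username] = {"hash": hash_password(new), "must_change": False, "temp_expires": None}
    return True
```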

      Thanks Kirk, that's a good idea, I think I'll do it. But I wonder if there is any way I could do a good two-way encryption on NT? I might need it in other applications.

        If you are intent on two-way encryption then why don't you just use SSL? Its whole purpose is to provide the secure environment you are talking about, and you would not require the extra PHP code for the encryption process.
        Alternately you could write an encryption module similar to the way SSL works with public and private encryption keys. However, the problem you would probably run into is writing the "client/browser" version of the module, which obviously cannot be written in PHP. I investigated this looking to use random BIG prime numbers as the basis for my encryption keys. I found problems with Javascript as it could not generate random BIG prime numbers quickly enough. In my own personal opinion, it is not possible to write such secure connections without using some form of specialised client or physically modifying the user's browser. In such case you are only reinventing the wheel....

          SSL only provides encryption from the browser to the server.

          There is no point in using SSL if you store information in your database in plain text.

          We use the hash for storing passwords but use PGP/GNUPG for encrypting data. This allows encryption and decryption.

          Regards
          Darren
          http://www.php4hosting.com $
          http://www.php4hosting.co.uk £

            I apologise if I am wrong here, but once the SSL is applied is it not the case that all data is encrypted in transit? Therefore if you switch to https at login time, user details are automatically encrypted/decrypted anyway? Therefore all textual or otherwise data in the db is also going to be encrypted when transferred? Obviously SSL/https is not any use when you are using applications not based on http. However, if I was going to go for the quickest, most secure solution for browser to server http communication (such as php pages) then SSL would be my choice.

              Yes, it's encrypted, but not when it is saved in the database. If you have information stored in a database, unless it's encrypted it's insecure, as anyone who gains access to the database can read the unencrypted data.

              SSL is only a small part of a secure system.

              Darren

                Obviously, unencrypted data is more insecure than encrypted data. But I ask myself, what sort of security-intensive data would I be wanting to store on what is initially a public access web site? When it comes down to it, if it is so critical then I wouldn't provide a web portal/connection to it! However, if it is a simple case of usernames & passwords, coupled with credit card stuff etc., then why not use SSL and then concentrate all other efforts on making the db inaccessible from any other source point than "localhost" etc. If at this point we are going to say that the actual server could be insecure then surely we have gone a bit off topic. This thread was initially about the simple transferring of passwords.

                  Hi guys, thanks for your help.
                  I agree when you say that for simple passwords I can use one-way encryption to store the data in the database; however, I believe that there are some applications where I must use encryption to store the data and still be able to retrieve it.

                  Where can I find some documentation on how to implement PGP/GNUPG?

                  Thanks a lot.

                    Hi

                    PGP is not free (not for commercial use anyway): http://www.pgpi.org/
                    GNUPG is, however: http://www.gnupg.org/

                    I use GNUPG on our servers and PGP on workstations as this works very well with Outlook. Even a single workstation license is only around $80.

                    Darren

                      Storing data unencrypted in a database is asking for trouble. If it's encrypted it's protected. Even by restricting access it's still not secure.

                      And many people can't afford the cost of dedicated machines etc...

                      I would recommend encrypting data of all types, e-mails, names, addresses etc...

                      This is the only way to guarantee your customers' privacy.

                      Just by assuming your database or server is secure is a bad attitude.

                      Darren

                        a month later

                        I am using SSL to securely transmit data/documents from my clients to my web server. However, I need to store data/documents on the server in an encrypted format.

                        You mentioned you use PGP for encrypting data. How do you encrypt the data then decrypt it to send it to a client when they request the document/data? (i.e. I place an encrypted Word document on my web site. My client then requests the document.) How do I decrypt it to send it to him so that he can view it?

                        If the private decrypt key is on the server (that I need to decrypt the document) then it is pointless to encrypt the document.

                        Any suggestions you have on this would be very helpful!

                        Thanks!

                          This is exactly what I am trying to do: store all my data encrypted on the server. However, being new to encryption I am not sure how to do this.

                          If I encrypt the data I need a key to decrypt it.... If my user is accessing the data via a web browser he has no way to provide the decryption key, thus it needs to be available on the server, correct? If it's available on the server then I might as well not encrypt it.

                          Maybe I am missing something here? I appreciate any suggestions you have!

                            If you want to encrypt the data but be able to decrypt it as well as your client, you can share a key.

                            You both have a copy of the private key and then encrypt the data using the public key.

                            Darren

                              I do understand that we both need the key. My concern is the clients are not very technically savvy.... I cannot require them to use PGP or anything that requires them downloading the document then decrypting it.

                              It needs to be seamless to the client. (They should be able to click on the document in a browser/download it and view it.)

                              Is there a way to automate this process? Either decrypting the PGP document before I send it using SSL, or auto-decrypting once received by the client?

                              This is the real problem I am having.....

                                How do you encrypt your web site visitors' data, store it in a database and then decrypt it when necessary? If the web site visitor has the key on their local machine, how do you use it to decrypt their data???

                                  a month later

                                  Shan .... have you got the solution to the problem you are talking about, i.e. if the private decrypt key is on the server then it is pointless to encrypt the document?

                                  I also want to do the same thing that you are talking about, i.e. I want to encrypt the data and store it in the database and later at some point in time I'll take the data from the database and decrypt it... if somebody has some suggestions regarding this, please let me know... thanks a lot

                                  Shan wrote:

                                  I am using SSL to securely transmit data/documents from my clients to my web server. However, I need to store data/documents on the server in an encrypted format.

                                  You mentioned you use PGP for encrypting data. How do you encrypt the data then decrypt it to send it to a client when they request the document/data? (i.e. I place an encrypted Word document on my web site. My client then requests the document.) How do I decrypt it to send it to him so that he can view it?

                                  If the private decrypt key is on the server (that I need to decrypt the document) then it is pointless to encrypt the document.

                                  Any suggestions you have on this would be very helpful!

                                  Thanks!

                                    5 months later

                                    Hi

                                    I noticed your message on the support groups. I have a very similar problem, and I wondered how you solved yours? The thread seems to disappear off into something else entirely.

                                    First of all I am not using a secure connection, we want to encrypt the data in php, send it down the telephone line to a client (it will all be safely encrypted) and then decrypt it using another program.

                                    The tricky bit (or one of them at least) seems to me to be how on earth do we know how to decrypt it since we won't be using php?

                                    Any ideas?

                                    Thanks

                                    Elizabeth

                                      Hi Elizabeth.

                                      Sorry, I haven't implemented anything like that yet, I am still using MD5 for passwords. But I think you can do it with PGP.

                                      Rogerio