Encryption & Decryption using a pass key

Hey guys,

Just wondering if this would be enough so that some script kiddie/or maybe advanced hacker can't decrypt this. Looking to do some massive encryption for a user system I am creating. Is this enough? And when I mean enough, I mean so that hackers will take one look and say not worth it - meaning it will be very hard/impossible to decrypt without the pass key.


PHP:
<?php
$key = "some pass code";
$input = "the text needing encryption";

// Encrypt with Triple DES in ECB mode. ECB does not use the IV, and mcrypt
// pads the input with NUL bytes up to a multiple of the block size.
$td = mcrypt_module_open('tripledes', '', 'ecb', '');
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
mcrypt_generic_init($td, $key, $iv);
$encrypted_data = mcrypt_generic($td, $input);
echo "$encrypted_data";
mcrypt_generic_deinit($td);
mcrypt_module_close($td);

// now to decrypt it here (will use same pass key above, but the admin section will request the pass key before showing the decrypted data)

$td2 = mcrypt_module_open('tripledes', '', 'ecb', '');
$iv2 = mcrypt_create_iv(mcrypt_enc_get_iv_size($td2), MCRYPT_RAND);
mcrypt_generic_init($td2, $key, $iv2);
// mdecrypt_generic() returns the padded plaintext, trailing NUL bytes included.
$encrypted_data2 = mdecrypt_generic($td2, $encrypted_data);
echo "<br><br>Decrypted Data: $encrypted_data2";
mcrypt_generic_deinit($td2);
mcrypt_module_close($td2);
?>

I'm no good with encryption and decryption when it comes to php, I know very little in this area of php, everything else I am fine at. Is this really enough?

The above script works fine, but for some reason it shows question marks after the decrypted data. Not sure if I'm doing something wrong, but I guess I can discard those unless the user has his/her password ending with a question mark. If anyone knows another way that's better than this, let me know.

Any inputs are appreciated :tu:
 
0
•••
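
Added example, not code from the thread: the same passphrase round trip done with AES-256-GCM from PHP's OpenSSL extension, using a PBKDF2-derived key and a fresh random nonce stored with the ciphertext, so decryption returns the input at its exact length and fails on a wrong passphrase or altered data. The function names, iteration count and blob layout are assumptions chosen for illustration.

```php
<?php
// Added example, not from the thread. Function names, the iteration count
// and the blob layout (salt | nonce | tag | ciphertext) are assumptions.
const KDF_ITERATIONS = 600000; // assumed work factor; tune for your hardware
const SALT_LEN = 16;
const NONCE_LEN = 12;          // nonce size for GCM
const TAG_LEN = 16;            // authentication tag size

function encrypt_with_passphrase(string $plaintext, string $passphrase): string
{
    $salt = random_bytes(SALT_LEN);
    $nonce = random_bytes(NONCE_LEN);
    // Stretch the passphrase into a 256-bit key rather than using it directly.
    $key = hash_pbkdf2('sha256', $passphrase, $salt, KDF_ITERATIONS, 32, true);
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Salt, nonce and tag are not secret; they travel with the ciphertext.
    return base64_encode($salt . $nonce . $tag . $ct);
}

function decrypt_with_passphrase(string $blob, string $passphrase): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < SALT_LEN + NONCE_LEN + TAG_LEN) {
        throw new InvalidArgumentException('malformed ciphertext');
    }
    $salt = substr($raw, 0, SALT_LEN);
    $nonce = substr($raw, SALT_LEN, NONCE_LEN);
    $tag = substr($raw, SALT_LEN + NONCE_LEN, TAG_LEN);
    $ct = substr($raw, SALT_LEN + NONCE_LEN + TAG_LEN);
    $key = hash_pbkdf2('sha256', $passphrase, $salt, KDF_ITERATIONS, 32, true);
    // GCM verifies the tag: a wrong passphrase or modified blob returns false.
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($pt === false) {
        throw new RuntimeException('wrong passphrase or tampered data');
    }
    return $pt;
}

// Constructed sample values, matching the variables in the original post.
$blob = encrypt_with_passphrase('the text needing encryption', 'some pass code');
var_dump(decrypt_with_passphrase($blob, 'some pass code'));
try {
    decrypt_with_passphrase($blob, 'wrong pass code');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```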
The views expressed on this page by users and staff are their own, not those of NamePros.
It's all good 'in theory': in reality, however...

The problem is that even though the data is protected, the rest of the script is not. Now, that's normally not a problem but here the problem is that a 'hacker' could just edit your script to write the password out once it has been retrieved and then have access to it forever...

Unless, of course, I'm missing something!
 
0
•••
To be honest, if the data is to be sent over an HTTP connection then it does not matter how well you encrypt the data on the server. All the hacker would need to do is sniff the traffic in and out of the server and then never need the decrypt key.

So therefore doing something like this is going to be useless unless you are going to use a secure transfer like https.

Encrypting and decrypting are quite expensive in terms of server resources so unless there is a real need to do it I would advise against it.
 
0
•••
Another idea is to just do what hushmail does and use a clientside applet to do the decryption for you. That way, only the ciphertext is ever sent over the network, and the plaintext stays on your machine.
 
0
•••
TwistMyArm said:
It's all good 'in theory': in reality, however...

The problem is that even though the data is protected, the rest of the script is not. Now, that's normally not a problem but here the problem is that a 'hacker' could just edit your script to write the password out once it has been retrieved and then have access to it forever...

Unless, of course, I'm missing something!

Of course, I would protect it using Zend anyways.

filth@flexiwebhost said:
To be honest, if the data is to be sent over an HTTP connection then it does not matter how well you encrypt the data on the server. All the hacker would need to do is sniff the traffic in and out of the server and then never need the decrypt key.

So therefore doing something like this is going to be useless unless you are going to use a secure transfer like https.

Encrypting and decrypting are quite expensive in terms of server resources so unless there is a real need to do it I would advise against it.

I already have an SSL cert (https), the only part I wanted to cover was the encryption, not the rest. I have everything else in place.

monaco said:
Another idea is to just do what hushmail does and use a clientside applet to do the decryption for you. That way, only the ciphertext is ever sent over the network, and the plaintext stays on your machine.

I'm not sure how I would do that, but it sure is a great idea.
 
0
•••
That's quite a lot of mcrypt.. Which is quite server extensive.. Why not just do simple md5? Add a md5 to a md5..

Like
Passkey: test
MD5: 098f6bcd4621d373cade4e832627b4f6
Password: cheese
MD5 = cheese + 098f6bcd4621d373cade4e832627b4f6
= 20bc20dcf0cbaa43bef6fdaa8e3da5bb

Mind you this is total and utter useless lol.. I am just saying if you want to make it look like it does something.. or better yet make your VERY OWN encrypting system.. But you need to be quite the math dude for that..

If you have an SSL Cert.. Normal MD5 is all you need.. A hacker will get in one way or another.. And any encryption method has a way of decrypting it.. Even hash.. it might take them 30 years to find the equation.. But it can still be done..

If you want credit card.. The best bet would be to encrypt a math equation to the credit card number

Like your CC number is
4111111111111111
Then an equation could be as simple as
round(965552365 * 4257781.6182047371402792845937465) = 4111111111111111

A hacker will see this equation and might not think it has anything to do with it. Mind you rounding can cause issues lol.. But this is just an example :)

- Steve
 
0
•••
iNod said:
That's quite a lot of mcrypt.. Which is quite server extensive.. Why not just do simple md5? Add a md5 to a md5..

Like
Passkey: test
MD5: 098f6bcd4621d373cade4e832627b4f6
Password: cheese
MD5 = cheese + 098f6bcd4621d373cade4e832627b4f6
= 20bc20dcf0cbaa43bef6fdaa8e3da5bb

Mind you this is total and utter useless lol.. I am just saying if you want to make it look like it does something.. or better yet make your VERY OWN encrypting system.. But you need to be quite the math dude for that..

If you have an SSL Cert.. Normal MD5 is all you need.. A hacker will get in one way or another.. And any encryption method has a way of decrypting it.. Even hash.. it might take them 30 years to find the equation.. But it can still be done..

If you want credit card.. The best bet would be to encrypt a math equation to the credit card number

Like your CC number is
4111111111111111
Then an equation could be as simple as
round(965552365 * 4257781.6182047371402792845937465) = 4111111111111111

A hacker will see this equation and might not think it has anything to do with it. Mind you rounding can cause issues lol.. But this is just an example :)

- Steve

Yes, but md5 is one way hashing, and I need to be able to pull up the encrypted data at one point.
 
0
•••
:O Well then you have a few choices. base 64, mcrypt and crypt.. No matter how you do it, it will always be hackable..

- Steve
 
0
•••
You could try converting it to Spanish, then binary..








What you did is good enough.. just go with it.
 
0
•••
How would it get "decrypted", connecting to another server?

Where will the connection be made, in the script?
How long will it take to remove that code...?

Want to encrypt that code too...though you need to decrypt it first.

You should really tell us more details how the code is going to be executed.
 
0
•••
iNod said:
:O Well then you have a few choices. base 64, mcrypt and crypt.. No matter how you do it, it will always be hackable..

- Steve

The above is using mcrypt. Base 64 is way too easy to crack because there is a base 64 decode :p, that's why I need a password on the encryption.
 
0
•••
It's a shame there isn't a way to emulate mcrypt in client side scripts like Javascript or Java.. that way you could use https and only ever need to send encrypted data over the network, so it can be decrypted using their desired key their end. But really to make it a really good encryption, you need to know what data you will be storing and how it will be accessed etc.

Oh and encrypting it in Zend will not stop any persistent hacker, there are many decryption services floating around on the web...
 
0
•••
beaver6813 said:
It's a shame there isn't a way to emulate mcrypt in client side scripts like Javascript or Java.. that way you could use https and only ever need to send encrypted data over the network, so it can be decrypted using their desired key their end. But really to make it a really good encryption, you need to know what data you will be storing and how it will be accessed etc.

Oh and encrypting it in Zend will not stop any persistent hacker, there are many decryption services floating around on the web...

Yeah, I was thinking of having a passkey for the passkey (and so on) :laugh:

Hackers are known to be lazy/sloppy, I don't think they would want to decrypt something then find another encrypted item. I think I will use the above, it should be enough.
 
0
•••
I was thinking about making something before.. so here it goes.

Have a column in your database which will have some numbers in it, like "2 3 1".
Then have the data column be split into three chunks in its column. "n D a". (Of course this would be a larger chunk of data and maybe mcrypted/base64_encoded, too.)

Then based on the number column, you could get the data in the right order. The first chunk is the 2nd group (D), then the third group (a), then the first (n). You'd then have "D a n". Then you could strip the spaces and decrypt it with whatever you use.

(And maybe even have a numbers column for the numbers column? D-:)

Iuno. :tri:
 
0
•••
Dan said:
I was thinking about making something before.. so here it goes.

Have a column in your database which will have some numbers in it, like "2 3 1".
Then have the data column be split into three chunks in its column. "n D a". (Of course this would be a larger chunk of data and maybe mcrypted/base64_encoded, too.)

Then based on the number column, you could get the data in the right order. The first chunk is the 2nd group (D), then the third group (a), then the first (n). You'd then have "D a n". Then you could strip the spaces and decrypt it with whatever you use.

(And maybe even have a numbers column for the numbers column? D-:)

Iuno. :tri:

Hmm, great idea Dan! Never thought of something like that, probably would be too hard to decrypt for the hackers. Maybe even have some weird named column too instead of having them numbered in order, but only I would know the correct order.

Hmm, interesting idea. Will have to give it a try :great:
 
0
•••
artofmobile said:
Why don't you do an MD5 hashing using javascript?

You can't decrypt MD5 and he needs to be able to decrypt it.
 
0
•••
Dan said:
artofmobile said:
Why don't you do an MD5 hashing using javascript?

You can't decrypt MD5 and he needs to be able to decrypt it.

wrong... rainbow tables
 
0
•••
Oh that's an awesome idea Dan.. Split your text up into symbols to represent letters.

Like

) = A
$ = P

That way they get this %(#(%#* %(#*$!@($&@*$&)@&%&@)(%%@ and think it is still encoded..

- Steve
 
0
•••
iNod, I didn't mean it as each number is each letter. The letters were supposed to be chunks of data, like a third of the base64_encode'd string.

"2 1 3"
"J5cHRpbmcgc2 SSdtIGVuY3 9tZXRoaW5nLg=="

Then when you see that the first part of the real string is the 2nd chunk, you would take SSdtIGVuY3 first. Then you'd take J5cHRpbmcgc2; then 9tZXRoaW5nLg==.

You'd be left with SSdtIGVuY3J5cHRpbmcgc29tZXRoaW5nLg== and now you can base64_decode it.

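PHP:
// $row is the fetched database row holding the 'order' and 'data' columns
$order = explode(" ", $row['order']);
$data  = explode(" ", $row['data']);
$rdata = '';
foreach ($order as $number)
{
    // chunk numbers in the order column are 1-based
    $rdata .= $data[$number - 1];
}
$rdata = base64_decode($rdata);
echo $rdata;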

I'm just using base64 as the example because it's easy for me. I'd still mcrypt it or something for the real script.
 
0
•••