Thread: Php Blowfish Encryption/Decryption

  1. #1 Php Blowfish Encryption/Decryption 
    OG KingFox
    Learned this some time ago and have been using it for a while now for password encryption.

    The first method will encrypt any string. You can encrypt the same thing more than once, and it will produce different results each time.

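    Code:
    // Note: the mcrypt extension was deprecated in PHP 7.1 and removed in PHP 7.2.
    function encrypt($data, $key) {
    	// Blowfish has a 64-bit block, so the CBC IV is 8 bytes.
    	$size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC);
    	// Use the OS CSPRNG for the IV; MCRYPT_RAND is not cryptographically secure.
    	$iv = mcrypt_create_iv($size, MCRYPT_DEV_URANDOM);
    	// mcrypt zero-pads $data to a multiple of the block size.
    	$crypt = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $data, MCRYPT_MODE_CBC, $iv);
    	// Output is hex: the first 16 hex characters are the IV, the rest is ciphertext.
    	return bin2hex($iv . $crypt);
    }
    This second method can decrypt the string or data as long as the same key is used that encrypted the data:

    Code:
    function decrypt($data, $key) {
    	// The first 16 hex characters are the 8-byte IV written by encrypt().
    	$iv = pack("H*", substr($data, 0, 16));
    	// The remainder is the ciphertext.
    	$x = pack("H*", substr($data, 16));
    	$res = mcrypt_decrypt(MCRYPT_BLOWFISH, $key, $x, MCRYPT_MODE_CBC, $iv);
    	// Strip the zero padding mcrypt added (this also strips genuine trailing NUL bytes).
    	return rtrim($res, "\0");
    }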
    So if we do this:
    Code:
    $encrypted = encrypt("Some Text To Encrypt", "3a39!-%8");
    $decrypted = decrypt($encrypted, "3a39!-%8");
    
    echo 'Encrypted: '.$encrypted.'<br>';
    echo 'Decrypted: '.$decrypted;
    we end up with this:
    Code:
    Encrypted: f2ec23ba6136e698ad6111c202d58d9cd5dfe297b3b901a499b7e61d6d508742
    Decrypted: Some Text To Encrypt
    Note how the key on encrypt and decrypt is the same. If you provide an invalid key, you get a bunch of invalid characters.
    Also, each time you encrypt a string, you will get a unique encryption. Example:

    So if we were to run this in a loop like so:
    Code:
    for ($i = 0; $i < 3; $i++) {
    	$encrypted = encrypt("Some Text To Encrypt", "3a39!-%8");
    	$decrypted = decrypt($encrypted, "3a39!-%8");
    
    	echo 'Encrypted: '.$encrypted.'<br>';
    	echo 'Decrypted: '.$decrypted.'<br><br>';
    }
    We've encrypted it the same way, with the same key, but the encryption comes out differently each time:

    Code:
    Encrypted: e730d58041e6136b9ec923bfd695fd95b654e48d08b3ab3c4724c473dad8abde
    Decrypted: Some Text To Encrypt
    
    Encrypted: 110742f9211e8c64e90d180d93b12d4028186835830502c64e0b2a367e5678c0
    Decrypted: Some Text To Encrypt
    
    Encrypted: 10f0c65669409bd6e2ec95a42086c0ff2d21f81404a5709fee63d552e00bb282
    Decrypted: Some Text To Encrypt
    As long as you provide the same key to decrypt as you did to encrypt, you get the same decryption.

    Hope this helps

  3. #2  
    Anthony`
    If you encrypt passwords where are you storing the private keys?
  4. #3  
    Sieg
    Seems useless. If your database gets compromised they can just decrypt all the passwords.

    When working with passwords it would be best to just hash & salt

  6. #4  
    OG KingFox
    Quote Originally Posted by Sub-Zero View Post
    Seems useless. If your database gets compromised they can just decrypt all the passwords.

    When working with passwords it would be best to just hash & salt
    Do you realize that can still be decrypted because they have to be stored in the database.....

    If you don't store the key in the database they can't be decrypted. Use the same key for every password, even if they get the passwords, storing them online won't do much good without the keys because each encryption would be unique.

    And there's no problem with defining the key as a variable. Shouldn't have an insecure website to begin with >..>

    Edit: hell, you could even encrypt a user-key and store it on the database and have it decrypted with a master key as a variable, then use the user key to decrypt the user password. You could then generate unique keys per user. >..>

    would be much more secure cause if in mda sha, each encryption comes out the exact same

  7. #5  
    Anthony`
    Quote Originally Posted by King Fox View Post
    Do you realize that can still be decrypted because they have to be stored in the database.....

    If you don't store the key in the database they can't be decrypted. Use the same key for every password, even if they get the passwords, storing them online won't do much good without the keys because each encryption would be unique.

    And there's no problem with defining the key as a variable. Shouldn't have an insecure website to begin with >..>

    Edit: hell, you could even encrypt a user-key and store it on the database and have it decrypted with a master key as a variable, then use the user key to decrypt the user password. You could then generate unique keys per user. >..>

    would be much more secure cause if in mda sha, each encryption comes out the exact same
    I don't think you understand what a hash function is. Hashes are designed so they CAN'T be reversed, which implies you can't decrypt a hash. The only way to get the source string (the raw password) is if you figure out a flaw in the algorithm; but neither you nor I will ever have the mathematical capabilities to do such things -- we're talking about advanced cryptography here. People don't often figure out flaws in such hash functions, so they bruteforce them by having a GPU calculate hashes from a dictionary and compare it to the hashed string (rainbow tables, etc.). This is why you shouldn't use SHA or MD5 as your hash since they're fast...

    tl;dr Don't encrypt passwords.... use a hash like the real professionals do.
  9. #6  
    What Anthony said^
    Wouldn't feel safe having my password stored in a rsps database where passwords weren't hashed.
    I've seen leaks of databases before, some servers with their accounts in the thousands stored passwords in plain text. It's nuts that some servers sell player files after they close too tbh.
  11. #7  
    IlluZive
    For ppl who're still using this, for the love of god use phpass to hash your passwords in php. It uses bcrypt.
    Reply With Quote  
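
Added example, not part of the original thread or any poster's code: the hash-instead-of-encrypt approach the replies recommend, using PHP's built-in `password_hash()` (bcrypt) rather than the phpass library named above. The cost of 12, the 72-byte length check and the helper names `hash_password()` / `check_password()` are assumptions chosen for illustration.

```php
<?php
// Added example: password storage with PHP's built-in bcrypt support
// instead of reversible encryption. Sample password is constructed.

const BCRYPT_OPTIONS = ['cost' => 12]; // assumption: tune to your hardware

// Store only the returned string; it embeds the algorithm, cost and a random salt.
function hash_password(string $password): string
{
    // bcrypt only uses the first 72 bytes of input; reject longer values
    // rather than silently truncating them.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Returns [bool $ok, ?string $upgradedHash]. No key is involved, so a stolen
// database (or a stolen config file) contains nothing that reverses the value.
function check_password(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Re-hash on successful login when the stored cost is below current policy.
    $upgrade = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)
        ? hash_password($password)
        : null;
    return [true, $upgrade];
}

$a = hash_password('Some Text To Encrypt');
$b = hash_password('Some Text To Encrypt');

// Same input, two different stored strings: the per-hash salt is random,
// so identical passwords are not visible as identical rows.
var_dump($a !== $b);
var_dump(check_password('Some Text To Encrypt', $a)[0]);
var_dump(check_password('wrong guess', $a)[0]);

// A hash created earlier with a cheaper cost still verifies and is flagged
// for upgrade on the next successful login.
$old = password_hash('Some Text To Encrypt', PASSWORD_BCRYPT, ['cost' => 10]);
[$ok, $upgraded] = check_password('Some Text To Encrypt', $old);
var_dump($ok, $upgraded !== null);
```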
     

