Re: [PHP] Studying mcrypt

2011-08-04 Thread Donovan Brooke

Alex Nikitin wrote:
[snip]

Also you shouldn't actually encrypt passwords, the proper way to store them
is hashed, so that if someone grabs your database, they dont have your
passwords, even if they have the key.



Hello, since this thread is about studying mcrypt...

In another language, for a top security with the ability to retrieve 
data situation, I use a method that stores an encrypted key, but then 
also, the entire pages are encrypted as well, with a separate utility, 
where I only know the key. Think of it as compiling your software, only 
it is not compiling, it's encrypting, and it's then

able to run as if it were compiled.

The end result is that the key to any encrypted sensitive info does not 
reside on the server, it resides with me on my local system... thus the

passwords are safely encrypted, yet I can retrieve them manually.

I don't know that PHP has the ability to run in compiled or encrypted 
form.. does it? If not, I guess a 1 way, non-key encryption would be the 
only way to be absolutely secure with saved data in PHP (such as a hash).


Donovan



--
D Brooke

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Studying mcrypt

2011-08-04 Thread Alex Nikitin
On Thu, Aug 4, 2011 at 10:31 AM, Donovan Brooke li...@euca.us wrote:

 Alex Nikitin wrote:
 [snip]

  Also you shouldn't actually encrypt passwords, the proper way to store
 them
 is hashed, so that if someone grabs your database, they dont have your
 passwords, even if they have the key.



 Hello, since this thread is about studying mcrypt...

 In another language, for a top security with the ability to retrieve data
 situation, I use a method that stores an encrypted key, but then also, the
 entire pages are encrypted as well, with a separate utility, where I only
 know the key. Think of it as compiling your software, only it is not
 compiling, it's encrypting, and it's then
 able to run as if it were compiled.

 The end result is that the key to any encrypted sensitive info does not
 reside on the server, it resides with me on my local system... thus the
 passwords are safely encrypted, yet I can retrieve them manually.

 I don't know that PHP has the ability to run in compiled or encrypted
 form.. does it? If not, I guess a 1 way, non-key encryption would be the
 only way to be absolutely secure with saved data in PHP (such as a hash).

 Donovan



 --
 D Brooke

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php


You can have multiple ways to encrypt data and store it pretty securely. For
example i had a system that would encrypt passwords for other services and
store them in the database along with an iv, the key was hard coded into the
application and salt came from the user and was never stored, this way even
if someone got my database and code which would be a feat not for the faint
of heart, they still wont be able to get the data decrypted...

What makes your local system any less vulnerable of a point than your
server, of anything, its more vulnerable and failure-prone, so unless i'm
not getting something, that seems like a poor design decision (i'm sorry)

There is code obfuscation with PHP, and you can compile it into C++ with
HipHop for php for example...

--
The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late.  ~Seymour Cray


Re: [PHP] Studying mcrypt

2011-08-04 Thread Donovan Brooke

Alex Nikitin wrote:
[snip]

What makes your local system any less vulnerable of a point than your
server, of anything, its more vulnerable and failure-prone, so unless i'm
not getting something, that seems like a poor design decision (i'm sorry)

[snip]


In the model I profiled, it is a system design that * requires * the 
ability to retrieve secured data. For my solution, they would have to 
have physical entry into the premises that hold the key/s (local 
encryption done offline).


Donovan



--
D Brooke

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Studying mcrypt

2011-08-04 Thread Donovan Brooke

Alex Nikitin wrote:
[snip]

There is code obfuscation with PHP, and you can compile it into C++ with
HipHop for php for example...

[snip]


Of course, obfuscation is never a great security solution. Compiling it 
into C++ is interesting... the question would be if the code could be 
de-compiled.. if so, then probably not a great solution either.


Donovan

--
D Brooke

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Studying mcrypt

2011-08-04 Thread Alex Nikitin
On Thu, Aug 4, 2011 at 12:23 PM, Donovan Brooke li...@euca.us wrote:

 Alex Nikitin wrote:
 [snip]

  There is code obfuscation with PHP, and you can compile it into C++ with
 HipHop for php for example...

 [snip]


 Of course, obfuscation is never a great security solution. Compiling it
 into C++ is interesting... the question would be if the code could be
 de-compiled.. if so, then probably not a great solution either.


 Donovan

 --
 D Brooke

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php


It's never a good idea to store all your keys in code, that is why we have
an iv, and a salt that you can use... neither is program encryption, since i
can dump it in it's executing form out of memory fairly easily; this is why
hard drive encryption without a controller that does crypto off the main
system is fairly pointless...

--
The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late.  ~Seymour Cray


Re: [PHP] Studying mcrypt

2011-08-04 Thread Donovan Brooke

Alex Nikitin wrote:
[snip]



It's never a good idea to store all your keys in code,



True, but in the system I was referring to, only the closed source
app knows how to see the key in the encrypted templates and there is 
no way for another to know how to decrypt the encrypted templates to see 
any of the other keys in the code... It's a unique solution for this 
type of topic. I don't want to go into too many details because it's not 
about PHP and my intention with bringing it up was to see if others knew 
of a similar solution within PHP.. which I'm thinking there is not.



that is why we have

an iv, and a salt that you can use... neither is program encryption, since i
can dump it in it's executing form out of memory fairly easily;



Well, not with the situation/app I was talking about..


this is why

hard drive encryption without a controller that does crypto off the main
system is fairly pointless...



I'm not exactly sure what you are saying here.. but there are good 
reasons to have built the system that I was referring to... safe 
retrieval of secured data being the main idea.


Look, I agree that in a typical online passphrase type of setup, 
creating a hash to be matched for access is a great solution under 
sensitive situations. You don't need to retrieve the pass as the owner 
can change it if they forget... however, encryption is absolutely not 
worth nothing and the O.P. stated he was trying to learn about PHP's 
mcrypt.


Much of the time, a spec requires the access retrieval of secured data 
and a developer will have no choice anyway ;-). Not all sensitive data 
is at the same sensitivity level either... so mcrypt has its place.


Cheers,
Donovan


--
D Brooke

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Studying mcrypt

2011-08-03 Thread Alex Nikitin
Yes, since it's trying to represent in characters some purely binary data,
it is not unlikely that you will get VERY weird characters (and you do).

Also you shouldn't actually encrypt passwords, the proper way to store them
is hashed, so that if someone grabs your database, they dont have your
passwords, even if they have the key.

Best way to check is to decrypt it and verify...

--
The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late.  ~Seymour Cray



On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote:

 Hello Php,

  It's my first time I use mcrypt.
 I've done everything like it's written in the php manuals, here is the
 code:

 ?php
 $d=mcrypt_module_open(rijndael-256, , ofb, );
 $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM);
 $ks=mcrypt_enc_get_key_size($d);
 $key=substr(md5(Secret key), 0, $ks);
 mcrypt_generic_init($d, $key, $iv);
 $cpass=mcrypt_generic($d, $_POST['opass']);
 mcrypt_generic_deinit($d);
 mcrypt_module_close($d);
 ?

 And here's what I get:
 Original password: asdfasdfasdf
 Encrypted password: Q�  j�*

 Question: Is it normal to have such strange characters in the encrypted
 string?
 I'm hosted at http://godaddy.com/, shared hosting, if it does matter.
 Thanks!

 --
 With best regards from Ukraine,
 Andre
 Skype: Francophile
 Twitter: http://twitter.com/m_elensule
 Facebook: http://facebook.com/menelion


 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Studying mcrypt

2011-08-03 Thread Andre Polykanine
Hello Alex,

Thanks for the tip. I'm not storing it in the database (you see, it's 
asdfasdf and the key string is secret key), I'm just studying mcrypt's 
possibilities :-).

-- 
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion

 Original message 
From: Alex Nikitin niks...@gmail.com
To: Andre Polykanine
Date created: , 9:27:42 PM
Subject: [PHP] Studying mcrypt


  Yes, since it's trying to represent in characters some purely binary data,
it is not unlikely that you will get VERY weird characters (and you do).

Also you shouldn't actually encrypt passwords, the proper way to store them
is hashed, so that if someone grabs your database, they dont have your
passwords, even if they have the key.

Best way to check is to decrypt it and verify...

--
The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late.  ~Seymour Cray



On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote:

 Hello Php,

  It's my first time I use mcrypt.
 I've done everything like it's written in the php manuals, here is the
 code:

 ?php
 $d=mcrypt_module_open(rijndael-256, , ofb, );
 $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM);
 $ks=mcrypt_enc_get_key_size($d);
 $key=substr(md5(Secret key), 0, $ks);
 mcrypt_generic_init($d, $key, $iv);
 $cpass=mcrypt_generic($d, $_POST['opass']);
 mcrypt_generic_deinit($d);
 mcrypt_module_close($d);
 ?

 And here's what I get:
 Original password: asdfasdfasdf
 Encrypted password: Q�  j�*

 Question: Is it normal to have such strange characters in the encrypted
 string?
 I'm hosted at http://godaddy.com/, shared hosting, if it does matter.
 Thanks!

 --
 With best regards from Ukraine,
 Andre
 Skype: Francophile
 Twitter: http://twitter.com/m_elensule
 Facebook: http://facebook.com/menelion


 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Studying mcrypt

2011-08-03 Thread Ashley Sheridan
On Wed, 2011-08-03 at 22:02 +0300, Andre Polykanine wrote:

 Hello Alex,
 
 Thanks for the tip. I'm not storing it in the database (you see, it's 
 asdfasdf and the key string is secret key), I'm just studying mcrypt's 
 possibilities :-).
 
 -- 
 With best regards from Ukraine,
 Andre
 Skype: Francophile
 My blog: http://oire.org/menelion (mostly in Russian)
 Twitter: http://twitter.com/m_elensule
 Facebook: http://facebook.com/menelion
 
  Original message 
 From: Alex Nikitin niks...@gmail.com
 To: Andre Polykanine
 Date created: , 9:27:42 PM
 Subject: [PHP] Studying mcrypt
 
 
   Yes, since it's trying to represent in characters some purely binary 
 data,
 it is not unlikely that you will get VERY weird characters (and you do).
 
 Also you shouldn't actually encrypt passwords, the proper way to store them
 is hashed, so that if someone grabs your database, they dont have your
 passwords, even if they have the key.
 
 Best way to check is to decrypt it and verify...
 
 --
 The trouble with programmers is that you can never tell what a programmer is
 doing until it’s too late.  ~Seymour Cray
 
 
 
 On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote:
 
  Hello Php,
 
   It's my first time I use mcrypt.
  I've done everything like it's written in the php manuals, here is the
  code:
 
  ?php
  $d=mcrypt_module_open(rijndael-256, , ofb, );
  $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM);
  $ks=mcrypt_enc_get_key_size($d);
  $key=substr(md5(Secret key), 0, $ks);
  mcrypt_generic_init($d, $key, $iv);
  $cpass=mcrypt_generic($d, $_POST['opass']);
  mcrypt_generic_deinit($d);
  mcrypt_module_close($d);
  ?
 
  And here's what I get:
  Original password: asdfasdfasdf
  Encrypted password: Q�  j�*
 
  Question: Is it normal to have such strange characters in the encrypted
  string?
  I'm hosted at http://godaddy.com/, shared hosting, if it does matter.
  Thanks!
 
  --
  With best regards from Ukraine,
  Andre
  Skype: Francophile
  Twitter: http://twitter.com/m_elensule
  Facebook: http://facebook.com/menelion
 
 
  --
  PHP General Mailing List (http://www.php.net/)
  To unsubscribe, visit: http://www.php.net/unsub.php
 
 
 
 


Please don't top-post :)

You can use base64_encode() on it to convert it into something that's
printable and storable in the DB without having to resort to a binary
blob


-- 
Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Studying mcrypt

2011-08-03 Thread Alex Nikitin
I have a neat class you can play with...

--
The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late.  ~Seymour Cray



On Wed, Aug 3, 2011 at 2:27 PM, Alex Nikitin niks...@gmail.com wrote:

 Yes, since it's trying to represent in characters some purely binary data,
 it is not unlikely that you will get VERY weird characters (and you do).

 Also you shouldn't actually encrypt passwords, the proper way to store them
 is hashed, so that if someone grabs your database, they dont have your
 passwords, even if they have the key.

 Best way to check is to decrypt it and verify...

 --
 The trouble with programmers is that you can never tell what a programmer
 is doing until it’s too late.  ~Seymour Cray




 On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote:

 Hello Php,

  It's my first time I use mcrypt.
 I've done everything like it's written in the php manuals, here is the
 code:

 ?php
 $d=mcrypt_module_open(rijndael-256, , ofb, );
 $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM);
 $ks=mcrypt_enc_get_key_size($d);
 $key=substr(md5(Secret key), 0, $ks);
 mcrypt_generic_init($d, $key, $iv);
 $cpass=mcrypt_generic($d, $_POST['opass']);
 mcrypt_generic_deinit($d);
 mcrypt_module_close($d);
 ?

 And here's what I get:
 Original password: asdfasdfasdf
 Encrypted password: Q�  j�*

 Question: Is it normal to have such strange characters in the encrypted
 string?
 I'm hosted at http://godaddy.com/, shared hosting, if it does matter.
 Thanks!

 --
 With best regards from Ukraine,
 Andre
 Skype: Francophile
 Twitter: http://twitter.com/m_elensule
 Facebook: http://facebook.com/menelion


 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php





Re: [PHP] Studying mcrypt

2011-08-03 Thread Andre Polykanine
Hi Ash,


 Please don't top-post :)

*Huge sigh* OK, OK! But still it's too uncomfortable to read bottom-posting! :P

 You can use base64_encode() on it to convert it into something that's
 printable and storable in the DB without having to resort to a binary
 blob

Thanks, will try!)



-- 
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Studying mcrypt

2011-08-03 Thread Andre Polykanine
  Hello Alex,

  
 I have a neat class you can play with...

Could you give me the link, please?)
-- 
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Studying mcrypt

2011-08-03 Thread Alex Nikitin
On Wed, Aug 3, 2011 at 3:08 PM, Ashley Sheridan 
a...@ashleysheridan.co.ukwrote:

 **
 On Wed, 2011-08-03 at 22:02 +0300, Andre Polykanine wrote:

 Hello Alex,

 Thanks for the tip. I'm not storing it in the database (you see, it's 
 asdfasdf and the key string is secret key), I'm just studying mcrypt's 
 possibilities :-).

 --
 With best regards from Ukraine,
 Andre
 Skype: Francophile
 My blog: http://oire.org/menelion (mostly in Russian)
 Twitter: http://twitter.com/m_elensule
 Facebook: http://facebook.com/menelion

  Original message 
 From: Alex Nikitin niks...@gmail.com
 To: Andre Polykanine
 Date created: , 9:27:42 PM
 Subject: [PHP] Studying mcrypt


   Yes, since it's trying to represent in characters some purely binary 
 data,
 it is not unlikely that you will get VERY weird characters (and you do).

 Also you shouldn't actually encrypt passwords, the proper way to store them
 is hashed, so that if someone grabs your database, they dont have your
 passwords, even if they have the key.

 Best way to check is to decrypt it and verify...

 --
 The trouble with programmers is that you can never tell what a programmer is
 doing until it’s too late.  ~Seymour Cray



 On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote:

  Hello Php,
 
   It's my first time I use mcrypt.
  I've done everything like it's written in the php manuals, here is the
  code:
 
  ?php
  $d=mcrypt_module_open(rijndael-256, , ofb, );
  $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM);
  $ks=mcrypt_enc_get_key_size($d);
  $key=substr(md5(Secret key), 0, $ks);
  mcrypt_generic_init($d, $key, $iv);
  $cpass=mcrypt_generic($d, $_POST['opass']);
  mcrypt_generic_deinit($d);
  mcrypt_module_close($d);
  ?
 
  And here's what I get:
  Original password: asdfasdfasdf
  Encrypted password: Q�  j�*
 
  Question: Is it normal to have such strange characters in the encrypted
  string?
  I'm hosted at http://godaddy.com/, shared hosting, if it does matter.
  Thanks!
 
  --
  With best regards from Ukraine,
  Andre
  Skype: Francophile
  Twitter: http://twitter.com/m_elensule
  Facebook: http://facebook.com/menelion
 
 
  --
  PHP General Mailing List (http://www.php.net/)
  To unsubscribe, visit: http://www.php.net/unsub.php
 
 




 Please don't top-post :)

 You can use base64_encode() on it to convert it into something that's
 printable and storable in the DB without having to resort to a binary blob


   --
 Thanks,
 Ash
 http://www.ashleysheridan.co.uk



Isn't that a bit counterproductive though, storing it in binary?

Purely storage-related:
Say we are storing a 128byte result of encryption.
Storing it in a varbin would mean that you would use up 128+1 bytes of
storage, where as if you were to base64 encode it, data length would be 170
or so bytes, +1byte or 171bytes...  42 bytes difference...


This was a crypto class i wrote for something, i cant even recall exactly
what project it was for, it is making it's way into the framework, but for
now, i've changed it to be normal again

Hopefully it should be pretty straight forward:

http://pastebin.com/TFn468dM

--
The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late.  ~Seymour Cray


Re: [PHP] Studying mcrypt

2011-08-03 Thread Ashley Sheridan
On Wed, 2011-08-03 at 15:35 -0400, Alex Nikitin wrote:

 On Wed, Aug 3, 2011 at 3:08 PM, Ashley Sheridan 
 a...@ashleysheridan.co.ukwrote:
 
  **
  On Wed, 2011-08-03 at 22:02 +0300, Andre Polykanine wrote:
 
  Hello Alex,
 
  Thanks for the tip. I'm not storing it in the database (you see, 
  it's asdfasdf and the key string is secret key), I'm just studying 
  mcrypt's possibilities :-).
 
  --
  With best regards from Ukraine,
  Andre
  Skype: Francophile
  My blog: http://oire.org/menelion (mostly in Russian)
  Twitter: http://twitter.com/m_elensule
  Facebook: http://facebook.com/menelion
 
   Original message 
  From: Alex Nikitin niks...@gmail.com
  To: Andre Polykanine
  Date created: , 9:27:42 PM
  Subject: [PHP] Studying mcrypt
 
 
Yes, since it's trying to represent in characters some purely binary 
  data,
  it is not unlikely that you will get VERY weird characters (and you do).
 
  Also you shouldn't actually encrypt passwords, the proper way to store them
  is hashed, so that if someone grabs your database, they dont have your
  passwords, even if they have the key.
 
  Best way to check is to decrypt it and verify...
 
  --
  The trouble with programmers is that you can never tell what a programmer is
  doing until it’s too late.  ~Seymour Cray
 
 
 
  On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote:
 
   Hello Php,
  
It's my first time I use mcrypt.
   I've done everything like it's written in the php manuals, here is the
   code:
  
   ?php
   $d=mcrypt_module_open(rijndael-256, , ofb, );
   $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM);
   $ks=mcrypt_enc_get_key_size($d);
   $key=substr(md5(Secret key), 0, $ks);
   mcrypt_generic_init($d, $key, $iv);
   $cpass=mcrypt_generic($d, $_POST['opass']);
   mcrypt_generic_deinit($d);
   mcrypt_module_close($d);
   ?
  
   And here's what I get:
   Original password: asdfasdfasdf
   Encrypted password: Q�  j�*
  
   Question: Is it normal to have such strange characters in the encrypted
   string?
   I'm hosted at http://godaddy.com/, shared hosting, if it does matter.
   Thanks!
  
   --
   With best regards from Ukraine,
   Andre
   Skype: Francophile
   Twitter: http://twitter.com/m_elensule
   Facebook: http://facebook.com/menelion
  
  
   --
   PHP General Mailing List (http://www.php.net/)
   To unsubscribe, visit: http://www.php.net/unsub.php
  
  
 
 
 
 
  Please don't top-post :)
 
  You can use base64_encode() on it to convert it into something that's
  printable and storable in the DB without having to resort to a binary blob
 
 
--
  Thanks,
  Ash
  http://www.ashleysheridan.co.uk
 
 
 
 Isn't that a bit counterproductive though, storing it in binary?
 
 Purely storage-related:
 Say we are storing a 128byte result of encryption.
 Storing it in a varbin would mean that you would use up 128+1 bytes of
 storage, where as if you were to base64 encode it, data length would be 170
 or so bytes, +1byte or 171bytes...  42 bytes difference...
 
 
 This was a crypto class i wrote for something, i cant even recall exactly
 what project it was for, it is making it's way into the framework, but for
 now, i've changed it to be normal again
 
 Hopefully it should be pretty straight forward:
 
 http://pastebin.com/TFn468dM
 
 --
 The trouble with programmers is that you can never tell what a programmer is
 doing until it’s too late.  ~Seymour Cray


The beauty of encoding something into base64 is that you can then easily
move that data around to systems that can't handle binary. You can pass
a base64 image down to the browser to display, without requiring a
second script to create the image used in the img tag. Javascript can
manipulate base64 data making it an alternative to json where json won't
work. Command line environments won't be able to deal with binary
arguments, but base64 is fine. It all depends on what you want to do
with it at the end of the day.
-- 
Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Studying mcrypt

2011-08-03 Thread Alex Nikitin
On Wed, Aug 3, 2011 at 4:05 PM, Ashley Sheridan 
a...@ashleysheridan.co.ukwrote:

 **
 On Wed, 2011-08-03 at 15:35 -0400, Alex Nikitin wrote:

 On Wed, Aug 3, 2011 at 3:08 PM, Ashley Sheridan 
 a...@ashleysheridan.co.ukwrote:

  **
  On Wed, 2011-08-03 at 22:02 +0300, Andre Polykanine wrote:
 
  Hello Alex,
 
  Thanks for the tip. I'm not storing it in the database (you see, 
  it's asdfasdf and the key string is secret key), I'm just studying 
  mcrypt's possibilities :-).
 
  --
  With best regards from Ukraine,
  Andre
  Skype: Francophile
  My blog: http://oire.org/menelion (mostly in Russian)
  Twitter: http://twitter.com/m_elensule
  Facebook: http://facebook.com/menelion
 
   Original message 
  From: Alex Nikitin niks...@gmail.com
  To: Andre Polykanine
  Date created: , 9:27:42 PM
  Subject: [PHP] Studying mcrypt
 
 
Yes, since it's trying to represent in characters some purely binary 
  data,
  it is not unlikely that you will get VERY weird characters (and you do).
 
  Also you shouldn't actually encrypt passwords, the proper way to store them
  is hashed, so that if someone grabs your database, they dont have your
  passwords, even if they have the key.
 
  Best way to check is to decrypt it and verify...
 
  --
  The trouble with programmers is that you can never tell what a programmer is
  doing until it’s too late.  ~Seymour Cray
 
 
 
  On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote:
 
   Hello Php,
  
It's my first time I use mcrypt.
   I've done everything like it's written in the php manuals, here is the
   code:
  
   ?php
   $d=mcrypt_module_open(rijndael-256, , ofb, );
   $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM);
   $ks=mcrypt_enc_get_key_size($d);
   $key=substr(md5(Secret key), 0, $ks);
   mcrypt_generic_init($d, $key, $iv);
   $cpass=mcrypt_generic($d, $_POST['opass']);
   mcrypt_generic_deinit($d);
   mcrypt_module_close($d);
   ?
  
   And here's what I get:
   Original password: asdfasdfasdf
   Encrypted password: Q�  j�*
  
   Question: Is it normal to have such strange characters in the encrypted
   string?
   I'm hosted at http://godaddy.com/, shared hosting, if it does matter.
   Thanks!
  
   --
   With best regards from Ukraine,
   Andre
   Skype: Francophile
   Twitter: http://twitter.com/m_elensule
   Facebook: http://facebook.com/menelion
  
  
   --
   PHP General Mailing List (http://www.php.net/)
   To unsubscribe, visit: http://www.php.net/unsub.php
  
  
 
 
 
 
  Please don't top-post :)
 
  You can use base64_encode() on it to convert it into something that's
  printable and storable in the DB without having to resort to a binary blob
 
 
--
  Thanks,
  Ash
  http://www.ashleysheridan.co.uk
 
 
 
 Isn't that a bit counterproductive though, storing it in binary?

 Purely storage-related:
 Say we are storing a 128byte result of encryption.
 Storing it in a varbin would mean that you would use up 128+1 bytes of
 storage, where as if you were to base64 encode it, data length would be 170
 or so bytes, +1byte or 171bytes...  42 bytes difference...


 This was a crypto class i wrote for something, i cant even recall exactly
 what project it was for, it is making it's way into the framework, but for
 now, i've changed it to be normal again

 Hopefully it should be pretty straight forward:
 http://pastebin.com/TFn468dM

 --
 The trouble with programmers is that you can never tell what a programmer is
 doing until it’s too late.  ~Seymour Cray


 The beauty of encoding something into base64 is that you can then easily
 move that data around to systems that can't handle binary. You can pass a
 base64 image down to the browser to display, without requiring a second
 script to create the image used in the img tag. Javascript can manipulate
 base64 data making it an alternative to json where json won't work. Command
 line environments won't be able to deal with binary arguments, but base64 is
 fine. It all depends on what you want to do with it at the end of the day.

   --
 Thanks,
 Ash
 http://www.ashleysheridan.co.uk



That's why i prefaced it with purely storage-related.

base64 is awesome, i use it as a hack to get around xss and sql injection,
it works beautifully :)

--
The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late.  ~Seymour Cray