Prev: How to know which PHP is used by Apache
Next: Apache rule/directive to stop serving PHP pages from /var/www/includes/
From: APseudoUtopia on 1 Apr 2010 16:15
On Thu, Apr 1, 2010 at 4:05 PM, Ashley Sheridan
<ash(a)ashleysheridan.co.uk> wrote:
> On Thu, 2010-04-01 at 16:04 -0400, Paul M Foster wrote:
>
>> On Thu, Apr 01, 2010 at 08:45:53PM +0100, Ashley Sheridan wrote:
>>
>> > On Thu, 2010-04-01 at 15:47 -0400, Paul M Foster wrote:
>> >
>> >     Folks:
>> >
>> >     If I wanted to encrypt a file in PHP and then write it out to disk
>> >     (one-way encryption, requiring a password), what PHP built-ins might you
>> >     recommend to encrypt the contents of the file before writing it out to
>> >     disk?
>> >
>> >     Paul
>> >
>> >     --
>> >     Paul M. Foster
>> >
>> >
>> >
>> > I don't think you want one-way encryption, that would mean you can't unencrypt
>> > it!
>>
>> Then "one-way encryption" would be something no one would do. I must be
>> using the wrong term. What I mean is that it needs a password, which is
>> used to encrypt and decrypt the file.
>>
>> >
>> > What about the usual functions for encrypting strings in PHP? Couldn't you
>> > encrypt the file as a string and output that? Or did you want the file to
>> > request a password when it was opened? What about a password-protected
>> > compressed archive file?
>>
>> Well, when you say, "usual functions for encrypting strings in PHP",
>> what are my options there? And which are the best (most secure) methods?
>> It looks like mcrypt_*() will do the job, but there are 20-30
>> algorithms, and I have no idea which are the most secure. Or would
>> something else be better (than mcrypt_*())?
>>
>> Paul
>>
>> --
>> Paul M. Foster
>>
>
>
> There's a good reason for one-way encryption. The crypt function in PHP
> is one-way, and the use case is to compare an entered password without
> the encrypted password ever being unencryptable.
>
> Thanks,
> Ash

Technically, "one-way encryption" is called hashing, as encryption by
definition is two-way.
From: Kevin Kinsey on 1 Apr 2010 16:18
Paul M Foster wrote:
> Folks:
>
> If I wanted to encrypt a file in PHP and then write it out to disk
> (one-way encryption, requiring a password), what PHP built-ins might you
> recommend to encrypt the contents of the file before writing it out to
> disk?
>
> Paul

Here's a very generic mcrypt example. IANAE
where security is concerned, but from what I've
read, BLOWFISH should be a fairly decent algorithm
for most applications. This isn't my work, can't
remember whose ... uses 3DES.

KDK


<?php
$plaintext = "Four score and seven years ago";
$cipher = MCRYPT_TRIPLEDES;
$mode = MCRYPT_MODE_ECB;
$rand_src = MCRYPT_DEV_RANDOM; //MCRYPT_DEV_RANDOM
$password = 'Extra secret password';

print ("Plaintext: $plaintext\n");

// OK, let's encrypt the data
$handle = mcrypt_module_open ($cipher, '', $mode, '');
if (!$handle)
die ("Couldn't locate open mcrypt module for '$cipher' algorithm");
$iv_size = mcrypt_enc_get_iv_size ($handle);
$ivector = mcrypt_create_iv ($iv_size, $rand_src);
if (mcrypt_generic_init ($handle, $password, $ivector) == -1)
die ("Error: mcrypt_generic_init() failed.");
$ciphertext = mcrypt_generic ($handle, $plaintext);
mcrypt_generic_end ($handle);

echo "<br> Ciphertext: " . bin2hex ($ciphertext) . "\n";

// Now let's decrypt it
$handle = mcrypt_module_open ($cipher, '', $mode, '');
if (!$handle) die ("Couldn't locate open mcrypt module for '$cipher' algorithm");

if (mcrypt_generic_init ($handle, $password, $ivector) == -1)
die ("Error: mcrypt_generic_init() failed.");
$plaintext = mdecrypt_generic ($handle, $ciphertext);
mcrypt_generic_end ($handle);

echo "<br> Plaintext: $plaintext\n");
?>
From: Adam Richardson on 1 Apr 2010 21:57
>
> Then "one-way encryption" would be something no one would do. I must be using
> the wrong term. What I mean is that it needs a password, which is used to
> encrypt and decrypt the file.


*Symmetric* encryption uses the same key to encrypt and decrypt the text
(what you're talking about, and example algorithms include blowfish, AES.)

*Asymmetric* encryption uses separate keys, allowing anyone to send you an
encrypted message with a public key, but only allowing you to decrypt it
with your private key (https uses this as the initial stage to exchange the
key to be used for the subsequent exchanges of text using symmetric
encryption because symmetric encryption is much faster, and example
algorithm is RSA.)

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
First  |  Prev  | 
Pages: 1 2
Prev: How to know which PHP is used by Apache
Next: Apache rule/directive to stop serving PHP pages from /var/www/includes/