Posted by Jeremy Deuel on 02/17/06 09:31
Just an idea:
In PHP, passwords for different purposes are often stored in plaintext in
the source. I often wondered how this could be prevented.
So if you have a web project that is access-restricted, try the
following workaround:
include this snippet in your web project:
function polyalph_encrypt($original, $key = false) {
    if ($key === false) $key = $_SESSION["passphrase"]; // The access-key
    if ($key === "" || $key === null) return false;      // no key: refuse instead of dividing by zero
    $klen = strlen($key);
    $result = "";
    for ($i = 0; $i < strlen($original); $i++) {
        // Use the key cyclically instead of doubling it in a loop.
        // $str[$i] replaces the $str{$i} offset syntax, which PHP 8 no longer accepts.
        $k = ord($key[$i % $klen]) - 32;
        $p = ord($original[$i]) - 32;
        // Shift within the 95 printable ASCII characters (32..126).
        // The modulus is 95, not 94, so that '~' (126) round-trips as well.
        $result .= chr(($p + $k) % 95 + 32);
    }
    return $result;
}
function polyalph_decrypt($secret, $key = false) {
    if ($key === false) $key = $_SESSION["passphrase"]; // The access-key
    if ($key === "" || $key === null) return false;
    $klen = strlen($key);
    $result = "";
    for ($i = 0; $i < strlen($secret); $i++) {
        $k = ord($key[$i % $klen]) - 32;
        $c = ord($secret[$i]) - 32;
        // +95 keeps the operand non-negative before taking the remainder
        $result .= chr(($c - $k + 95) % 95 + 32);
    }
    return $result;
}
Of course, this will only work with ASCII passwords, but for most of
us this should be enough. So with this trick, the encrypted passwords
can only be successfully decrypted if the user enters the right
master password (= access password).
Well, it is a little tricky and not 100% safe (as everything is):
- It wouldn't be a good idea to check the validity of the
access password in plaintext. Instead, try the following:
// Strict comparison and hash_equals() avoid PHP's loose "==" on hex strings
if ($_POST["user"] === "YOURUSERNAME"
    && hash_equals("YOUR SHA1-HASHED PASSWORD", sha1($_POST["password"])))
    $_SESSION["passphrase"] = $_POST["password"];
- Of course, this is only halfway safe if all your passwords are more or
less "random".
- And in the end it can only prevent foolish webmasters from spying out
your database passwords. But of course, the master password is stored in
plaintext in the $_SESSION variable, and this means it is also available in
plaintext somewhere on the computer.
jeremy
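The following is an added example, not code from the original post, written in Python rather than PHP so it can be run stand-alone. It implements the same shift-by-key scheme over the 95 printable ASCII characters (taking the modulus as 95, which is an assumption made here so that every printable character round-trips), and adds a recover_key_stream() function to show the property behind the post's "not 100% safe" remark: because the key is simply repeated, anyone who learns one stored password together with its encrypted form obtains the corresponding characters of the master passphrase, and with them every other secret encrypted under it. The sample password and passphrase are constructed values.

```python
import itertools

# Printable ASCII runs from 32 (space) to 126 ('~'): 95 symbols.
ALPHABET_SIZE = 95
OFFSET = 32


def _check_printable(text: str, name: str) -> None:
    """The scheme is only defined over non-empty printable-ASCII strings."""
    if not text:
        raise ValueError(f"{name} must not be empty")
    for ch in text:
        if not OFFSET <= ord(ch) < OFFSET + ALPHABET_SIZE:
            raise ValueError(f"{name} contains non-printable-ASCII character {ch!r}")


def polyalph_encrypt(plaintext: str, key: str) -> str:
    """Shift each plaintext character by the corresponding (cyclically repeated) key character."""
    _check_printable(plaintext, "plaintext")
    _check_printable(key, "key")
    out = []
    for p, k in zip(plaintext, itertools.cycle(key)):
        out.append(chr((ord(p) - OFFSET + ord(k) - OFFSET) % ALPHABET_SIZE + OFFSET))
    return "".join(out)


def polyalph_decrypt(ciphertext: str, key: str) -> str:
    """Undo the shift; Python's % already yields a non-negative remainder."""
    _check_printable(ciphertext, "ciphertext")
    _check_printable(key, "key")
    out = []
    for c, k in zip(ciphertext, itertools.cycle(key)):
        out.append(chr((ord(c) - ord(k)) % ALPHABET_SIZE + OFFSET))
    return "".join(out)


def recover_key_stream(plaintext: str, ciphertext: str) -> str:
    """One known plaintext/ciphertext pair yields the key characters used at each position.

    This is the risk a defender needs to know about: the encrypted database
    password in the config and the real password (as it appears wherever the
    application uses it) together reveal the master passphrase.
    """
    return "".join(
        chr((ord(c) - ord(p)) % ALPHABET_SIZE + OFFSET)
        for p, c in zip(plaintext, ciphertext)
    )


if __name__ == "__main__":
    passphrase = "master"        # constructed access password
    db_password = "Tr0ub4dor&3"  # constructed database password stored in the config
    stored = polyalph_encrypt(db_password, passphrase)
    print("stored in config:", stored)
    print("decrypted at run time:", polyalph_decrypt(stored, passphrase))
    print("passphrase characters exposed by one known pair:",
          recover_key_stream(db_password, stored))
```

The recovered key stream is as long as the known plaintext, so a single leaked eleven-character password exposes the whole six-character passphrase above; the post's suggestion to use "random" passwords does not change this, because the shift is linear in the key.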