[nycphp-talk] so-called triple md5

David Sklar sklar at sklar.com
Tue Sep 2 09:32:29 EDT 2003


Don't use this algorithm. It "encrypts" things by just XORing plaintext with
the MD5 hash of a key. This has many problems, including the fact that since
the output of md5() is a string that contains only the characters [a-e0-9],
there's only 16 possible values that each piece of ciphertext needs to be
xor'ed with to produce plaintext.

If you need to encrypt data that needs to be decrypted later, use an
algorithm designed by a known, qualified cryptosystem designer and (more
importantly) that has stood up to lots of testing and attempts to break it.
For example, Blowfish (http://www.counterpane.com/blowfish.html), which is
available in the mcrypt extension. There are also versions available in
other languages (http://www.counterpane.com/blowfish-download.html) and you
could probably write a (slow) native PHP implementation.

David

On Tuesday, September 02, 2003 12:47 AM,  wrote:

> I picked up the simple encryption scheme below a couple years ago
> from a comment in the PHP manual. I'm a little curious about its
> origins -- I've seen it referred to as "triple md5", but Google
> doesn't have much to say about that, and I suspect it was a
> euphemism. The original comment has since been deleted.
>
> Does anyone recognize this, or care to comment on its ability to
> withstand anything more than casual snooping? It has the advantage of
> being available in setups without mcrypt support, but a false sense of
> security is worse than none at all.
>
> And by the way, what method do -you- recommend for encrypting data
> that needs to be decrypted later?
>
>> function keyED($txt,$encrypt_key) {
>>     $encrypt_key = md5($encrypt_key);
>>     $ctr=0;
>>     $tmp = "";
>>     for ($i=0;$i<strlen($txt);$i++) {
>>         if ($ctr==strlen($encrypt_key)) $ctr=0;
>>         $tmp.= substr($txt,$i,1) ^ substr($encrypt_key,$ctr,1);
>>         $ctr++; }
>>     return $tmp;
>>     }
>>
>> function hex2bin($data) {
>>     $len = strlen($data);
>>     $newdata = "";  // initialize so empty input returns "" instead of NULL
>>     for($i=0;$i<$len;$i+=2) {
>>         $newdata .= pack("C",hexdec(substr($data,$i,2)));
>>         }
>>     return $newdata;
>>     }
>>
>> function encrypt($txt, $key="") {
>>     srand((double)microtime()*1000000);
>>     $encrypt_key = md5(rand(0,32000));
>>     $ctr=0;
>>     $tmp = "";
>>     for ($i=0;$i<strlen($txt);$i++) {
>>         if ($ctr==strlen($encrypt_key)) $ctr=0;
>>         $tmp.= substr($encrypt_key,$ctr,1) . (substr($txt,$i,1) ^
>>             substr($encrypt_key,$ctr,1));
>>         $ctr++;
>>         }
>>     return bin2hex(keyED($tmp,$key));
>>     }
>
>> function decrypt($text, $key="") {
>>     $bin= hex2bin($text);
>>     $txt = keyED($bin,$key);
>>     $tmp = "";
>>     for ($i=0;$i<strlen($txt);$i++) {
>>         $md5 = substr($txt,$i,1);
>>         $i++;
>>         $tmp.= (substr($txt,$i,1) ^ $md5);
>>         }
>>     return $tmp;
>>     }
>
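
An added example, not part of the original thread: a Python port of the quoted keyED() and encrypt() routines (hex encoding omitted) that checks two properties behind the warning above. The per-message random value cancels out of the ciphertext, and the only bytes ever XORed in by keyED() are the hex characters of md5(key). The `seed` parameter, the helpers `fold()`, `effective_pad()` and `keystream_alphabet()`, and the sample key and plaintext are constructed for illustration.

```python
import hashlib

HEX = set(b"0123456789abcdef")

def md5hex(data: bytes) -> bytes:
    """PHP md5(): 32 lowercase hex characters."""
    return hashlib.md5(data).hexdigest().encode()

def keyed(data: bytes, key: bytes) -> bytes:
    """Port of keyED(): XOR with md5(key) as text, repeating every 32 bytes."""
    k = md5hex(key)
    return bytes(b ^ k[i % 32] for i, b in enumerate(data))

def encrypt(txt: bytes, key: bytes, seed: int) -> bytes:
    """Port of encrypt() without bin2hex; seed stands in for rand(0,32000)."""
    r = md5hex(str(seed).encode())
    tmp = bytearray()
    for i, b in enumerate(txt):
        tmp += bytes([r[i % 32], b ^ r[i % 32]])  # random byte, masked byte
    return keyed(bytes(tmp), key)

def fold(ct: bytes) -> bytes:
    """XOR each byte pair of the ciphertext; the random byte cancels out."""
    return bytes(ct[i] ^ ct[i + 1] for i in range(0, len(ct), 2))

def effective_pad(key: bytes) -> bytes:
    """The 16 bytes left protecting the text: k[2j] ^ k[2j+1]."""
    k = md5hex(key)
    return bytes(k[2 * j] ^ k[2 * j + 1] for j in range(16))

def keystream_alphabet(keys) -> set:
    """Every byte value keyED() can XOR into the data for these keys."""
    return {b for key in keys for b in md5hex(key)}

if __name__ == "__main__":
    # Constructed sample key and plaintext.
    key, pt = b"constructed-key", b"constructed sample plaintext for the demo"
    a, b = encrypt(pt, key, 7), encrypt(pt, key, 31999)
    print("ciphertexts differ:", a != b)
    print("folded ciphertexts equal:", fold(a) == fold(b))
    pad = effective_pad(key)
    print("pad repeats every 16 bytes:",
          fold(a) == bytes(p ^ pad[i % 16] for i, p in enumerate(pt)))
    alphabet = keystream_alphabet(str(n).encode() for n in range(500))
    print("keystream byte values:", len(alphabet), "of 256, all hex:", alphabet <= HEX)
```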



