PHP and Encryption help

[Judahnator]

I need some help here.

 

In the website i am creating i need some help with encryption. I have a mix of things that need to be encrypted, then decrypted. And some stuff that dosnt need that.

 

I have everything that wont need decrypted encrypted with SHA512, but i need help with ways to decrypt things.

 

I have looked around, but i cant seem to figure anything out. I dont care much about the encryption strength, none of the information is too sensitive.

Does anyone know how to implement 3DES, AES, ect?

[alpenwasser]

I think mcrypt might be of interest here.

More specifically, take a look at mcrypt_encrypt and mcrypt_decrypt, but I also

recommend having a look at the rest of the mcrypt docs to make sure you don't

miss anything important. I've never worked with it myself, so I can't really

say what its potential pitfalls are.

[rashdanml]

If you're decrypting the data for the sake of comparison to a given input, a better option would be to encrypt the input using the same method and compare the encrypted data. 

If not, ignore me. 

[alpenwasser]

If you're decrypting the data for the sake of comparison to a given input, a better option would be to encrypt the input using the same method and compare the encrypted data.

Agreed. Just 'using' encryption/decryption somehow or actually deploying it well

are two vastly different things.

[Judahnator]

If you're decrypting the data for the sake of comparison to a given input, a better option would be to encrypt the input using the same method and compare the encrypted data. 

If not, ignore me. 

 

I would like to encrypt the persons first and last name so it isnt sent or stored in the cleartext. But, when they log in to my website i would like them to see:

 

Hi John Smith!

 

instead of:

 

Hi EF61A579C907BBED674C0DBCBCF7F7AF8F851538EEF7B8E58C5BEE0B8CFDAC4A !

 

So it cant be just one-way encryption.

 

 

I am looking into mcrypt now

[Shackleton]

I would like to encrypt the persons first and last name so it isnt sent or stored in the cleartext. But, when they log in to my website i would like them to see:

 

Hi John Smith!

 

instead of:

 

Hi EF61A579C907BBED674C0DBCBCF7F7AF8F851538EEF7B8E58C5BEE0B8CFDAC4A !

 

So it cant be just one-way encryption.

 

 

I am looking into mcrypt now

 

 

If mycrypt doesn't work for you, you can always just do an MD5 encrypt with a salt, and have it stored like that. Then when you go to decrypt you remove the salt and decrypt the MD5.

[Judahnator]

If mycrypt doesn't work for you, you can always just do an MD5 encrypt with a salt, and have it stored like that. Then when you go to decrypt you remove the salt and decrypt the MD5.

 

How do you decrypt md5?

[alpenwasser]

How do you decrypt md5?

Strictly speaking it's one-way (as hash-functions are supposed to be), but since

it's a rather weak hash function you could in theory find a rainbow table of names

and work with that.

But as far as I'm aware, that's the only way to 'decrypt' MD5 hashes, so to speak,

and I wouldn't really recommend it, since if somebody comes along with a name that's

not in your rainbow table table they'd not get their name displayed since you couldn't

look it up.

[MG2R]

I'd advise you to use PHPass if you're planning on storing passwords.

It features a work factor which decides how hard the cipher will be.

Couple that with blowfish crypt and you get a pretty decent protection.

 

EDIT: (I didn't really read the thread fully, yet)

 

All of the suggestions above are considered one-way cryptographic

techniques, meaning that they're not meant to be reversible. This

means that you won't be able to do what you're trying to.

 

To do what you want to do, you need encoding instead of encryption.

Something like base64 seems suited. However, I don't really see the

point in storing data like usernames in an encoded fashion. If it's login

credentials you're trying to store, you only need to encrypt the pass-

wordm it's perfectly safe to store the username in plain text.

[WanderingFool]

Sorry just going to chime in a bit to clear a few terminologies up.

 

Encryption is a form of encoding (Assuming the correct keys it should be reversible since it is one to one)

Things such as SHA-2, MD5 are hashing methods (In theory a perfect form would be non reversible, you could get common elements like 1234 to a hash, but for all you know asdfl;kjasdasdf could have the same hash)

 

@alpenwasser is right though, you can just use the mcrypt to encrypt the names and then decrypt them....if you need a link to implementation I would look at the answer on this page (http://stackoverflow.com/questions/9262109/php-simplest-two-way-encryption) it is simple and from my understanding works.

 

For my general rules of encryption vs hashing:

Never just encrypt passwords...passwords should be salted and hashed (Look up computerphiles on youtube, they have a great video about storing passwords... "How Not to store passwords!" for the name)

For usernames, it is unlikely you really need to waste server resources to protect these one (although it really doesn't hurt)

Personal information (First/Last names, CC info, Phone numbers, any other identifying materials...even maybe email address) should be encrypted if you are storing a lot of it.  The only reason I say this is if your database is compromised people can still do damage with this type of information.

[alpenwasser]

For my general rules of encryption vs hashing:

Never just encrypt passwords...passwords should be salted and hashed (Look up computerphiles on youtube, they have a great video about storing passwords... "How Not to store passwords!" for the name)

For usernames, it is unlikely you really need to waste server resources to protect these one (although it really doesn't hurt)

Personal information (First/Last names, CC info, Phone numbers, any other identifying materials...even maybe email address) should be encrypted if you are storing a lot of it.  The only reason I say this is if your database is compromised people can still do damage with this type of information.

Hehe, I see we share some tastes when it comes to YT vids.

And agreed, if ever your database gets compromised, it's a lot better (well, less bad)

to say to your customers/users their information is encrypted instead of just having to

go "Ooopsie, my bad, you better lock your credit cards and prepare for some spam mail."

or something like that.