NYCPHP Meetup

[pswebcode, nyc]

/*
encryption decryption technique. 
must have libmcrypt installed. 
store these two functions in a *.php include file. 
the key value is used to seed the encryption and is needed during encryption
and decryption.  
the key is stored in the key file. 
store key file as ingeniously and safely as you may improvise.
*/

function getKey(){
	//DEFINE ("key_contents","7TrLMB5" ); // for testing process
	$key_loc = "<pathtofile>\<keyfile>"; 
	$keyread = fopen ($key_loc, "r"); 
	$key_contents = fread($keyread, filesize($key_loc)); 
	fclose($keyread); 
	return trim($key_contents);

}


function enc($text, $cryp) {
	//encrypted data is base64_encoded before storing in the mysql db
	//to prevent mysql from possibly mangling unorthodox characters
created by encryption
	$key = getKey();
	if ($cryp == 'encryp') {
		return base64_encode(mcrypt_cbc(MCRYPT_TripleDES, ($key),
$text, MCRYPT_ENCRYPT));
	} elseif($cryp == 'decryp') {
		return mcrypt_cbc(MCRYPT_TripleDES, ($key),
base64_decode($text), MCRYPT_DECRYPT); 
	} else {
		err_msg();
	}
}

$test_data = "&%45the";

//encrypt
$encrdata = enc($test_data, 'encryp');

//decrypt
$decrdata = enc($encrdata, 'decryp');


MD5 is a one-way hash suitable for passwords. Above is a decent encryption
approach for when you must encrypt and decrypt the stored value. Hope this
helps.

PSaw



-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Hans Zaunere
Sent: Thursday, July 17, 2003 9:36 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Secure Data




Rudy Gamberini wrote:

> I need to collect sensitive information on one of my web pages.  I 
> have
> established a secure session https:// utilizing my hosting service's 
> certificate.  Now that the session is secure I need to be sure the 
> collected data is secure.  While I could encrypt the data before storing 
> it in the MySQL database, I need to be able to decrypt it eventually to 
> process the orders.  I've used MD5 hash function to encrypt passwords I 
> store in cookies but that approach would not work here.

Technically, MD5 isn't encryption - it's a one way digest, ie, you can't
determine the original data from the digest.  And as Dan pointed out, easily
hijacked (but you're using SSL, so it's much better, but still suseptible to
cookie browsing if someone has local machine access).

> I need to hold
> the key locally, meaning on a machine outside the web-server that will 
> be able to decrypt the information after retrieving it.
>  
> I like the idea that the database only stores encrypted data that way
> should the database be compromised the information stored there will be 
> of little value. 

MySQL 4.x series supports some things that may help:

http://www.mysql.com/doc/en/Miscellaneous_functions.html  (search for
variations of 'encrypt') http://www.mysql.com/doc/en/Secure_connections.html


But keep in mind; if the server on which the key resides is compromised, the
game's over.  Encryption like this is a vicious circle; just be sure your
server isn't cracked :)

H


_______________________________________________
talk mailing list
talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk