Php encrypt file with password
I did a series of research on this topic, but unfortunately I couldn't find a perfect way to encrypt and decrypt files in PHP. Which mean what I'm trying to do is find some way to encrypt & decrypt my items without worry of cracker knew my algorithm. If some algorithm that need to secrete & hide, it can't solve my problems while once the logic shared through anywhere, or they broke into my server and get the source file, then it should be some way to decrypt it using the same decryption algorithm. Previously I found several great posts on StackOverFlow website, but it still couldn't answer my question. Show
Obviously, this makes it impossible to decrypt while it's one-way hashing.
To
Are not it's just increasing the toughness to decrypt it but still crack-able while just time issue ?
It's still some stupid way to do while cracker got the access to the server and they can just use PHP to echo the GUID and do the decryption. Or if it works, a few years later my website will be in trouble. The reason is harddisc, processor never last forever. When the time my processor or harddisc down, it's a time when my website down and lost all the credential. Update
Can anyone please suggest on how should I overcome this issue ? Thanks.
asked Aug 20, 2012 at 4:16
14 Checkout this well documented article A reversible password encryption routine for PHP, intended for those PHP developers who want a password encryption routine that is reversible. Even though this class is intended for password encryption, you can use it for encryption/decryption of any text.
Caution: If you are using PHP version >= 5.3.3, then you have to change the class name from Reason:
Usage:
Update: Above class is not intended for encrypting files, but you can!!!
I've encrypted an image, decrypted back and saved to a new file!!! checkout the code.
answered Aug 24, 2012 at 7:06
rajukoyilandyrajukoyilandy 5,2112 gold badges17 silver badges31 bronze badges 4 Bear in mind that, in order to crack passwords, a hacker would have to have access to the encrypted passwords in the first place. In order to do that they would have to compromise the server's security, which should be impossible if the site is coded correctly (proper escaping or prepared statements). One of the strongest yet simplest forms of encryption is XOR, however it is entirely dependent on the key. If the key is the same length as the encoded text, then it is completely unbreakable without that key. Even having the key half the length of the text is extremely unlikely to be broken. In the end, though, whatever method you choose is secured by your FTP/SSH/whatever password that allows you to access the server's files. If your own password is compromised, a hacker can see everything. answered Aug 20, 2012 at 4:22
Your question leads to two different answers. It's an important difference, whether you need to decrypt the data later (like files), or if you can use a one way hash (for passwords). One-Way-HashIf you do not need to decrypt your data (passwords), you should use a hash function. This is safer, because even if an attacker has control over your server and your database, he should not be able to retrieve the original password. Since users often use their password for several websites, at least he doesn't gain access to other sites as well. As you already stated, one of the most recommended hash functions today, is bcrypt. Despite it's origin in the blowfish algorithm, it is in fact a hash function (not encryption). Bcrypt was designed especially to hash passwords, and is therefore slow (needs computing time). It's recommended to use a well established library like phpass, and if you want to understand how to implement it, you can read this article, where i tried to explain the most important points. EncryptionIf you need to decrypt your data later (files), you cannot prevent, that an attacker with control over your server, can decrypt the files as well (after all the server has to be able to decrypt it). All adds up to the question of where to store the secret key. The only thing you can do, is to make it harder to get the key. That means, if you store the key in a file, it should be outside the http root directory, so it can on no account be accessed from the internet. You could store it on a different server, so the attacker would need control over both servers, though then you face the problem of the secure communication between the servers. In every case, you can make theft harder, but you cannot prevent it completely. Depending on your scenario, you could encrypt the files locally on your computer, and only store the encrypted files on the server. The server would not be able to decrypt the files on it's own then, so they are safe. answered Aug 25, 2012 at 9:16
martinstoecklimartinstoeckli 22.5k4 gold badges54 silver badges85 bronze badges So you already know about salting and hashing, but you can also "stretch" your passwords, where instead of just hashing each password once, you hash it several thousand times. This will slow down brute force attacks and increase the lifespan of your hashing algorithm. Interestingly it works by intentionally slowing down your server... What I would recommend is writing your own custom hash function. First, you add salt to the password, then you pick a hash algorithm (say sha512, or perhaps a newer algorithm that is designed to be inefficient for this very purpose) and hash it, say, 10,000 times, then store it in the database. And as you already know, when a user logs in, instead of reversing the hash, you simply run their input through the same algorithm and see if it matches. The beauty of writing your own hash function is that when it comes time to update your hash algorithm because the old one has become vulnerable to brute force attacks, all you have to do is add to your hash function, taking the result of the old hash algorithm, re-salting it, and hashing it again using your new algorithm. You can use whatever hash algorithm is considered secure at the time. Then, you can simply re-hash every password already stored in your database with the new part of your hash function, thus ensuring backwards compatibility. Depending on how many users you have and how fast your server is, it might only take a couple of seconds to perform this update. There is still a vulnerability, however. If a hacker has an old copy of your database and cracks it, he still knows the passwords of any users who haven't changed their passwords yet. The only way around this is to require your users to occasionally change their passwords, which may or may not be suitable for your site depending on the nature of the information it contains. Some security professionals suggest that users only change their passwords if they are compromised because if the system makes it too difficult to manage passwords, they will begin doing insecure things like keeping their passwords under their keyboards, which for some organizations is a bigger threat than having users that never change their passwords. If your website is a forum or review site or something of that nature, you should consider how much users have to lose by having their account hacked, how easy it is to restore their data to the way it was before it was hacked, and whether they will consider your site worth updating their password for if your password policy is too annoying. One possible hash function:
Now, in order to update all the passwords already in your database, you would run them through this function:
I like to write my own hash functions because it's easier to keep track of what exactly is happening for when it comes time to update them. answered Aug 26, 2012 at 19:03
Adam11Adam11 4933 silver badges12 bronze badges After some study of PHP, particularly the random number generation, the only way to securely encrypt with PHP is by using an OpenSSL wrapper. Especially the creators of mcrypt are a bunch of morons, just look at the example of not how to perform cryptography in their sample:
Note that by default MCRYPT_RAND is not seeded well. Furthermore, there is at least about 5 mistakes in above code alone, and they won't fix it. [EDIT] See below for an ammended sample. Note that this sample is not very safe either (as explained above). Furthermore normally you should not encrypt passwords...
answered Aug 20, 2012 at 12:38
Maarten BodewesMaarten Bodewes 86.6k13 gold badges139 silver badges248 bronze badges 3 So far i know the best way to save password is with salted hash like used in joomla. You can also add extra keys to md5 hash along with traditional base64.I wrote a script like that sometime ago, tried to find it but can't. Joomla uses salted md5 passwords. Take the hashed password you gave: 30590cccd0c7fd813ffc724591aea603:WDmIt53GwY2X7TvMqDXaMWJ1mrdZ1sKb If your password was say 'password', then: md5('passwordWDmIt53GwY2X7TvMqDXaMWJ1mrdZ1sKb') = 30590cccd0c7fd813ffc724591aea603 So, take your password. Generate a random 32 character string. Compute the md5 of the password concatenated with the random string. Store the md5 result plus a : plus the random 32 character string in the database. answered Aug 24, 2012 at 21:03
1 How do you carry out password encryption in PHP?The process looks like so:. Generate a data encryption key (DEK). Encrypt the data using secret key encryption.. Send the unique encryption key (DEK) to Cloud KMS for encryption, which returns the KEK.. Store the encrypted data and encrypted key (KEK) side-by-side.. Destroy the generated key (DEK). Which command do you use to encrypt a password in PHP?PHP encompasses a hash algorithm to encrypt the password. For the most part it is used in functions for password encrypting are crypt(), password_hash() and md5().
Can PHP encrypt data?In PHP, Encryption and Decryption of a string is possible using one of the Cryptography Extensions called OpenSSL function for encrypt and decrypt. openssl_encrypt() Function: The openssl_encrypt() function is used to encrypt the data.
How PHP store encrypted password in database?How to convert normal password into encrypted form and save into MySQL db PhpMyAdmin.. Code for encrypted-password-page. php file.. Code for dbconfig. php file.. Screenshot of HTML input form :. Screenshot of PhpMyAdmin ( MySQL db ) :. |