php crypt() issue and limitations?
Posted by OpenInternet-Vince, 07-26-2009, 04:11 AM
I'm using crypt() with a salt to encode some strings.
Here is my code.
Script 1
Output: asxJ139jmpMHA
asxJ139jmpMHA
Script 2
Output: asxJ139jmpMHA
asxJ139jmpMHA
Script 3
Output: asXGO7q4x7rG.
asCDy3vzgrgFY
Script 4
Output: asV8OnjuWdApc
asTZsH0eavwTI
As you can see, the string to be encoded is different in scripts 1 and 2, but the output is still the same.
And with scripts 3 and 4, both outputs are different.
So is there a maximum string length when using crypt()? Any opinion on this?
Edit: The standard DES-based encryption crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str , so longer strings that start with the same eight characters will generate the same result (when the same salt is used).
Last edited by OpenInternet-Vince; 07-26-2009 at 04:24 AM.
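The collision the original poster saw in scripts 1 and 2 can be reproduced directly. The following is an added example and not code from the thread; the input strings and the two-character salt 'as' are constructed for it. A salt that matches none of the extended formats makes crypt() fall back to traditional DES, which keeps only the first two salt characters and the first eight input characters, so any two strings sharing an eight-character prefix hash identically under the same salt.

```php
<?php
// Added example (not from the original post). Shows the traditional DES
// behaviour of crypt(): only the first two salt characters and the first
// eight input characters matter. Inputs below are constructed for this demo.

function des_crypt_compare(string $a, string $b, string $salt): array
{
    $ha = crypt($a, $salt);
    $hb = crypt($b, $salt);
    return [
        'hash_a'       => $ha,
        'hash_b'       => $hb,
        // Constant-time comparison; avoids leaking the mismatch position.
        'same_hash'    => hash_equals($ha, $hb),
        // Traditional DES output is always 13 characters: 2 salt + 11 hash,
        // which is a quick way to detect that the weak fallback was used.
        'is_std_des'   => strlen($ha) === 13,
        // The salt is echoed back as the first two characters of the output.
        'salt_prefix'  => substr($ha, 0, 2),
        'first8_equal' => substr($a, 0, 8) === substr($b, 0, 8),
    ];
}

// Two different strings that share their first eight characters ("correcth"):
// under DES crypt() they produce the same 13-character hash.
print_r(des_crypt_compare('correcthorse', 'correcthorsebattery', 'as'));

// Strings that already differ within the first eight characters hash differently.
print_r(des_crypt_compare('correcthorse', 'wrongXhorse', 'as'));
```

A practical check when auditing stored hashes: any crypt() output that is exactly 13 characters long came from the DES fallback, regardless of how long the salt passed in was, because the remaining salt characters were silently discarded.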
Posted by OpenInternet-Vince, 07-26-2009, 04:28 AM
Now that I've figured out the limitation, could anybody suggest other ways to do a two-pass encryption system with a salted string?
Before I was doing crypt(input) -> md5(salted input)
Last edited by OpenInternet-Vince; 07-26-2009 at 04:33 AM.
Posted by MontaSEO, 07-26-2009, 05:47 AM
You could consider using the hash() function, which could be more secure than MD5, depending on the algorithm you use.
http://php.net/manual/en/function.hash.php
Posted by MontaSEO, 07-26-2009, 06:08 AM
This of course wouldn't be an issue when using a salt, since it's included "somewhere" in the hash, and hence it makes it impossible to guess where, unless you have the source code.
I would simply use md5, and then create my own function to store the salt. It doesn't matter that the string gets longer than normal, because potential attackers wouldn't know where in the string the hash is located.
Posted by Dark Light, 07-26-2009, 06:52 AM
With the crypt() function, the salt defines the type of encryption to use when hashing your password. Your salt does not match any of the four applicable salt formats (see http://php.net/crypt, the "Description" section, for the four salt formats) and so it is reverting to the default CRYPT_STD_DES format, which only uses the first two characters of your salt and only takes the first eight characters of your string, so it will produce the same output when using the same salt, as you said.
Use another salt format if you still want to use crypt(): a nine-character salt for the EXT DES type, a prefix of $1$ for MD5, or $2$ for Blowfish.
Alternatively, use another hashing method such as hash() if your PHP version allows it.
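Dark Light's post above recommends selecting a stronger algorithm through the salt prefix. The following added example (not code from the thread) does that with the Blowfish/bcrypt format. It assumes PHP 5.3.7 or later, where the identifier is "$2y$" (older manuals list "$2a$"), and PHP 7 or later for random_bytes(); the sample secrets and the cost of 10 are constructed for this example. The two inputs that collided under the DES fallback in the first post no longer collide here.

```php
<?php
// Added example (not from the original thread). Uses crypt() with a bcrypt
// salt so the full input, not just its first eight characters, is hashed.
// Assumes PHP >= 7 (random_bytes) and the "$2y$" identifier (PHP >= 5.3.7).

function bcrypt_salt(int $cost = 10): string
{
    // bcrypt expects a cost of two digits followed by 22 characters from the
    // alphabet ./A-Za-z0-9; base64 output with '+' mapped to '.' fits that.
    $raw = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $raw);
}

function hash_secret(string $secret, int $cost = 10): string
{
    $hash = crypt($secret, bcrypt_salt($cost));
    // A bcrypt hash is 60 characters. Anything shorter means crypt() could
    // not use the requested format (e.g. unsupported salt); never store it.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed; check salt format');
    }
    return $hash;
}

function verify_secret(string $secret, string $stored): bool
{
    // The stored hash carries its own algorithm, cost and salt, so passing it
    // back as the "salt" re-derives the same hash for the right secret.
    // hash_equals() keeps the comparison constant-time.
    return hash_equals($stored, crypt($secret, $stored));
}

$h = hash_secret('correcthorse');
var_dump(verify_secret('correcthorse', $h));         // the correct secret
var_dump(verify_secret('correcthorsebattery', $h));  // collided under DES; rejected here
```

Two caveats a practitioner should keep in mind: bcrypt itself only considers the first 72 bytes of the input, so the truncation problem is reduced, not eliminated, and on PHP 5.5 or later the same result is obtained with less room for error by calling password_hash() and password_verify(), which generate the salt and choose the algorithm for you.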