  1. #1
    Join Date
    Mar 2003
    Posts
    16

    Unanswered: How to store the encrypted data

    Hi,
    I took the varchar data type and am inserting the encrypted data into the table with all varchar types. While inserting I am putting the string within single quotes (because it is a string), but the encrypted data itself has single quotes, so the string isn't inserting.
    Later I changed all the single quotes (') to backslash single quote (\'). Now the problem is that, as expected, the decrypted string isn't matching. I believe it's because of the string replacement for the single quote.
    Is there any data type for encrypted data instead of varchar? If not, how do I solve my problem?

    Thank you
    :-)

  2. #2
    Join Date
    Apr 2003
    Location
    Tunisia
    Posts
    192

    Thumbs up Try

    You must convert / and \ into other characters or set another encryption method which does not use special characters.
    Open up
    Take a look to my Blog http://www.rundom.com/karim2k

  3. #3
    Join Date
    Dec 2002
    Posts
    65
    You might want to think of storing the password as an MD5 hash as that will not contain any special characters, however if you're already tied to a specific type of encryption that needs to be reversible look into mime encoding / base64encoding, otherwise ' chars aren't the only problems you'll run into as sometimes when encrypting chars will get mapped to \0 (null) which may cause other problems as well.

    -b
    (I'm only available at the email address provided in my profile on weekdays, if you have questions or advice, during off hours use AIM). Also any views I provide here or on my website are mine and not representative of any views of my work, family, friends and sometimes even myself.

    http://www.bcyde.com
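Why the quoted INSERT in the question fails and the base64 suggestion above does not, as an added example (not code from this thread). It uses Python's sqlite3 in place of the poster's database; the table, column and sample bytes are constructed for illustration.

```python
import base64
import sqlite3

# Constructed sample: bytes a stream cipher could emit, including single
# quotes, a backslash, a NUL and bytes that are not valid UTF-8.
CIPHERTEXT = b"\x9f'\\\x00k\xe2'A"


def store_by_concatenation(conn, blob):
    """Paste the value between single quotes, as described in the question."""
    value = blob.decode("latin-1")
    try:
        conn.execute("INSERT INTO secrets (data) VALUES ('" + value + "')")
        return True
    except (sqlite3.Error, ValueError):
        # The embedded quote ends the literal early (and the NUL is rejected).
        return False


def store_base64(conn, blob):
    """Encode first: base64 output only uses A-Z a-z 0-9 + / =."""
    text = base64.b64encode(blob).decode("ascii")
    # Bound parameter: the driver never parses the value as SQL.
    cur = conn.execute("INSERT INTO secrets (data) VALUES (?)", (text,))
    return cur.lastrowid


def load_base64(conn, rowid):
    row = conn.execute("SELECT data FROM secrets WHERE id = ?", (rowid,)).fetchone()
    return base64.b64decode(row[0])


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, data VARCHAR(255))")
    stored_raw = store_by_concatenation(conn, CIPHERTEXT)
    rowid = store_base64(conn, CIPHERTEXT)
    return stored_raw, load_base64(conn, rowid) == CIPHERTEXT


if __name__ == "__main__":
    print(demo())
```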

  4. #4
    Join Date
    Apr 2003
    Location
    Tunisia
    Posts
    192

    Thumbs up Cool

    The analysis is excellent, but we want to get a solution, man.

  5. #5
    Join Date
    Dec 2002
    Posts
    65
    karim2k,
    actually my solutions were:
    -either MD5 the passwords before storing them
    -mime encode the passwords before storing them and unencode them later when authenticating.

    -b

  6. #6
    Join Date
    Apr 2003
    Location
    Tunisia
    Posts
    192

    Thumbs up Thanks

    Yep, I've understood, but we need a full long explanation. Can you write more than 50 pages to explain that?

  7. #7
    Join Date
    Mar 2003
    Posts
    16

    Arrow thanku for active participation

    Thank you for active participation.
    I used addslashes before inserting into the database and stripslashes after retrieving data from the database, then decrypting it.

    I've got another question.
    I want to delete a record having all encrypted fields, including the primary key. How can I delete that record if I have the primary key data in plain text?
    The problem is that the encryption algorithm returns different text every time, so encrypting the plain text and comparing it with the database isn't fetching the results.
    I need to get all primary key fields from the table, decrypt them and then compare with the plain text. All these things will take much time when we are handling big tables.
    Did you come across any best practices regarding this area? If so, let me know, or else give any good resources that I can access through the net.

  8. #8
    Join Date
    Apr 2003
    Location
    Tunisia
    Posts
    192

    Question What key ?

    What type is your key? int, serial, char?

  9. #9
    Join Date
    Mar 2003
    Posts
    16

    all chars

    All chars a to z and special chars and numbers.

    I suppose I am using RC4. I took this algorithm from these forums, I suppose. I am posting the algorithm. I am using "e-3" to encrypt and "d-3" to decrypt the data. It supports three types of encryption and the corresponding decryption.


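    function encrypt($d, $action, $p = '$~!#(')
    {
        $ivcl = 10;          // length of the random per-message key suffix (IV)
        $N = 1;              // number of key-schedule passes
        static $randset = 0; // unused
        $k = "";
        $S = [];
        $K = [];

        if ($action == "d-1") {
            // raw ciphertext: the first $ivcl bytes are the IV
            $k = substr($d, 0, $ivcl);
            $d = substr($d, $ivcl);
        } elseif ($action == "d-2" || $action == "d-3") {
            // base64 ciphertext: decode, then split off the IV
            $d = base64_decode($d);
            $k = substr($d, 0, $ivcl);
            $d = substr($d, $ivcl);
        } elseif ($action == "e-1" || $action == "e-2" || $action == "e-3") {
            // encrypting: build a fresh IV of random digits and letters, so the
            // same plaintext encrypts to different text on every call
            while (strlen($k) < $ivcl) {
                switch (mt_rand(1, 3)) {
                    case 1:
                        $k .= chr(mt_rand(48, 57));   // 0-9
                        break;
                    case 2:
                        $k .= chr(mt_rand(65, 90));   // A-Z
                        break;
                    case 3:
                        $k .= chr(mt_rand(97, 122));  // a-z
                        break;
                }
            }
        }
        if ($action == "e-3") {
            $d = serialize($d);
        }

        // effective key = password followed by the IV
        $p .= $k;

        // RC4 state array: all 256 byte values, 0..255
        for ($i = 0; $i < 256; $i++) {
            $S[$i] = $i;
        }

        // repeat the key bytes to fill 256 positions
        $j = 0;
        $t = strlen($p);
        for ($i = 0; $i < 256; $i++) {
            $K[$i] = ord(substr($p, $j, 1));
            $j = ($j + 1) % $t;
        }

        // key schedule: permute the state array under the key
        $j = 0;
        for ($kk = 0; $kk < $N; $kk++) {
            for ($i = 0; $i < 256; $i++) {
                $j = ($j + $S[$i] + $K[$i]) & 0xff;
                $t = $S[$i];
                $S[$i] = $S[$j];
                $S[$j] = $t;
            }
        }

        // keystream generation: XOR one keystream byte with each data byte
        $i = 0;
        $j = 0;
        $ret = '';
        $dlen = strlen($d);
        for ($ii = 0; $ii < $dlen; $ii++) {
            $c = $d[$ii];
            $i = ($i + 1) & 0xff;
            $j = ($j + $S[$i]) & 0xff;
            $t = $S[$i];
            $S[$i] = $S[$j];
            $S[$j] = $t;
            $t = ($S[$i] + $S[$j]) & 0xff;
            $ret .= chr($S[$t]) ^ $c;
        }

        if ($action == "d-1" || $action == "d-2") {
            return $ret;
        } elseif ($action == "d-3") {
            $ret = unserialize(stripslashes($ret));
            return $ret;
        } elseif ($action == "e-1") {
            // IV followed by raw ciphertext
            return $k . $ret;
        } elseif ($action == "e-2" || $action == "e-3") {
            // IV followed by ciphertext, base64-encoded for safe storage as text
            return base64_encode($k . $ret);
        }
    }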

  10. #10
    Join Date
    Oct 2002
    Location
    Baghdad, Iraq
    Posts
    697

    Re: all chars

    Originally posted by itsvasu
    All chars a to z and special chars and numbers.

    I suppose I am using RC4. I took this algorithm from these forums, I suppose.
    Don't trust some algorithm you grabbed off a forum to do crypto. Get a real library to do this stuff, like OpenSSL. If it doesn't matter that much, don't bother with all the hassle of encrypting it.

    The earlier poster's suggestion of using MD5 (or SHA) is much better. You need to understand what a message digest actually is, and how one-way functions work. The algorithm works like this:

    Two columns: SALT and CRYPT.

    Salt is some random bits. You can grab some bits off /dev/rand, or use openssl rand:

    openssl rand -base64 -out salt 20

    The base64 is just to make sure there aren't problems with text encoding. 20 means 20 bytes which is the same size as the SHA1 digest.

    Then you need to append the password to the salt. Exactly how you do it doesn't matter, it just needs to be bit identical each time.

    So, suppose we use:

    cat salt password > saltedpassword

    The salting is important because otherwise people with identical passwords (and there are plenty) will get the exact same digest, which would be bad.

    We'll store the digest in the database:

    openssl sha1 saltedpassword > crypt

    So finally, you put the contents of "crypt" and "salt" in the database and throw out password and saltedpassword.

    To verify a user's authenticity, you do the exact same thing:

    Get the password the user entered and the salt from the database.

    Again:

    cat salt password > saltedpassword
    openssl sha1 saltedpassword > crypt

    Now, just compare the crypt you just generated to the one in the database. If they're the same, the password must be correct.

    (Note that if you encrypt data using a symmetric algorithm, you *still* need an "initialization vector" which is just a fancy term for salt. The salt doesn't need to be encrypted itself, btw.)

    Quickest solution, IMHO, would be to write a function in PL/Perl, rather than calling openssl each time. Just do sudo perl -MCPAN -e shell and type i /crypto/ to see Perl's rather extensive crypto libraries.
    Last edited by sco08y; 06-08-03 at 23:48.
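The SALT and CRYPT procedure from the post above, end to end, as an added example (not code from this thread). It uses Python's hashlib and an in-memory sqlite3 table in place of the openssl commands and the poster's database; the table layout, user names and passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import sqlite3


def digest(salt, password):
    # salt followed by password, byte-identical on every call
    return hashlib.sha1(salt.encode("ascii") + password.encode("utf-8")).hexdigest()


def make_record(password):
    """Return (salt, crypt): 20 random bytes as base64 text, SHA-1 hex digest."""
    salt = base64.b64encode(os.urandom(20)).decode("ascii")
    return salt, digest(salt, password)


def add_user(conn, name, password):
    salt, crypt = make_record(password)
    # Only salt and digest are stored; the password itself is discarded.
    conn.execute("INSERT INTO users (name, salt, crypt) VALUES (?, ?, ?)",
                 (name, salt, crypt))


def verify(conn, name, password):
    row = conn.execute("SELECT salt, crypt FROM users WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(digest(salt, password), stored)


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name VARCHAR(64) PRIMARY KEY, "
                 "salt VARCHAR(28), crypt VARCHAR(40))")
    add_user(conn, "alice", "hunter2")   # constructed sample accounts
    add_user(conn, "bob", "hunter2")     # same password, different salt
    crypts = [r[0] for r in conn.execute("SELECT crypt FROM users ORDER BY name")]
    return (crypts[0] != crypts[1], verify(conn, "alice", "hunter2"),
            verify(conn, "alice", "wrong"), verify(conn, "nobody", "hunter2"))


if __name__ == "__main__":
    print(demo())
```

For new systems a deliberately slow function such as `hashlib.scrypt` or `hashlib.pbkdf2_hmac` takes the place of the single SHA-1 call; the salt column and the verify flow stay the same.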
