9

Possible Duplicate:
Best way to use PHP to encrypt and decrypt passwords?

I've been doing a lot with PHP recently and want to make my first login/registration system. As such I've been doing a lot of reading online to figure out the best method(s) for doing this. I've come across a couple of guides and I'm confused on a few instances and I'd like to be sure before I start down this road.

My question is how exactly do I use blowfish? I've read that crypt() will auto select blowfish if an appropriate salt is provided. If that is the case, What makes a salt blowfish appropriate?

Right now, I have a script that makes a salt out of the date and time, a random number, then hash that for the salt. Is that something I can use with blowfish or not?

Benjamin Loison
  • 3,782
  • 4
  • 16
  • 33
sharf
  • 2,123
  • 4
  • 24
  • 47
  • 1
    For understanding you could have a look at the comments of this [example code](http://www.martinstoeckli.ch/php/php.html#bcrypt), for using it, i would strongly recommend to use ircmaxell's excellent api. It is misleading that the second parameter of `crypt()` is called salt, actually it contains all crypt parameters including the salt. – martinstoeckli Dec 11 '12 at 09:58

3 Answers3

12

In short: don't build it yourself. Use a library.

In PHP 5.5, there will be a new API available to make this process easier on you. Here's the RFC for it.

I've also created a backwards-compatibility library for it here: password-compat:

$hash = password_hash($password, PASSWORD_BCRYPT);

And then to verify:

if (password_verify($password, $hash)) {
    /* Valid */
} else {
    /* Invalid */
}

And if you want another library, check out phpass

In short, don't do it yourself. There's no need. Just import the library and be done with it...

ircmaxell
  • 163,128
  • 34
  • 264
  • 314
  • I've read that, and will probably use that in the long run, but I like to understand how to do things myself. Thanks for the tip, but it doesn't answer my question. – sharf Dec 10 '12 at 18:33
  • 2
    @sharf: look at what the libraries do (the compat one should be pretty easy to read). That should give you insight on how it all works... – ircmaxell Dec 10 '12 at 18:43
  • That still doesn't answer my question. – sharf Dec 10 '12 at 19:29
  • This is not exactly what the OP asks, but this is the answer the OP needs – Ronni Skansing Feb 02 '14 at 14:15
  • @BenDuffin: You actually just proved my point with your comment. `crypt()` can do bcrypt. But it is easy to screw up. It is easy to wind up in a situation where you kill security. Which is why I did not recommend actually using it directly, but using a library. Because cryptography is hard, and you shouldn't do it yourself if you have an alternative. And there are alternatives. – ircmaxell Feb 02 '14 at 14:20
6

Take a look at http://php.net/manual/en/function.crypt.php

If you scroll down about 1/3, you should see the heading: Example #3 Using crypt() with different hash types. Hopefully this will help! and your salt should be fine!

ABC
  • 718
  • 8
  • 23
  • 3
    I have seen that but I'm still confused. Do I just tack $2a$07$ to the front of my salt (and another $ to the end) to make it use blowfish? Also, what is the 07 in that example, the number of rounds? – sharf Dec 10 '12 at 18:25
  • Yes exactly, with the 07, the higher number, the more rounds and the longer it takes – ABC Dec 10 '12 at 22:30
-4

Try this - its untested, I just whipped it up to show how to use the BLOWFISH algo with PHP

<?php
class cipher {
private static $mode = 'MCRYPT_BLOWFISH';
private static $key = 'q!2wsd#45^532dfgTgf56njUhfrthu&^&ygsrwsRRsf';

public static function encrypt($buffer){
    $iv                 = mcrypt_create_iv(mcrypt_get_iv_size(constant(self::$mode), MCRYPT_MODE_ECB), MCRYPT_RAND); 
    $passcrypt  = mcrypt_encrypt(constant(self::$mode), self::$key, $buffer, MCRYPT_MODE_ECB, $iv); 
    $encode         = base64_encode($passcrypt); 
    return $encode; 
}

public static function decrypt($buffer){
    $decoded        = base64_decode($buffer); 
    $iv                 = mcrypt_create_iv(mcrypt_get_iv_size(constant(self::$mode), MCRYPT_MODE_ECB), MCRYPT_RAND); 
    $decrypted  = mcrypt_decrypt(constant(self::$mode), self::$key, $decoded, MCRYPT_MODE_ECB, $iv);
    return $decrypted;
}
}
?>

IMPORTANT!! CHANGE THE $key VALUE TO ANOTHER RANDOM STRING!

Usage:

To Encrypt:

$mystring = 'a quick brown fox jumped over the lazy llama'; $mystring = cipher::encrypt($mystring);

To Decrypt:

$mystring = cipher::decrypt($myencryptedstring);

Ben Duffin
  • 1,066
  • 10
  • 16
  • 2
    A few points: 1. The question is about the password hashing algorithm (see the passwords and crypt tags). 2. You're using ECB. Bad developer, no donut. 3. You're using a static, hard-coded key. Again, bad. 4. You're not storing the IV on encryption, meaning that decrypt will NEVER work (for non-ECB modes)... – ircmaxell Dec 10 '12 at 22:06
  • helpful comment - could you rewrite it to suit the conditions you specify please? Although I disagree about the off-question part - the chap wanted to know about how to encrypt with blowfish did he not? Not knowing his code I simply tried to give him a utility to allow him to encrypt and decrypt given data with the blowfish algo. What does non-ECB mode mean as I use quite similar code in some large apps and have had no trouble with it - am i missing something? :S hope not! – Ben Duffin Dec 10 '12 at 22:24
  • 1
    First, no, he was not talking about [encryption, he asked about hashing](http://stackoverflow.com/questions/4948322/fundamental-difference-between-hashing-and-encryption-algorithms/4948393#4948393). So it's definitely off-topic. As far as the other issues, it's insecure: [One](http://en.wikipedia.org/wiki/ECB_mode#Electronic_codebook_.28ECB.29), [Two](http://stackoverflow.com/questions/3275833/which-encryption-mode-ecb-cbc-cfb), [Three](http://www.adayinthelifeof.nl/2010/12/08/encryption-operating-modes-ecb-vs-cbc/). – ircmaxell Dec 10 '12 at 22:57
  • And if you want more feedback, post it to http://codereview.stackexchange.com/ – ircmaxell Dec 10 '12 at 23:00
  • mcrypt will be deprecated on php 7.1 in favor of OpenSSL – emiliopedrollo Dec 02 '16 at 01:42