0

I've been using base64 encoding for a while & it isn't secure because some decoders can easily identify it.

So is it a good idea to develop my own mechanism to protect data or make my encryption algorithm, if yes then how does self made encryption code look like?

hakre
  • 193,403
  • 52
  • 435
  • 836
user1477731
  • 13
  • 2
  • 9
  • 3
    The entire assumption of your question is flawed. You haven't employed security in the past because base64 is a method for encoding data, binary or otherwise, and has nothing to do with security. Your question doesn't explain what you are trying to secure or why. – gview Dec 31 '12 at 17:58
  • 2
    Base64 ***is not*** an encryption method. It is an encoding to encode binary data in a stream that only contains printable characters. – dualed Dec 31 '12 at 18:00
  • i meant to say , how can secure data in cookies ? – user1477731 Dec 31 '12 at 18:00
  • Once I read a good article about this topic but I can't find it right now - [start from here](http://security.stackexchange.com/questions/2202/lessons-learned-and-misconceptions-regarding-encryption-and-cryptology) anyway. – moonwave99 Dec 31 '12 at 18:00

3 Answers3

4

No, it is not a good idea to develop your own mechanism to protect data or make your own encryption algorithm.

You have to leave that to the experts. That is also the reason why we see you asking that question here. Listen to your inner voice, trust yourself to not trust yourself in this case.

(I don't want to say that you can not do whatever pleases you and I don't want to stop your from learning, just for the practical guideline in production environments, encryption, especially developing your own algorithm, is not only a high-art in it's own, it's also always the question how to ensure to not do any silly mistakes that can happen so often.)

hakre
  • 193,403
  • 52
  • 435
  • 836
  • but if its our code then no one can break it , else if we use the predefined functions they are still vulnerable – user1477731 Dec 31 '12 at 17:59
  • 1
    What makes you think no one can break it? –  Dec 31 '12 at 18:00
  • @user1477731: Not if you use encryption. What you actually used here is hashing, not encryption. That is a beginners first mistake in that area, see [Difference between Hashing ... and Encrypting](http://stackoverflow.com/q/326699/367456) and similar. – hakre Dec 31 '12 at 18:02
  • how can you know what mechanism have i used or what functions or anything . its impossible to guess it & so you want to say one should go for those predefined functions ? – user1477731 Dec 31 '12 at 18:02
  • 8
    @user1477731 Considering you believed you were securing data with base64, I don't believe you are very clear on security or cryptography concepts – gview Dec 31 '12 at 18:02
  • @Martin Barker: The experts you trust. If it turned out that the experts you trusted so far are not trustworthy, review your experts first and check your own documentation so that you can remove their impact. – hakre Sep 23 '13 at 22:33
0

Now that you've clarified you want to encrypt data in cookies, the first question to be asked is why? Is this data that could be kept in a session variable instead?

About the only thing I can think of that makes sense would be if you were storing a remember me password or some other sensitive credential that you wanted to be entirely sure could not be read out of the cookie. If your concern is security in transport (someone could sniff the data from the network) then you should be using HTTPS.

With that said, php has mcrypt which is a wrapper around many different types of proven ciphers. With these, a general rule of thumb is that the more bits you use the better, and you want to employ CBC mode and avoid ECB.

Start by reading about the mcrypt-encrypt function, and mcrypt-decrypt to decrypt the value.

gview
  • 14,876
  • 3
  • 46
  • 51
-1

Anybody could build an Encoder in php there are several types chipers are the most simple to understand however they are easy to break and would not be recommended to be used saying that if you just trying to protect something from a simple user or you wish to learn how to build some security in that it makes it a little harder to identify you could look into cypers or modulating cypers for a bit of security.

Just recently i was talking to someone who wanted to understand the basic's so i built one based on binary value manipulation,

DO NOT USE THIS FOR ANYTHING MORE THAN PLAYING OR LEARNING A LITTLE

class binChar{
    function __construct(){
        $this->pats = array('0', '1', '00', '11', '000', '111', '0000', '1111', '00000', '11111');
    }

    function encrypt($str){
        $str = str_replace(array("\r", "\n", "\t", " "), array('\r', '\n', '\t', '\s'), $str);
        $strN = str_split($str);
        $bin = "";
        foreach($strN as $char){
            $charC = decbin(ord($char));
            $count = count((string)$charC);
            while($count < 8){
                $chars = "0".$charC;
                $count++;
            }
            $bin .= $chars;
        }
        echo "Given \r\n ".$str." \r\n Binary\r\n".$bin."\r\n";
        foreach($this->pats as $key => $pat){
            $bin = str_replace($pat, $key, $bin);
        }
        return $bin;
    }

    function decrypt($bin){
        foreach($this->pats as $key => $pat){
            $bin = str_replace($key, $pat, $bin);
        }
        $str = "";
        $chars = str_split($bin, 8);
        foreach($chars as $char){
            $str .= chr(bindec($char));
        }
        $str = str_replace(array('\r', '\n', '\t', '\s'), array("\r", "\n", "\t", " "), $str);
        return $str;
    }
}

$enc = new binChar();
$test = $enc->encrypt("Hello World");
echo "Encrypted\r\n".$test;
echo "\r\nDecrypted\r\n".$enc->decrypt($test);

I Repeat i would never recommend you used this for anything other than playing with and testing / learning how it works it's just a basic example of some obfuscation.

And i know using AES in php is not easy to understand and it's not a simple function call however using it your data will be secured far better.

Barkermn01
  • 6,781
  • 33
  • 83
  • Cipher is two way encryption so you encrypt to it and back if you get exactly what you put in then it works – Barkermn01 Dec 31 '12 at 18:10
  • 1
    There is NO reason to ever develop your own algorithms, outside of "just a learning exercise". The AES process took every cryptographer in the world, millions of dollars, and the combined resources of NIST, the NSA, and input from security vendors. It's unlikely that you can "make sure you have tested it properly". – mfanto Dec 31 '12 at 21:50
  • "Cipher is two way encryption so you encrypt to it and back if you get exactly what you put in then it works " the null cipher would be a good fit then, it performs no encryption at all, so you don't even have to decrypt! – Maarten Bodewes Jan 04 '13 at 15:03
  • mfanto and owlsted i was saying why read an answer before posting bull, if some one was ever to get into my mysql server anything that was private is using 2 way encryption so its not in plain English and i can get it to english for display i was supporting the it should not be made argument explaining the only time i have ever done it and what it was for – Barkermn01 Jan 10 '13 at 15:42
  • not secure claims you try breaking into a system that does not have a public encryption method you would not know where to start the problem with the big ones like AES is loads of different things use them so there are thousands of hackers trying to break them if you build a private one for your own system (as in small system) no hacker / code breaker is going to waste there time on it when they don't know what they could get out of it, just remember the enigma was 2 way and could not be broken the UK had to steal a machine and how many years was that war going one before that happened – Barkermn01 Jan 10 '13 at 15:52
  • The controversy is over Dual_EC_DRBG, not AES. And it's still more secure than anything anyone can do on their own. – mfanto Sep 23 '13 at 15:19
  • why, why could one person not make something more secure that loads of people your logic is flawed, and AES is still one that NSA helped make witch means if they messed with one they would mess with them all. security is thousands of people knowing how it works make no sense i bet you think SSL is perfect when SSL on a server – Barkermn01 Sep 23 '13 at 16:00
  • Oh and your wrong it is covering AES i just could not find the proof to argue with you http://www.zdnet.com/has-the-nsa-broken-ssl-tls-aes-7000020312/ Even one of the designers of SSL thinks that AES/TLS and others are already broken so it's not just Dual_EX_DRBG – Barkermn01 Sep 23 '13 at 16:22
  • You're all over the place conflating different ideas and issues. The NSA didn't help "make" AES, it simply provided analysis and opinion. AES is the result of a public contest with the winner being a pair of Belgium cryptographers. You're asking why someone that isn't an expert in cryptanalysis couldn't design a secure algorithm? There are hundreds of attacks against modern ciphers, and unless you're familiar with them, it seems unlikely you could resist them. SSL and TLS have plenty of issues (see the CRIME and BREACH) attacks. That doesn't mean AES is broken however. – mfanto Sep 23 '13 at 18:00
  • @mfanto "The AES process took every cryptographer in the world, millions of dollars, and the combined resources of NIST, the NSA, and input from security vendors" that's from you tit wanna revise your last statment As to your last part AES is part of SSL, TLS and AES are used for SSL – Barkermn01 Sep 24 '13 at 15:14
  • I'm done engaging you, it's clear you're not interested in having a reasonable discussion. AES was a public contest with 15 submissions from various sources around the world. After multiple years and three rounds of analysis, with input from cryptographers, government agencies (including the NSA), and industry, Rijndael (submitted by two Belgium cryptographers) was selected as the winner. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process – mfanto Sep 24 '13 at 15:25
  • I'm sorry but you're very mistaken in almost all your comments. "As to your last part AES is part of SSL, TLS and AES are used for SSL". AES is a cipher that is supported in most SSL and TLS implementations, but that is not a requirement. I think some servers even prefer RC4 over AES for performance reasons. It's entirely possible to use SSL and TLS without ever using AES (http://www.openssl.org/docs/apps/ciphers.html) – mfanto Sep 24 '13 at 15:40
  • Sorry your the one contradicting your self, if it is not possible for 1 person to make an Encryption system better or as good as AES why can only 2 people do it and not 1 person, as i have said i have made a modulating cipher same as AES dose admittedly it wont be as secure but it's a good place to start but then mine was a PHP implementation so no way could i have made it as secure as AES but the fact is it could be done it's look at leonardo da vinci he made ciphers that have taken untill now to break so it is possible all be it rare but possible. – Barkermn01 Sep 24 '13 at 15:45
  • And most (if not all now) Root CA Companies supported by browsers/OSes (so it's not invalid) use AES so it SSL and RC4 is now more of a burden on CPU than AES http://crypto.stackexchange.com/questions/853/google-is-using-rc4-but-isnt-rc4-considered-unsafe but my argument is still valid one person could make a better system than AES all be it rare but the point is still valid if 2 people could make AES then 1 person could make one better than it it just depends how good they are and if they did make it do they want it public i could think of plenty of reasons for an alternative – Barkermn01 Sep 24 '13 at 15:51
  • Another Point is that NDA have had access to AES longer than the public so the point is they could have broken it if you were doing something illegal much better to have your own and make them have to break it than something they could quite possibly have broken as ii have said why trust in thousands when you can do it your self if you good you could do it, and you don't need to be a cryptographers could just be a math expert and devise a good one being that all information on a computer is number related – Barkermn01 Sep 24 '13 at 15:56
  • I have added an example of a simple version however i still remain with the others dont use this for anything more than a simple test or if you only want to protected data on your home PC should some one steal it even then if they stole it to obtain your data this wont stop them it might slow them down a little – Barkermn01 Jul 28 '14 at 22:48