Author crypt function in PHP different from Perl's crypt?
Lars Plessmann

2004-05-25, 7:44 pm

Why does the crypt function return a longer string than Perl's crypt?
I need the same length (8 chars) for a password field, like it's used in
the .htpasswd files of Apache.
In PHP I retrieve a string like "$1$Td2.gm2.$cqiXCn3YKNANp4Q64Vvkf0"
instead of "Td2.gm2."

Why?

Are there any parameters for crypt, to get only the necessary part?


thanks a lot,

Lars

Shane Lahey

2004-05-25, 7:44 pm

this probably has to do with the user supplied salt you're giving.... ??
either that or CRYPT_STD_DES is unsupported on your server???

to check if your system supports it, first try:

<?php
if (CRYPT_STD_DES == 1)
    echo "Standard DES-based encryption is supported\n";
else
    echo "Error: Standard DES-based encryption is not supported\n";
?>



Information about crypt() is located at
http://ca2.php.net/manual/en/function.crypt.php


The standard DES-based encryption crypt() returns the salt as the
first two characters of the output. It also only uses the first eight
characters of str, so longer strings that start with the same eight
characters will generate the same result (when the same salt is used).

On systems where the crypt() function supports multiple encryption
types, the following constants are set to 0 or 1 depending on whether
the given type is available:

CRYPT_STD_DES - Standard DES-based encryption with a two character
salt

CRYPT_EXT_DES - Extended DES-based encryption with a nine character
salt

CRYPT_MD5 - MD5 encryption with a twelve character salt starting with
$1$

CRYPT_BLOWFISH - Blowfish encryption with a sixteen character salt
starting with $2$

Note: There is no decrypt function, since crypt() uses a one-way
algorithm.





Lars Plessmann

2004-05-26, 3:34 am


Hi!

thanks.
I get the "Standard DES-based encryption is supported" message.
That's the "short" string, the documentation says. But it isn't!
I don't enter the salt parameter, so it should use a random 2 character
string that delivers me a CRYPT_STD_DES crypt string.

But why do I get the long password?
In Perl I get, with the same Apache, the 8 character password string
without any "$" prefixes.

shortbackandsides.no@spam.hairdresser.net

2004-05-26, 9:34 am

Although the returned string is longer than that from using Perl to
generate a password, it may not matter.

You say it is for use in an .htpasswd file.

.htpasswd appears to work OK with either short or long passwords, I
have one which includes some of both types in it like this:

user1:$1$hSbU8fhz$vk.jwLUCx2AQSgqMpjpjR0
user2:1HH/7oEU7wTkY

I can log on OK as either user1 or user2 so whilst it is interesting
to understand why PHP is giving a longer result it may not matter once
you come to use it.

Or have I misunderstood something?



Shane Lahey

2004-05-26, 11:34 am

i'll be damned, you need to pass a 2 char salt to get a DES crypt()

...... here's a simple solution simply call: des_crypt([password]).....

<?php

// returns a completely random character from the $asc string.
function random_ch()
{
    $asc = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./';
    list($usec, $sec) = explode(' ', microtime());
    // cast to int: mt_srand() expects an integer seed
    mt_srand((int) ((float) $sec + ((float) $usec * 100000)));
    return $asc[ (mt_rand() % strlen($asc)) ];
}


// return a DES encrypted $pass using a random 2char salt.
function des_crypt($pass)
{
    $salt = random_ch() . random_ch();
    // as posted: the bare word random_ch is passed here instead of $salt
    // (Lars changes it to $salt later in the thread)
    return crypt($pass, random_ch);
}

?>






Lars Plessmann

2004-05-26, 4:32 pm

shortbackandsides.no@spam.hairdresser.net wrote:

> Although the returned string is longer than that from using Perl to
> generate a password, it may not matter.
>
> You say it is for use in an .htpasswd file.
>
> .htpasswd appears to work OK with either short or long passwords, I
> have one which includes some of both types in it like this:
>
> user1:$1$hSbU8fhz$vk.jwLUCx2AQSgqMpjpjR0
> user2:1HH/7oEU7wTkY
>
> I can log on OK as either user1 or user2 so whilst it is interesting
> to understand why PHP is giving a longer result it may not matter once
> you come to use it.
>
> Or have I misunderstood something?
>

I don't want to reserve so many fields for the password in the database.
So an 8 char password would be much better, like the Apache .htpasswd version.

Lars Plessmann

2004-05-26, 4:32 pm



Well okay. This way brings me 13 char passwords. That's okay I think...
So, I will do it in this way!

thanks a lot, Shane!


-Lars

Shane Lahey

2004-05-26, 5:31 pm

>
>I don't want to reserve so many fields for the password in the database.
>So an 8 char password would be much better, like the Apache .htpasswd version.


just so you know... the MD5 hashed passwords are MUCH more secure than
the DES encrypted passwords, so using the longer passwords would make
cracking passwords much much harder if your database were ever
compromised... sometimes the few extra bytes are just worth it :D

Lars Plessmann

2004-05-26, 6:31 pm



Oh, it doesn't work, because password A and password B are now not equal.
The same passwords encrypted with the des_crypt() function do not
concur. What's the problem?

by the way, I changed

> $salt = random_ch() . random_ch();
> return crypt($pass, random_ch);


to

$salt = random_ch() . random_ch();
return crypt($pass, $salt);


I think that was what you meant?

I hope you can help?


Lars

Shane Lahey

2004-05-26, 7:31 pm


hehe, simple
it's because the seed is random.
you will need to seed the provided password with the first two letters
of the stored password
.....
easier for me to give an example

say you have a database with user MisterX and encrypted password
xZX3RQm9R4w3.

when checking if MisterX is providing the same password in the future
you will need to take the first two letters from the stored encrypted
password (in this case 'xZ') and use that as the salt to encrypt the
new password, then compare the two hashes..... DES encryption is a
ONE-WAY hash, it can't exactly be de-crypted, just compared.

hope this makes sense....

For my example: xZX3RQm9R4w3. is the word 'password' crypt()'ed with
the seed 'xZ'
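
The comparison described in the last post, combined with the two hash formats from the .htpasswd sample earlier in the thread, as an added PHP example that is not part of any poster's message. The function names crypt_scheme and verify_password, the passwords and the salts are assumptions constructed for the illustration.

```php
<?php
// Added example (not from the thread). Function names, passwords and salts
// below are constructed for illustration.

// Classify a stored hash by the two formats seen in the .htpasswd sample.
function crypt_scheme(string $stored): string
{
    if (strncmp($stored, '$1$', 3) === 0) {
        return 'md5';       // "$1$" + salt + "$" + digest
    }
    if (preg_match('#^[./0-9A-Za-z]{13}\z#', $stored) === 1) {
        return 'std_des';   // 2-character salt + 11-character digest
    }
    return 'unknown';
}

// Re-hash the candidate with the stored hash as the salt argument; crypt()
// takes the scheme and salt from its prefix, so one check covers both formats.
function verify_password(string $candidate, string $stored): bool
{
    if (crypt_scheme($stored) === 'unknown') {
        return false;       // refuse anything that is not a recognised hash
    }
    // hash_equals() compares in constant time, unlike == or strcmp().
    return hash_equals($stored, crypt($candidate, $stored));
}

// Constructed records: the hashes are generated here, with fixed demo salts.
$records = [
    'des_user' => crypt('password', 'ab'),
    'md5_user' => crypt('password', '$1$demosalt$'),
];

foreach ($records as $user => $stored) {
    printf(
        "%s scheme=%s length=%d correct=%s wrong=%s first8=%s\n",
        $user,
        crypt_scheme($stored),
        strlen($stored),
        var_export(verify_password('password', $stored), true),
        var_export(verify_password('letmein', $stored), true),
        // Standard DES reads only the first eight characters of the input,
        // so this longer candidate is accepted for des_user but not md5_user.
        var_export(verify_password('password-and-more', $stored), true)
    );
}
```

The length column shows the storage difference discussed in the thread: 13 characters for the standard DES form and 34 for the $1$ form with an eight-character salt.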

Copyright 2008 codecomments.com