Forum Moderators: coopster
The problem with some of the solutions is of course Server Specific. If I take the program to a different server the encryption hex is different.
The problem is simple but the solution difficult. I pass database IDs in the URL string. It is simple for a person to come up with the next ID of course (1, 2, 3, 4, 5, etc.).
What I would like to do is simply encrypt or somehow alter the id ($key = "keycode" number_encrypt(4,$key) - Output: 921A5) for example. Then using a decrypt function I can pass it the number_decrypt(921A5,$key) and the script will give me back 4.
Again, it sounds simple but when you factor in the ability to transfer scripts, move servers, encryption standard upgrades the current pool just doesn’t work...
Any ideas?
That function provides one of the problems I am having. If I was to move the script to another server the Encryption is completely different from the server I am moving from. Therefore trying to decrypt the string which was produced on Server A is not possible on Server B.
What I would like to do is hide the fact that this page is displaying DB ID 56. An Example Encrypt Function would output:
http://example.com/page.html?DBID=A98T507
Now this can be accomplished using mcrypt_cbc() and it works quite well. However with the string which is outputted using that function I cannot successfully take that string to a different server and de_crypt() it and get "56".
You could write a simple function, as it doesn't have to be very robust. Something like:
Take each digit, and grab the letter of the alphabet corresponding to the number.
or
Convert the number to Hex, then append the original number to it.
or
Take each digit, and grab a value from an array corresponding to that number. Populate array with random, but unique, alphanumeric values.
Chad
as ChadSEO said, just write some little function that does some replacement based on a few unique things.
switch em all to ascii and multiply them by something
use common offset replacement
use a hard coded key for your letters
I don't know, use a famous code from some spy book ;)
anything would work
Basically:
Plain Text == CypherText
You can then later take CypherText and turn it into Plain Text.
All of the functions that you'll find in PHP (I should think) will be one-way hashes... You cannot reverse the process, i.e., you can't feed it CypherText, and expect to receive PlainText. You'll get even more CypherText.
Probably the best way that you could do it would be to use some sort of "shared secret" or possibly "visible secret", where the "salt" for the encrypted cyphertext is visible, but doesn't really mean anything under casual inspection.
What I mean is, say you had a caesar function (look up ROT-13 or caesar shift in google), with a variable offset. So, you could pass something like:
?id=1093AD09
The "10" would indicate to your script that the offset is 10 (not the regular 13), and would then proceed to "decrypt" the rest of the string. So, A = K and D = N, and then you could further complicate things by making the letters actually be the ASCII values, so your string actually ends up being 93757809, which you could then, say, add them all together to get "48".
Only problem with the above system, is that you'll get a lot of collisions (91657809 gives the same "48" as 93757809), and so on, but you get the idea... Mess around with some funny little tricks here and there. Most simple "algorithms" will be enough to dissuade most people from trying too much, and someone who's really interested will need to spend the time and collect enough data to statistically evaluate what everything means.
As an aside, it'll be hard to generate the reverse in the above scenario... It's hard to make 1093Ad09 from "48". The math needs to work both ways, and you need to have a certain pattern that must be met when you go in both directions. My example isn't necessarily a good one for what you're trying to do, but it will hopefully give you an idea of what to look for.
I hope that made sense, and has helped you along a bit. :)
MM
PS: try the Code Book by Simon Singh. It's a good read on the history of different encryption methods, and their methodology.
That is the problem I have been running into while trying to develop this thing. If I turn it into ASCII or Hex numbers, using example id=56 => encrypted id=3536, who's to say where the numbers in the encrypted string start and stop to decrypt? 3, 35, 53, etc...
With math (adding, subtracting, division) you contend with halves and decimals where in a lot of cases rounding gets the wrong results.
It’s a strange problem, one I cannot put my finger on! Again I appreciate greatly everyone’s perspective and input!
If someone sat and watched enough, they could figure it out - If you want to add a little more confusion, subtract the real row number from the total rows in the DB and use that number, then add it the other way when you are decoding it.
<?php
$id = 1434;
// find how many numbers we will need to look for on the other side.
$nums = strlen($id);
// get some random characters - does not necessarily need to be random, or this many possibilities, but why not? =)
// md5() returns 32 hex characters, so this layout works for IDs of up to 7 digits.
$create_code = md5(rand(0, 999));
// break our current number up - other methods are available, use the one you like the best
$page_id = array();
$cnt = 0;
while ($cnt < $nums) {
    $page_id[$cnt] = substr($id, $cnt, 1);
    $cnt++;
}
// check what we have stored - testing only
print_r($page_id);
$code = $nums; $cnt2 = 0; $i = 1;
// put our numbers in the middle of a group of characters (I would mix this up a little if I were going to use it IOW not always four, but maybe the number of characters in the string plus some number, so it changes from page to page.)
while ($cnt2 < $nums) {
    $code .= substr($create_code, $i, 4) . $page_id[$cnt2];
    echo "<br>";
    $i += 4; $cnt2++;
}
// this is where the page number is hidden
echo $code . " id number passed.<br>";
// find how many numbers to find so we can get the id number(s) back
$find_nums = substr($code, 0, 1);
// show how many numbers we are looking for
echo $find_nums . " numbers in the string.<br>";
$cnt3 = 1;
// start with an empty string so the .= below does not append to an undefined variable
$realpage = '';
// get the numbers out of the string that was passed
while ($cnt3 <= $find_nums) {
    $page = ($cnt3 * 5);
    $realpage .= substr($code, $page, 1);
    $cnt3++;
}
// this is the hidden number
echo $realpage . " real number.";
Hope it gives you some ideas.
Justin
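A portable take on the number_encrypt()/number_decrypt() pair the original poster asks for, added here as an example and not taken from any post in the thread: a four-round Feistel permutation keyed with HMAC-SHA256, so the same key produces the same token on any server. The Feistel construction, the feistel_round() helper, the 7-character base-36 token format and the key value are assumptions of this example, which expects 64-bit PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Assumes 64-bit PHP 7.1+.
// Round function: 16 bits taken from HMAC-SHA256, identical on every server.
function feistel_round(int $half, int $round, string $key): int
{
    $mac = hash_hmac('sha256', pack('Cn', $round, $half), $key, true);
    return unpack('n', $mac)[1]; // first two bytes as an unsigned 16-bit integer
}

// Map an ID in 0..2^32-1 to a fixed-width, 7-character base-36 token.
function number_encrypt(int $id, string $key): string
{
    if ($id < 0 || $id > 0xFFFFFFFF) {
        throw new InvalidArgumentException('id out of range');
    }
    $left  = $id >> 16;
    $right = $id & 0xFFFF;
    for ($round = 0; $round < 4; $round++) {
        [$left, $right] = [$right, $left ^ feistel_round($right, $round, $key)];
    }
    $token = base_convert((string) (($left << 16) | $right), 10, 36);
    return strtoupper(str_pad($token, 7, '0', STR_PAD_LEFT));
}

// Inverse of number_encrypt(); returns null for a malformed token.
function number_decrypt(string $token, string $key): ?int
{
    if (!preg_match('/^[0-9A-Z]{7}$/D', $token)) {
        return null;
    }
    $value = (int) base_convert(strtolower($token), 36, 10);
    if ($value > 0xFFFFFFFF) {
        return null;
    }
    $left  = $value >> 16;
    $right = $value & 0xFFFF;
    for ($round = 3; $round >= 0; $round--) {
        [$left, $right] = [$right ^ feistel_round($left, $round, $key), $left];
    }
    return ($left << 16) | $right;
}

$key = 'constructed-demo-key'; // placeholder; load the real key from configuration
foreach ([4, 56, 57] as $id) {
    $token = number_encrypt($id, $key);
    printf("%d -> %s -> %d\n", $id, $token, number_decrypt($token, $key));
}
```

Every well-formed token in range decodes to some number, so the page still has to confirm that the row exists and that the requester is allowed to see it.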