Creating your own encryption method

tego10122 · 02-11-2009, 07:09 PM

Hello , How could I compile a class/function to create my own encryption method.

eg:

Code:

$text = 'milkdud22' 
output: my25Ql$jk

Wildhoney · 02-11-2009, 07:23 PM

Just scramble the input with some string functions like so:

php Code:

function TalkPHP_Encrypt($szString)
{
    $szString = str_rot13($szString);
    $szString = md5($szString);
    $szString = substr($szString, 5, 15);
    return $szString;
}

echo TalkPHP_Encrypt('Everybody at TalkPHP loves encryption');

That is of course unless you want to reverse it, in which case it'll require a little more thought. What is wrong with the in-built encryption methods, however?

tego10122 · 02-12-2009, 04:12 AM

Um , well nothing really I just like to have it so I have my own encryption method hopefully making it harder to crack.

Village Idiot · 02-12-2009, 04:23 AM

Anything you create will probably be worse than the major existing methods (SHA1 is still to be reverse engineered). The methods you have now are created by people who have real experience in this stuff. One of the first rules of using encryption methods is "Don't use your own".

Wildhoney · 02-12-2009, 01:35 PM

As Village Idiot said, SHA1's yet to be reversed. Add a salt to that SHA1 and even dictionary attacks will be fruitless.

ETbyrne · 02-12-2009, 06:03 PM

The best idea is to use a combination of encryption methods. I personally use this:

PHP Code:


			
$newpass = sha1(md5('password'));

Village Idiot · 02-12-2009, 06:56 PM

Quote:

Originally Posted by ETbyrne

The best idea is to use a combination of encryption methods. I personally use this:

PHP Code:


			
$newpass = sha1(md5('password'));

Why would that be any better? If they get reverse engineered it would not be hard at all to get past that. Reason being that they both leave data in an easy to spot format. If you want to make it virtually impossible to reverse engineer (w/o seeing the script), combine the two strings and substring a few out. This will essentially take any possible footprint away and destroy the data. If they see your script, they would still have to cross-reference the two values that they see and try to triangulate the missing letters off of that.

maZtah · 02-12-2009, 07:07 PM

I'm using the method Wildhoney mentioned.

PHP Code:


			
define('SALT', 'SD9isd9034K#J$Ldfdf9I_DLKAMSD;l=');

$szPassword = sha1(SALT . $_POST['password']);

Then for every website I'm setting another SALT.

Salathe · 02-12-2009, 07:12 PM

Quote:

Originally Posted by ETbyrne

The best idea is to use a combination of encryption methods. I personally use this:

PHP Code:


			
$newpass = sha1(md5('password'));

That's the best piece of bad advice I've seen all day.

Mixing multiple hashing algorithms does not a secure system make. Once an attacker knows that all you're feeding into SHA1 is an unsalted MD5 hash, their life just got way easier.