In PHP we can use the
crypt () function to create one way encryption. This means that the data is encrypted but cannot easily be decrypted. Although at first glance that may seem useless, it is actually very useful when working with passwords.When a user chooses their password, the password is then encrypted and the encrypted version of this password is saved. The next time the user goes to login, their password is encrypted again and then checked against the already saved (encrypted) version to see if they are the same. This way if the data is intercepted, they only ever see the encrypted version.
The crypt function is phrased as: crypt ( input_string, salt)
In this case input_string is the string you would like to encrypt (your password for example,) and salt is an optional parameter that influences how the encryption will work. PHP by default uses a two character DES salt string. If your system standard is MD5, a 12-character salt string is used.
The following are the four types of salt that work with all crypt () functions.
CRYPT_STD_DES – Standard DES-based encryption with a two character salt
CRYPT_EXT_DES – Extended DES-based encryption with a nine character salt
CRYPT_MD5 – MD5 encryption with a twelve character salt starting with $1$
CRYPT_BLOWFISH – Blowfish encryption with a sixteen character salt starting with $2$ or $2a$
Now let’s see what actually happens when we use crypt ()
<?php
$password = crypt(‘mypassword‘);
print $password . “ is the encrypted version of mypassword”;
?>
This will output the encrypted version of ‘mypassword’ for you to see. Now let’s try it using different types of salt.
<?php
$password = crypt(‘mypassword’ , ‘d4′);
print $password . ” is the CRYPT_STD_DES version of mypassword<br>”;
$password = crypt(‘mypassword’ , ‘k783d.y1g’);
print $password . ” is the CRYPT_EXT_DES version of mypassword<br>”;
$password = crypt(‘mypassword’ , ‘$1$d4juhy6d$’);
print $password . ” is the CRYPT_MD5 version of mypassword<br>”;
$password = crypt(‘mypassword’ , ‘$2a$07$kiuhgfslerd………..$’);
print $password . ” is the CRYPT_BLOWFISH version of mypassword<br>”;
?>
This will output something like this:
d4/qPbCcJ5tD. is the CRYPT_STD_DES version of mypassword
k7xEagYCDPPSc is the CRYPT_EXT_DES version of mypassword
$1$d4juhy6d$a.jIPYnvne1FWF2V6mGQR0 is the CRYPT_MD5 version of mypassword
$2a$07$kiuhgfslerd………..6k0kSI76CqJ/RWGnSp9MWRDF91gJZfW is the CRYPT_BLOWFISH version of mypassword
As long as you always use the same salt the encrypted password should always be the same, making it a good solution for password storage.
Blowfish is a block cipher that encrypts data in 8-byte blocks. The algorithm consists of two parts: a key-expansion part and a data-encryption part. Key expansion converts a variable-length key of at most 56 bytes (448 bits) into several subkey arrays totaling 4168 bytes. (Note: the description in this article differs slightly from the one in the April 1994 issue of Dr. Dobb’s Journal; there were typos in steps (5) and (6) of the subkey generation algorithm.)
Blowfish has 16 rounds. Each round consists of a key-dependent permutation, and a key- and data-dependent substitution. All operations are XORs and additions on 32-bit words. The only additional operations are four indexed array data lookups per round.
Subkeys:
Blowfish uses a large number of subkeys. These keys must be precomputed before any data encryption or decryption. The P-array consists of 18 32-bit subkeys: P1, P2,…, P18. There are also four 32-bit S-boxes with 256 entries each: S1,0, S1,1,…, S1,255; S2,0, S2,1,..,, S2,255; S3,0, S3,1,…, S3,255; S4,0, S4,1,..,, S4,255.
Encryption and Decryption:
Blowfish has 16 rounds. The input is a 64-bit data element, x. Divide x into two 32-bit halves: xL, xR. Then, for i = 1 to 16:
xL = xL XOR Pi
xR = F(xL) XOR xR
Swap xL and xR
After the sixteenth round, swap xL and xR again to undo the last swap. Then, xR = xR XOR P17 and xL = xL XOR P18. Finally, recombine xL and xR to get the ciphertext.
Function F looks like this: Divide xL into four eight-bit quarters: a, b, c, and d. Then, F(xL) = ((S1,a + S2,b mod 232) XOR S3,c) + S4,d mod 232.
Decryption is exactly the same as encryption, except that P1, P2,…, P18 are used in the reverse order.
Generating the Subkeys:
The subkeys are calculated using the Blowfish algorithm:
1. Initialize first the P-array and then the four S-boxes, in order, with a fixed string. This string consists of the hexadecimal digits of pi (less the initial 3): P1 = 0x243f6a88, P2 = 0x85a308d3, P3 = 0x13198a2e, P4 = 0×03707344, etc.
2. XOR P1 with the first 32 bits of the key, XOR P2 with the second 32-bits of the key, and so on for all bits of the key (possibly up to P14). Repeatedly cycle through the key bits until the entire P-array has been XORed with key bits. (For every short key, there is at least one equivalent longer key; for example, if A is a 64-bit key, then AA, AAA, etc., are equivalent keys.)
3. Encrypt the all-zero string with the Blowfish algorithm, using the subkeys described in steps (1) and (2).
4. Replace P1 and P2 with the output of step (3).
5. Encrypt the output of step (3) using the Blowfish algorithm with the modified subkeys.
6. Replace P3 and P4 with the output of step (5).
7. Continue the process, replacing all entries of the P array, and then all four S-boxes in order, with the output of the continuously changing Blowfish algorithm.
In total, 521 iterations are required to generate all required subkeys. Applications can store the subkeys rather than execute this derivation process multiple times.
C Code:
C code for Blowfish starts on page xx. This is improved and corrected code; the code in the April 1994 issue had some bugs and was less efficient than this code. The code is also available electronically; see “Availability,” page xx.