Ravens PHP Scripts: Forums
 

 

sixonetonoffun
Spouse Contemplates Divorce



Joined: Jan 02, 2003
Posts: 2496

Posted: Tue Mar 09, 2004 7:34 am

I just rewrote a login/validation password function using the AES_ENCRYPT() and AES_DECRYPT() functions. Sure is slick; too bad it is only in MySQL 4.1 and up, so no sense in writing 2 login functions to maintain compatibility with the popular 3.23x series. (Well, I might; I really like this function.)

Biggest plus is that, unlike other encryption methods, it should be cross-platform portable without any hassles.

But once 3.23 is phased out, AES_ENCRYPT will be fast and simple to implement.
 
Rikk03
Worker



Joined: Feb 16, 2004
Posts: 164

Posted: Tue Mar 09, 2004 11:25 am

Nice - I would like that for my own site - is it really that easy to rewrite?
 
sixonetonoffun







Posted: Tue Mar 09, 2004 12:25 pm

Edited:
There were fundamental flaws in this code. Will post new code as soon as I get a chance. (Tonight?)

Ok, here is a demo-like package.
SUA.ZIP

I did change it so that a cookie is required as a third check; it uses a hash, not an IP, so it should be AOL compatible? It is just a nice little demo, not bulletproof. It also shows KSES in a very basic use processing forms lol.

I believe all the major bugs are out of the basic functions, and authentication is a little crude but I think very effective. Some error messages should be changed etc. to clean it up for actual use.

Peter


Last edited by sixonetonoffun on Mon Mar 15, 2004 11:30 pm; edited 2 times in total 
sixonetonoffun







Posted: Tue Mar 09, 2004 4:13 pm

Got around setting an email cookie by adding this code; maybe explode()chop() would be better?
Code:

// split $hash on "::" into the email part and the remainder ($trash)
list($user_email, $trash) = explode("::", $hash);
$email = $user_email;

to verify, just above
$check2 = $hash;
at the beginning. This works slick because $hash is the user's email address and $trash adds a unique string to the session and cookie. $trash is the $email (user email) $passwd (encrypted) using $password (encrypted as Salt), none of which can be decoded, even if someone could split it down, without the original Salt, in this example $sitekey.
 
Rikk03







Posted: Tue Mar 09, 2004 5:42 pm

I know just the thing to test this on...........interesting..........thanks for the Encrypt 101
 
sixonetonoffun







Posted: Tue Mar 09, 2004 7:25 pm

lol ya, just be sure to add something to the salt that's unique to the user. I used email and it works fine. Comes out like this, the same password from 3 different users:
s7£YkÔŒbOVp‡a—²
€£î^ûGØ$ûÕÔ
Ý!lu.ñ.r}Ϻ„ •

Now that's also my password here so ... if someone cracks that
The egg is on my face.
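
What the per-user salt in the post above changes, as an added example that is not part of the thread or of sua.zip: it reproduces MySQL's AES_ENCRYPT() in PHP (AES-128-ECB with the key string XOR-folded to 16 bytes, MySQL's default mode) and compares a site-wide key with a key that also contains the user's email. The function names, the $sitekey value, the emails and the password are constructed for the illustration.

```php
<?php
// Added illustration: names, key, e-mails and password are constructed.

// MySQL XOR-folds a key string of any length into the 16-byte AES-128 key.
function fold_mysql_key(string $key): string
{
    $folded = str_repeat("\0", 16);
    for ($i = 0, $n = strlen($key); $i < $n; $i++) {
        $folded[$i % 16] = $folded[$i % 16] ^ $key[$i];
    }
    return $folded;
}

// Equivalent of AES_ENCRYPT($plain, $key) in MySQL's default aes-128-ecb mode.
function aes_encrypt_like_mysql(string $plain, string $key): string
{
    return openssl_encrypt($plain, 'aes-128-ecb', fold_mysql_key($key), OPENSSL_RAW_DATA);
}

// Equivalent of AES_DECRYPT($cipher, $key); returns false when the padding
// does not check out, which is the typical result of a wrong key.
function aes_decrypt_like_mysql(string $cipher, string $key)
{
    return openssl_decrypt($cipher, 'aes-128-ecb', fold_mysql_key($key), OPENSSL_RAW_DATA);
}

// Login check: re-encrypt the submitted password under the user's key and
// compare it in constant time with the stored column value.
function check_login(string $stored, string $email, string $password, string $sitekey): bool
{
    return hash_equals($stored, aes_encrypt_like_mysql($password, $sitekey . $email));
}

$sitekey  = 'constructed-site-key';
$password = 'correct horse';
$emails   = ['a@example.com', 'b@example.com', 'c@example.com'];

foreach ($emails as $email) {
    $shared  = aes_encrypt_like_mysql($password, $sitekey);          // same bytes for every user
    $peruser = aes_encrypt_like_mysql($password, $sitekey . $email); // differs per user
    printf("%-14s shared=%s per-user=%s login=%s\n", $email, bin2hex($shared),
        bin2hex($peruser), var_export(check_login($peruser, $email, $password, $sitekey), true));
}

// The stored value is encryption, not a one-way hash: the key gives the password back.
$stored = aes_encrypt_like_mysql($password, $sitekey . $emails[0]);
echo aes_decrypt_like_mysql($stored, $sitekey . $emails[0]), "\n";
```

With only the site key, every account that shares a password stores identical bytes, so one known password identifies all of them; with the email folded into the key the three values differ, as in the output quoted above.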
 
sixonetonoffun







Posted: Mon Mar 15, 2004 11:35 pm

Bounce: fixed issues/errors and packed up a simple demo, see above post (sua.zip).

If any huge bugs let me know. I'm just about ready to try something like this on a site.
 
All times are GMT - 6 Hours
 