php3-list | 199807
Date: 07/31/98
- Next message: Richard Lynch: "Re: [PHP3] more MySQL"
- Previous message: Richard Lynch: "Re: [PHP3] how to change the target"
- Maybe in reply to: Guoneng Zhong: "[PHP3] What is md5?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
>Thanks for the response, everyone; but one thing I don't get is what's
>the point of encrypting something if NO ONE (not even the encryptor) can
>decrypt it? Or am I wrong? How can the someone who is supposed to know
>the content of the encrypted file use PHP to decrypt it? Isn't there a
>key system to decrypt it? Thanks.
For passwords, *NOBODY* ever has to know how to decrypt. This seems goofy
to us mere mortals, but here's why:
You only need to be able to encrypt, and then check the results.
Nobody ever has to look up your password for you. You just have to type it
in, it gets encrypted, and then the result is compared to the stored
encryption.
So, let's say your password is: 'A'
Not a real good password, but just suppose.
When you first give the password to Unix, it gets immediately encrypted,
and looks something like this: 'RLE265jLKJkalkj3408' That gets stored in
the password file. Nobody can decrypt that, and come up with 'A'. Now,
nobody, never, ever, decrypts this.
The next time you login, you give your password 'A', and it gets
immediately encrypted, using the same encryption algorithm, and then
compared. Either you gave the same password, which has the same
encryption, or you didn't. But nobody had to reverse the encryption. They
never will.
Actually, I think it's been calculated that one computer could decode your
password in something like 100 years, or if you could get a hundred
people's computers working together, they could crack your password in a
few days' computing time. Such a conspiracy could occur, and regularly
does for the 'fun' of it among computer geeks, but to actually try and use
it to compromise a system would be rather hard, since there's bound to be
somebody with some modicum of ethics who finds out about one of those
hundred people, and then informs the [intended] victim... At least we hope.
The whole point of this type of encryption is that *NOBODY* on the planet
can decrypt the encrypted passwords. So, even though many, many people can
read the password file, it doesn't pose a risk. It's a one-way encryption,
and that's all you need for login passwords.
Needless to say, this scheme won't work for credit cards, where you want to
encrypt it at one end, send it, and have one, and only one person who can
decrypt it at the other end. That's what SSL, DES, and PGP (& RSA?)
encryption are for, as I recall. [Don't quote me on DES and PGP.] Anyway,
they work entirely differently, and with varying degrees of success.
<PHILOSOPHICAL ON><TECHNICAL OFF>
But, by definition, the credit card encryption can't be *AS* good as one
that nobody on the planet can decrypt. Because what one person can do,
another can do, *somehow*. So however SSL, DES, and PGP (& RSA?) work, it
ain't as good as the password encryption. But it is the only way you can
go when *somebody* at the other end has to be able to decrypt, as opposed
to your login stuff where *nobody* ever has to decrypt.
</TECHNICAL></PHILOSOPHICAL>
Now, the way hackers beat this login encryption, is they take a dictionary
(online, of course), and encrypt every word in it. Then, they grab the
password file, and compare the tables:
User      Encrypted Password
-------------------------------
Zhong     RLE265jLKJkalkj3408
.
.
.

Word      Encrypted Word
-------------------------------
A         RLE265jLKJkalkj3408
An        RLEkj4897Dkj87034lk
So, they don't *DECRYPT* your password, but manage to 'guess' your password
because it's in the dictionary.
Whew. Hopefully this all makes sense without getting too technical, since
I do not understand the technical aspects of encryption.
--
"TANSTAAFL" Rich Lynch <email protected>
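
The store-and-compare login check and the precomputed word table described in the message above, as an added Python example that is not part of the original post. The function names, the `iterations$salt$digest` storage format and the sample passwords are constructed for illustration; the example contrasts an unsalted MD5 digest with a per-user salted PBKDF2 hash to show which stored values a precomputed table would expose.

```python
import hashlib
import hmac
import os
from typing import Optional


def unsalted_md5(password: str) -> str:
    """Weak scheme: the same password always yields the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, slow hash. Storage format (constructed): iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(attempt: str, stored: str) -> bool:
    """Re-hash the attempt with the stored salt and compare; nothing is decrypted."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def precomputed_table_hits(stored_values, wordlist, hasher) -> int:
    """Audit helper: how many stored values appear in a table built once from wordlist."""
    table = {hasher(word) for word in wordlist}
    return sum(1 for value in stored_values if value in table)


if __name__ == "__main__":
    words = ["A", "An"]  # constructed sample word list
    # Two users who both chose the password 'A' (constructed sample data).
    md5_file = [unsalted_md5("A"), unsalted_md5("A")]
    salted_file = [hash_password("A"), hash_password("A")]

    print("unsalted entries identical:", md5_file[0] == md5_file[1])
    print("unsalted entries found in table:",
          precomputed_table_hits(md5_file, words, unsalted_md5))
    print("salted entries identical:", salted_file[0] == salted_file[1])
    print("salted entries found in table:",
          precomputed_table_hits(salted_file, words, hash_password))
    print("login with 'A':", verify_password("A", salted_file[0]))
    print("login with 'An':", verify_password("An", salted_file[0]))
```

With a per-user salt, a table computed once no longer matches any entry, so each guess has to be re-hashed per user at the cost set by the iteration count.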