Lars Plessmann #1
crypt function in PHP different from Perl's crypt?
Why does the crypt function return a longer string than Perl's crypt?
I need the same length (8 chars) for a password field like it's used in
the .htpasswd files of Apache.
In PHP I retrieve a string like "$1$Td2.gm2.$cqiXCn3YKNANp4Q64Vvkf0"
instead of "Td2.gm2."
Why?
Are there any parameters for crypt, to get only the necessary part?
thanks a lot,
Lars
Lars Plessmann Guest
-
Shane Lahey #2
Re: crypt function in PHP different from Perl's crypt?
this probably has to do with the user supplied salt you're giving.... ??
either that or CRYPT_STD_DES is unsupported on your server???
to check if your system supports it, first try:
<?php
if (CRYPT_STD_DES == 1)
echo "Standard DES-based encryption is supported\n";
else echo "Error: Standard DES-based encryption is not supported\n";
?>
Information about crypt() is located at
http://ca2.php.net/manual/en/function.crypt.php
The standard DES-based encryption crypt() returns the salt as the
first two characters of the output. It also only uses the first eight
characters of str , so longer strings that start with the same eight
characters will generate the same result (when the same salt is used).
On systems where the crypt() function supports multiple encryption
types, the following constants are set to 0 or 1 depending on whether
the given type is available:
CRYPT_STD_DES - Standard DES-based encryption with a two character
salt
CRYPT_EXT_DES - Extended DES-based encryption with a nine character
salt
CRYPT_MD5 - MD5 encryption with a twelve character salt starting with
$1$
CRYPT_BLOWFISH - Blowfish encryption with a sixteen character salt
starting with $2$
Note: There is no decrypt function, since crypt() uses a one-way
algorithm.
Shane Lahey Guest
-
Lars Plessmann #3
Re: crypt function in PHP different from Perl's crypt?
Hi!
thanks.
I get the "Standard DES-based encryption is supported" message.
That's the "short" string, says the documentation. But it isn't!
I don't enter the salt parameter, so it should use a random 2 character
string that delivers me a CRYPT_STD_DES crypt string.
But why do I get the long password?
In perl I get with the same apache the 8 character password string
without any "$" prefixes.
Lars Plessmann Guest
-
shortbackandsides.no@spam.hairdresser.net #4
Re: crypt function in PHP different from Perl's crypt?
Although the returned string is longer than that from using Perl to
generate a password, it may not matter.
You say it is for use in an .htpasswd file.
.htpasswd appears to work OK with either short or long passwords, I
have one which includes some of both types in it like this:
user1:$1$hSbU8fhz$vk.jwLUCx2AQSgqMpjpjR0
user2:1HH/7oEU7wTkY
I can log on OK as either user1 or user2 so whilst it is interesting
to understand why PHP is giving a longer result it may not matter once
you come to use it.
Or have I misunderstood something?
shortbackandsides.no@spam.hairdresser.net Guest
-
Shane Lahey #5
Re: crypt function in PHP different from Perl's crypt?
i'll be damned, you need to pass a 2 char salt to get a DES crypt()
...... here's a simple solution simply call: des_crypt([password]).....
<?php
// returns a completely random character from the $asc string.
function random_ch()
{
    $asc = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./';
    list($usec, $sec) = explode(' ', microtime());
    mt_srand((int) ((float) $sec + ((float) $usec * 100000)));
    return $asc[ (mt_rand() % strlen($asc)) ];
}
// return a DES encrypted $pass using a random 2char salt.
function des_crypt($pass)
{
    $salt = random_ch() . random_ch();
    // as posted, the bare name random_ch is passed here instead of $salt
    return crypt($pass, random_ch);
}
?>
Shane Lahey Guest
-
Lars Plessmann #6
Re: crypt function in PHP different from Perl's crypt?
I don't want to reserve so much fields for the password in the database.
So a 8 char password would be much better like the apache .htpasswd version.
Lars Plessmann Guest
-
Lars Plessmann #7
Re: crypt function in PHP different from Perl's crypt?
Well okay. this way brings me 13 char passwords. that's okay I think...
So, I will do it in this way!
thanks a lot, Shane!
-Lars
Lars Plessmann Guest
-
Shane Lahey #8
Re: crypt function in PHP different from Perl's crypt?
>
>I don't want to reserve so much fields for the password in the database.
>So a 8 char password would be much better like the apache .htpasswd version.
just so you know... the MD5 hashed passwords are MUCH more secure than
the DES encrypted passwords, so using the longer passwords would make
cracking passwords much much harder if your database were ever
compromised... sometimes the few extra bytes are just worth it :D
Shane Lahey Guest
-
Lars Plessmann #9
Re: crypt function in PHP different from Perl's crypt?
Oh it doesn't work, because password A and password B are now not equal.
The same passwords encrypted with the des_crypt() function do not
concur. what's the problem?
by the way, I changed
> $salt = random_ch() . random_ch();
> return crypt($pass, random_ch);
to
$salt = random_ch() . random_ch();
return crypt($pass, $salt);
I think it was that what you meant?
I hope you can help?
Lars
Lars Plessmann Guest
-
Shane Lahey #10
Re: crypt function in PHP different from Perl's crypt?
On Wed, 26 May 2004 23:55:07 +0200, Lars Plessmann
<Lars.Plessmann@gmx.de> wrote:
>Oh it doesn't work, because password A and password B are now not equal.
>The same passwords encrypted with the des_crypt() function do not
>concur. what's the problem?
>
>by the way, I changed
>
> > $salt = random_ch() . random_ch();
> > return crypt($pass, random_ch);
>to
>
> $salt = random_ch() . random_ch();
> return crypt($pass, $salt);
>
>
>I think it was that what you meant?
>
>I hope you can help?
>
>
>Lars
hehe, simple
it's because the seed is random.
you will need to seed the provided password with the first two letters
of the stored password
.....
easier for me to give an example
say you have a database with user MisterX and encrypted password
xZX3RQm9R4w3.
when checking if MisterX is providing the same password in the future
you will need to take the first two letters from the stored encrypted
password (in this case 'xZ') and use that as the salt to encrypt the
new password, then compare the two hashes..... DES encryption is a
ONE-WAY hash, it can't exactly be decrypted, just compared.
hope this makes sense....
For my example: xZX3RQm9R4w3. is the word 'password' crypt()'ed with
the seed 'xZ'
Shane Lahey Guest
-
Shane Lahey #11
Re: crypt function in PHP different from Perl's crypt? (0/1)
maybe this will be easier for u to use? (classes are always more fun)
:D
to use in your php script:
require_once('myenc.class.php');
// create a new instance of the MyENC class
$enc = new MyENC;
// to encrypt a string
$encoded = $enc->des_crypt('password');
// to check if 'password' is the same as $encoded (hope this makes sense)
$same_as_encode = $enc->des_check('password', $encoded);
// destroy $enc if we are finished with it :D
unset($enc);
Shane Lahey Guest
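Added example, not part of the thread and not the contents of the myenc.class.php attachment: the check described in #10 (re-hash the candidate with the salt taken from the stored string, then compare), together with telling the short and long formats from #4 apart. The function names crypt_scheme() and crypt_check() and the sample passwords are made up for illustration; the salts and .htpasswd entries are the ones quoted in the thread.

```php
<?php
// Added example; crypt_scheme() and crypt_check() are hypothetical names.

// Identify the crypt() scheme from the prefix and length of a stored string.
function crypt_scheme(string $stored): string
{
    if (strncmp($stored, '$1$', 3) === 0) {
        return 'md5-crypt';                      // "$1$" + salt + "$" + hash
    }
    if (preg_match('/^\$2[abxy]?\$/', $stored) === 1) {
        return 'blowfish';
    }
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $stored) === 1) {
        return 'std-des';                        // 2 salt chars + 11 hash chars
    }
    return 'unknown';
}

// Re-hash the candidate with the stored string as the salt argument:
// crypt() reads the scheme marker and salt from its start, so the same
// password reproduces the stored string exactly.
function crypt_check(string $candidate, string $stored): bool
{
    if (crypt_scheme($stored) === 'unknown') {
        return false;
    }
    $computed = crypt($candidate, $stored);
    // hash_equals() compares in constant time and is false on any mismatch,
    // including the short failure string crypt() returns on error.
    return is_string($computed) && hash_equals($stored, $computed);
}

// The two .htpasswd entries quoted in the thread, classified by format only.
foreach (['$1$hSbU8fhz$vk.jwLUCx2AQSgqMpjpjR0', '1HH/7oEU7wTkY'] as $entry) {
    echo $entry, ' => ', crypt_scheme($entry), "\n";
}

// Constructed sample passwords; the salts 'xZ' and '$1$Td2.gm2.$' reuse
// values that appear in the thread.
$des = crypt('correct horse', 'xZ');
$md5 = crypt('correct horse', '$1$Td2.gm2.$');

var_dump(crypt_check('correct horse', $des));   // same password, salt read from $des
var_dump(crypt_check('wrong guess', $des));
var_dump(crypt_check('correct horse', $md5));

// Standard DES only reads the first eight characters of the password, so a
// longer password sharing that prefix is accepted; the MD5 scheme reads the
// whole password.
var_dump(crypt_check('correct battery', $des));
var_dump(crypt_check('correct battery', $md5));
```

PHP's built-in password_verify() performs the same re-hash-and-compare against any crypt()-format string.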




