hashcat Forum
mcrypt decryption - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Deprecated; Previous versions (https://hashcat.net/forum/forum-29.html)
+--- Forum: General Help (https://hashcat.net/forum/forum-8.html)
+--- Thread: mcrypt decryption (/thread-1858.html)



mcrypt decryption - U_nix - 12-23-2012

Hello,

how long would it take to crack this if you know nothing about the function?

Code:
encryptthis($texttoenc."SaL7y");

Code:
function encryptthis($string){
$cryptkey="Mas73rK3y2012";
$crypt = mcrypt_create_iv (mcrypt_get_iv_size (MCRYPT_BLOWFISH, MCRYPT_MODE_ECB), MCRYPT_RAND);
$add_crypt = mcrypt_encrypt (MCRYPT_BLOWFISH, $cryptkey, $string, MCRYPT_MODE_ECB, $crypt);
return(base64_encode($add_crypt));
}



RE: mcrypt decryption - epixoip - 12-23-2012

first, we crack hashes, not encryption.

second, an attacker wouldn't have to crack the passwords. they would simply run all of the passwords in your database back through your function with your key, and instantly decrypt all of them at once. there's a reason we hash passwords instead of encrypting passwords, and that's because encrypting passwords is a very bad idea. if an attacker can access your password database, they almost always can also view the function and keys you used to encrypt the passwords. encryption does not provide any real protection, and that's why everyone hashes passwords instead of encrypting them.

third, you used ecb mode instead of cbc mode. never use ecb mode, n00b.

fourth, why blowfish? why not rijndael, serpent, or twofish?


RE: mcrypt decryption - U_nix - 12-23-2012

It` s not for passwds, it` s for textencryption.

I` m aware of the cbc ecb discussion.

The question was not what an attacker could do if he had access.


RE: mcrypt decryption - epixoip - 12-23-2012

I'm sorry, I just assumed that since you provided absolutely no context, and since you posted it to the Support forum, that this somehow related to password cracking.

In short, if you knew what you were doing, you wouldn't be using Blowfish EBC with a 96 bit key. And you wouldn't be asking us if it were any good. What you have right now could be broken very quickly, even without knowledge of the function used.

If you are actually aware of the ECB "discussion," then you would know that ECB is a complete joke and provides very little confidentiality. The two images of Tux in this Wikipedia article do a great job of illustrating how ECB leaks data, and why ECB is never to be used: http://en.wikipedia.org/wiki/ECB_mode#Electronic_codebook_.28ECB.29

You also didn't answer my question: why Blowfish? Blowfish has been deprecated by Twofish, so why not use it? Or why not use a stronger alternative to either of them, such as AES or Camellia? If you want to be taken seriously, use AES-256-CBC or Camellia-256-CBC.


RE: mcrypt decryption - U_nix - 12-23-2012

I "hardscripted" some things into the site what mades it more timeconsuming to apply changes. It` s changed now to cbc, a 32byte key and Rijndael 256.

This was implemented some times ago and I just didn` t cared about it. At that time I was happy to implement some encryption at all.


RE: mcrypt decryption - undeath - 12-24-2012

your use of back-tics is disturbing.