This article will explain what encryption is and what hashing is, and why phpBB uses hashing for the protection of passwords.
What is encryption?
Encryption, as defined by Wikipedia, is "the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted)."
To give a brief history: in World War II, the Germans used the Enigma Machine to encrypt and decrypt messages. However, the Allies were able to get hold of the device and the keys, so intercepted messages could be decrypted, and the intelligence gained allowed significant advances against the Axis.
All encryption requires a key. One of the most well-known methods, called the Caesar shift, used a simple key. In World War I and II, both sides used encryption to transmit information to and from the battlefield without the enemy knowing. The key is much like the key to the lock on your front door: it is how you unlock the door. Without the key, attempts can be made to break into your home, but typically this is messy, involving broken windows, broken door jambs, and so on. Occasionally someone who knows what they are doing will use a lock pick set to turn the tumblers. Encryption is similar: it requires a key to lock and unlock the contents.
One of the most popular encryption algorithms is the RSA method. RSA uses public/private key cryptography to allow the exchange of messages: a message is encrypted with the recipient's public key, so only the recipient can decrypt it, using his or her private key.
Because of this attribute, encryption is said to be two-way. It can be decrypted. The idea, of course, is that it can only be decrypted by the person with the key.
The first example uses Rot13, which is the modern-day implementation of the Caesar shift.
Code:
$message = 'phpBB3 is the one that rules them all.';
// The Caesar shift, implemented in Rot13
// This isn't considered "true encryption" today due to its simplicity, but it shows how encryption works
// This implementation shifts by 13 characters
$rot13 = str_rot13($message);
$rot13_decrypt = str_rot13($rot13);
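// Rijndael 256, a popular encryption method
// Below code taken from http://us3.php.net/manual/en/function.mcrypt-encrypt.php
// Note: the mcrypt extension was deprecated in PHP 7.1 and removed in PHP 7.2, so this part runs only on older PHP versions
// ECB mode ignores the IV argument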
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$key = "This is a very secret key";
$rijndael256 = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $message, MCRYPT_MODE_ECB, $iv);
$rijndael256_decrypt = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $rijndael256, MCRYPT_MODE_ECB, $iv);
// Output the message
echo('<strong>The message</strong>' . "<br />");
echo($message . "<br /><br />");
// Output the key
echo('<strong>The key</strong>' . "<br />");
echo($key . "<br /><br />");
// Output the encrypted text
echo('<strong>Encrypted text</strong>' . "<br />");
echo('<em>Rot13:</em> ' . $rot13 . "<br />");
echo('<em>Rijndael 256:</em> ' . $rijndael256 . "<br /><br />");
// Output the decrypted text
echo('<strong>Decrypted text</strong>' . "<br />");
echo('<em>Rot13:</em> ' . $rot13_decrypt . "<br />");
echo('<em>Rijndael 256:</em> ' . $rijndael256_decrypt . "<br /><br />");
What is hashing?
Hashing, in cryptography, is the taking of a message and creating a new message in such a way that it cannot be reversed. There is simply no key for it to be unlocked.
This has many uses, including verifying files, ensuring the integrity of an encrypted message, and of course password storage. Because there isn't a key, there is no way to get the original. This attribute is typically referred to as one-way.
Real-world applications include phpBB2 and phpBB3. phpBB2 uses MD5, or Message Digest 5. phpBB3 uses phpass, which makes use of MD5 with salting to help resist brute-force attacks.
Because there is no key in hashing, the only way to get the original message back is to either know the original message, or brute force until the representation of the original is found. This means that to verify that a candidate message is the one that was hashed, the candidate must itself be hashed and the result compared to the stored hash. This is how authentication in phpBB is done.
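Code:
$password = "this is more a passphrase@@5";
$password_check = "this is more a passphrase@@";
// Use MD5 to hash
$password_md5 = md5($password);
$password_check_md5 = md5($password_check);
// Now verify the two
// hash_equals() compares the full strings in constant time; a loose == can treat "0e..." hex digests as equal numbers
if (hash_equals($password_md5, $password_check_md5)) {
    echo 'Access granted.';
} else {
    echo 'Access denied.';
}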
According to the above code, the test should fail. When we run it, we see that it does indeed give us "Access denied."
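The salting mentioned above for phpBB3 can be illustrated with the following added example, which is not part of the original article and is not phpBB's or phpass's own code. The helpers `demo_hash()` and `demo_verify()` and the stored format are hypothetical and deliberately simplified; the example assumes PHP 7 or later and ends with PHP's built-in `password_hash()` / `password_verify()`.

```php
<?php
// Added illustration: simplified salted, iterated hashing. This is NOT the phpass algorithm.

// Hypothetical helper: hash a password with a per-user salt, repeating the hash $rounds times
// so that every brute-force guess costs the attacker $rounds hash operations.
function demo_hash($password, $salt, $rounds = 2048)
{
    $hash = md5($salt . $password, true);
    for ($i = 0; $i < $rounds; $i++) {
        $hash = md5($hash . $password, true);
    }
    // Store rounds and salt beside the hash so verification can repeat the same steps
    return $rounds . '$' . bin2hex($salt) . '$' . bin2hex($hash);
}

// Hypothetical helper: re-hash the candidate with the stored salt and rounds, then compare
function demo_verify($candidate, $stored)
{
    list($rounds, $salt_hex) = explode('$', $stored);
    $recomputed = demo_hash($candidate, hex2bin($salt_hex), (int) $rounds);
    return hash_equals($stored, $recomputed);
}

$password = 'this is more a passphrase@@5'; // sample value from the article

// Unsalted MD5: the same password always produces the same hash,
// so one precomputed table works against every account
var_dump(md5($password) === md5($password));

// Salted: two users with the same password get different stored values
$user_a = demo_hash($password, random_bytes(8));
$user_b = demo_hash($password, random_bytes(8));
var_dump($user_a === $user_b);

// Verification still works, because the salt is stored with the hash
var_dump(demo_verify($password, $user_a));
var_dump(demo_verify('this is more a passphrase@@', $user_a));

// PHP's built-in API generates the salt and applies a slow algorithm for you
$modern = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_verify($password, $modern));
```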
Still plenty more left
While discussions of large primes, the Chinese Remainder Theorem, message digests, and so on are outside the scope of this article, hopefully you now have a basic understanding of the difference between the two methods and why phpBB uses hashing instead of encryption.