[nycphp-talk] so-called triple md5
Chris Snyder
csnyder at chxo.com
Tue Sep 2 13:22:22 EDT 2003
Thanks David--
I guess if something is worth hiding, it's worth hiding well.
I'm a little surprised that no one has written the native PHP
implementation of Blowfish, slow though it may be. I noticed that there
are PEAR classes that implement RC4 and TEA.
I'm having trouble finding any sort of online resource that compares
encryption algorithms. Short of reading "Applied Cryptography," are
there any good overviews out there that might help someone say, "Oh, TEA
is good enough for what I'm doing," or "Gee, I guess I need to recompile
with mcrypt support so I can use Blowfish?"
chris.
David Sklar wrote:
>Don't use this algorithm. It "encrypts" things by just XORing plaintext with
>the MD5 hash of a key. This has many problems, including the fact that since
>the output of md5() is a string that contains only the characters [a-e0-9],
>there's only 16 possible values that each piece of ciphertext needs to be
>xor'ed with to produce plaintext.
>
>If you need to encrypt data that needs to be decrypted later, use an
>algorithm designed by a known, qualified cryptosystem designer and (more
>importantly) that has stood up to lots of testing and attempts to break it.
>For example, Blowfish (http://www.counterpane.com/blowfish.html), which is
>available in the mcrypt extension. There are also versions available in
>other languages (http://www.counterpane.com/blowfish-download.html) and you
>could probably write a (slow) native PHP implementation.
>
>David
>
>
>
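The weakness described in the quoted reply, as an added PHP illustration (not code from either poster). It assumes the scheme XORs each plaintext byte with the repeating 32-character hex output of `md5($key)`; the function names, key and plaintext are constructed for the demo.

```php
<?php
// Added illustration, not code from the thread. Assumed scheme: each
// plaintext byte is XORed with the hex string md5($key), repeated as needed.
function xor_md5(string $data, string $key): string {
    $pad = md5($key);                        // 32 hex characters
    $out = '';
    for ($i = 0, $n = strlen($data); $i < $n; $i++) {
        $out .= $data[$i] ^ $pad[$i % 32];   // same call encrypts and decrypts
    }
    return $out;
}

// For one ciphertext byte, every plaintext byte the scheme could have produced:
// one per hex character the pad byte might have been.
function candidates(string $cipherByte): array {
    $set = [];
    foreach (str_split('0123456789abcdef') as $k) {
        $set[] = $cipherByte ^ $k;
    }
    return $set;
}

// Narrow the candidates to printable ASCII, as a text plaintext would be.
function printable_candidates(string $cipherByte): array {
    return array_values(array_filter(
        candidates($cipherByte),
        fn($c) => ord($c) >= 0x20 && ord($c) <= 0x7e
    ));
}

$key    = 'constructed-demo-key';            // constructed sample values
$plain  = 'user=alice;role=admin;exp=0905';
$cipher = xor_md5($plain, $key);

if (xor_md5($cipher, $key) !== $plain) {
    exit("round trip failed\n");
}

$total = 0;
for ($i = 0, $n = strlen($cipher); $i < $n; $i++) {
    $c = candidates($cipher[$i]);
    // The true plaintext byte is always among the 16 candidates.
    if (count($c) !== 16 || !in_array($plain[$i], $c, true)) {
        exit("unexpected candidate set at byte $i\n");
    }
    $total += count(printable_candidates($cipher[$i]));
}
printf("avg printable candidates per byte: %.1f (a real cipher leaves 256)\n", $total / $n);
```

Without knowing the key, each ciphertext byte already narrows the plaintext to at most 16 values, which is the property that makes the scheme unsuitable for protecting data.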