Polyalphabetic encryption for Passwords

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Just an Idea:
In PHP, passwords for different purposes often are stored plaintext in  
the source. I often wondered, how this could be prevented.

So if you have a web-project, that is access-restricted, try the  
following workaround:

include this snippet into your web-project:

function polyalph_encrypt($original, $key = FALSE) {
   if (!$key) $key = $_SESSION["passphrase"]; // The access-key
   //Make the key longer, if needed
   $i = round( strlen($original)/strlen($key) );
   for ($j=0;$j<$i;$j++)
      $key .= $key;
   $result = "";
   for ($i = 0; $i < strlen($original); $i++) {
      $sigma = 94 + ord( $original ) + ord( $key ) - 64;
      $result .= chr ( fmod ( $sigma, 94 ) + 32 );
   return $result;

function polyalph_decrypt($secret, $key = FALSE) {
   if (!$key) $key = $_SESSION["passphrase"]; // The access-key
   //Make the key longer if needed
   $i = round( strlen($secret)/strlen($key) );
   for ($j=0;$j<$i;$j++)
      $key .= $key;
   $result = "";
   for ($i = 0; $i < strlen($secret; $i++) {
      $sigma = 94 + ord( $secret ) - ord ( $key );
      $result .= chr ( fmod ( $sigma, 94 ) + 32 );
   return $result;

Of course, this will only function with ascii-passwords, but for most of  
us, this should be enough. So with this trick, the encrypted passwords  
can only be successfully decrypted, if the user enters the right  
master-password (= Access-password).  

Well, it is a little tricky and not 100% safe (as everything is):
- It wouldn't be a good idea to check the validity of the  
access-password in plaintext. Instead try the following:
if ($_POST["user"] == "YOURUSERNAME" && sha1($_POST["password"]) ==  
   $_SESSION["passphrase"] = $_POST["password"]
- of course this is only half-way safe if you have all more or less  
"random" passwords.
- And in the end it can only prevent foolish webmasters from spying out  
your database-passwords. But of course, the master-password is stored in  
plaintext in the $_SESSION variable and this means it is also avaible in  
plaintext somewhere on the computer.


Re: Polyalphabetic encryption for Passwords

Jeremy Deuel wrote:
Quoted text here. Click to load it

Nice functions, and not that simple to decrypt.

People already thought about this, and came up with the following:
XOR "encryption": A bitwise XOR (exclusive or, ^ operator) is done for
every character of the string. The key is repeated, as in your example.
The advantage is that encryption and decryption uses the same function:
Doing a XOR on a string twice will result in the original string.
ROT-13: Rotate the alphabet with 13 positions: A becomes N, B becomes
O, etc. Because there are 26 letters in the alphabet, doing a ROT-13
twice will result in the original string.

Also take a look at str_repeat(), which can repeat the key so that it
is long enough. You can use the % operator instead of fmod().

Re: Polyalphabetic encryption for Passwords

Quoted text here. Click to load it

Thanks for str_repeat and the % operator. I didn't know them yet..

ROT-13 is not thaaaaaat safe... ;)
XOR would be very interesting, like this one could implement the  
vernam-algorithm. How do I implement bitwise operations in PHP?

Re: Polyalphabetic encryption for Passwords

Jeremy Deuel wrote:

Quoted text here. Click to load it

        ResourcePasswords = f(publicdata, MasterPassword)
        publicdata = f'(ResourcePasswords, MasterPassword)

Quoted text here. Click to load it

Having a single password shared by multiple users is not exactly great
security on a multi-user system. While this system could be used on a
per-UserPassword basis to encrypt a single MasterPassword (which itself
encrypts multiple ResourcePasswords),  

        MasterPassword = f(publicdata[user], UserPassword[user])
        publicdata[user] = f'(MasterPassword , UserPassword[user])

subsequently changing the MasterPassword would be virtually impossible
without access to the unencrypted/hashed UserPasswords - another security

But if you could use assymetric encryption to distribute the MasterPasswords
with the UserPasswords acting as passphrases to the UserPrivateKey, you
could leave the user key pair lying around on the server disk and you'd
then have a *secure* and *manageable* solution.

        publicdata[user] = g'(MasterPassword, UserPublicKey[user])
        MasterPassword = g(publicdata[user], UserPrivateKey[user],  


Site Timeline