CCProtect (encrypt and decrypt cc's)

Sorry to interrupt, but what are you talking about?

Your logic sucks, sure you have parts right.

When you take the MD5 function with the CC number it will always be the same hash and you can't retrieve the data from it. Adding a random string to the CC number without storing it somewhere else makes it impossible to check if it's the same.

Using the function it generates every time another hash and you can't retrieve the data from it. And the nice part is, you can still check if it's the same, of course only the user knows the original value.

Example can be found: play around with that.

Unlike everything I've typed above, this is not a HASH class. Hash is mostly used to store user passwords because you can't decrypt it. With this class you CAN decrypt a value encrypted by this class.

But let me guess, you thought you checked the encoded strings with each other and yes, that's not possible. You have to decrypt the encoded strings before you compare them. Makes sense right?

You're right but this function will still randomize every time, no matter how you look at it. That's all I was trying to say.
 
☮TAKU????
You're right but this function will still randomize every time, no matter how you look at it. That's all I was trying to say.

It randomizes every time because the password changes every time /facepalm
 
• ♠️​ ♦️ ♣️ ​♥️ •
The point JaydenC means is following:

Let's say person one stores his/her cc in your db via the encryption above. He/She pays for a product on your page with his/her cc, for example.
Now the only reason to keep this data that cannot be decrypted to its original data (due to the random string) is to compare it with other credit cards only. But even that will not work, because user2 puts the same cc in your db but the output is completely different. Instead of a random string you should store a fixed string anywhere, otherwise it's not possible to use the stored cc data for any use.

That's his point.


Also the fact this:
PHP:
$protection = new CCProtect;

$cc = array(
    'firstname' => 'Krista',
    'lastname' => 'Sheppard',
    'dob' => 'August 11, 1932',
    'cardnumber' => '4916 5210 7061 9044',
    'cvv2' => '769',
    'expire' => array(
        'month' => '6',
        'year' => '2015',
    ),
);

// decrypt() takes a single argument; encrypt() json_encodes the array and
// decrypt() hands back that JSON string, so $cc2 is a string, not the original array
$cc2 = $protection->decrypt($protection->encrypt($cc));
... does not work ($cc is not the same as $cc2), which makes it an encryption without decryption only.


Then it's easier to put everything as salted string into md5.
 
☮TAKU????
The point JaydenC means is following:

Let's say person one stores his/her cc in your db via the encryption above. He/She pays for a product on your page with his/her cc, for example.
Now the only reason to keep this data that cannot be decrypted to its original data (due to the random string) is to compare it with other credit cards only. But even that will not work, because user2 puts the same cc in your db but the output is completely different. Instead of a random string you should store a fixed string anywhere, otherwise it's not possible to use the stored cc data for any use.

That's his point.


So ...
PHP:
$protection = new CCProtect;

$cc = array(
    'firstname' => 'Krista',
    'lastname' => 'Sheppard',
    'dob' => 'August 11, 1932',
    'cardnumber' => '4916 5210 7061 9044',
    'cvv2' => '769',
    'expire' => array(
        'month' => '6',
        'year' => '2015',
    ),
);

// decrypt() takes a single argument; encrypt() json_encodes the array and
// decrypt() hands back that JSON string, so $cc2 is a string, not the original array
$cc2 = $protection->decrypt($protection->encrypt($cc));

So $cc will not equal to $cc2, so it's unable to decrypt cc's. ...

No, this is a two way encryption. The encryption password is stored in the final big int string. The decryption function will get the password, decode the string and then figure out what field the encrypted cc is stored in. When that is found it will decrypt the message with the random password generated (that's stored in the final big int) and return that.

It doesn't matter how long the message you want encrypted is, what it is, or what kind of characters it contains.

I don't know where you guys get this "random string" thing from either.

Since it's really hard for you guys to understand an example is coming up.
 
☮TAKU????
Here's a live demo:


Script:
PHP:
<?php
	class CCProtect {
		// Expand every byte to its three-digit decimal code, e.g. "A" becomes "065"
		private function pekkaEncode($s) {
			$out = '';
			for ($i = 0; $i < strlen($s); $i++) {
				$out .= sprintf("%03d", ord($s[$i]));
			}

			return $out;
		}

		// Inverse of pekkaEncode: every group of three digits back to one byte
		private function pekkaDecode($s) {
			$out = '';
			for ($i = 0; $i < strlen($s); $i += 3) {
				$out .= chr((int) ($s[$i] . $s[$i+1] . $s[$i+2]));
			}

			return $out;
		}

		// Filler for the decoy slots; rand() is not a cryptographic generator
		private function generateRandomString($length = 10) {
			$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
			$randomString = '';
			for ($i = 0; $i < $length; $i++) {
				$randomString .= $characters[rand(0, strlen($characters) - 1)];
			}

			return $randomString;
		}

		// Rijndael-256 in ECB mode keyed with md5($salt); ECB ignores the IV passed here,
		// and the mcrypt extension was removed from PHP core in 7.2
		private function mCrypt($text, $salt) {
			return trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($salt), $text, MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND))));
		}

		// Reverse of mCrypt; trim() also strips the zero-byte padding mcrypt leaves behind
		private function mDecrypt($text, $salt) {
			return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($salt), base64_decode($text), MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)));
		}

		public function encrypt($content) {
			$response = array(
				0 => rand(1000, 9999),
				1 => rand(1000, 9999),
				2 => rand(1000, 9999),
				3 => rand(1000, 9999),
				4 => rand(1000, 9999),
				5 => rand(1000, 9999),
				6 => rand(1000, 9999),
				7 => rand(1000, 9999),
				8 => rand(1000, 9999),
				9 => rand(1000, 9999),
				10 => rand(0, 9),
				11 => rand(0, 9),
				12 => rand(0, 9),
				13 => rand(0, 9),
				14 => rand(5, 9),
				15 => '',
				16 => '',
				17 => '',
				18 => '',
				19 => '',
				20 => '',
				21 => '',
				22 => '',
				23 => '',
				24 => '',
				25 => '',
			);

			// A pointer in slot 10..14 selects one of the four-digit values in slots 0..9;
			// its four digits index four more of those slots, concatenated into a 16-character password
			$rand = rand(10, 14);
			$combination = str_split($response[$response[$rand]], 1);
			$password = $response[$combination[0]] . $response[$combination[1]] . $response[$combination[2]] . $response[$combination[3]];
			if(is_array($content)) {
				$content = json_encode($content);
			}

			$content_length = strlen($content);
			// Slot 20..25 that will hold the real content; its index is itself encrypted into slot 15..19
			$content_field = rand(20, 25);
			$store_content_field = 10 + $response[14];
			for($i=15; $i <= 19; $i++) {
				if($i == $store_content_field) {
					$response[$i] = $this->mCrypt($content_field, $password);
				} else {
					$response[$i] = $this->mCrypt(rand(10, 99), $password);
				}
			}

			for($i=20; $i <= 25; $i++) {
				if($i == $content_field) {
					$response[$i] = $this->mCrypt($content, $password);
				} else {
					$response[$i] = $this->mCrypt($this->generateRandomString($content_length), $password);
				}
			}

			$json = json_encode($response);

			$string = $password . $this->pekkaEncode(str_rot13(convert_uuencode($json)));
			$string = str_split($string, 4);

			$string = implode(' ', $string);

			return trim($string);
		}

		// The 16-character password sits in clear at the front of the output, so whoever
		// holds the output can run decrypt() without any separate secret
		public function decrypt($string) {
			$string = str_replace(' ', '', $string);

			$password = substr($string, 0, 16);
			$decoded = json_decode(convert_uudecode(str_rot13($this->pekkaDecode(substr($string, 16)))));
			// Slot 14 points at the slot (15..19) holding the index of the real content slot (20..25)
			return trim($this->mDecrypt($decoded[$this->mDecrypt($decoded[10 + $decoded[14]], $password)], $password));
		}
	}


	$protection = new CCProtect;
	$cc = array(
		'firstname' => 'Krista',
		'lastname' => 'Sheppard',
		'dob' => 'August 11, 1932',
		'cardnumber' => '4916 5210 7061 9044',
		'cvv2' => '769',
		'expire' => array(
			'month' => '6',
			'year' => '2015',
		),
	);
?>
<html>
	<head>
	</head>
	<body>
			<h1>CCProtect example</h1>
			<?php
				$action = (isset($_GET['action']))?$_GET['action']:'encrypt';
				switch($action) {
					case 'decrypt':
						echo '
							<form action="?action=showdecrypt" method="POST">
								Enter your encrypted message:<br />
								<textarea style="height: 680px; width: 660px" name="message"></textarea><br>
								<input type="submit" value="Decrypt!">
							</form>
						';
					break;

					case 'showdecrypt':
						if(!isset($_POST['message'])) {
							header("Location: ?action=error");
							exit;
						}

						$message = $_POST['message'];
						echo '
							Here is the decrypted result of your message:<br />
							<textarea style="height: 680px; width: 660px">' . $protection->decrypt($message) . '</textarea><br>
							<a href="?action=encrypt">Encrypt another message</a>
						';
					break;

					case 'showencrypt':
						if(!isset($_POST['message'])) {
							header("Location: ?action=error");
							exit;
						}

						$message = $_POST['message'];
						echo '
							Here is your message encrypted!<br />
							<textarea style="height: 680px; width: 660px">' . $protection->encrypt($message) . '</textarea><br>
							<a href="?action=decrypt">Decrypt this message</a> (copy & paste) - <a href="?action=encrypt">Encrypt another message</a>
						';
					break;
					
					case 'encrypt':
						echo '
							<form action="?action=showencrypt" method="POST">
								Encrypt a message:<br />
								<textarea style="height: 680px; width: 660px" name="message"></textarea><br>
								<input type="submit" value="Encrypt!">
							</form>
						';
					break;

					case 'error':
						echo 'Something went wrong when trying to complete your action. Please try again.<br><a href="?action=encrypt">Go back</a>';
					break;

					default:	
						echo '';
				}
			?>
	</body>
</html>
 
• ♠️​ ♦️ ♣️ ​♥️ •
*Some weird poop...*
Do not quote me instead!

---

No, this is a two way encryption. The encryption password is stored in the final big int string. The decryption function will get the password, decode the string and then figure out what field the encrypted cc is stored in. When that is found it will decrypt the message with the random password generated (that's stored in the final big int) and return that.

I explained JaydenC's point of view. Thanks for pointing this out, because I did not follow the code line by line to test the algorithm as well as I do not own an apache to test it here.

I don't know where you guys get this "random string" thing from either.

Maybe because of the private function called generateRandomString that is only called within the function encrypt?


Anyway, cheers.
 
☮TAKU????
Do not quote me instead!

---



I explained JaydenC's point of view. Thanks for pointing this out, because I did not follow the code line by line to test the algorithm as well as I do not own an apache to test it here.



Maybe because of the private function called generateRandomString that is only called within the function encrypt?


Anyway, cheers.

Lol, you should have tested the script before you started to defend him.

generateRandomString is called to make blind ways for potential hackers.
 
Not working on UnitedFlyf
Why do people bother securing data in this fashion? You obviously don't understand basic cryptography if you're using ECB to encrypt such a large amount of data.

The first 2-3 variables (first & last name, dob) are relatively easy to guess and might be stored elsewhere in the database. If you know them, you can decrypt the rest relatively easily.

You might think the whole randomization is clever obfuscation, but sophisticated string pattern analysis will break this in milliseconds. Essentially, anyone that's using code to encrypt user credit card numbers with methods not verified by a professional cryptographer AND network security analyst is only fooling themselves into believing their methods are any better than storing in plaintext against a decent attack.

Securing decryptable data is much more complex than storing hashes, but even experts can fail at securing hashes. One example is a hash authentication blunder shown here... .

But this is especially moot (no pun intended) when talking about pservers. Almost every pserver admin I've encountered will hand over root to any dev that seems to know what they're talking about. Why bother with such silly encryption when your server can be hacked much more easily with extremely minimal social engineering?
 
Elite Diviner
You'd think when it comes to what is effectively a glorified substitution cipher, the randomness of the ciphertext would be the least of people's worries. Is there a lot of entropy? Yes. Enough to make brute force cryptanalysis pointless? Yes, but that's a feature of every modern cryptographic cipher, which this one mostly inherits through the use of AES. Is it going to stump a hacker who's rooted your server? Not really, it's more like a Christmas present. This cipher is only slightly more secure than plain ol' ROT13.
 
You might think the whole randomization is clever obfuscation, but sophisticated string pattern analysis will break this in milliseconds. Essentially, anyone that's using code to encrypt user credit card numbers with methods not verified by a professional cryptographer AND network security analyst is only fooling themselves into believing their methods are any better than storing in plaintext against a decent attack.

This bolded remark is extremely important. When time permits, I often prefer coding my own application architecture from the ground up. I won't get into the benefits and detriments of this practice, but I must say that one thing I never do myself is anything regarding cryptography. It's a very complex field that has its own set of professionals.

When it comes to this level of security, don't take matters into your own hands unless you know exactly what you're doing. And chances are that you don't. Leave it to the experts in cryptography and security to handle this. There are already many released documents, code examples, and so on from heavily experienced groups and people that will secure whatever you need to secure much more effectively than anything you could come up with on your own. Don't code like you're an expert in cryptography unless you are. Don't take security into your own hands. Use proven methods.
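As an added example (not the thread's CCProtect code, and not from any project the posters run), here is what "use proven methods" looks like for the same job in PHP: the card record sealed with libsodium's secretbox under a key that lives outside the database, plus a keyed fingerprint for the "is this the same card" comparison argued over earlier in the thread. The CardVault class, the env vars CC_ENC_KEY / CC_IDX_KEY and the sample card are assumptions of this example; it needs PHP 7.4+ with the bundled sodium extension.

```php
<?php
// Added example, not the thread's CCProtect: a card record protected with
// PHP's bundled libsodium. Assumed: CardVault and the env vars CC_ENC_KEY /
// CC_IDX_KEY are made up here; each is 32 random bytes as hex, held off-database.
final class CardVault {
    private string $encKey;   // secretbox key: never stored beside the data
    private string $indexKey; // separate key for the equality fingerprint

    public function __construct(string $encKeyHex, string $indexKeyHex) {
        $this->encKey   = sodium_hex2bin($encKeyHex);
        $this->indexKey = sodium_hex2bin($indexKeyHex);
        if (strlen($this->encKey) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES
            || strlen($this->indexKey) !== SODIUM_CRYPTO_AUTH_KEYBYTES) {
            throw new InvalidArgumentException('both keys must be 32 bytes');
        }
    }

    // Authenticated encryption (XSalsa20-Poly1305) under a fresh random nonce. The
    // blob is nonce + ciphertext + tag with no key material, so a DB dump alone
    // cannot be reversed, and any edit to the blob makes open() fail.
    public function seal(array $card): string {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $json  = json_encode($card, JSON_THROW_ON_ERROR);
        return base64_encode($nonce . sodium_crypto_secretbox($json, $nonce, $this->encKey));
    }

    // Returns the original array, or null if the blob was altered or the key is wrong.
    public function open(string $blob): ?array {
        $raw = base64_decode($blob, true);
        if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
            return null;
        }
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($box, $nonce, $this->encKey);
        return $plain === false ? null : json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
    }

    // Keyed fingerprint (HMAC-SHA512/256) of the digits only: two records holding
    // the same card compare equal without storing the number or a per-row random
    // salt, which is the comparison use case debated above.
    public function fingerprint(string $cardNumber): string {
        $pan = preg_replace('/\D/', '', $cardNumber);
        return sodium_bin2hex(sodium_crypto_auth($pan, $this->indexKey));
    }
}

// Constructed usage: generate each key once with bin2hex(random_bytes(32)) and export it
$vault = new CardVault((string) getenv('CC_ENC_KEY'), (string) getenv('CC_IDX_KEY'));
$card  = ['cardnumber' => '4916 5210 7061 9044', 'expire' => ['month' => '6', 'year' => '2015']];
$blob  = $vault->seal($card);
var_dump($vault->open($blob) === $card, $vault->fingerprint('4916-5210-7061-9044') === $vault->fingerprint($card['cardnumber']));
```

Both var_dump results are true: the round trip restores the array exactly, and the fingerprint matches regardless of how the number was formatted, while the blob itself reveals neither the key nor the card.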
 