CCProtect (encrypt and decrypt cc's)

[ashleymeah]

Iv not looked into the code to much, But keep in mind there is no way to be 100% secure. As long as there is a way for you to get the original data, So can others.

That video i sent you, Its really hard to get the prime numbers that created the results. The more bits, the bigger the number and more harder to break the number up. Not even the NSA can decode the encryption but sure there is other ways around getting information. Helps when company's also openly give them the data in plain text so they don't need to decrypt to much.

Quantum computers are around the corner that would try every single possibility at the same time, There is some way to keep data safe with Quantum computers that the laws of physics guarantees you safety. (apparently anyway)

[JaydenC]

Hey don't even post here if you can't handle some constructive criticism, i'm completely right no matter how you look at it. Maybe you don't understand and thats cool but no need to de-rep me for trying to explain your crappy way of encrpytion to you.

Look, if I put in my cc # 2 times i'm going to get 2 different results. Why? Because you randomize your string everytime making this useless.

[seanrom]

Hey don't even post here if you can't handle some constructive criticism, i'm completely right no matter how you look at it. Maybe you don't understand and thats cool but no need to de-rep me for trying to explain your crappy way of encrpytion to you.

Look, if I put in my cc # 2 times i'm going to get 2 different results. Why? Because you randomize your string everytime making this useless.

What are you takling about? Randomize what string? I'm really getting tired of your bullshit criticism because you clearly know nothing about what you're saying.

[JaydenC]

What are you takling about? Randomize what string? I'm really getting tired of your bullshit criticism because you clearly know nothing about what you're saying.

Did you even code this? String = encrypted credit card number. It will be different every time you enter it. If you used any of PHP's encryption methods with a credit card number it will always be the same.

[Joopie]

Did you even code this? String = encrypted credit card number. It will be different every time you enter it. If you used any of PHP's encryption methods with a credit card number it will always be the same.

Sorry to interrupt, but what are you talking about?

Your logic sucks, sure you have parts right.

When you take the MD5 function with the CC number it will always be the same hash and you can't retreive the data from it. Adding a random string to the CC number without storing it somewhere else makes it impossible to check if it's the same.

Using the crypt function it generates everytime another hash and you can't retreive the data from it. And the nice part is, you can still check if it's the same, ofcourse only the user knows the original value.

Example can be found:*** removed ***play arround with that.

Unlike everything I've typed above, is this not a HASH class. Hash is mostly used to store user passwords because you can't decrypt it. With this class you CAN decrypt a value encrypted by this class.

But let me quess, you thought you checked the encoded string with each other and yes, that's not possible. You have to decrypt the encoded strings before you compare it. Makes sence right?

[JaydenC]

Sorry to interrupt, but what are you talking about?

Your logic sucks, sure you have parts right.

When you take the MD5 function with the CC number it will always be the same hash and you can't retreive the data from it. Adding a random string to the CC number without storing it somewhere else makes it impossible to check if it's the same.

Using the crypt function it generates everytime another hash and you can't retreive the data from it. And the nice part is, you can still check if it's the same, ofcourse only the user knows the original value.

Example can be found: PHP CRYPT play arround with that.

Unlike everything I've typed above, is this not a HASH class. Hash is mostly used to store user passwords because you can't decrypt it. With this class you CAN decrypt a value encrypted by this class.

But let me quess, you thought you checked the encoded string with each other and yes, that's not possible. You have to decrypt the encoded strings before you compare it. Makes sence right?

You're right but this function will still randomize everytime, no matter how you look at it. That's all I was trying to say.

[seanrom]

You're right but this function will still randomize everytime, no matter how you look at it. That's all I was trying to say.

It randomize everytime because the password changes everytime /facepalm

[JaydenC]

It randomize everytime because the password changes everytime /facepalm

I understand that. . . but if you put in the same credit card number twice you will get 2 different outcomes. Thats all i'm saying.

[Joopie]

Then what is the problem?

Verstuurd van mijn HTC Butterfly

[seanrom]

I understand that. . . but if you put in the same credit card number twice you will get 2 different outcomes. Thats all i'm saying.

As Joopie said, what is the problem?
You make no sense at all.

[שเ๒єtгเ๒є]

The point JaydenC means is following:

Let's say person one stores his/her cc in your db via encryption above. He/She pays a product on your page with his/her cc for example.
Now the only reason why to keep this data that cannot be de-crypted to it's original data (due random string) is to compare it with other credit cards only. But even that will not work, because user2 puts the same cc in your db but the output is completely different. Instead of a random string you should store a fixed string anywhere, otherwise it's not possible to use the stored cc data for any use.

That's his point.


Also the fact this:

PHP Code:

$protection = new CCProtect;

    $cc = array(
        'firstname' => 'Krista',
        'lastname' => 'Sheppard',
        'dob' => 'August 11, 1932',
        'cardnumber' => '4916 5210 7061 9044',
        'cvv2' => '769',
        'expire' => array(
            'month' => '6',
            'year' => '2015',
        ),
    );

    $cc2 = $protection->decrypt($protection->encrypt($cc), 75)); 


... does not work ($cc is not the same like $cc2) makes it an encryption without decryption only.


Then it's easier to put everything as salted string into md5.

[seanrom]

The point JaydenC means is following:

Let's say person one stores his/her cc in your db via encryption above. He/She pays a product on your page with his/her cc for example.
Now the only reason why to keep this data that cannot be de-crypted to it's original data (due random string) is to compare it with other credit cards only. But even that will not work, because user2 puts the same cc in your db but the output is completely different. Instead of a random string you should store a fixed string anywhere, otherwise it's not possible to use the stored cc data for any use.

That's his point.


So ...

PHP Code:

$protection = new CCProtect;

    $cc = array(
        'firstname' => 'Krista',
        'lastname' => 'Sheppard',
        'dob' => 'August 11, 1932',
        'cardnumber' => '4916 5210 7061 9044',
        'cvv2' => '769',
        'expire' => array(
            'month' => '6',
            'year' => '2015',
        ),
    );

    $cc2 = $protection->decrypt($protection->encrypt($cc), 75)); 


So $cc will not equal to $cc2, so it's unable to decrypt cc's. ...

No, this is a two way encryption. The encryption password is stored in the final big int string. The decryption function will get the password, decode the string and then figure out what field the encrypted cc is stored in. When that is found it will decrypt the message with the random password generated (that's stored in the final big int) and return that.

It doesn't matter how long the message you wan't encrypted is, what it is or what kind of type characters it is.

I don't know where you guys get this "random string" thing from either.

Since it's really hard for you guys to understand an example is coming up.

[Joopie]

*Some weard shit...*

If you're right, then my apache server lies to me...

*** removed ***

[seanrom]

Here's a live demo:
http://goo.gl/T4Tb5L

Script:

PHP Code:

<?php
    class CCProtect {
        private function pekkaEncode($s) {
            $out = '';
            for ($i=0;$i<strlen($s); $i++) {
                $out .= sprintf("%03d", ord($s[$i]));     
            }

            return $out;
        }

        private function pekkaDecode($s) {
            $out = '';
            for ($i=0;$i<strlen($s);$i+=3) {
                $out .= chr($s[$i].$s[$i+1].$s[$i+2]);
            }

            return $out;
        }

        private function generateRandomString($length = 10) {
            $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
            $randomString = '';
            for($i = 0; $i < $length; $i++) {
                $randomString .= $characters[rand(0, strlen($characters) - 1)];
            }

            return $randomString;
        }

        private function mCrypt($text, $salt) {
            return trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($salt), $text, MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND))));
        }

        private function mDecrypt($text, $salt) {
            return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($salt), base64_decode($text), MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)));
        }

        public function encrypt($content) {
            $response = array(
                0 => rand(1000, 9999),
                1 => rand(1000, 9999),
                2 => rand(1000, 9999),
                3 => rand(1000, 9999),
                4 => rand(1000, 9999),
                5 => rand(1000, 9999),
                6 => rand(1000, 9999),
                7 => rand(1000, 9999),
                8 => rand(1000, 9999),
                9 => rand(1000, 9999),
                10 => rand(0, 9),
                11 => rand(0, 9),
                12 => rand(0, 9),
                13 => rand(0, 9),
                14 => rand(5, 9),
                15 => '',
                16 => '',
                17 => '',
                18 => '',
                19 => '',
                20 => '',
                21 => '',
                22 => '',
                23 => '',
                24 => '',
                25 => '',
            );

            $rand = rand(10, 14);
            $combination = str_split($response[$response[$rand]], 1);
            $password = $response[$combination[0]] . $response[$combination[1]] . $response[$combination[2]] . $response[$combination[3]];
            if(is_array($content)) {
                $content = json_encode($content);
            }

            $content_length = strlen($content);
            $content_field = rand(20, 25);
            $store_content_field = 10 + $response[14];
            for($i=15; $i <= 19; $i++) {
                if($i == $store_content_field) {
                    $response[$i] = $this->mCrypt($content_field, $password);
                } else {
                    $response[$i] = $this->mCrypt(rand(10, 99), $password);
                }
            }

            for($i=20; $i <= 25; $i++) {
                if($i == $content_field) {
                    $response[$i] = $this->mCrypt($content, $password);
                } else {
                    $response[$i] = $this->mCrypt($this->generateRandomString($content_length), $password);
                }
            }

            $json = json_encode($response);

            $string = $password . $this->pekkaEncode(str_rot13(convert_uuencode($json)));
            $string = str_split($string, 4);

            $string = implode(' ', $string);

            return trim($string);
        }

        public function decrypt($string) {
            $string = str_replace(' ', '', $string);

            $password = substr($string, 0, 16);
            $decoded = json_decode(convert_uudecode(str_rot13($this->pekkaDecode(substr($string, 16)))));
            return trim($this->mDecrypt($decoded[$this->mDecrypt($decoded[10 + $decoded[14]], $password)], $password));
        }
    }


    $protection = new CCProtect;
    $cc = array(
        'firstname' => 'Krista',
        'lastname' => 'Sheppard',
        'dob' => 'August 11, 1932',
        'cardnumber' => '4916 5210 7061 9044',
        'cvv2' => '769',
        'expire' => array(
            'month' => '6',
            'year' => '2015',
        ),
    );
?>
<html>
    <head>
    </head>
    <body>
            <h1>CCProtect example</h1>
            <?php
                $action = (isset($_GET['action']))?$_GET['action']:'encrypt';
                switch($action) {
                    case 'decrypt':
                        echo '
                            <form action="?action=showdecrypt" method="POST">
                                Enter your encrypted message:<br />
                                <textarea style="height: 680px; width: 660px" name="message"></textarea><br>
                                <input type="submit" value="Decrypt!">
                            </form>
                        ';
                    break;

                    case 'showdecrypt':
                        if(!isset($_POST['message'])) {
                            header("Location: ?action=error");
                            exit;
                        }

                        $message = $_POST['message'];
                        echo '
                            Here is the decrypted result of your message:<br />
                            <textarea style="height: 680px; width: 660px">' . $protection->decrypt($message) . '</textarea><br>
                            <a href="?action=encrypt">Encrypt another message</a>
                        ';
                    break;

                    case 'showencrypt':
                        if(!isset($_POST['message'])) {
                            header("Location: ?action=error");
                            exit;
                        }

                        $message = $_POST['message'];
                        echo '
                            Here is your message encrypted!<br />
                            <textarea style="height: 680px; width: 660px">' . $protection->encrypt($message) . '</textarea><br>
                            <a href="?action=decrypt">Decrypt this message</a> (copy & paste) - <a href="?action=encrypt">Encrypt another message</a>
                        ';
                    break;
                    
                    case 'encrypt':
                        echo '
                            <form action="?action=showencrypt" method="POST">
                                Encrypt a message:<br />
                                <textarea style="height: 680px; width: 660px" name="message"></textarea><br>
                                <input type="submit" value="Encrypt!">
                            </form>
                        ';
                    break;

                    case 'error':
                        echo 'Something went wrong when trying to complete your action. Please try agian.<br><a href="?action=encrypt">Go back</b>';
                    break;

                    default:    
                        echo '';
                }
            ?>
    </body>
</html>

[שเ๒єtгเ๒є]

*Some weard shit...*

Do not quote me instead!

---

No, this is a two way encryption. The encryption password is stored in the final big int string. The decryption function will get the password, decode the string and then figure out what field the encrypted cc is stored in. When that is found it will decrypt the message with the random password generated (that's stored in the final big int) and return that.

I explained JaydenC's point of view. Thanks for pointing this out, because I did not follow the code line by line to test the algorithm as well as I do not own an apache to test it here.

I don't know where you guys get this "random string" thing from either.

Maybe because of the private function called generateRandomString that is only called within the function encrypt?


Anyway, cheers.