What is the most secure encryption function that I can use in PHP? I need to encrypt some data on my website, and I need the latest encryption. Thanks in advance.
MD5 is the most common and it's a bitch to crack, most websites use it. Most credit card companies insist on using MD5 encryption if you store anything sensitive about transactions, so if the banks are telling you to use it there's a safe bet it works.
Depends what you are doing. If you are using it for authentication, then 1-way hashes like MD5() or SHA1() are fine (preferably with $salt), but there is no way of DEcrypting those hashes, just authenticating that a certain hashed string value equals the databased $salt+$hash. Most commonly used for storing IDs, name-alias constructs, and mostly passwords in databases so anyone viewing the database doesn't have direct viewable access to the real credentials. As to the "crackability" of reverse engineering them, the only method is brute forcing using lists or rainbow tables, which is why adding $salt to the hash is paramount. For instance, MD5("brian") is much easier/faster to crack than the $salt-added MD5("jngfwueigth47_f97h273HYY-8923h47g2HHHaS"."brian"), which is pretty much impossible because that value probably doesn't exist in a rainbow table. If you need to DEcrypt, then something else needs to be used. Something like mCrypt perhaps ... "... an interface to the mcrypt library, which supports a wide variety of block algorithms such as DES, TripleDES, Blowfish (default), 3-WAY, SAFER-SK64, SAFER-SK128, TWOFISH, TEA, RC2 and GOST in CBC, OFB, CFB and ECB cipher modes. Additionally, it supports RC6 and IDEA which are considered 'non-free' ..."
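Added example, not part of any post in the thread: the salt-versus-lookup-table point from the reply above, shown from the side of someone auditing stored hashes, followed by PHP's built-in `password_hash()` / `password_verify()`, which the thread does not mention. It assumes PHP 7.1 or later; the word list and the helper name `lookupHash` are constructed for illustration.

```php
<?php
// Added illustration. The word list and helper name are constructed.

// A precomputed table maps unsalted MD5 digests back to common words.
$commonWords = ['password', 'letmein', 'brian', 'qwerty']; // constructed sample
$table = [];
foreach ($commonWords as $word) {
    $table[md5($word)] = $word;
}

// Returns the original word if the digest is in the table, otherwise null.
function lookupHash(array $table, string $digest): ?string
{
    return $table[$digest] ?? null;
}

$password = 'brian';

// 1) Unsalted MD5: the stored digest is a key in the table, so a single
//    array lookup recovers the password.
$unsalted = md5($password);
var_dump(lookupHash($table, $unsalted));

// 2) MD5 with a random per-user salt: the digest no longer matches any
//    precomputed entry, so the same table is useless against it.
$salt   = bin2hex(random_bytes(16)); // stored next to the hash, not secret
$salted = md5($salt . $password);
var_dump(lookupHash($table, $salted));

// The salt only defeats table reuse. Whoever holds the salt and the digest
// can still hash guesses one at a time, and MD5 is built to be fast, so a
// deliberately slow password hash is the stronger defence.

// 3) password_hash(): generates its own random salt, applies a slow
//    algorithm (bcrypt by default) and packs algorithm, cost and salt
//    into one string to store.
$stored = password_hash($password, PASSWORD_DEFAULT);

// Verification re-derives the hash from the parameters inside $stored.
var_dump(password_verify('brian', $stored)); // correct password
var_dump(password_verify('Brian', $stored)); // wrong password

// True once PHP's default algorithm or cost has moved on since the hash
// was created; rehash at the user's next successful login in that case.
var_dump(password_needs_rehash($stored, PASSWORD_DEFAULT));
```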
Totally untrue. MD5 would be pointless to store transaction data, since it's a HASH and cannot be decrypted, which would make it useless data.
You have no reason to access the credit card number of a customer once you have processed the transaction, therefore a two-way method is not necessary. Just because the method is one-way doesn't make it useless. The only reason you would need to break the encryption is if the bank needed it, in which case you can send them the hash and they can break it. The OP didn't specify if he wanted 1 or 2 way encryption, so I took a guess at 1-way.
He said encryption, not hashing, which is a cipher that can be broken using the correct key. And why would you need to store a hash of a card? You wouldn't. And as for the "break" of the MD5... like I said, it's a hash, not a cipher, so it can't be broken. The best they can use it for is to match the hash value to a hashed value of the card number they have stored on their system. Regardless, you should never store someone's credit card details.
Agreed. However, you can break an MD5 encryption; just because it's a hash doesn't make it invulnerable. Look up Rainbow Tables and you'll see how it's done, it's actually quite amazing if you learn the math and logic behind how to break a hash encryption. According to the theory behind Rainbow Tables, you can break any hash. It's a really cool concept, and it can work even if you add a salt to the hash, but it takes way longer to break.
Actually, the better and most well-known web systems that do direct payment processing DO encrypt credit card data for a faster payment process, and also allow the customer to edit their cards in their account data. That requires a boatload of security, including hashing, encryption, https, as well as datacenter security. Of course, when using a 3rd party payment processor they don't get the credit card details. Amazon, banking, PayPal, eBay, Embarq, Buy, Overstock, and thousands of other online enterprises successfully handle financial and credit card data securely to give the user maximum convenience, especially those with 1-click-buying.
Yeah, the reason the salt will make it harder is only for the length of the string being hashed. Storing hashes and salts on the same server is pointless too, since if you have your server hacked, the salts are just as accessible as the hashes. I know it's not impossible to break a hash, but it's more brute force than anything else. There are of course MD5 lookup tables, but they're not really ideal for large strings. If I need to use a hashing function I only use SHA512 since it's far less susceptible to collisions and brute attacks. --EDIT-- @bind - Yes, companies do store card data in some instances, but these are all stored remotely on another server, and like you said, have a whole boatload more security.
Uhh... you do understand the meaning of "1-way", right? lol. Unless you are a major hacker you can't decrypt an MD5 hash, and even then it's not easy (trust me, I've tried lol).
lol, there would make one weird looking hash. You'd probably crash the box that you try to do it on if it's a large amount of data.
Free good crypto is gnupg, or gpg. http://devzone.zend.com/node/view/id/1265 http://www.kelv.net/programming/pgp.php