I've been asked to point a login form to an external site, where login and pass should be present in the URL and the pass should be Blowfish encrypted. I was provided a "key" which is in the format: "nnn-nnnssssssssssssssssssssssssnnnnnn" where n is a number and s is a letter (24 of them).

From the PHP docs it seems that to trigger Blowfish encryption with crypt() one needs to provide a salt in a specific format, starting with "$2a$", but this is not the format of the key I was provided. Does this mean I need to provide a salt of my own? If yes, what is the point of the key I was provided?

+1  A: 

crypt is a hashing function; it's not for encryption. To actually encrypt something you need mcrypt or a pure PHP implementation (I remember seeing something in PEAR).

stereofrog
+1 Worst name ever for a hash function. ;)
deceze
I may have formulated things wrong, "hashing" is probably the correct term.
stef
@stef, well, if hashing is actually what they want, I'd call them and ask ;) I guess you're supposed to use "$nnn$xxxx" instead of "nnn-xxxxx..."
stereofrog
+1  A: 

Try this as the salt: $2a$nn$nnnnsssssssssssnnn$ (didn't work)

It isn't a hash then and you'll have to use mcrypt or the PEAR library:

http://pear.php.net/package/Crypt_Blowfish

Example:

http://www.chilkatsoft.com/p/php_blowfish.asp

I don't see an IV so the mode will have to be ECB (weak) and the whole thing will be the key.

Rob Olmos
Yep, that's what I did, but this gives me $2a$08$HBHfHB.yHBa2MQyvKhLrcOjQY22GCusbxK2NT2ClnfNHDh4r61gmO as the hashed value for a test string, but this is different from the hashed result on their side, which is p/R0ePNz - AFAIK theirs cannot be a Blowfish hash.
stef
@stef Thanks for the feedback. See my edited answer.
Rob Olmos
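
The thread turns on telling crypt()'s Blowfish-based hash apart from Blowfish encryption output. The PHP sketch below is an added example, not code from any poster: it classifies a string by layout alone. The helper name `classify_blowfish_output`, the constructed salt and sample bytes, and the assumption that ciphertext arrives hex- or base64-encoded are all illustrative.

```php
<?php
// Added example (not from the thread): classify a string by its layout only.

const BLOWFISH_BLOCK_BYTES = 8; // Blowfish has a 64-bit block

// Hypothetical helper: report which known layout $s matches, if any.
function classify_blowfish_output(string $s): string
{
    // crypt() "Blowfish" output is a bcrypt hash: $2a$ (or $2x$/$2y$),
    // a two-digit cost, then 22 salt + 31 hash chars from ./A-Za-z0-9.
    if (preg_match('#^\$2[axy]\$\d{2}\$[./A-Za-z0-9]{53}$#', $s) === 1) {
        return 'bcrypt hash (one-way, as produced by crypt())';
    }
    // ECB/CBC ciphertext is a whole number of 8-byte blocks.
    // Assumption: the other side sends it hex- or base64-encoded.
    if (ctype_xdigit($s) && strlen($s) % (2 * BLOWFISH_BLOCK_BYTES) === 0) {
        return 'possible Blowfish block ciphertext (hex)';
    }
    $raw = base64_decode($s, true); // strict mode: false on invalid chars
    if ($raw !== false && $raw !== ''
        && strlen($raw) % BLOWFISH_BLOCK_BYTES === 0) {
        return 'possible Blowfish block ciphertext (base64)';
    }
    return 'neither layout';
}

$samples = [
    // The two values quoted in the comments above.
    '$2a$08$HBHfHB.yHBa2MQyvKhLrcOjQY22GCusbxK2NT2ClnfNHDh4r61gmO',
    'p/R0ePNz',
    // Constructed: crypt() called with a constructed 22-character salt.
    crypt('test', '$2a$08$abcdefghijklmnopqrstuu'),
    // Constructed: one 8-byte block of sample bytes, base64-encoded.
    base64_encode("\x00\x01\x02\x03\x04\x05\x06\x07"),
];

foreach ($samples as $s) {
    printf("%-62s %s\n", $s, classify_blowfish_output($s));
}
```

Of the two values quoted in the comments, the first matches the bcrypt layout; the second decodes as base64 to 6 bytes, which is not a multiple of the 8-byte block, so it fits neither layout under these assumptions.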