mcrypt seem to be not 100% reversible
Question
I've 336 'Client' in my database
I tried this code to encrypt and then decrypt some data
The esit is: Right: 323 - Wrong: 13
What's the reason because mcrypt is not fully reversible ?
EDIT: Please don't try to change the nature of the problem, ask to my question or I'll downvote your answers. The problem it's this algorithm seems to be not 100% reversible and this is the problem, THE PROBLEM IS NOT WHY I'M USING IT
$wrong = $right = 0;
foreach ($clients as $c) {
$string_to_encode = trim($c->first_field . ":::" . $c->last_field);
$mc_key = Yii::app()->params["rijndael_key"];
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv_1 = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$crypt = trim(mcrypt_encrypt(
MCRYPT_RIJNDAEL_256,
$mc_key,
$string_to_encode,
MCRYPT_MODE_ECB,
$iv_1));
$token = urlencode(base64_encode($crypt));
$string_to_decode = base64_decode(urldecode($token));
$string_decoded = trim(mcrypt_decrypt(
MCRYPT_RIJNDAEL_256,
$mc_key,
$string_to_decode,
MCRYPT_MODE_ECB,
$iv_1));
if ($string_to_encode != $string_decoded) {
echo $string_to_encode . PHP_EOL;
echo "***** ERROR ! ***** " . PHP_EOL;
echo $string_to_encode . PHP_EOL;
echo $string_decoded . PHP_EOL;
$wrong ++;
} else {
$right ++;
}
}
echo "Right $right - Wrong $wrong" . PHP_EOL;
An exmple of differences from plain and decoded string [please note that I changed login name .... ]
customer.email@alice.it:::11734
customer.email@alice.it:::11z͉\wo����y�+� �>�d��x�
The algo is not 100% reversibile. This is the problem, this is the question... obviously I'll not use this in production... it's only a case to demo to YOU that this algo has some problem
3 answers
solution1
3 ACCPTED 2013-11-29 17:01:37
Others have mentioned it but you are trimming the results of encryption. The cipher text will appear randomly and some of the items you are encrypting will produce whitespace at the end.
If you trim the cipher text you are losing information and the string will not decode properly.
solution2
2 2013-11-29 16:22:18
Instead of encrypting your password, hash them .
Advantages:
- PHP(5.5+) has a native API for password hashing and verifying.
- Hashing is always irreversible. If your database gets stolen, an attacker can never get the plain text password directly.
- Proper Hashing+Salting solves 99% of attack vectors on passwords.
solution3
0 2013-11-29 16:32:08
It's already been addressed that you shouldn't use a two-way encryption algorithm for saving passwords, but instead a one-way hashing algorithm.
You're trimming your data ciphertext. Remove trim() around mcrypt_encrypt() and you'll be fine.
That said, you have another problem. You generate IVs, but ECB mode doesn't use IVs, so those are useless. A more secure approach to keep your ciphertext more unpredictable is to switch to CBC mode. When you do this, keep in mind that the IVs should be identical when encrypting and decrypting (ie $iv_1 and $iv_2 should be identical).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.