On Wed, Nov 30, 2011 at 10:34 PM, Adam Richardson <simpleshot@xxxxxxxxx> wrote:
> On Wed, Nov 30, 2011 at 4:25 PM, Matijn Woudt <tijnema@xxxxxxxxx> wrote:
>
>> On Wed, Nov 30, 2011 at 10:18 PM, Adam Richardson <simpleshot@xxxxxxxxx>
>> wrote:
>> > On Wed, Nov 30, 2011 at 4:14 PM, Matijn Woudt <tijnema@xxxxxxxxx> wrote:
>> >
>> >> On Wed, Nov 30, 2011 at 9:57 PM, Rick Dwyer <rpdwyer@xxxxxxxxxxxxx>
>> wrote:
>> >> > Hello all.
>> >> >
>> >> > I am using the following function to encrypt a string:
>> >> >
>> >> > define('SALT', 'myvalueforsalthere');
>> >> >
>> >> > function encrypt($text)
>> >> > {
>> >> > return trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, SALT,
>> >> > $text, MCRYPT_MODE_ECB,
>> >> > mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256,
>> >> MCRYPT_MODE_ECB),
>> >> > MCRYPT_RAND))));
>> >> > }
>> >> >
>> >>
>> >> Can you post your decrypt function too?
>> >>
>> >> You create a random IV here, don't you need that IV to decrypt too?
>> >>
>> >>
>> > You're normally right, Matijn,
>> >
>> > However, ECB mode doesn't use an IV, so even though he's generating an
>> IV,
>> > it's not being used (and, the benefit of an IV is one of the main reasons
>> > you try to avoid ECB.)
>> >
>> > Adam
>>
>> Ah, I see, you're right. I thought he was using CBC (which I would
>> recommend).
>> That also means that example #1 is wrong at mcrypt_encrypt help page[1].
>>
>> Matijn
>>
>> [1] http://php.net/manual/en/function.mcrypt-encrypt.php#example-884
>>
>
> Nice catch in the documentation, Matijn. While it will encrypt and decrypt
> successfully, the IV isn't being used, so it would seem to be a better
> illustration of use of someone switched the mode to one that's using the IV.
>
> Someone with access to the documents want to make the change to one of the
> other modes (as Matijn pointed out, CBC is pretty common?)
>
> Adam
I tried to submit a bug report, but the PHP version that comes with
Ubuntu Server (oneiric) is 5.3.6, and they only accept bug reports
from version 5.3.8 and above. If anyone else wants to, please do so.
In that case, there's a second related bug, which is that
mcrypt_get_iv_size does not return 0 for ECB modes, which it should
(as the documentation also notes).
Matijn
> --
> Nephtali: A simple, flexible, fast, and security-focused PHP framework
> http://nephtaliproject.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
