Problem with mcrypt function


6

I am using these two functions below to encrypt and decrypt a string. I left the example as clean as possible.

Function for encryption

$key = '123';
$iv  = md5( md5( 'key' ) );   // 32-char hex string, the Rijndael-256 block size, so mcrypt accepts it as the IV
// md5($key) is used as the 32-char key; $string is the plaintext to encrypt
$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, $iv);

Function to decrypt

$key = '123';
$iv  = md5( md5( 'key' ) );   // same key and IV as for encryption
// $string here is the ciphertext returned by mcrypt_encrypt()
$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, $iv);

I don’t know the function at all, and I’m having trouble using json_encode/json_decode. json_encode works without problems, but json_decode does not work on the decrypted string.

As an example I used a simple array, array( 123 ). The decrypted output looks exactly like json_encode( array( 123 ) ); the only difference is the length, and nothing extra is visible at the beginning or at the end.

Dump

decrypt( $argument )        : string(32) "[123]"
json_encode( array( 123 ) ) : string(5) "[123]"

I found a question which reports the same problem as mine, and the proposed solution was to use rtrim( $decrypted , "\0" ). It worked for the author and for me, but the explanation is superficial:

It says that the encrypt/decrypt functions add garbage to reach the correct size, and that the nulls at the end of the string must be removed.

I also added null bytes at the end of the string myself, but that did not affect the size in the dump. I can’t understand why the string sizes don’t match.


  1. Which characters does the "\0" in the trim cover?
  2. I would like to know more about the cipher and mode options; I did not find deeper references for each case in the docs.
  3. Is it possible to combine cipher and mode so that the string is not padded with null bytes to fill the block size?
  • 3

    rtrim( , "\0" ) covers only the character "\0" itself. It is the same as rtrim( , chr(0) ). That padding is a feature of the mode chosen for encryption: it is used so that the blocks are all the same size for the cryptographic function. http://en.wikipedia.org/wiki/Block_cipher - It is a pity that I do not have time to prepare an answer right now.

  • @Bacco, I used trim( $crypt ) and it had the same effect - is there a difference? I saw that it says something about RFC 5652; I’ll read it calmly.

  • The problem with trim without specifying chr(0) is that if the original string has spaces and/or line breaks at the beginning or end, you have just lost them too. Oh, one more thing: that md5(md5()) makes me sick to my stomach. While you’re at it, have you read this? http://answall.com/questions/2402/ It has no direct connection to your question, but it is interesting to know.

  • I understand the point about trim. The link has interesting things; I will read it calmly - your answer needs time to assimilate :). About the md5, it was an example I took for educational purposes. I have never worked with mcrypt.

1 answer

2


For those who come across this topic in the future, what Bacco said in that comment is, basically, to remove all the "garbage" added by the cipher so that the blocks have the same size, which, in code, would be this:

$string = json_encode( array( 123 ) );

$key = '123';
$iv  = md5( md5( 'key' ) );

$encrypted = mcrypt_encrypt(
    MCRYPT_RIJNDAEL_256, md5( $key ),
    $string, MCRYPT_MODE_CBC, $iv
);

// rtrim() accepts a range in its character list ("a..z" syntax);
// "\x00..\x1F" strips every trailing byte from 0x00 to 0x1F
$decrypted = rtrim(
    mcrypt_decrypt( MCRYPT_RIJNDAEL_256, md5($key), $encrypted, MCRYPT_MODE_CBC, $iv ),
    "\x00..\x1F"
);

Just compare with a var_dump() and you will see that, without that rtrim(), the encrypted string is quite different from the unencrypted string, but both have the same length:

string '’!Ù Èžtvûþ×Ij>+|oÙ(Œà¢qŒ)·Î"“Æ¡h' (length=32)
string '[123]���������������������������' (length=32)

But (and now comes my contribution), it is not enough to remove only the null byte ( \0 or 0x00 ), as each language can include its own trash.

That’s why my pseudo-code uses a wider character range, \x00..\x1F, that is, the first 31 characters of the ASCII table.

By the way, answering your question 1: if you only consider removing the null byte ( \0 ), you can safely use rtrim() without arguments, as this character is already in the function’s default strip list.

  • Thanks Bruno. It seems that decrypt is kind of lame and forgets to remove the padding it added itself. I’ve been looking for more about the function and found examples using mcrypt_create_iv and mcrypt_get_iv_size, which calculate the IV size and subtract it from the string.
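The padding discussed in the answer and comments is the real issue: mcrypt zero-pads the last block and mcrypt_decrypt hands the padding back, and no trim list can distinguish padding from data that legitimately ends in "\0", spaces or line breaks. The example below is added here and is not code from the question, the answer, or the mcrypt documentation. It assumes PHP >= 7.2 with the OpenSSL extension (where mcrypt no longer exists) and uses AES-256-CBC, whose 16-byte block plays the same role as Rijndael-256's 32-byte block; the function names are this example's own. It shows the data loss caused by zero-padding plus rtrim(), a reversible PKCS#7 pad/unpad pair (the scheme RFC 5652 defines), and an encrypt-then-MAC round trip with openssl_encrypt(), which applies PKCS#7 itself so no rtrim() is needed.

```php
<?php
// Added example; not code from the question or the answer above.
// Assumes PHP >= 7.2 with the OpenSSL extension. Function names are this
// example's own. AES-256-CBC (16-byte block) stands in for mcrypt's
// Rijndael-256 (32-byte block); the padding logic is identical.

// --- 1. What mcrypt did: zero-padding, which is not reversible -------------
function zero_pad(string $data, int $blockSize): string {
    $rem = strlen($data) % $blockSize;
    return $rem === 0 ? $data : $data . str_repeat("\0", $blockSize - $rem);
}

// --- 2. PKCS#7 (RFC 5652, 6.3): every pad byte holds the pad length --------
// Always adds 1..blockSize bytes, so unpadding never guesses.
function pkcs7_pad(string $data, int $blockSize): string {
    $padLen = $blockSize - (strlen($data) % $blockSize);
    return $data . str_repeat(chr($padLen), $padLen);
}

function pkcs7_unpad(string $data, int $blockSize): string {
    $len = strlen($data);
    if ($len === 0 || $len % $blockSize !== 0) {
        throw new RuntimeException('padded data must be a whole number of blocks');
    }
    $padLen = ord($data[$len - 1]);
    if ($padLen < 1 || $padLen > $blockSize
        || substr($data, -$padLen) !== str_repeat(chr($padLen), $padLen)) {
        throw new RuntimeException('invalid PKCS#7 padding');
    }
    return substr($data, 0, $len - $padLen);
}

// --- 3. Encrypt-then-MAC with openssl_*; openssl applies PKCS#7 itself ----
// Keys are raw 32-byte strings (e.g. random_bytes(32) kept in secure storage),
// not md5() of a password; one key for AES, a separate one for the HMAC.
function encrypt_then_mac(string $plaintext, string $encKey, string $macKey): string {
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));  // fresh per message
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return $iv . $ct . $tag;   // the IV is public; it only has to be unpredictable
}

function decrypt_and_verify(string $blob, string $encKey, string $macKey): string {
    $ivLen = openssl_cipher_iv_length('aes-256-cbc');
    if (strlen($blob) < $ivLen + 32) {
        throw new RuntimeException('message too short');
    }
    $iv  = substr($blob, 0, $ivLen);
    $tag = substr($blob, -32);
    $ct  = substr($blob, $ivLen, -32);
    // Verify the MAC before touching the ciphertext so a padding failure can
    // never be observed by an attacker; hash_equals() compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;   // padding already removed by openssl; no rtrim() needed
}

// --- Demonstration (constructed input) -------------------------------------
$blockSize = 32;              // Rijndael-256 block size, as in the question
$plain = "[123]\n";           // JSON followed by a legitimate trailing newline

// Zero-padding plus rtrim("\x00..\x1F") also strips the newline that was data:
$lossy = rtrim(zero_pad($plain, $blockSize), "\x00..\x1F");
var_dump($lossy === $plain);

// PKCS#7 round-trips exactly, whatever the plaintext ends with:
var_dump(pkcs7_unpad(pkcs7_pad($plain, $blockSize), $blockSize) === $plain);
var_dump(pkcs7_unpad(pkcs7_pad("[123]\0\0", $blockSize), $blockSize) === "[123]\0\0");

$encKey = random_bytes(32);
$macKey = random_bytes(32);
$blob = encrypt_then_mac($plain, $encKey, $macKey);
var_dump(decrypt_and_verify($blob, $encKey, $macKey) === $plain);

// A flipped ciphertext byte is rejected by the HMAC, not by a padding error:
$tampered = $blob;
$tampered[20] = chr(ord($tampered[20]) ^ 0x01);
try {
    decrypt_and_verify($tampered, $encKey, $macKey);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Run as `php example.php`. The first var_dump is false (the newline was trimmed away with the padding), the next three are true (PKCS#7 and openssl both give back the exact plaintext, including the trailing "\0\0" case that any rtrim() would destroy), and the tampered message ends with "authentication failed". This answers question 3 in practice: with a reversible padding scheme the cipher and mode can stay as they are, and the padding is removed by length, not by guessing which trailing bytes are garbage.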
