#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2011
    Posts
    18
    Rep Power
    0

    Problems with mcrypt encryption/decryption


    I am using mcrypt to encrypt and then decrypt a number.
    It works most of the time but on occasion where the decrypted number is supposed to be displayed there is just a lot of random gibberish like this
    p�{���i ��u��

    I dont understand why it works most of the time but not others, there is no obvious pattern either.

    The code is below
    Code:
    public function encryptCard($creditno){
    		$key = 'arandomkey'; 
                    $td = mcrypt_module_open('tripledes', '', 'cfb', '');
                    srand((double) microtime() * 1000000);
                    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
                    $okey = substr(md5($key.rand(0, 9)), 0, mcrypt_enc_get_key_size($td));
                    mcrypt_generic_init($td, $okey, $iv);
                    $encrypted = mcrypt_generic($td, $creditno.chr(194));
                    $code = $encrypted.$iv;
                    $code = str_replace("'", "\'", $code);
                    return $code;
    	}
    	
    	public function decryptCard($code){
    		$key = 'arandomkey'; 
                    $td = mcrypt_module_open('tripledes', '', 'cfb', '');
                    $iv = substr($code, -8);
                    $encrypted = substr($code, 0, -8);
                    for ($i = 0; $i < 10; $i++) {
                        $okey = substr(md5($key.$i), 0, mcrypt_enc_get_key_size($td));
                        mcrypt_generic_init($td, $okey, $iv);
                        $decrypted = trim(mdecrypt_generic($td, $encrypted));
                        mcrypt_generic_deinit($td);
                        $txt = substr($decrypted, 0, -1);
                        if (ord(substr($decrypted, -1)) == 194 && is_numeric($txt)) break;
                    }
                    mcrypt_module_close($td);
                    return $txt;
    	}
  2. #2
  3. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    Why are you doing this?
    PHP Code:
    $code str_replace("'""\'"$code); 
    (will reply more later)
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  4. #3
  5. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    PHP Code:
    $td mcrypt_module_open('tripledes''''cfb'''); 
    Although the examples in the manual do show a string for the first and third argument, it is better to use a constant for this because the constant won't change in the future, but the string value might.

    Unless you need 3DES for compatibility reasons, I recommend using AES instead. 3DES is not considered to be insecure, but 3DES only exists because the algorithm that it's based on (DES) is insecure. AES is a more modern replacement for DES.

    ----

    PHP Code:
    srand((double) microtime() * 1000000); 
    Don't seed the RNG yourself; especially not using the time, which is extremely predictable. Make sure you are running PHP 5.3 or higher so that mcrypt_create_iv will seed itself using a secure source of randomness.

    ----

    PHP Code:
    $okey substr(md5($key.rand(09)), 0mcrypt_enc_get_key_size($td)); 
    ! Don't MD5 your key. This is an extreme security weakness because you just reduced the security of your key from 2^192 down to 16^24 - that's 29 orders of magnitude that you just weakend your encryption by.

    Also get rid of that rand(0, 9) thing, that serves no purpose and adds no security.

    Look up pbkdf2 and use that to stretch your key instead.

    ----

    PHP Code:
    $encrypted mcrypt_generic($td$creditno.chr(194)); 
    Using a single character as a check character isn't insecure, but also isn't particularly effective.

    ----

    PHP Code:
    $code str_replace("'""\'"$code); 
    I don't know what this is doing and it shouldn't be there.

    ====

    PHP Code:
    $iv substr($code, -8); 
    Assuming that your IV is always 8 bytes isn't a very safe assumption. When this changes in the future your code will break.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  6. #4
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2011
    Posts
    18
    Rep Power
    0
    Hi, E-Oreo. Thanks for the detailed analysis of the encryption/decryption functions. Unfortunately i was trying to fix someone else's code which i later found out was just copied off a blog post on the net.
    I ended up creating my own functions using mcrypt_encrypt and crypt_decrypt and have had no problems with it. Im glad i did change it after all of the issues you picked up on in the previous code

IMN logo majestic logo threadwatch logo seochat tools logo