I need to translate next PHP code to Lua:
mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $message, MCRYPT_MODE_ECB);
to Nginx+Lua.
I have openssl extension, but the problem is MCRYPT_RIJNDAEL_256. I do not know what method for openssl I need to use, and as I understood from this post: http://thefsb.tumblr.com/post/111035508040/porting-php-code-from-mcrypt-to-openssl I can't use openssl at all. Any other solutions?
Also, you may say I should not use mcrypt_decrypt/encrypt or MCRYPT_RIJNDAEL_256 at all, but I must, since I need to port PHP project to Nginx+Lua and changing encryption method will break whole system at the moment and consequences will be devastating.
Related
Since this day I've used mcrypt on my website to encrypt the users e-mail address.
The php mcrypt module was installed with php 7.4 on my last server so it didn't make any problems.
Since I needed to change the hosting company, they won't provide me with a mcrypt installation on their server. So I'll need to change the function which will be supported on php 7.4.
I had this function to encrypt my users e-mail address for security reasons if a sql injection ever happened.
function encrypt_128($string){
$string = rtrim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $string, MCRYPT_MODE_ECB)));
return $string;
I've replaced with this function but it doesn't return the same output.
function encrypt_128($string){
return rtrim(base64_encode(openssl_encrypt($string, 'aes-256-ecb', $key, OPENSSL_RAW_DATA)));
I've read that mcrypt uses no padding and I tried adding OPENSSL_ZERO_PADDING but it can't encrypt the users e-mail address anymore, and returns no output.
I'll need the function to make the same output because the new users can register with the same e-mail address as the old users.
It turns out it isn't a way to make this possible
I just decrypted all my data and re encrypted them with the new algorithm. It took long but it was a needed change.
If anyone knows how feel free to post an answer.
Since mcrypt was deprecated in PHP 7.1 and I have a lot of data encrypted/decrypted with mcrypt in existing project, how to migrate my PHP code from mcrypt to OpenSSL? I have the following code to encrypt:
$encoded = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, 'salt', 'source string', MCRYPT_MODE_ECB));
And decryption code is:
$source = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, 'salt', base64_decode('encoded string'), MCRYPT_MODE_ECB);
What openssl_ functions should I use in the above examples to get the same results without encoded data conversion?
Or the only way is to run a script which will decrypt all my stored encrypted data with mcrypt and encode with openssl?
Thanks
OpenSSL doesn't have the Rijndael-256 cipher; there's no equivalent - you'll have to decrypt and re-encrypt everything.
But also:
You're missing padding and authentication.
Don't use ECB mode.
"salt" is not a proper encryption key, nor is any regular string. Use random_bytes() to generate your keys, with the proper key length for the chosen algorithm.
All of the above can be summed up like this: don't do it on your own, use a well-vetted library like defuse/php-encryption.
Cryptography is no simple thing and you can't do it properly with just 5 lines of code.
I'm looking for anything about RC4 Decryption with decode the input using: Hexa
Lucky for me, I found
PHP's mcrypt_encrypt.
I want to decrypt many cipher files with the same key.
But, I had a problem with:
$iv_size = mcrypt_get_iv_size(MCRYPT_ARCFOUR, MCRYPT_MODE_STREAM);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
print (mcrypt_decrypt(MCRYPT_ARCFOUR, $key, $text, MCRYPT_MODE_STREAM, $iv));
(And UTF-8 Vietnamese)
The result of echo $iv_size is 0.
Please help me, I don't know how I can fix it?
Key : Lyr1cjust4nct (key file .txt)
Mode: STREAM
Decode the input using: Hexa
Ciphertext: cipher.txt (Hexa)
http://pastebin.com/bmYcmU0J
RC4 doesn't support IVs. You instead need to use a unique key for each message.
RC4 has two big weaknesses that apply to your situation:
Using related keys is not secure. So you can't just concatenate a fixed key with a variable/unique IV. You'd need to use some kind of hashing scheme.
The beginning of the output is very biased, which leaks information about the ciphertext. So you need to throw away the beginning of the key-stream. I think throwing away 1024 bytes should take care of the biggest biases.
RC4 doesn't include any integrity protection (MAC). So if an attacker manipulates the ciphertext, you'll run into problems.
=> Don't use RC4. Use AES in an authenticated mode such as GCM or by combining AES with a MAC using the encrypt-then-MAC principle.
I strongly recommend using a high level library written by experts, since people get encryption wrong very often, even when using standard primitives like AES.
I'm trying to store encrypted cookies in a PHP app and have implemented 2 different encryption libraries in attempts to get this to work.
Both implementations, when deployed to the server, are generating fatal exceptions when calling my encryption function. On my local dev env, however, both encryption implementations are working successfully.
My open_ssl implementation code (works on localhost, does not work on remote server):
set_encrypted_cookie("foo","my_cookie_name");
function set_encrypted_cookie($msg,$name){
$key = '0123456qwerty'; // Key is stored externally but defined locally for debugging
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$encryptedStr = openssl_encrypt($msg, 'aes-256-cbc', $key, OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING, $iv);
setcookie($name,$encryptedStr,0,'/');
}
Any thoughts on why the server might be not allowing the openssl_encrypt() func to execute?
openssl_encrypt() returns raw binary, you should base64_encode() before storing in a cookie.
Before you do that, a couple of things you can do to improve your cryptography protocol:
Use MCRYPT_DEV_URANDOM, not MCRYPT_RAND.
Store your IV with your ciphertext (before base64_encode()ing it), so you can use the same IV when decrypting.
Encrypt then MAC.
The last link has two functions, setLessUnsafeCookie() and getLessUnsafeCookie(), that you can use as a drop-in on PHP 5.6.x.
There are still two more things to do to make it safe to use:
Use HKDF to split the key into an encryption key and a decryption key.
Use PKCS7 padding on the plaintext.
(If you want to go for maximum security, you can use libsodium instead of openssl.) Also, don't use mcrypt.
Problem
I need to encrypt data in Javascript and decrypt it in PHP. Mcrypt seems the way to go on the PHP side, and AES seems thoroughly good enough, but I'm having trouble finding a javascript decryption algorithm that matches it. Any suggestions? I'm open to replacing any of the assumptions (mcrypt, aes, ECB, etc) if it'll help get a compatible js encryption/decryption library.
Code
The PHP looks pretty much like this:
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$encrypted = mcrypt_encrypt( MCRYPT_RIJNDAEL_256, $key, $plaintext,
MCRYPT_MODE_ECB,$iv );
Rationale
Not that it matters, but the point here is to encrypt some credentials to an external system so that we can pass it around our server without our analytics and logging servers picking it up in the clear. It'll eventually be decrypted in the PHP just before it's sent to the external system.
I ended up using the SlowAES library, which has parallel implementations in PHP and JS:
http://kevinkuchta.com/_site/2011/08/matching-php-and-js-encryption/