I am storing some encrypted information in a MySQL database, but I can't get it back out for some reason. I am storing the encrypted data as BINARY(46). Why is my select statement failing?
Here is my SELECT statement:
SELECT max(created) FROM incentive_sales WHERE incentive_sales.accountID = :aid
So shouldn't I encrypt the accountID (:aid) for my select statement?
Here is my encrypt function:
private function _encrypt($decrypted, $password, $salt = '|SgQLL*ea!UMwf^s%'){
// Build a 256-bit $key which is a SHA256 hash of $salt and $password.
$key = hash('SHA256', $salt . $password, true);
// Build $iv and $iv_base64. We use a block size of 128 bits (AES compliant) and CBC mode. (Note: ECB mode is inadequate as IV is not used.)
srand(); $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), MCRYPT_RAND);
if (strlen($iv_base64 = rtrim(base64_encode($iv), '=')) != 22){
return false;
}
// Encrypt $decrypted using $key.
$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $decrypted, MCRYPT_MODE_CBC, $iv));
return $iv_base64.$encrypted;
}
And my decrypt function:
private function _decrypt($encrypted, $password, $salt = '|SgQLL*ea!UMwf^s%'){
// Build a 256-bit $key which is a SHA256 hash of $salt and $password.
$key = hash('SHA256', $salt . $password, true);
// Retrieve $iv which is the first 22 characters plus ==, base64_decoded.
$iv = base64_decode(substr($encrypted, 0, 22) . '==');
// Remove $iv from $encrypted.
$encrypted = substr($encrypted, 22);
// Decrypt the data.
$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($encrypted), MCRYPT_MODE_CBC, $iv)
return $decrypted;
}
The correct answer is, "As far as I know, you cannot use encrypted data as a selection in the where clause because it will always be different."
To circumvent this (because I do want to be able to select based on the encrypted data), I also store a hashed/salted value of the encrypted data which I then use in my select statement.
Related
I want to encrypt data in livecode using mergAESEncryptWithKey pData,pKey,pIV,[pMode],[pKeySize],[pPadding]. The encrypted data is then posted to php. PhP decrypts the data using the same function, does something with the data and then encrypts the results and posts them to livecode. Livecode then decrypts the data from php
My PHP Code looks like this (This works perfect)
function encrypt($plaintext, $salt) {
$method = "AES-256-CBC";
$key = hash('sha256', $salt, true);
$iv = openssl_random_pseudo_bytes(32);
$ciphertext = openssl_encrypt($plaintext, $method, $key, $iv);
$hash = hash_hmac('sha256', $ciphertext . $iv, $key, true);
return $iv . $hash . $ciphertext;
}
function decrypt($ivHashCiphertext, $salt) {
$method = "AES-256-CBC";
$iv = substr($ivHashCiphertext, 0, 32);
$hash = substr($ivHashCiphertext, 32, 48);
$ciphertext = substr($ivHashCiphertext, 64);
$key = hash('sha256', $salt, true);
//if (!hash_equals(hash_hmac('sha256', $ciphertext . $iv, $key, true), $hash)) return null;
return openssl_decrypt($ciphertext, $method, $key, $iv);
}
echo $encrypted."</br>";
echo "----------------------------The message is:<br/>";
echo decrypt($encrypted, 'hashsalt');
For most of you who just don't know but still want to post good for nothing comments, I figured it out. #Sammitch and #Mark asking a question don't mean someone is stupid.
/*
* Encrypt or decrypt data using
* AES-256-CBC
*/
function encrypt_decrypt($mode,$data,$key,$salt){
//define the cipher method
$ciphering = "AES-256-CBC";
// Use OpenSSl Encryption method. This works on PHP 7.2 and above
$iv_length = openssl_cipher_iv_length($ciphering);
$options = 0;
if($mode=="encrypt"){
// Use openssl_encrypt() function to encrypt the data
$Data = openssl_encrypt($data, $ciphering, $key, $options, $salt);
}else{
// Use openssl_decrypt() function to decrypt the data
$Data = openssl_decrypt($data, $ciphering, $key,$options, $salt);
}
return $Data;
}
Oooh and this is for livecode
//encrypt
encrypt tString using "aes-256-cbc" with key theKey and IV saltHash at 256 bit
//decrypt
decrypt base64Decode(varEnc) using "aes-256-cbc" with key theKey and IV saltHash at 256 bit
Hello i'm using Mcrypt to obfuscate some values i'm sending via mail.
When i encrypt the value on my local site, and decrypt it it works ok in every attempt, i mail the value, but when i link back to my site, and try to decrypt it in another page, it works sometimes only.
I'm kinda stuck and dunno why. I'm not so familiar with crypt functions.
This is the code im using for encrypt
function encrypt($decrypted, $password, $salt='!kQm*fF3pXe1Kbm%9') {
// Build a 256-bit $key which is a SHA256 hash of $salt and $password.
$key = hash('SHA256', $salt . $password, true);
// Build $iv and $iv_base64. We use a block size of 128 bits (AES compliant) and CBC mode. (Note: ECB mode is inadequate as IV is not used.)
srand(); $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), MCRYPT_RAND);
if (strlen($iv_base64 = rtrim(base64_encode($iv), '=')) != 22) return false;
// Encrypt $decrypted and an MD5 of $decrypted using $key. MD5 is fine to use here because it's just to verify successful decryption.
$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $decrypted . md5($decrypted), MCRYPT_MODE_CBC, $iv));
// We're done!
return $iv_base64 . $encrypted;
}
This is the code i'm using for decrypt
function decrypt($encrypted, $password, $salt='!kQm*fF3pXe1Kbm%9') {
// Build a 256-bit $key which is a SHA256 hash of $salt and $password.
$key = hash('SHA256', $salt . $password, true);
// Retrieve $iv which is the first 22 characters plus ==, base64_decoded.
$iv = base64_decode(substr($encrypted, 0, 22) . '==');
// Remove $iv from $encrypted.
$encrypted = substr($encrypted, 22);
// Decrypt the data. rtrim won't corrupt the data because the last 32 characters are the md5 hash; thus any \0 character has to be padding.
$decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($encrypted), MCRYPT_MODE_CBC, $iv), "\0\4");
// Retrieve $hash which is the last 32 characters of $decrypted.
$hash = substr($decrypted, -32);
// Remove the last 32 characters from $decrypted.
$decrypted = substr($decrypted, 0, -32);
// Integrity check. If this fails, either the data is corrupted, or the password/salt was incorrect.
if (md5($decrypted) != $hash) return false;
// Yay!
return $decrypted;
}
The $password and $salt variables are being packed using
pack("H*", $string);
After the first failed attempts, i started using urlencode and urldecode for the values on the URL but still the same issue persists.
What i'm doing wrong? i'm really stuck here
Thanks
Your encoded string is being sent with plus (+) signs, wich are being interpreted on the url as blank spaces, you can encode the URL or use str_replace to change empty spaces on the string for plus's sign
Such.
$encrypted_string= "random1234string with blank space";
$empty = array(" ");
$plus = array("+");
$new_encrypted_string = str_replace($empty, $plus, $encrypted_string);
Outputs: "random1234string+with+blank+space"
I'm having totally confounding encryption/decryption results. I have two different strings that I need to encode and later decode, the encrypted string being stored in a MySQL database in between. The first of these strings comes out just fine. However, the second one always returns from decryption with the value FALSE. I've stripped out all of the non-essential factors, and am directly passing a plaintext value of "test" to both encryption routines. Again, the first one returns correctly (as "test") the second one returns as "false").
I'm banging my head against the wall trying to figure out what I am doing wrong. I'm using the same password and the same salt in both files. How is it possible that one will work but the second won't???
One clue: if I put this code into a single php file and bypass the database, it all works just fine. Not sure what to make of this, but it's interesting at least.
Here is the code. The encryption/decryption routine comes from a user post on the php site for mcrypt. Can anyone see it? It's probably something stupid.
setValues.php
$encrypted_email_pw = encrypt("test", $password);
$encrypted_default_pw = encrypt("test", $password);
$sql = "UPDATE Settings
SET email_password='$encrypted_email_pw',
default_pw='$encrypted_default_pw'
WHERE id='$id'";
$result = mysql_query($sql);
getValues.php
$sql = "SELECT * FROM Settings";
$result = mysql_query($sql);
$row = mysql_fetch_array($result); //there is only one row in this table
$decrypted_email_pw = decrypt($row['email_password'], $password);
$decrypted_default_pw = decrypt($row['default_pw'], $password);
echo $decrypted_email_pw . " | " . $decrypted_default_pw;
//output: test | false
die();
crypto.php
<?php
function encrypt($decrypted, $password, $salt='6rVDB?zKe6batB+k') {
// Build a 256-bit $key which is a SHA256 hash of $salt and $password.
$key = hash('SHA256', $salt . $password, true);
// Build $iv and $iv_base64.
// We use a block size of 128 bits (AES compliant) and CBC mode.
// (Note: ECB mode is inadequate as IV is not used.)
srand(); $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), MCRYPT_RAND);
if (strlen($iv_base64 = rtrim(base64_encode($iv), '=')) != 22) return false;
// Encrypt $decrypted and an MD5 of $decrypted using $key.
// MD5 is fine to use here because it's just to verify successful decryption.
$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $decrypted . md5($decrypted), MCRYPT_MODE_CBC, $iv));
// We're done!
return $iv_base64 . $encrypted;
}
function decrypt($encrypted, $password, $salt='6rVDB?zKe6batB+k') {
// Build a 256-bit $key which is a SHA256 hash of $salt and $password.
$key = hash('SHA256', $salt . $password, true);
// Retrieve $iv which is the first 22 characters plus ==, base64_decoded.
$iv = base64_decode(substr($encrypted, 0, 22) . '==');
// Remove $iv from $encrypted.
$encrypted = substr($encrypted, 22);
// Decrypt the data.
// rtrim won't corrupt the data because the last 32 characters are the md5 hash;
// thus any \0 character has to be padding.
$decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($encrypted), MCRYPT_MODE_CBC, $iv), "\0\4");
// Retrieve $hash which is the last 32 characters of $decrypted.
$hash = substr($decrypted, -32);
// Remove the last 32 characters from $decrypted.
$decrypted = substr($decrypted, 0, -32);
// Integrity check. If this fails, either the data is corrupted, or the password/salt was incorrect.
if (md5($decrypted) != $hash) return false;
return $decrypted;
}
?>
Have you checked the two columns in the Settings table? Do they have the same data types?
And are you sure the encrypt() and decrypt() methods work correctly?
After you get this working, you should consider using a random generated salt for each password and store the salt in the table together with the password.
My web application needs to connect to several FTP servers and I don't want the FTP passwords to be stored in plain text. Hashing is not an option, because I need two-way encryption.
That's why I wrote the following class in PHP, based on mcrypt documentation. It uses mcrypt to encrypt and decrypt plain text. A password input field is used as input for the $password variable.
Can I consider this encryption as secure when I use a 50 character strong password to encrypt the text?
Thank you in advance.
class Crypto
{
private $_iv_size, $_iv;
function __construct()
{
$this->_iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
$this->_iv = mcrypt_create_iv($this->_iv_size, MCRYPT_RAND);
}
function encrypt($plaintext, $password)
{
$key = pack('H*', hash("SHA512", $password, true));
$plaintext_utf8 = utf8_encode($plaintext);
$ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key,
$plaintext_utf8, MCRYPT_MODE_CBC, $this->_iv);
$ciphertext = $this->_iv . $ciphertext;
$ciphertext_base64 = base64_encode($ciphertext);
return $ciphertext_base64;
}
function decrypt($ciphertext_base64, $password)
{
$key = pack('H*', hash("SHA512", $password, true));
$ciphertext_dec = base64_decode($ciphertext_base64);
$iv_dec = substr($ciphertext_dec, 0, $this->_iv_size);
$ciphertext_dec = substr($ciphertext_dec, $this->_iv_size);
$plaintext_utf8_dec = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key,
$ciphertext_dec, MCRYPT_MODE_CBC, $iv_dec);
return $plaintext_utf8_dec;
}
}
Yes, AFAICS(1) the code should protect the payload.
since you are deriving the key used for the encryption from the password, it would be neater to only implement this once in your code (even if it is only a single line). But the glaring WTF is that you through all this bother, to protect an FTP password which is sent in clear text to the FTP server!
1 - it's imposible to prove that code is secure or bug free
I'm trying to encrypt some information in my code, so I searched for a way to do this.
I found this on php official website:
http://www.php.net/manual/vote-note.php?id=107483&page=book.mcrypt&vote=down
So, I changed it a little bit and I did this:
class EncrypterDecrypter {
private $SECRET = "xxxxxxxxxxxxxxxxxxxx";
function encrypt($decrypted, $salt = 'zzzzzzzzzzzzzzzzzz') {
$password = $this->SECRET;
// Build a 256-bit $key which is a SHA256 hash of $salt and $password.
$key = hash('SHA256', $salt . $password, true);
// Build $iv and $iv_base64. We use a block size of 128 bits (AES compliant) and CBC mode. (Note: ECB mode is inadequate as IV is not used.)
srand();
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), MCRYPT_RAND);
if (strlen($iv_base64 = rtrim(base64_encode($iv), '=')) != 22)
return false;
// Encrypt $decrypted and an MD5 of $decrypted using $key. MD5 is fine to use here because it's just to verify successful decryption.
$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $decrypted . md5($decrypted), MCRYPT_MODE_CBC, $iv));
// We're done!
return $iv_base64 . $encrypted;
}
public function decrypt($encrypted, $salt = 'zzzzzzzzzzzzzzzzzz') {
$password = $this->SECRET;
// Build a 256-bit $key which is a SHA256 hash of $salt and $password.
$key = hash('SHA256', $salt . $password, true);
// Retrieve $iv which is the first 22 characters plus ==, base64_decoded.
$iv = base64_decode(substr($encrypted, 0, 22) . '==');
// Remove $iv from $encrypted.
$encrypted = substr($encrypted, 22);
// Decrypt the data. rtrim won't corrupt the data because the last 32 characters are the md5 hash; thus any \0 character has to be padding.
$decrypted = rtrim(
mcrypt_decrypt(MCRYPT_RIJNDAEL_128,
$key, base64_decode($encrypted),
MCRYPT_MODE_CBC, $iv),
"\0\4");
// Retrieve $hash which is the last 32 characters of $decrypted.
$hash = substr($decrypted, -32);
// Remove the last 32 characters from $decrypted.
$decrypted = substr($decrypted, 0, -32);
// Integrity check. If this fails, either the data is corrupted, or the password/salt was incorrect.
if (md5($decrypted) != $hash)
return false;
// Yay!
return $decrypted;
}
}
I already tried to change the key and salt size but the warning keeps showing.
I also searched other topics but I could not find any answer, they all look to specific.