I have a function to encrypt and decrypt the data. I want to get the IV of the encrypted string while decrypting.
Is there any possible way to extract the iv of an encrypted string in php?
I am using php's mcrypt_encrypt function with RIJNDAEL_128.
The IV will not be included in the encrypted output. It is your responsibility to pass this IV value to whomever needs to decrypt your data.
A common approach is prepend the IV to the ciphertex, so that the first sixteen bytes will be the IV for your AES decryption operation.
As mentioned in the comments, IV values should be randomly generated. Hard-coding an IV will lessen the security of your system.
Related
I have a requirement to pass sensitive data from the source server (running Craft CMS) to a Laravel API. As a result, I would like to encrypt the string at the source server so that the string can be decrypted in the Laravel API for processing.
Laravel has great encryption out of the box so I would prefer to use that for simplicity. How can I ensure the string is encrypted in the same format on the source server?
If this isn't possible (due to the environment difference), what is the next best alternative?
When you encrypt something in Laravel, it returns a base64 encoded JSON string with all the necessary information: IV, encrypted string, HMAC.
To create a string in the format of the Laravel Encrypter, you can do the following.
Encrypt the string using 'AES-CBC'. While it is not the most recommended mode, it is the mode Laravel uses. You can use either 256 bit or 128 bit although you obviously should use 256 (Laravel also tries to serialize the passed value so you should do this too).
Create the HMAC with the function hash_hmac(). The parameters you need are the IV (base64 encoded) and the encrypted string. Concatenate them and use your encryption key to create the HMAC using sha256 as the hashing algorithm.
Create an array with the IV, the encrypted string and the HMAC. Laravel uses the compact() function for this so I would do the same.
JSON encode the resulting array and base64 encode the resulting JSON string.
The result should be an encoded string that Laravel can decrypt with the correct key.
For reference: The source code for the Encrypter class
The Hypothesis: my encryption/decryption mechanism malfunctioned in such a way that integer plaintext message Pi1 was encrypted and got later decrypted into an integer plaintext Pi2.
The technical circumstance: I use AES 128-bit with random IV for encryption/decryption. The key is changed everyday. I use openssl php extension.
The actual problem: I encrypted Pi1, but then I decrypted it to Pi2. Those are numbers around 120000 and 120100 respectively. I do not know whether key(somedayago) or key(today) was used to decrypt the message.
The question: is it possible that
Pi1 encrypted with k was decrypted using k to Pi2? or
Pi1 encrypted with k(today-n) was decrypted using k(today) to Pi2?
Thanks
I need to encrypt large string is it possible to do it with RSA public key private key ?
Depending on how large the string you're wanting to encrypt is - if it's larger than the modulo - it's usually best to just encrypt a randomly generated string of x bytes that serves as the key to a symmetric algorithm and then use that symmetric algorithm to encrypt the "large string".
eg. encrypt a 16 byte (128 bit) key for AES and then encrypt the "large string" not with RSA but with AES and append it to the RSA encrypted AES key.
Or you could use a larger modulo, too, but the larger the modulo the more time it'd take to perform encryption / decryption.
Short question: I have encrypted a string with AES-256 with the openssl commandline tool. How can I decrypt this with PHP's openssl library? (since Rijndael-256 and AES-256 are not the same, and there is no AES-256 option)
Thanks in advance,
Jori.
You should use MCRYPT_RIJNDAEL_128 instead of MCRYPT_RIJNDAEL_256 but you should use a 256 bit key, preferably the one you encrypted the data with.
The X in MCRYPT_RIJNDAEL_X is the block size of the cipher. Rijndael has several block and key sizes, but only Rijndael with a block size of 128 bits and a key size of 128, 192 or 256 bits (and the key size specific vectors and number of rounds) should be called AES.
Make sure you also match the encryption mode (the unsafe ECB or CBC encoding) and make sure your (un)padding is correct.
Shouldn't it be acceptable to use any routine to decrypt, as long as it decrypts AES-256?
Try this, previously seen on stackoverflow... it was just a google away... PHP AES encrypt / decrypt
Is there a way in PHP to test if a string has been encrypted using mcrypt_encrypt?
You have not written what you're actually concerned about specifically, but:
Whether or not some data has been encrypted is not dependent on which encryption function has been used but which encryption algorithm. Say, if somebody has encrypted something in PERL or in PHP - you can't tell by having the encrypted string.
So as this applies, you can't tell for mcrypt_encrypt. That function does not leave any sign inside the encrypted data.
However, if you have the key and the original text (plain) as well as the algorithm, you can reverse what mcrypt_encrypt does with mcrypt_decrypt. You can then compare the plains and if they match you can say that the plain was encrypted with the specific key and algorithm.
As we're talking about encryption, this is normally not the case, you don't have the plain.
However, you can create a checksum of the plain and encrypt it as well. Then you can decrypt it later on and compare it with a checksum of the plain you encrypted as well to tell if the data was successfully decrypted. But as this shows, this is actually additional information next to the encrypted data.
If you add more information what you're looking for, it might be possible to give more helpful suggestions.
when encrypting add some static text to your string ; when cheking use mcrypt_encode again with static text this time without original string see if encrypted static text exist in encrypted string . it should work
Presumably you mean mcrypt_encrypt()? There is no mcrypt_encode() function.
No. A properly encrypted string should be indistinguishable from random garbage. The only way to test a crypted string to see if it's crypted is to decrypt it.