I'm trying to encrypt a string the same way on a server in PHP as on an Objective-C on iOS. I've used PHP's crypt() function with the blowfish algorithm, but it takes two parameters: the string to encode and a salt. The Objective-C implementation I found: https://dl.dropboxusercontent.com/u/28430840/Blowfish-iOS-Source.zip
which was at http://www.codeding.com/articles/blowfish-encryption-algorithm-for-iphone takes three different parameters: either EBC/CBC encoding, an initvector and a key -- how does this translate to the PHP salt?
I found the initial c library but I have no idea how to include it in my project -- when I compile it fails and complains about the x86.S file.
Thanks!!!
I suppose you are looking at the wrong function. It's not crypt what you search, but mcrypt_encrypt.
This function takes an init vector, a key and an encoding parameter.
Related
I have a requirement to pass sensitive data from the source server (running Craft CMS) to a Laravel API. As a result, I would like to encrypt the string at the source server so that the string can be decrypted in the Laravel API for processing.
Laravel has great encryption out of the box so I would prefer to use that for simplicity. How can I ensure the string is encrypted in the same format on the source server?
If this isn't possible (due to the environment difference), what is the next best alternative?
When you encrypt something in Laravel, it returns a base64 encoded JSON string with all the necessary information: IV, encrypted string, HMAC.
To create a string in the format of the Laravel Encrypter, you can do the following.
Encrypt the string using 'AES-CBC'. While it is not the most recommended mode, it is the mode Laravel uses. You can use either 256 bit or 128 bit although you obviously should use 256 (Laravel also tries to serialize the passed value so you should do this too).
Create the HMAC with the function hash_hmac(). The parameters you need are the IV (base64 encoded) and the encrypted string. Concatenate them and use your encryption key to create the HMAC using sha256 as the hashing algorithm.
Create an array with the IV, the encrypted string and the HMAC. Laravel uses the compact() function for this so I would do the same.
JSON encode the resulting array and base64 encode the resulting JSON string.
The result should be an encoded string that Laravel can decrypt with the correct key.
For reference: The source code for the Encrypter class
When I apply Crypt::encrypt(1) I'm getting this encrypted string:
eyJpdiI6IlBoQnliQkZkb0NPT1g5NG9FbkpqV2hLa3ZLUnlWSEFRMEZwM2YxTEdNVk09IiwidmFsdWUiOiJ0N0kyWmZvRWVETzE3WTJWVU5DS1ZpTVFYTGpXNHQxT2YyQWdsMFgxK0xvPSIsIm1hYyI6IjAzMjAzNzdhNzZmYmZiZDVkZGJkMjM5MWY5NjhkNzJjMWFhMzNiYmYyZDJkODNlMmFkODcyNzdhYTE3ZjFkODMifQ==
Is it possible to make string shorter (4-5 times shorter) in Laravel, using the same two-way encryption?
What you want to do, instead of encrypting uri portion is obfuscate it. For example, one of the great libraries for php is Hashids
I am working on a data intensive project where I have been using PHP for fetching data and encrypting it using phpseclib. A chunk of the data has been encrypted in AES with the ECB mode -- however the key length is only 10. I am able to decrypt the data successfully.
However, I need to use Python in the later stages of the project and consequently need to decrypt my data using it. I tried employing PyCrypto but it tells me the key length must be 16, 24 or 32 bytes long, which is not the case. According to the phpseclib documentation the "keys are null-padded to the closest valid size", but I'm not sure how to implement that in Python. Simply extending the length of the string with 6 spaces is not working.
What should I do?
I strongly recommend you adjust your PHP code to use (at least) a sixteen byte key, otherwise your crypto system is considerably weaker than it might otherwise be.
I would also recommend you switch to CBC-mode, as ECB-mode may reveal patterns in your input data. Ensure you use a random IV each time you encrypt and store this with the ciphertext.
Finally, to address your original question:
According to the phpseclib documentation the "keys are null-padded to the closest valid size", but I'm not sure how to implement that in Python. Simply extending the length of the string with 6 spaces is not working.
The space character 0x20 is not the same as the null character 0x00.
I have the luxury of starting from scratch, so I'm wondering what would be a good hash to use between PHP and Python.
I just need to be able to generate the same hash from the same text in each language.
From what I read, PHP's md5() isn't going to work nicely.
md5() always plays nicely - it always does the same thing because it is a standard hashing format.
The only tripping hazard is that some languages default return format for an MD5 hash is a 32 byte ascii string containing hexadecimal characters, and some use a 16 byte string containing a literal binary representation of the hash.
PHP's md5() by default returns a 32-byte string, but if you pass true to the second argument, it will return the 16 byte form instead. So as long as you know which version your other language uses (in you case Python), you just need to make sure that you get the correct format from PHP.
You may be better using the 32-byte form anyway, depending on how your applications communicate. If you use a communication protocol based on plain-text (such as HTTP) it is usually safer to use plain-text versions of anything - binary, in this case, is smaller, but liable to get corrupted in transmission by badly written servers/clients.
The binary vs. ascii problem applys to just about any hashing algorithm you can think of.
What is it you want from the hash? (portability, security, performance....)
From what I read, PHP's md5() isn't going to work nicely.
What did you read? Why won't it work?
I just need to be able to generate the same hash from the same text in each language
Since PHP only provides crc32 (very insecure), md5 and sha1 out of the box, it's not exactly a huge amount of testing you need to do. Of course if portability is not an issue then there's the mcrypt and openssl apis available. And more recently the hash PECL gives you a huge choice.
I suggest to use sha1 as it is implemented out of the box in both but has no collision valnurabilities like md5. See: http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities
Why is encryption algorithm may give different results in AS3 and PHP?
In AS3 I use library from http://labs.boulevart.be/index.php/2007/05/23/encryption-in-as2-and-as3/.
And in PHP I use RC4 Cipher.
Could some tell me what is the problem? Thanks.
How are you comparing the two results? You could be looking at one result display as a hex string, and another in ASCII for example. Have you also tried comparing the result to online (such as from Wikipedia) test vector for some simple strings to see if you are getting expected result?
Assuming the obvious like having the same key and initialisation values, you may want to look at the endianness assumptions of the two implementations.
If initial vector (iv) of the encryption libraries in not same (and it is unlikely to be the same as it should be random) the encryption will not give you same result.
If you want to check - check encryption with one and decryption with other and vise-verse