mcrypt_encrypt, mcrypt_generic: Trying to see the point.

Warning: mcrypt_ecb(): Attempt to use an empty IV... Part II

capulet_x

4:45 am on Mar 28, 2007 (gmt 0)


This post evolved from my previous unresolved post.

The more I read about mcrypt_encrypt and mcrypt_generic, the more examples I saw that illustrated encryption and decryption within the same script.
My question is this:

What's the point of encrypting something if you can't carry the encrypted data to another page and use the data in its encrypted form?

No pun intended, but I guess I can't see how this mcrypt_encrypt can be applied to cookies, which seemed like one of the primary applications for encryption on the web.

Any thoughts?

eelixduppy

10:44 am on Mar 28, 2007 (gmt 0)



As long as you know the key and algorithm used to encrypt it, you should be able to decrypt the string from anywhere. Consider this example which I just threw together:

// Script 1: encrypt a message and keep the ciphertext in the session.
$key = "this is a secret key";
$input = "Let us meet at 9 o'clock at the secret place.";

$td = mcrypt_module_open('tripledes', '', 'ecb', '');
// ECB mode ignores the IV; one is created only to satisfy mcrypt_generic_init().
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
mcrypt_generic_init($td, $key, $iv);
$encrypted_data = mcrypt_generic($td, $input);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
session_start();
$_SESSION['info'] = $encrypted_data;

As you can see, it encrypts the message and sets it to a session variable. Now if I put the following in another php script:

// Script 2: read the ciphertext back from the session and decrypt it.
session_start();
echo 'Encrypted: '.$_SESSION['info'].'<br/><br/>';
$key = "this is a secret key"; // must match the key used to encrypt
$td = mcrypt_module_open('tripledes', '', 'ecb', '');
// A different random IV than in script 1; harmless here because ECB ignores it.
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
mcrypt_generic_init($td, $key, $iv);
$decrypted_data = mdecrypt_generic($td, $_SESSION['info']);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
echo 'Decrypted: '.$decrypted_data;

So you can see that I've decrypted the string from a completely different script with no problem. And as you can see you need to know the key and the algorithm used.

[edited by: eelixduppy at 12:50 pm (utc) on Mar. 28, 2007]
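
Added example, not part of any post in this thread: the same two-script round trip for a cookie value, using libsodium's `sodium_crypto_secretbox` (PHP 7.2+) in place of mcrypt, which was removed from PHP core in 7.2. The nonce travels with the ciphertext and a modified cookie is rejected; `seal_cookie`, `open_cookie` and the sample value are names assumed for the illustration.

```php
<?php
// Added example (not from the thread). Requires PHP >= 7.2 with the sodium extension.
// seal_cookie() / open_cookie() are hypothetical helper names.

function seal_cookie(string $plaintext, string $key): string
{
    // Fresh random nonce per message. It is not secret, so it is stored
    // in front of the ciphertext and travels inside the cookie value.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

function open_cookie(string $token, string $key): ?string
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null; // not valid base64url
    }
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($raw) < $min) {
        return null; // too short to hold a nonce and an authentication tag
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Returns false when the tag does not verify (wrong key or modified data).
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Constructed demo. A real site generates the key once and keeps it in
// server-side configuration shared by both scripts, never in the cookie.
$key = sodium_crypto_secretbox_keygen();

// "Script 1" would send this with setcookie('info', $token, ...).
$token = seal_cookie('pic_id=1234', $key);

// "Script 2" would read $_COOKIE['info'] and open it with the same key.
echo 'round trip: ', var_export(open_cookie($token, $key), true), PHP_EOL;

// A client that edits the cookie is detected: changing the first character
// alters the nonce, so the authentication tag no longer verifies.
$tampered = $token;
$tampered[0] = ($tampered[0] === 'A') ? 'B' : 'A';
echo 'tampered:   ', var_export(open_cookie($tampered, $key), true), PHP_EOL;
```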

henry0

11:54 am on Mar 28, 2007 (gmt 0)


Eelix, this is interesting.
Since yesterday I have been facing the following:
I need to use GET to pass a pic ID,
but I do not like using GET, for it passes input in full sight,
so I was thinking about using some encryption.
I have never used that type; I will give it a try.

capulet_x

8:59 pm on Mar 28, 2007 (gmt 0)


Thank you, EElix...

Your clear illustration made it a lot easier for me to understand. Originally I was trying to pass the encrypted variable via a cookie rather than a session variable. I've been trying to hide a URL to a local server, but alas it seems I cannot, for reasons that have become more apparent, hide the URL from malicious eyes and not also hide it from the browser.
Hiding it in the session variable is a start... I think I might also put the page inside of an iframe. Not really secure, but it'll have to do.

Thanks again for your detailed input.

Regards.