Tom,
Sorry, I wasn't clear in my first e-mail. We're setting both a vector
and a key. However, when the encrypt or decrypt routine is run, the
key itself is modified while the vector is left unchanged.
For example, given the following values:
Key: 1234567890ABCDEFGHIJKLMNOPQRSTUV
(32 byte, 256 bit)
IV: 1234567890ABCDEF
(16 byte, 128 bit)
Algorithm: MCRYPT_RIJNDAEL_128
Mode: MCRYPT_MODE_CBC
PHP Mcrypt:
$module = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
mcrypt_generic_init($module, '1234567890ABCDEFGHIJKLMNOPQRSTUV',
'1234567890ABCDEF');
$encrypted = mcrypt_generic($module, 'test_string');
$encoded = base64_encode($encrypted);
----
$encoded = gFHQANviiEyF2LEy24Ws+w==
Zend_Filter_Encrypt:
$encrypt = new Zend_Filter_Encrypt(
array(
'adapter'=>'mcrypt',
'algorithm'=>MCRYPT_RIJNDAEL_128,
'mode'=>MCRYPT_MODE_CBC,
'key'=>'1234567890ABCDEFGHIJKLMNOPQRSTUV',
'vector'=>'1234567890ABCDEF'
)
);
$encrypted = $encrypt->filter('test_string');
$encoded = base64_encode($encrypted);
-----
$encoded = mkN6BBnQWHnwiPjnKe6zGg==
The difference there is the result of a difference in key. Even though
I am passing the same key to both function, Zend_Filter_Encrypt_Mcrypt
is modifying it. The key that is actually used to perform the
encryption is '09c87b51e8bfad618e7bb82c538ac525' and not
'1234567890ABCDEFGHIJKLMNOPQRSTUV'.
If I have an existing set of encrypted data using the key
1234567890ABCDEFGHIJKLMNOPQRSTUV, I would have to re-encrypt it using
09c87b51e8bfad618e7bb82c538ac525 in order for Zend_Filter_Decrypt to
work on it, using the same key. Obviously in real life keys would be
a little more complex than 1234...TUV but, the idea remains the same.
Zend_Filter_Encrypt_Mcrypt will only work with applications that run
substr(md5($key), 0, [key length]) logic on the given key before
performing encryption.
Does that make any more sense?
Thanks,
James
On Wed, Apr 22, 2009 at 2:07 PM, Thomas Weidner <thomas.weid...@gmx.at> wrote:
> James,
>
> You may be mistaken by the used notations.
>
> For mcrypt you don't need just a key for decryption.
> You also need the vector from the encryption to get the content decrypted.
> Take a look at the manual for details.
>
> The point is, that the key is used as base for creating the
> encryption-vector.
> And only to have the key is not enough for decryption.
>
> So to answer your questions in detail:
> 1.) No, Yes
> 2.) No
> 3.) No (you should set vector and key when you have them... the key alone
>
> Greetings
> Thomas Weidner, I18N Team Leader, Zend Framework
> http://www.thomasweidner.com
>
> ----- Original Message ----- From: "James Stuart" <ja...@jstuart.org>
> To: <fw-general@lists.zend.com>
> Sent: Wednesday, April 22, 2009 7:41 PM
> Subject: [fw-general] Zend_Filter_Encrypt_Mcrypt Key Modified Before
> Encryption/Decryption
>
>
> Hi,
>
> I encountered an interesting problem with Zend_Filter_Encrypt_Mcrypt.
> We are hoping to use it to interact with a database that contains
> encrypted information. We set everything up, plugged our keys in,
> fired up the app... and nothing decrypted properly. After a little
> big of digging, we found the issue: three lines of code in the
> encrypt() and decrypt() methods of the Mcrypt adapter.
>
> srand();
> $keysize = mcrypt_enc_get_key_size($cipher);
> $key = substr(md5($this->_encryption['key']), 0, $keysize);
>
> This code appears to be in place to ensure that the key is the correct
> size. In doing so, it completely changes the actual value of the key.
> By modifying the key itself the code, for all intensive purposes,
> eliminates the possibility of Zend_Filter_Encrypt_Mcrypt being able to
> interact with any other, non Zend Framework (or even non
> Zend_Filter_Encrypt_Mcrypt) systems.
>
> In order for these filters to be useful to us, we need to be able to
> set the exact key that will be used for encryption. Before we work
> around the issue here I have a couple of questions for this list:
>
> 1.) Am I correct in interpreting that the code above is simply a way
> of ensuring that the key is the correct size? Is it being used for
> any other purpose?
> 2.) Does anyone else see this as a potential issue for them?
> 3.) Would it be worth us modifying Zend_Filter_Encrypt_Mcrypt to
> ensure there is a way around the modification of keys? (If not, we
> may just fork a copy of the class for our own purposes.)
>
> Thanks,
> James
>
