Tom, Sorry, I wasn't clear in my first e-mail. We're setting both a vector and a key. However, when the encrypt or decrypt routine is run, the key itself is modified while the vector is left unchanged.
For example, given the following values: Key: 1234567890ABCDEFGHIJKLMNOPQRSTUV (32 byte, 256 bit) IV: 1234567890ABCDEF (16 byte, 128 bit) Algorithm: MCRYPT_RIJNDAEL_128 Mode: MCRYPT_MODE_CBC PHP Mcrypt: $module = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, ''); mcrypt_generic_init($module, '1234567890ABCDEFGHIJKLMNOPQRSTUV', '1234567890ABCDEF'); $encrypted = mcrypt_generic($module, 'test_string'); $encoded = base64_encode($encrypted); ---- $encoded = gFHQANviiEyF2LEy24Ws+w== Zend_Filter_Encrypt: $encrypt = new Zend_Filter_Encrypt( array( 'adapter'=>'mcrypt', 'algorithm'=>MCRYPT_RIJNDAEL_128, 'mode'=>MCRYPT_MODE_CBC, 'key'=>'1234567890ABCDEFGHIJKLMNOPQRSTUV', 'vector'=>'1234567890ABCDEF' ) ); $encrypted = $encrypt->filter('test_string'); $encoded = base64_encode($encrypted); ----- $encoded = mkN6BBnQWHnwiPjnKe6zGg== The difference there is the result of a difference in key. Even though I am passing the same key to both function, Zend_Filter_Encrypt_Mcrypt is modifying it. The key that is actually used to perform the encryption is '09c87b51e8bfad618e7bb82c538ac525' and not '1234567890ABCDEFGHIJKLMNOPQRSTUV'. If I have an existing set of encrypted data using the key 1234567890ABCDEFGHIJKLMNOPQRSTUV, I would have to re-encrypt it using 09c87b51e8bfad618e7bb82c538ac525 in order for Zend_Filter_Decrypt to work on it, using the same key. Obviously in real life keys would be a little more complex than 1234...TUV but, the idea remains the same. Zend_Filter_Encrypt_Mcrypt will only work with applications that run substr(md5($key), 0, [key length]) logic on the given key before performing encryption. Does that make any more sense? Thanks, James On Wed, Apr 22, 2009 at 2:07 PM, Thomas Weidner <thomas.weid...@gmx.at> wrote: > James, > > You may be mistaken by the used notations. > > For mcrypt you don't need just a key for decryption. > You also need the vector from the encryption to get the content decrypted. > Take a look at the manual for details. > > The point is, that the key is used as base for creating the > encryption-vector. > And only to have the key is not enough for decryption. > > So to answer your questions in detail: > 1.) No, Yes > 2.) No > 3.) No (you should set vector and key when you have them... the key alone > > Greetings > Thomas Weidner, I18N Team Leader, Zend Framework > http://www.thomasweidner.com > > ----- Original Message ----- From: "James Stuart" <ja...@jstuart.org> > To: <fw-general@lists.zend.com> > Sent: Wednesday, April 22, 2009 7:41 PM > Subject: [fw-general] Zend_Filter_Encrypt_Mcrypt Key Modified Before > Encryption/Decryption > > > Hi, > > I encountered an interesting problem with Zend_Filter_Encrypt_Mcrypt. > We are hoping to use it to interact with a database that contains > encrypted information. We set everything up, plugged our keys in, > fired up the app... and nothing decrypted properly. After a little > big of digging, we found the issue: three lines of code in the > encrypt() and decrypt() methods of the Mcrypt adapter. > > srand(); > $keysize = mcrypt_enc_get_key_size($cipher); > $key = substr(md5($this->_encryption['key']), 0, $keysize); > > This code appears to be in place to ensure that the key is the correct > size. In doing so, it completely changes the actual value of the key. > By modifying the key itself the code, for all intensive purposes, > eliminates the possibility of Zend_Filter_Encrypt_Mcrypt being able to > interact with any other, non Zend Framework (or even non > Zend_Filter_Encrypt_Mcrypt) systems. > > In order for these filters to be useful to us, we need to be able to > set the exact key that will be used for encryption. Before we work > around the issue here I have a couple of questions for this list: > > 1.) Am I correct in interpreting that the code above is simply a way > of ensuring that the key is the correct size? Is it being used for > any other purpose? > 2.) Does anyone else see this as a potential issue for them? > 3.) Would it be worth us modifying Zend_Filter_Encrypt_Mcrypt to > ensure there is a way around the modification of keys? (If not, we > may just fork a copy of the class for our own purposes.) > > Thanks, > James >