Thank you! that explains it. Believe it or not, this code is courtesy of a telco in Malaysia (not one of the Big Two). Hard to believe that such craptacular code actually goes into production. Such practices would never be tolerated in an open-source community.
That explains why I kept getting null pointer exceptions when I tried to use getIV() to get the IV. There's no IV at all! Although I did know about the use of the password as the key directly. Guess I shouldn't be using Crypt::CBC at all.
Off-topic again:
I'm renewing my recruitment ploy for developers! if you people reading this have the requisite 2+ years of Linux/Perl/PHP and so forth, and want to work on craptacular Malaysian code (just kidding..), give us a call or email!!! and you don't even have to get up early. :)
Thanks..
On 9/7/06, Gideon Guillen <[EMAIL PROTECTED]> wrote:
On 9/7/06, Orlando Andico <[EMAIL PROTECTED]> wrote:
[snipped]
> As you can see, the IV or salt isn't specified anywhere. I don't want to go
> digging around (and decompiling) the javax.crypto.* libraries!
Well, from what I see in the code, 'Cipher.getInstance("DES")' implies
that it's actually using DES in ECB, not CBC, and with PKCS #5
padding. ('Cipher.getInstance("DES")' implies
'Cipher.getInstance("DES/ECB/PKCS5Padding")')
And as for they key, the reason why there's no salt is that it's
actually using the raw string's first 8 bytes as the encryption key.
So if the password is "foobar12" that's the actual encryption key. Or
if the password is "foobar54321" the encryption key is "foobar54".
_________________________________________________ Philippine Linux Users' Group (PLUG) Mailing List [email protected] (#PLUG @ irc.free.net.ph) Read the Guidelines: http://linux.org.ph/lists Searchable Archives: http://archives.free.net.ph
