Re: [PHP] Encryption failing

2008-01-18 Thread Zoltán Németh
On Thursday, 2008. 01. 17, at 12.14, Ken Kixmoeller -- reply to
[EMAIL PROTECTED] wrote:
> (forgot to copy the list)
> 
> On Jan 16, 2008, at 5:08 PM, Richard Lynch wrote:
> 
> 
> > Is it possible that 4% of the time, you have spaces on the start/end
> > of the string, which get trimmed before encryption?
> >
> 
> In this case, no. In trying to simplify the situation to narrow the  
> possibilities of error, I am generating "random" character strings of  
> only alphanumeric (or numeric-only) characters. Each is exactly 16  
> characters.
> 
> 
> 
> > And if rijndael is one of the algorithms which requires a fixed-size
> > input, that also would be "bad" to trim it.
> >
> 
> No documentation that I was able to find suggests that requirement.
> 
> 
> 
> 
> > Actually, I'd suggest that the encryption function has no business
> > trimming the text anyway.
> >
> 
> Philosophically I agree with you, but mCrypt has this nasty habit of  
> appending bunches of nulls to the decrypted string. So philosophical  
> purity gives way to practical application.


yeah, I just ran into the same thing yesterday evening with mcrypt and
rijndael_256.
encrypting went fine, decrypted string had a lot of nulls at the end. so
I too had to use trim() on it.

greets
Zoltán Németh

> 
> Good ideas, as usual. Thank you.
> 
> Ken
> 
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Encryption failing

2008-01-17 Thread Ken Kixmoeller -- reply to [EMAIL PROTECTED]

(forgot to copy the list)

On Jan 16, 2008, at 5:08 PM, Richard Lynch wrote:



> Is it possible that 4% of the time, you have spaces on the start/end
> of the string, which get trimmed before encryption?

In this case, no. In trying to simplify the situation to narrow the
possibilities of error, I am generating "random" character strings of
only alphanumeric (or numeric-only) characters. Each is exactly 16
characters.

> And if rijndael is one of the algorithms which requires a fixed-size
> input, that also would be "bad" to trim it.

No documentation that I was able to find suggests that requirement.

> Actually, I'd suggest that the encryption function has no business
> trimming the text anyway.

Philosophically I agree with you, but mCrypt has this nasty habit of
appending bunches of nulls to the decrypted string. So philosophical
purity gives way to practical application.


Good ideas, as usual. Thank you.

Ken





Re: [PHP] Encryption failing

2008-01-16 Thread Richard Lynch
Is it possible that 4% of the time, you have spaces on the start/end
of the string, which get trimmed before encryption?

And if rijndael is one of the algorithms which requires a fixed-size
input, that also would be "bad" to trim it.  If you need multiple of
16 bytes input, leave the input alone.

Actually, I'd suggest that the encryption function has no business
trimming the text anyway.

If I want to jagencdecr(str_repeat(' ', 1000), 'E'), then I probably
don't want the function to trim that, eh? :-)

On Tue, January 15, 2008 6:54 pm, Ken Kixmoeller -- reply to
[EMAIL PROTECTED] wrote:
> Hey --- - -
>
> I am in the process of upgrading the encryption technology I am using
> from (64 bit) blowfish to (256 bit) rijndael.
>
> The code (and some explanations) is below, but the results are, um,
> unusual, and I can't see what I am doing wrong. For testing, I have a
> program that generates a random 16-character string, encrypts it to a
> variable, and decrypts it. Running it in 500 iteration loops, it
> fails roughly 4% of the time. By "fails" I mean that the original
> string and the eventual decrypted one don't match.
>
> Anybody able to spot why?
>
> Ken
> --
> function jagencdecr($text,$EorD,$encpass='') {
>   // parameters:
>   // - $text = string to be en/decrypted,
>   // - $EorD = Encrypt or Decrypt
>   // - $encpass = key phrase
>   if (empty($text)) {return "";}
>   $text = trim($text);
>   $cypher = mcrypt_module_open('rijndael-256', '', 'ecb', '');
>   // "ecb" mode produces the above results.
>   // "ofb" mode produces 100% errors
>
>   $size = mcrypt_enc_get_iv_size($cypher);
>   $phprand = rand(1000,);
>   $iv = mcrypt_create_iv($size,$phprand); // produces the same results as below, platform independent
>   //$iv = mcrypt_create_iv($size,MCRYPT_RAND); // for Windows
>   //$iv = mcrypt_create_iv($size,MCRYPT_DEV_RAND); // for 'NIX
>
>   $ks = mcrypt_enc_get_key_size($cypher);
>   /* Create key */
>   $key = substr(md5($encpass), 0, $ks);
>   mcrypt_generic_init($cypher,$key,$iv);
>   if ($EorD == "D") {
>   $text_out = mdecrypt_generic($cypher,$text);
>   } else {
>   $text_out = mcrypt_generic($cypher,$text);
>   } // endif ($EorD == "D")
>   mcrypt_generic_deinit($cypher);
>   mcrypt_module_close($cypher);
>   return trim($text_out);
>
>   }  // endfunc jagencdecr Jaguar Encrypt/Decrypt
>


-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
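
An added example, not code from the thread or from mcrypt: jagencdecr() as quoted above runs trim() on its return value, so on encryption it trims raw ciphertext, and trim() strips six byte values (space, \t, \n, \r, \0, \x0B) from both ends. Assuming ciphertext bytes are uniformly distributed, that alters 1 - (250/256)^2, about 4.6%, of 32-byte blocks, in line with the failure rate reported in the thread; the second half is a round trip that needs no trimming, using AES-256-GCM from ext-openssl as a stand-in for mcrypt's Rijndael-256 (mcrypt was removed in PHP 7.2). The names trim_damage_rate, seal and open_sealed, the key and the sample strings are hypothetical and constructed for this example.

```php
<?php
// Added example (PHP 7.1+ with ext-openssl). Part 1 models one 32-byte
// Rijndael-256 block as uniformly random bytes; mcrypt itself is not called.

/** Fraction of $n random 32-byte "ciphertexts" that trim() alters. */
function trim_damage_rate(int $n): float
{
    $damaged = 0;
    for ($i = 0; $i < $n; $i++) {
        $ct = random_bytes(32);          // constructed stand-in for ciphertext
        if (trim($ct) !== $ct) {         // trim() strips " \t\n\r\0\x0B" at both ends
            $damaged++;
        }
    }
    return $damaged / $n;
}

/** Encrypt without trimming; returns base64(nonce . tag . ciphertext). */
function seal(string $plaintext, string $key): string
{
    $nonce = random_bytes(12);           // fresh 96-bit nonce for every message
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);   // text-safe for cookies and databases
}

/** Inverse of seal(); returns the exact plaintext bytes or throws. */
function open_sealed(string $token, string $key): string
{
    $raw = base64_decode($token, true);  // strict mode rejects non-base64 input
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed token');
    }
    $nonce = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = (string) substr($raw, 28);  // cast covers PHP 7 returning false for ""
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($pt === false) {
        throw new RuntimeException('authentication failed');
    }
    return $pt;                          // GCM adds no padding, so nothing to trim
}

// Part 1: how often does trim() damage a ciphertext block?
$n = 100000;
$expected = 1 - (250 / 256) ** 2;        // 6 of 256 byte values are trimmable, at two ends
printf("trim() altered %.2f%% of blocks (expected %.2f%%)\n",
       100 * trim_damage_rate($n), 100 * $expected);

// Part 2: round trip, including plaintexts that trim()/rtrim() would corrupt.
$key = random_bytes(32);                 // constructed key; real keys come from a KDF or key store
$samples = [
    "5214006139804600",                  // one of the failing strings from the thread
    "ends with nulls\0\0\0",
    "  padded with spaces  ",
    "\x00\x0Bbinary\r\n",
];
$failures = 0;
foreach ($samples as $s) {
    if (open_sealed(seal($s, $key), $key) !== $s) {
        $failures++;
    }
}
printf("AES-256-GCM + base64 round-trip failures: %d/%d\n", $failures, count($samples));
```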




Re: [PHP] Encryption failing

2008-01-16 Thread Richard Lynch


On Tue, January 15, 2008 10:48 pm, Casey wrote:
> On Jan 15, 2008 8:40 PM, Ken Kixmoeller -- reply to [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
>>
>> On Jan 15, 2008, at 11:08 PM, Andrés Robinet wrote:
>>
>>
>> > I second that, you should base64 encode values before encrypting
>> > and base64
>> > decode them after decrypting to be safe.
>> >
>>
>> Thanks for the idea.
>>
>> Like this? Fails 500/500 times on my test.
>>
>> 
>> if ($EorD == "D") {
>> $text_out = mdecrypt_generic($cypher,$text);

You are base64-ing it, but...

>> $text = base64_decode($text);

You are not decoding the base64, but the original.

>> } else {
>> $text= base64_encode($text);
>> $text_out = mcrypt_generic($cypher,$text);
>> } // endif ($EorD == "D")
>> 
>>
>> A quick test looks like this:
>>
>> 1: String: 9334133814260182
>>   -|- Enc: X5Þ(c)·ža`p#È]#c¦±3 ÔýCõÒiÏ~r ¢Tª"
>>   -|- Dec:OTMzNDEzMzgxNDI2MDE4Mg== -|- Nope
>>
>> 2: String: 3027022406512648
>>   -|- Enc: j£n,h\"m ê´ uKP%¥† ¼D }H‚'f ¢š„
>>   -|- Dec:MzAyNzAyMjQwNjUxMjY0OA== -|- Nope
>>
>> 3: String: 5042504153020331
>>   -|- Enc: 9ÿ• ýŸÝ§¤6Wi+€×Ÿéáo>n ñº*J 6}Ø+„
>>   -|- Dec:NTA0MjUwNDE1MzAyMDMzMQ== -|- Nope
>>
>> 4: String: 6741156238850410
>>   -|- Enc: · :´[Úq\‹ë‹ 4\Q«ÍŽ5±{º‡µØtþðtN?b
>>   -|- Dec:Njc0MTE1NjIzODg1MDQxMA== -|- Nope
>>
>> 5: String: 0003100244041329
>>   -|- Enc: D¾¤ úV:!Mû 4ƒÜ€àœ‰ŽòÐÐ^ï Hñ-š %z
>>   -|- Dec:MDAwMzEwMDI0NDA0MTMyOQ== -|- Nope
>>
>> Wrong: 5/5
>>
> It returns the correct value. If you look at the last example, and run
> base64_decode on "MDAwMzEwMDI0NDA0MTMyOQ==", you will get
> "0003100244041329".
> -Casey





Re: [PHP] Encryption failing

2008-01-16 Thread Ken Kixmoeller -- reply to [EMAIL PROTECTED]

Many thanks, Mike --- yours works great... 0 errors.

On Jan 16, 2008, at 9:24 AM, mike wrote:


> function data_encrypt($data) {
>     if(!$data) { return false; }
>     // key is $config['salt']; IV is md5(salt . salt), 32 hex characters
>     return base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,
>         $GLOBALS['config']['salt'], $data, 'cbc',
>         md5($GLOBALS['config']['salt'].$GLOBALS['config']['salt'])));
> }
>
> function data_decrypt($data) {
>     if(!$data) { return false; }
>     // rtrim() removes the trailing null padding (and trailing whitespace)
>     return rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256,
>         $GLOBALS['config']['salt'],
>         base64_decode(str_replace(' ', '+', $data)), 'cbc',
>         md5($GLOBALS['config']['salt'].$GLOBALS['config']['salt'])));
> }





Re: [PHP] Encryption failing

2008-01-16 Thread mike
On 1/16/08, Ken Kixmoeller -- reply to [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
>
> On Jan 16, 2008, at 1:28 AM, Andrés Robinet wrote:
>
> His other post explains that php didn't seem to like spaces. No
> spaces in the test strings -- I'll check for those when/if I can get
> the core en/decryption working.

See below - I had an issue with a .NET encrypted string in a cookie
and decrypting it in PHP. It was required for that. I think it might
be due to how .NET does its base64 encoding; but I've kept it in my
code just in case even for pure PHP.

Here are my encrypt/decrypt functions. This is -not- the previous
.NET/PHP exchange I mentioned. That uses a weaker bit AES due to
.NET's defaults

function data_encrypt($data) {
    if(!$data) { return false; }
    // key is $config['salt']; IV is md5(salt . salt), 32 hex characters
    return base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,
        $GLOBALS['config']['salt'], $data, 'cbc',
        md5($GLOBALS['config']['salt'].$GLOBALS['config']['salt'])));
}

function data_decrypt($data) {
    if(!$data) { return false; }
    // rtrim() removes the trailing null padding (and trailing whitespace)
    return rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256,
        $GLOBALS['config']['salt'],
        base64_decode(str_replace(' ', '+', $data)), 'cbc',
        md5($GLOBALS['config']['salt'].$GLOBALS['config']['salt'])));
}

where $config['salt'] in a config file is your random key. make it
something worthwhile like "haX0r$sUCK!" that won't ever be easily
guessed.

I have code like this running on a couple sites - works like a charm,
that includes using it to encrypt cookie data and decrypt it on the
way back. I am not entirely sure if the str_replace for the spaces is
-required- for a PHP to PHP encryption/decryption, but it doesn't seem
to hurt, and I don't believe this should fail for any reason in your
tests...

The one caveat is I think it is suggested to use the mcrypt_generic()
functions now, which I believe meant writing a bunch more lines of
code and I liked my single line solution (and I might have had an
issue for some reason trying to make it work... I'll probably have to
redo this someday either way)


Re: [PHP] Encryption failing

2008-01-16 Thread Ken Kixmoeller -- reply to [EMAIL PROTECTED]


On Jan 16, 2008, at 1:28 AM, Andrés Robinet wrote:


> 1 - Mike is right about first encrypting and then doing a
> base64_encode (then saving results to DB, cookies, etc). I don't
> know why replacing " " to "+" for decrypting, though.

His other post explains that php didn't seem to like spaces. No
spaces in the test strings -- I'll check for those when/if I can get
the core en/decryption working.

> 2 - Mike is also right about $text = base64_decode($text) which
> should be $text = base64_decode($text_out) I think.

Yup -- that's what I get for trying to do this hastily and late at
night --

> 3 - You are trimming the results on return, according to one post
> in the manual notes this will remove null padding on the decrypted
> string. This is desired, most of the time, but if the original
> (cleartext message) string ended in nulls you will get a difference
> and that may be the cause of the errors you are getting.

I understand that, thank you. There are no trailing nulls on the
original string.

After correcting my program, I still get the same results, about
4% wrong:


70: String: 5214006139804600
 -|- Enc: Ϊ%bÇCsšB>sìD%Å#z[ä. m…‡¿m§ð
 -|- Dec:àc8 -|- Nope

75: String: 1034702254251899
 -|- Enc: !:Ã2ºÍé×»àe2s? :Ù0LµŒÕ[«
 -|- Dec:à`*' -|- Nope

89: String: 8245007043826594
 -|- Enc: µÆ Íãd-‘Á´E3½yÍ×v‹,ZØW"éûqüŽ‚ó
 -|- Dec:[EMAIL PROTECTED] -|- Nope

etc.

Wrong: 23/500


Phooey.

Ken



Re: [PHP] Encryption failing

2008-01-16 Thread Ken Kixmoeller -- reply to [EMAIL PROTECTED]


On Jan 15, 2008, at 10:48 PM, Casey wrote:


> It returns the correct value. If you look at the last example, and run
> base64_decode on "MDAwMzEwMDI0NDA0MTMyOQ==", you will get
> "0003100244041329".


Oops. "Haste makes crappy programming."

Ken




Re: [PHP] Encryption failing

2008-01-15 Thread mike
On 1/15/08, Andrés Robinet <[EMAIL PROTECTED]> wrote:

> 1 - Mike is right about first encrypting and then doing a base64_encode (then 
> saving results to DB, cookies, etc). I don't know why replacing " " to "+" 
> for decrypting, though.

we have an application which sets an encrypted cookie in .NET, and
base64 encodes it. for some reason, PHP was choking on spaces, but "+"
worked like a charm. not sure if it's something odd in the URL
encoding during transit or what... but it works like a charm.

I have on my todo list to post the code samples both from .NET side
and PHP side to help other people, but I haven't got around to it (not
to mention I have to take out some custom code specific to my
company's implementation)


RE: [PHP] Encryption failing

2008-01-15 Thread Andrés Robinet
> -Original Message-
> From: mike [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 16, 2008 1:49 AM
> To: Ken Kixmoeller -- reply to [EMAIL PROTECTED]
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] Encryption failing
> 
> > 
> > if ($EorD == "D") {
> >    $text_out = mdecrypt_generic($cypher,$text);
> >    $text = base64_decode($text);
> 
> shouldn't this be base64_decode($text_out) ? :)
> 
> > } else {
> >    $text= base64_encode($text);
> >    $text_out = mcrypt_generic($cypher,$text);
> 
> reverse these... make sure $text is setup right
> 
> > } // endif ($EorD == "D")
> 
> if you want to use this via cookies, GET, POST, etc. i would
> 
> encrypt
> base64 encode
> 
> to decrypt:
> 
> string replace " " to "+"
> base64 decode
> then decrypt

Hi Ken,

Just my 3 cents:

1 - Mike is right about first encrypting and then doing a base64_encode (then 
saving results to DB, cookies, etc). I don't know why replacing " " to "+" for 
decrypting, though.
2 - Mike is also right about $text = base64_decode($text) which should be $text 
= base64_decode($text_out) I think.
3 - You are trimming the results on return, according to one post in the manual 
notes this will remove null padding on the decrypted string. This is desired, 
most of the time, but if the original (cleartext message) string ended in nulls 
you will get a difference and that may be the cause of the errors you are 
getting.

if ($EorD == "D") {
   // Get the original encrypted string
   $text = base64_decode($text);
   // Decrypt, you will get null padding
   $text = mdecrypt_generic($cypher, $text);
   // Restore the original text, you must keep the original text length stored somewhere
   $text_out = substr($text, 0, $text_length);
} else {
   $text_length = strlen($text);
   // base64 encode encrypted string, to avoid headaches with strange characters in db, variables, etc
   $text_out = base64_encode(mcrypt_generic($cypher, $text));
}
// Do not trim results if the clear text message ends with nulls

I'll have to work on something similar very soon, so I might have my own 
headaches later. If you have success (or even more trouble) any feedback would 
be much appreciated.

Regards,

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308 | 
TEL 954-607-4207 | FAX 954-337-2695
Email: [EMAIL PROTECTED]  | MSN Chat: [EMAIL PROTECTED]  |  SKYPE: bestplace |  
Web: http://www.bestplace.biz | Web: http://www.seo-diy.com




Re: [PHP] Encryption failing

2008-01-15 Thread mike
> 
> if ($EorD == "D") {
>    $text_out = mdecrypt_generic($cypher,$text);
>    $text = base64_decode($text);

shouldn't this be base64_decode($text_out) ? :)

> } else {
>    $text= base64_encode($text);
>    $text_out = mcrypt_generic($cypher,$text);

reverse these... make sure $text is setup right

> } // endif ($EorD == "D")

if you want to use this via cookies, GET, POST, etc. i would

encrypt
base64 encode

to decrypt:

string replace " " to "+"
base64 decode
then decrypt




Re: [PHP] Encryption failing

2008-01-15 Thread Casey
On Jan 15, 2008 8:40 PM, Ken Kixmoeller -- reply to [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
>
> On Jan 15, 2008, at 11:08 PM, Andrés Robinet wrote:
>
>
> > I second that, you should base64 encode values before encrypting
> > and base64
> > decode them after decrypting to be safe.
> >
>
> Thanks for the idea.
>
> Like this? Fails 500/500 times on my test.
>
> 
> if ($EorD == "D") {
> $text_out = mdecrypt_generic($cypher,$text);
> $text = base64_decode($text);
> } else {
> $text= base64_encode($text);
> $text_out = mcrypt_generic($cypher,$text);
> } // endif ($EorD == "D")
> 
>
> A quick test looks like this:
>
> 1: String: 9334133814260182
>   -|- Enc: X5Þ(c)·ža`p#È]#c¦±3 ÔýCõÒiÏ~r ¢Tª"
>   -|- Dec:OTMzNDEzMzgxNDI2MDE4Mg== -|- Nope
>
> 2: String: 3027022406512648
>   -|- Enc: j£n,h\"m ê´ uKP%¥† ¼D }H‚'f ¢š„
>   -|- Dec:MzAyNzAyMjQwNjUxMjY0OA== -|- Nope
>
> 3: String: 5042504153020331
>   -|- Enc: 9ÿ• ýŸÝ§¤6Wi+€×Ÿéáo>n ñº*J 6}Ø+„
>   -|- Dec:NTA0MjUwNDE1MzAyMDMzMQ== -|- Nope
>
> 4: String: 6741156238850410
>   -|- Enc: · :´[Úq\‹ë‹ 4\Q«ÍŽ5±{º‡µØtþðtN?b
>   -|- Dec:Njc0MTE1NjIzODg1MDQxMA== -|- Nope
>
> 5: String: 0003100244041329
>   -|- Enc: D¾¤ úV:!Mû 4ƒÜ€àœ‰ŽòÐÐ^ï Hñ-š %z
>   -|- Dec:MDAwMzEwMDI0NDA0MTMyOQ== -|- Nope
>
> Wrong: 5/5
>
>

It returns the correct value. If you look at the last example, and run
base64_decode on "MDAwMzEwMDI0NDA0MTMyOQ==", you will get
"0003100244041329".
-Casey

Re: [PHP] Encryption failing

2008-01-15 Thread Ken Kixmoeller -- reply to [EMAIL PROTECTED]


On Jan 15, 2008, at 11:08 PM, Andrés Robinet wrote:


> I second that, you should base64 encode values before encrypting
> and base64 decode them after decrypting to be safe.



Thanks for the idea.

Like this? Fails 500/500 times on my test.


if ($EorD == "D") {
$text_out = mdecrypt_generic($cypher,$text);
$text = base64_decode($text);
} else {
$text= base64_encode($text);
$text_out = mcrypt_generic($cypher,$text);
} // endif ($EorD == "D")


A quick test looks like this:

1: String: 9334133814260182
 -|- Enc: X5Þ©·ža`p#È]#c¦±3ÔýCõÒiÏ~r¢Tª"
 -|- Dec:OTMzNDEzMzgxNDI2MDE4Mg== -|- Nope

2: String: 3027022406512648
 -|- Enc: j£n,h\"mê´ uKP%¥†¼D}H‚’f¢š„
 -|- Dec:MzAyNzAyMjQwNjUxMjY0OA== -|- Nope

3: String: 5042504153020331
 -|- Enc: 9ÿ•ýŸÝ§¤6Wi+€×Ÿéáo>nñº*J6}Ø+„
 -|- Dec:NTA0MjUwNDE1MzAyMDMzMQ== -|- Nope

4: String: 6741156238850410
 -|- Enc: ·:´[Úq\‹ë‹4\Q«ÍŽ5±{º‡µØtþðtN?b
 -|- Dec:Njc0MTE1NjIzODg1MDQxMA== -|- Nope

5: String: 0003100244041329
 -|- Enc: D¾¤úV:!Mû4ƒÜ€àœ‰ŽòÐÐ^ïHñ-š%z
 -|- Dec:MDAwMzEwMDI0NDA0MTMyOQ== -|- Nope

Wrong: 5/5




Re: [PHP] Encryption failing

2008-01-15 Thread Ken Kixmoeller -- reply to [EMAIL PROTECTED]


On Jan 15, 2008, at 11:08 PM, Andrés Robinet wrote:


> > -Original Message-
> > From: Bastien Koert [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, January 16, 2008 12:55 AM
> > To: Ken Kixmoeller -- reply to [EMAIL PROTECTED]; php-
> > [EMAIL PROTECTED]
> > Subject: RE: [PHP] Encryption failing
> >
> > are you base64 encoding the resultant encryption string? I have found
> > that there are problems with certain characters that can result from
> > the encryption, usually a combination of characters that approximate a
> > null or end of line
> >
> > bastien
> >
> > > From: [EMAIL PROTECTED]
> > > Date: Tue, 15 Jan 2008 21:41:45 -0600
> > > To: php-general@lists.php.net
> > > Subject: Re: [PHP] Encryption failing
> > >
> > > On Jan 15, 2008, at 7:06 PM, Casey wrote:
> > >
> > > > Maybe you could echo the results of the failed ones and compare.
> > >
> > > I did that at first, thinking that "something about these strings
> > > might cause the problem." But then I realized: I can't blame the
> > > data. I don't have any control over what users use for passwords, for
> > > example. this thing is supposed to en/decrypt the strings I give it,
> > > so there must be some kind of programming flaw.
> > >
> > > FWIW, there was no discernible pattern to the failed strings, at
> > > least not to me. (Not that it matters.)
> > >
> > > Ken
>
> I second that, you should base64 encode values before encrypting
> and base64 decode them after decrypting to be safe.
>
> Rob
>
> Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
> 5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308
> | TEL 954-607-4207 | FAX 954-337-2695
> Email: [EMAIL PROTECTED]  | MSN Chat: [EMAIL PROTECTED]  |  SKYPE:
> bestplace |  Web: http://www.bestplace.biz | Web: http://www.seo-diy.com





RE: [PHP] Encryption failing

2008-01-15 Thread Andrés Robinet
> -Original Message-
> From: Bastien Koert [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 16, 2008 12:55 AM
> To: Ken Kixmoeller -- reply to [EMAIL PROTECTED]; php-
> [EMAIL PROTECTED]
> Subject: RE: [PHP] Encryption failing
> 
> 
> are you base64 encoding the resultant encryption string? I have found
> that there are problems with certain characters that can result from
> the encryption, usually a combination of characters that approximate a
> null or end of line
> 
> bastien
>
> > From: [EMAIL PROTECTED]
> > Date: Tue, 15 Jan 2008 21:41:45 -0600
> > To: php-general@lists.php.net
> > Subject: Re: [PHP] Encryption failing
> >
> > On Jan 15, 2008, at 7:06 PM, Casey wrote:
> >
> > > Maybe you could echo the results of the failed ones and compare.
> >
> > I did that at first, thinking that "something about these strings
> > might cause the problem." But then I realized: I can't blame the
> > data. I don't have any control over what users use for passwords, for
> > example. this thing is supposed to en/decrypt the strings I give it,
> > so there must be some kind of programming flaw.
> >
> > FWIW, there was no discernible pattern to the failed strings, at
> > least not to me. (Not that it matters.)
> >
> > Ken

I second that, you should base64 encode values before encrypting and base64
decode them after decrypting to be safe.

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308
| TEL 954-607-4207 | FAX 954-337-2695
Email: [EMAIL PROTECTED]  | MSN Chat: [EMAIL PROTECTED]  |  SKYPE:
bestplace |  Web: http://www.bestplace.biz | Web: http://www.seo-diy.com




Re: [PHP] Encryption failing

2008-01-15 Thread mike
me too - it was a space. i changed it to "+" and it worked fine.

$cookie = str_replace(' ', '+', $_COOKIE['foo']);



On 1/15/08, Bastien Koert <[EMAIL PROTECTED]> wrote:
>
> are you base64 encoding the resultant encryption string? I have found that 
> there are problems with certain characters that can result from the 
> encryption, usually a combination of characters that approximate a null or 
> end of line
>
> bastien
>
> > From: [EMAIL PROTECTED]
> > Date: Tue, 15 Jan 2008 21:41:45 -0600
> > To: php-general@lists.php.net
> > Subject: Re: [PHP] Encryption failing
> >
> > On Jan 15, 2008, at 7:06 PM, Casey wrote:
> >
> > > Maybe you could echo the results of the failed ones and compare.
> >
> > I did that at first, thinking that "something about these strings
> > might cause the problem." But then I realized: I can't blame the
> > data. I don't have any control over what users use for passwords, for
> > example. this thing is supposed to en/decrypt the strings I give it,
> > so there must be some kind of programming flaw.
> >
> > FWIW, there was no discernible pattern to the failed strings, at
> > least not to me. (Not that it matters.)
> >
> > Ken




RE: [PHP] Encryption failing

2008-01-15 Thread Bastien Koert

are you base64 encoding the resultant encryption string? I have found that 
there are problems with certain characters that can result from the encryption, 
usually a combination of characters that approximate a null or end of line
 
bastien

> From: [EMAIL PROTECTED]
> Date: Tue, 15 Jan 2008 21:41:45 -0600
> To: php-general@lists.php.net
> Subject: Re: [PHP] Encryption failing
>
> On Jan 15, 2008, at 7:06 PM, Casey wrote:
>
> > Maybe you could echo the results of the failed ones and compare.
>
> I did that at first, thinking that "something about these strings
> might cause the problem." But then I realized: I can't blame the
> data. I don't have any control over what users use for passwords, for
> example. this thing is supposed to en/decrypt the strings I give it,
> so there must be some kind of programming flaw.
>
> FWIW, there was no discernible pattern to the failed strings, at
> least not to me. (Not that it matters.)
>
> Ken



Re: [PHP] Encryption failing

2008-01-15 Thread Ken Kixmoeller -- reply to [EMAIL PROTECTED]


On Jan 15, 2008, at 7:06 PM, Casey wrote:


Maybe you could echo the results of the failed ones and compare.


I did that at first, thinking that "something about these strings  
might cause the problem." But then I realized: I can't blame the  
data. I don't have any control over what users use for passwords, for  
example. this thing is supposed to en/decrypt the strings I give it,
so there must be some kind of programming flaw.


FWIW, there was no discernible pattern to the failed strings, at  
least not to me. (Not that it matters.)


Ken




Re: [PHP] Encryption failing

2008-01-15 Thread Casey
On Jan 15, 2008, at 4:54 PM, "Ken Kixmoeller -- reply to [EMAIL PROTECTED] 
" <[EMAIL PROTECTED]> wrote:



> Hey --- - -
>
> I am in the process of upgrading the encryption technology I am
> using from (64 bit) blowfish to (256 bit) rijndael.
>
> The code (and some explanations) is below, but the results are, um,
> unusual, and I can't see what I am doing wrong. For testing, I have
> a program that generates a random 16-character string, encrypts it
> to a variable, and decrypts it. Running it in 500 iteration loops,
> it fails roughly 4% of the time. By "fails" I mean that the original
> string and the eventual decrypted one don't match.
>
> Anybody able to spot why?
>
> Ken
> --
> function jagencdecr($text,$EorD,$encpass='') {
>    // parameters:
>    // - $text = string to be en/decrypted,
>    // - $EorD = Encrypt or Decrypt
>    // - $encpass = key phrase
>    if (empty($text)) {return "";}
>    $text = trim($text);
>    $cypher = mcrypt_module_open('rijndael-256', '', 'ecb', '');
>    // "ecb" mode produces the above results.
>    // "ofb" mode produces 100% errors
>
>    $size = mcrypt_enc_get_iv_size($cypher);
>    $phprand = rand(1000,);
>    $iv = mcrypt_create_iv($size,$phprand); // produces the same results as below, platform independent
>
>    //$iv = mcrypt_create_iv($size,MCRYPT_RAND); // for Windows
>    //$iv = mcrypt_create_iv($size,MCRYPT_DEV_RAND); // for 'NIX
>
>    $ks = mcrypt_enc_get_key_size($cypher);
>    /* Create key */
>    $key = substr(md5($encpass), 0, $ks);
>    mcrypt_generic_init($cypher,$key,$iv);
>    if ($EorD == "D") {
>    $text_out = mdecrypt_generic($cypher,$text);
>    } else {
>    $text_out = mcrypt_generic($cypher,$text);
>    } // endif ($EorD == "D")
>    mcrypt_generic_deinit($cypher);
>    mcrypt_module_close($cypher);
>    return trim($text_out);
>
>    }  // endfunc jagencdecr Jaguar Encrypt/Decrypt

Maybe you could echo the results of the failed ones and compare. 

