php decryption failing from URL

Question

I am using php decrypion to check that: an email address replying to a request is the same email address which was sent the request.

This is the code but at the bottom it simpy fails.

The url is simply:

blah.com/page?keyemail=fSHEk8KC17siklGHsj0HJA==

The code below also shows some tests i did to make sure the encrypt/decrypt were working ok... I echo'd down the code to see what was going on

$key="XiTo74UI09wwe4YeUmuvbL0E";

$iv = mcrypt_create_iv (mcrypt_get_block_size (MCRYPT_TripleDES, MCRYPT_MODE_CBC), MCRYPT_DEV_RANDOM);

// Encrypting
function encrypt($string, $key) {
    $enc = "";
    global $iv;
    $enc=mcrypt_cbc (MCRYPT_TripleDES, $key, $string, MCRYPT_ENCRYPT, $iv);

  return base64_encode($enc);
}

// Decrypting
function decrypt($string, $key) {
    $dec = "";
    $string = trim(base64_decode($string));
    global $iv;
    $dec = mcrypt_cbc (MCRYPT_TripleDES, $key, $string, MCRYPT_DECRYPT, $iv);
  return $dec;
}

// test example
$email = 'me@me.com';

echo "email is $email<br /><br />";

$email_key = encrypt($email, $key);

echo "key is $email_key<br /><br />";

$email_key2 = decrypt($email_key, $key);

echo "decrypted is $email_key2<br /><br />";
// END test example, all is ok


// this is the code that fails
$to_de = $_GET[keyemail];

echo "keyemail again is $to_de<br /><br />";

$email_key3 = decrypt($to_de, $key);

echo $email_key3;

What is being returned when I echo $email_key3 is encoded somehow - it should be me@me.com

I'm probably missing something obvious but it's lost me!

Since you already know what email it should come from normally it is better to use hashes here instead however what is the var_dump of `$_GET['keyemail']` as it should be instead of `$_GET[keyemail]` since even though PHP to translate keyemail to a string it will also throw an E_NOTICE if I remember right. — Sammaye, Oct 15 '12 at 15:27

score 0 · Answer 1 · answered Oct 15 '12 at 15:31

0

You can't generate a new IV on each page - you must either store the IV from the encryption step in a file or database - or append it to the encrypted string. Generating a new IV on the next page will not allow you to decrypt the string.

Also, if possible I would pass a hash of an the email (plus a salt) - not an encrypted form.

answered Oct 15 '12 at 15:31

Xeoncross

55,620
80
262
364

When I do AES encryption/decryption I create a random IV everytime via: `$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);` so long as I have the same key and iv size I believe it should work (and does), unless that's something specific to that algorithm? – Sammaye Oct 15 '12 at 15:39
If a different IV works for both input and output - what's the point of the IV? Either it's not needed for your algorithm, or it needs to be identical. – Xeoncross Oct 15 '12 at 15:50

score -1 · Answer 2 · edited May 23 '17 at 11:48

-1

I've noticed that the encryption method you're using is adding a random salt. That means that encrypting the same string with the same key does not result in the same output. Try using a non randomized KDF. Try the answer of this topic: https://stackoverflow.com/a/1289114/1745542

edited May 23 '17 at 11:48

Community

1
1

answered Oct 15 '12 at 15:25

meza

8,247
1
14
23

@meza: please learn how to use array indexes correctly: http://www.php.net/manual/en/language.types.array.php#language.types.array.foo-bar – Marcin Orlowski Oct 15 '12 at 15:35

php decryption failing from URL

2 Answers2