
Hi, I'm building an email activation link for my registered users. The link contains an id and the registered email; both were encrypted, but after the link is clicked it redirects to a page that decrypts the message, and the decryptor example provided by the AES encryption website gives me a wrong result when the link retrieves the encrypted variable for the email. Although, if I try to use the encrypted variable for the id (with a constant value, not from the database), it returns a correct result. Why?

here is my code

for the decrypting page

<?php
// Decrypting page: ES is the helper class from the AES-encryption site
$imputText = $_GET['v'];          // ciphertext taken straight from the query string
$imputKey = "3173aLASOf";
$blockSize = 256;
$es = new ES(null, $imputKey, $blockSize);

$es->setData($imputText);
$dec = $es->decrypt();
echo "After decryption: ".$dec."<br/>";

echo "Activated";

but if I change the $_GET['v']; into a static encrypted message it decrypts correctly

and here the encryption script

$username=$_POST['email'];

$imputText = $username;
$imputKey = "3173aLASOf";
$blockSize = 256;
$es = new ES($imputText, $imputKey, $blockSize);

$enc = $es->encrypt();
$imputText2 = 1;

$es2 = new ES($imputText2, $imputKey, $blockSize);

$enc2 = $es2->encrypt();

$message = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title> E-mail </title>
</head>
<body bgcolor="#CCCCCC" style="font-weight:300;font-family:"Helvetica Neue", Helvetica, sans-serif;color:#FFFFFF;line-height:18px;margin:0;padding:0;">

<table cellpadding="15" cellspacing="0" border="0" align="center" width="600" bgcolor="#EEEEEE">
    <thead style="background:#391E03;">
        <th colspan="2" align="justify" style="font-size:14px;color:#FFF;font-weight:400;"> You have a Mail Information from <strong style="text-transform:capitalize;">'.$lname.'</strong>... </th>
    </thead>

    <tbody style="color:#444444">       
        <tr id="introduction">
            <td style="font-size:14px;line-height:26px;width:100%;">
                <h3>Customer Information</h3>
                <dl>
                    <dt style="clear:left;float:left;width:160px;font-weight:700;">Activation Link</dt>
                    <dd style="text-transform:capitalize;margin-left:180px;"><a href="http://www.mydomain.com/folder1/reg/activated.php?conf='.urlencode($enc2).'&amp;v='.urlencode($enc).'">'.$enc.'</a>&nbsp;</dd>
        </dl>
            </td>
        </tr>
    </tbody>


</table>

</body>
</html>';

I did not provide the whole mail script because I don't think the problem lies in my mailer script. I have tried decrypting the encrypted message using the decryptor found on AES-encryption

and the message was also decrypted correctly. Any idea why it does not work when I try to do it by getting it from the address bar? I tried getting the id (constant value, not from the database) from the address bar and it displayed the ID (constant value, not from the database) correctly. Please help me.

Kim Oliveros
    overkill just use the user id. –  Apr 28 '14 at 03:47
  • hmm sorry, I think calling it a user id is wrong .. that id is used for telling my database that it was clicked and the email is used for telling which user it is.. I'll revise my post, sorry for that – Kim Oliveros Apr 28 '14 at 03:49
  • sending the encrypted email is overkill, just send the user id. worse case is some one confirms someone else by changing the id - big woop. –  Apr 28 '14 at 03:54
  • even if the mail expires after it was clicked once? – Kim Oliveros Apr 28 '14 at 03:55
  • mail expires ? this email will self destruct in 10 seconds ? – lagbox Apr 28 '14 at 03:57
  • and what is the cause of my problem? why does my decryptor script return a wrong value if the variable was fetched by $_GET? – Kim Oliveros Apr 28 '14 at 03:57
  • no what I mean is that the token that was provided on the message expires after 2 days or something or after it was clicked – Kim Oliveros Apr 28 '14 at 03:59
  • @Dagon The whole idea of email verification is that you cannot activate the account without knowing the secret sent to you, thus "worse case is some one confirms someone else by changing the id" means that the mail is itself pointless. – Perseids Apr 28 '14 at 09:46
  • @user256009: Maybe you have some problems with url escapes? But on a more general note: You should not do email authentication like this. Instead generate a random string, store it alongside the account information and send the random string as authentication token to the email address. When the link is clicked look up the random string and activate the account. This is by far easier than implementing a cryptographic solution working around the bad PHP crypto libraries. – Perseids Apr 28 '14 at 12:17
  • Hi @Perseids, I tried using the PHP uniqid() function instead of my current method as an authentication token, because your comment made sense to me and it's easier, but I'm kinda worried: would uniqid() cause a duplicate entry in my database? And do I still need it to be encrypted? Or can you suggest some good method for this issue? This is how I used uniqid(), for your reference: `uniqid($lname,more_entropy)` – Kim Oliveros Apr 28 '14 at 22:53

1 Answer

I'll formulate my comment reply as an answer as it is getting a little large and constitutes an answer anyway:

Maybe you have some problems with url escapes? But on a more general note: You should not do email authentication like this. Instead generate a random string, store it alongside the account information and send the random string as authentication token to the email address. When the link is clicked look up the random string and activate the account. This is by far easier than implementing a cryptographic solution working around the bad PHP crypto libraries.

uniqid is conceptually not a good choice for such a random string. The value you want the owner of the email address to supply back to you is supposed to be unpredictable (so that I cannot register with someone else's email address and guess the correct value) rather than unique. If you choose a large enough random value it is also going to be unique (with a sufficiently high probability), but that is not a necessary security aspect (though it might be nice for your database design). To guarantee unpredictable values you can use a good (in the sense of cryptographic security) 64 bit random value. See https://stackoverflow.com/a/1551064/371137 for how to get cryptographically secure random bytes in PHP. To encode them for link clicking you can url-safe base64 encode them or just hex encode them.

I suggest a short value of 64 bits mainly because an attacker has to try an authentication tag against your server online, so brute-force attacks are infeasible even with small values, and it is more convenient for most users to have manageable short links. I still don't suggest an even shorter value because with 64 bits the collision probability for random values is still so small that you can ignore it for practical uses.

If you still want to make extra sure they are in fact unique in your database you can

  • look the value up after generation and regenerate it if you already have it in your database or
  • choose a longer random value (160 bit values are even safe against offline collision attacks) or
  • supply the account id in the verification link and avoid any problems with collisions altogether.
Perseids
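The token-based flow from the answer above, written out as an added example (not the answerer's or asker's code). It assumes a PDO handle `$db` and a hypothetical `accounts` table with columns `id`, `email`, `activation_token`, `token_created_at`, `activated`; it takes the answer's third option (account id in the link) and adds the two-day expiry the asker mentioned in the comments.

```php
<?php
// Added example: random activation token stored next to the account, account id
// carried in the link. Table/column names and $db are assumptions, not the page's.

const TOKEN_BYTES = 8;          // 64 bits, the size the answer suggests
const TOKEN_TTL   = 2 * 86400;  // two days, matching the asker's expiry idea

// Unpredictable token from the CSPRNG (PHP >= 7), encoded URL-safe (base64url).
function newActivationToken(): string {
    $raw = random_bytes(TOKEN_BYTES);
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Create the account row with its token and build the link to mail out.
function createActivationLink(PDO $db, string $email): string {
    $token = newActivationToken();
    $stmt = $db->prepare('INSERT INTO accounts (email, activation_token, token_created_at, activated) VALUES (?, ?, ?, 0)');
    $stmt->execute([$email, $token, time()]);
    $id = (int) $db->lastInsertId();
    // urlencode() both values: a raw '+' in a query string decodes to a space,
    // which is exactly the kind of URL-escape problem the answer points to.
    return 'http://www.mydomain.com/folder1/reg/activated.php?id=' . urlencode((string) $id)
         . '&token=' . urlencode($token);
}

// On click: look the row up by id, compare the token in constant time,
// enforce the expiry, and clear the token so the link works only once.
function activateAccount(PDO $db, int $id, string $token): bool {
    $stmt = $db->prepare('SELECT activation_token, token_created_at, activated FROM accounts WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['activated'] || $row['activation_token'] === null) {
        return false;                                   // unknown id or already used
    }
    if (time() - (int) $row['token_created_at'] > TOKEN_TTL) {
        return false;                                   // expired: user must request a new link
    }
    if (!hash_equals($row['activation_token'], $token)) {
        return false;                                   // wrong token; constant-time compare
    }
    $upd = $db->prepare('UPDATE accounts SET activated = 1, activation_token = NULL WHERE id = ?');
    $upd->execute([$id]);
    return true;
}

// activated.php would call:
// $ok = activateAccount($db, (int) ($_GET['id'] ?? 0), (string) ($_GET['token'] ?? ''));
```

Nothing in the link needs to be encrypted: the token's only property is that nobody but the mailbox owner can guess it, and the server-side lookup replaces the decrypt step entirely.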