-1

I tried to create two funcions, one to encrypt params and another to decrypt them and I'm having a problem. Sometimes, when I try to decrypt any word / number, the decryption fails. Only sometimes, so, i don't know which can be the error. Going to post my functions if anyone wants to check them:

function url_base64_decode($str){
return base64_decode(strtr($str,
    array(
    '.' => '+',
    '-' => '=',
    '~' => '/'
    )
));
}

function url_base64_encode($str){
    return strtr(base64_encode($str),
        array(
            '+' => '.',
            '=' => '-',
            '/' => '~'
        )
    );
}

function mdecrypt($input){
    $key = '4oF9B2NWXbmvIC5nNLLTbnmr5knkEBNBcrJt9m3xM3kjFyCZc3QAZbolXomtaIQSBBDDxxxAAAjTPV';
    $input = trim(chop($this->url_base64_decode($input)));
    $td = mcrypt_module_open ('tripledes', '', 'ecb', '');
    $key = substr(md5($key),0,24);
    $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
    mcrypt_generic_init ($td, $key, $iv);
    $decrypted_data = mdecrypt_generic ($td, $input);
    mcrypt_generic_deinit ($td);
    mcrypt_module_close ($td);
    return trim(chop($decrypted_data));
}

function mencrypt($input) {
    $key = '4oF9B2NWXbmvIC5nNLLTbnmr5knkEBNBcrJt9m3xM3kjFyCZc3QAZbolXomtaIQSBBDDxxxAAAjTPV';
    $key = substr(md5($key),0,24);
    $td = mcrypt_module_open ('tripledes', '', 'ecb', '');
    $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
    mcrypt_generic_init ($td, $key, $iv);
    $encrypted_data = mcrypt_generic ($td, $input);
    mcrypt_generic_deinit ($td);
    mcrypt_module_close ($td);
    return trim(chop($this->url_base64_encode($encrypted_data)));
}

I created a loop to encrypt numbers, and for example, the number 63 fails on decrypt:

  • encrypted : pECnbC3qkwg- decrypted : 60
  • encrypted : yOo70iZ7LKk- decrypted : 61
  • encrypted : GRkGYosxwO4- decrypted : 62
  • encrypted : AJGJzNep3YU- decrypted : +ÕϤȿß
  • encrypted : wvT3n6F~xkU- decrypted : 64
  • encrypted : 7p.gxcfLFcE- decrypted : 65

Anyone knows what should I do?

Thank you all

Alex Perez
  • 25
  • 1
  • 7
  • So how do you know that `-` should be replaced with `=` and not be `-`? – u_mulder Jul 14 '16 at 08:09
  • I wouldn't recommend a RYO encryption solution tbh : http://stackoverflow.com/questions/9262109/php-simplest-two-way-encryption PHP can also support GPG but that might not be suitable for your use-case : http://php.net/manual/en/ref.gnupg.php – CD001 Jul 14 '16 at 08:19
  • It is best not to use mcrypt, it is abandonware, has not been updated in years and does not support standard PKCS#7 (née PKCS#5) padding, only non-standard null padding that can't even be used with binary data. mcrypt had many outstanding [bugs](https://sourceforge.net/p/mcrypt/bugs/) dating back to 2003. Instead consider using [defuse](https://github.com/defuse/php-encryption), it is being maintained and is correct. – zaph Jul 14 '16 at 11:25

1 Answers1

0

Question key derivation code:

$key = substr(md5($key),0,24);

You are trying to create a 24-byte key from MD5 but MD5 only supplies a 16-byte hash, the last 8-bytes age going to be undefined. The last 8-bytes may end up the same by luck but that is not guaranteed so some times it works, some times it doesn't.

Best suggestion is to use a library that does all this work for you, good options include:

Notes:

3DES should not be used in new work, use AES. Do not use ECB mode, it is not secure, use CBC mode with a random iv, prepend the iv to the encrypted data for decryption. Do not use MD5 for password derivation, use PBKDF2.

ECB mode does not use an iv, why are you creating one?

zaph
  • 111,848
  • 21
  • 189
  • 228