4

https://www.tools4noobs.com/online_tools/encrypt/ gives "a67a318c98a0307502ba81caade2f3a9" as a DES ECB result for the key "1234567890abcdef" and payload "encrypt this".

The PHP code

echo bin2hex(mcrypt_encrypt(
    MCRYPT_DES,
    hex2bin("1234567890abcdef"),
    "encrypt this",
    MCRYPT_MODE_ECB)) . "\n";

prints out "1a29ee87f2ad67644ff28450c676a664".

What's wrong with the code?

Artjom B.
  • 61,146
  • 24
  • 125
  • 222
haba713
  • 2,465
  • 1
  • 24
  • 45
  • *tools4noobs* seems to cut the passphrase to `"12345678"` (no `hex2bin` as in your example). https://3v4l.org/sm8p8 – Yoshi Oct 13 '16 at 08:32

1 Answers1

3

The noobs4tools website strips out the hex2bin function and truncates the key length to 8 characters(as Yoshi stated in comments).

With a keysize of 12345678 the output of both the website and the PHP code is consistent.

The DES keysize is stated in the manual as being 56 bits. Read below some useful background on DES specific keysizes.

How should I create my DES key? Why is an 7-character string not enough?

Key Used by the noobs4tools website:

"12345678"

Key Used by your code:

 hex2bin("1234567890abcdef"); // 4Vx����

This difference then gives you the different outputs.

So the website does not translate the key into any other number- or data- form. It expects you to provide an already correctly formatted value in the page script.

Community
  • 1
  • 1
Martin
  • 22,212
  • 11
  • 70
  • 132
  • According to http://php.net/manual/en/function.mcrypt-encrypt.php "Invalid key and iv sizes are no longer accepted. mcrypt_encrypt() will now throw a warning and return FALSE if the inputs are invalid. Previously keys and IVs were padded with '\0' bytes to the next valid size." (since PHP 5.6.0). I've tested code with PHP 5.6.26-0+deb8u1 and mcrypt_encrypt() does throw a warning or return FALSE. – haba713 Oct 13 '16 at 10:27
  • Thank you @haba713 your comment is correct, I have updated my answer. – Martin Oct 13 '16 at 11:23
  • Sorry @Martin. The word "not" was left out from my previous comment... so... I've tested code with PHP 5.6.26-0+deb8u1 and mcrypt_encrypt() does *NOT* throw a warning or return FALSE. – haba713 Oct 13 '16 at 12:42
  • @haba713 yes, I had found I had entered the text reather than the `hex2bin` function in my sandbox. My answer is now complete, as far as I can tell the issue is with the 3rd party website *nobs4tools* handling the input data – Martin Oct 13 '16 at 12:52