I want to create a $state string and send it in a URL to another app. The other app will do its thing (OAuth verification) before redirecting back to the original app with the state returned once more in the URL (e.g. state=789sdgydfg9d...)
Below I'm simply testing the encrypt/decrypt with mcrypt functions:
// Note: the mcrypt extension was deprecated in PHP 7.1 and removed in PHP 7.2.
$secret_key = 'e6aeee1c80c231bf724b31d3c4cc77dd'; // 32 bytes = 256-bit key
$string = 'This is a string to encode';
// IV size is queried for the same mode used below (CBC); for Rijndael-256 it is 32 bytes.
// MCRYPT_DEV_URANDOM is the safer IV source where it is available.
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_RAND);
// this will be sent with the first redirect...
$state = rawurlencode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $string, MCRYPT_MODE_CBC, $iv));
// .. this will be received when the client is redirected back here
// in another HTTP request
$decrypted_string = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, rawurldecode($state), MCRYPT_MODE_CBC, $iv);
// mcrypt zero-pads the plaintext to the block size, so strip the trailing NUL bytes
var_dump(rtrim($decrypted_string, "\0")); // Outputs: "This is a string to encode"
If I do this test, it works because it's the same request, and I guess $iv is the same for the mcrypt_encrypt and mcrypt_decrypt.
However, if I split this between two HTTP requests as I intend:
$secret_key = 'e6aeee1c80c231bf724b31d3c4cc77dd';
$string = 'This is a string to encode';
// IV generated in the first request; nothing here preserves it for the second request
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_RAND);
// this will be sent with the first redirect...
$state = rawurlencode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $string, MCRYPT_MODE_CBC, $iv));
Then the client is redirected back with the state passed back in the URL:
$secret_key = 'e6aeee1c80c231bf724b31d3c4cc77dd';
// a brand-new random IV, unrelated to the one used for encryption
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_RAND);
$decrypted_string = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, rawurldecode($state), MCRYPT_MODE_CBC, $iv);
// Outputs: "�|% <�-��+^�%6��7�rY��^�"
It is all messed up. I'm guessing that as $iv is created another time with the MCRYPT_RAND option it's going to be different, thus decrypt differently too. But I can't find an example of how this ought to be written for this case.
How should I be encrypting/decrypting so that I can successfully decrypt after the redirect back?
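The pattern that makes this work across two requests, as an added example that is not part of the original question: the IV is not secret, so it is sent along with the ciphertext (prepended to it), and the whole blob is authenticated with an HMAC so that a caller who tampers with the returned state parameter gets a rejection instead of a CBC bit-flipped plaintext. The example uses the openssl_* functions rather than mcrypt, because the mcrypt extension was deprecated in PHP 7.1 and removed in PHP 7.2. The function names (seal_state, open_state, derive_keys, the b64url helpers) and the hard-coded $SECRET are assumptions for illustration; the plaintext and key value are the ones from the question.

```php
<?php
// Added example, not code from the original question.
// State layout on the wire: base64url( IV || ciphertext || HMAC-SHA256(IV || ciphertext) )

const CIPHER = 'aes-256-cbc';

// Derive separate encryption and MAC keys from one master secret so the
// AES key is never reused as the HMAC key. (Assumed labels.)
function derive_keys(string $secret): array
{
    return [
        'enc' => hash_hmac('sha256', 'oauth-state-encryption', $secret, true),     // 32 bytes
        'mac' => hash_hmac('sha256', 'oauth-state-authentication', $secret, true), // 32 bytes
    ];
}

// URL-safe base64 so the value survives a query string without '%' escapes.
function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt)
{
    return base64_decode(strtr($txt, '-_', '+/'), true); // strict: false on junk
}

// Request 1: build the state parameter.
function seal_state(string $plaintext, string $secret): string
{
    $k  = derive_keys($secret);
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh 16-byte IV per message
    $ct = openssl_encrypt($plaintext, CIPHER, $k['enc'], OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $body = $iv . $ct;                                     // IV travels with the ciphertext
    $tag  = hash_hmac('sha256', $body, $k['mac'], true);   // encrypt-then-MAC
    return b64url_encode($body . $tag);
}

// Request 2: verify and decrypt the state that came back in the URL.
// Returns null for anything tampered with, truncated, or not produced by us.
function open_state(string $state, string $secret): ?string
{
    $k      = derive_keys($secret);
    $raw    = b64url_decode($state);
    $ivLen  = openssl_cipher_iv_length(CIPHER);
    $tagLen = 32;
    if ($raw === false || strlen($raw) < $ivLen + 16 + $tagLen) {
        return null;
    }
    $tag  = substr($raw, -$tagLen);
    $body = substr($raw, 0, -$tagLen);
    // Constant-time comparison, and the MAC is checked before the ciphertext
    // is touched, so a CBC padding oracle has nothing to work with.
    if (!hash_equals(hash_hmac('sha256', $body, $k['mac'], true), $tag)) {
        return null;
    }
    $iv = substr($body, 0, $ivLen);
    $ct = substr($body, $ivLen);
    $pt = openssl_decrypt($ct, CIPHER, $k['enc'], OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Demo with an assumed secret (load it from configuration in real code).
$SECRET = 'e6aeee1c80c231bf724b31d3c4cc77dd';
$state  = seal_state('This is a string to encode', $SECRET);
var_dump(open_state($state, $SECRET));          // string(26) "This is a string to encode"

// One altered character in the returned state, or a different secret, is rejected:
$tampered     = $state;
$tampered[10] = $tampered[10] === 'A' ? 'B' : 'A';
var_dump(open_state($tampered, $SECRET));        // NULL
var_dump(open_state($state, 'wrong-secret'));    // NULL
```

Two points worth keeping in mind when applying this to an OAuth state parameter. First, simply persisting the IV (for example in the session) would make the question's mcrypt code decrypt correctly, but unauthenticated CBC still lets anyone who holds the URL flip bits in the plaintext, which is why the HMAC check above is not optional. Second, the state parameter's job in OAuth is CSRF protection (RFC 6749, section 10.12): a random value stored server-side in the session and compared on return is the standard approach, and encryption only becomes necessary when the state must carry data that cannot be kept in the session.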