
I have a database full of data encrypted in 3DES (ECB) that was encrypted with the PHP Mcrypt library. Since Mcrypt is deprecated, I need to switch to OpenSSL to decrypt it. All the data will be reencrypted using xchacha20-poly1305-ietf.

So I don't need comments about 3DES not being secure and ECB bad etc, we know, this is why we are trying to decrypt to have a better encryption algorithm.

I am providing below the code that was used to encrypt using mcrypt and the 1 line we are trying to use (openssl) to decrypt it. It always returns false and we are wondering why.

I am starting to suspect the problem is with the mcrypt library using an 8-byte IV while OpenSSL says it has to be 0 bytes.

Any help would be appreciated to find a way to decrypt the values using openssl.

Thanks in advance.

Here is the code:

```php
<?php
$sEncryptionKey = 'aaaabbbbccccddddeeeeffff';
$sDataToEncrypt = 'Foo bar';

echo "Data to be Encrypted: $sDataToEncrypt\n";

// Open the mcrypt 3DES module in ECB mode
$rMcrypt = mcrypt_module_open(MCRYPT_3DES, '', MCRYPT_MODE_ECB, '');
$iIvSize = mcrypt_enc_get_iv_size($rMcrypt); //This gives 8 bytes

$sInitializationVector = mcrypt_create_iv($iIvSize, MCRYPT_RAND);
$iKeySize = mcrypt_enc_get_key_size($rMcrypt);

if ($iKeySize != strlen($sEncryptionKey)) {
    throw new Exception ('Invalid key length: '.$iKeySize);
}

// Encrypt with mcrypt and store the result base64-encoded
mcrypt_generic_init($rMcrypt, $sEncryptionKey, $sInitializationVector);
$sEncryptedString = base64_encode(mcrypt_generic($rMcrypt, $sDataToEncrypt));

echo "Data Encrypted: $sEncryptedString\n";

// Decrypt with mcrypt
$sDecryptedString = trim(mdecrypt_generic($rMcrypt, base64_decode($sEncryptedString)));

echo "Data Decrypted: $sDecryptedString\n";
mcrypt_generic_deinit($rMcrypt);
mcrypt_module_close($rMcrypt);

// Attempt 1: decrypt with OpenSSL, empty IV
$sDecryptedString2 = openssl_decrypt(base64_decode($sEncryptedString), 'des-ede3', $sEncryptionKey, 0, ''); //this returns false.
echo "Data Decrypted (open SSL): $sDecryptedString2\n";

// Attempt 2: decrypt with OpenSSL, passing the mcrypt IV
$sDecryptedString2 = openssl_decrypt(base64_decode($sEncryptedString), 'des-ede3', $sEncryptionKey, 0, $sInitializationVector); //Warning: openssl_decrypt(): IV passed is 8 bytes long which is longer than the 0 expected by selected cipher, truncating
?>
```

The output of the program shows:

```
Data to be Encrypted: Foo bar
Data Encrypted: 5Mraf9swmaI=
Data Decrypted: Foo bar
Data Decrypted (open SSL): 

Warning: openssl_decrypt(): IV passed is 8 bytes long which is longer than the 0 expected by selected cipher, truncating in /usr/local/www/appcluster01.ezmax.ca/pub/web/test/ian/test.cmd on line 31
```

Ian Lord
  • Any 2-way symmetric encryption is inherently insecure on a webserver, because the webserver would also possess the key to decrypt it. If you don't need the data decrypted (often), look at asymmetric encryption. But on to your problem: you have to use the same IV that was used to encrypt it to decrypt it. Beyond that I **don't think** the 2 are compatible. – ArtisticPhoenix Nov 09 '18 at 19:29
  • Possible duplicate of [Decrypt mcrypt with openssl](https://stackoverflow.com/questions/31520311/decrypt-mcrypt-with-openssl) – ArtisticPhoenix Nov 09 '18 at 19:34

1 Answer

I just realized I was using openssl_decrypt incorrectly.

Changing to this works fine:

```php
$sDecryptedString2 = openssl_decrypt(base64_decode($sEncryptedString), 'des-ede3', $sEncryptionKey, OPENSSL_ZERO_PADDING | OPENSSL_RAW_DATA, '');
```

I hope it will help someone someday.

Thanks

Funk Forty Niner
Ian Lord
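
The migration described in the question, as an added example that is not part of the original post or answer: it decrypts a legacy value with the two flags from the answer, strips mcrypt's NUL padding, and re-encrypts with XChaCha20-Poly1305 from PHP's sodium extension. The helper names `decryptLegacy3des()` and `reencrypt()` are hypothetical, and it assumes stored plaintexts never end in NUL bytes.

```php
<?php
// Added example: decryptLegacy3des() and reencrypt() are hypothetical helper names.

function decryptLegacy3des(string $b64, string $key): string
{
    $raw = base64_decode($b64, true);
    if ($raw === false || $raw === '' || strlen($raw) % 8 !== 0) {
        throw new RuntimeException('not base64 of whole 8-byte DES blocks');
    }
    // OPENSSL_RAW_DATA: $raw is already binary; with options 0 OpenSSL would
    // base64-decode it a second time.
    // OPENSSL_ZERO_PADDING: do not expect PKCS#7 padding; mcrypt filled the
    // last block with NUL bytes. ECB takes no IV, so none is passed.
    $plain = openssl_decrypt($raw, 'des-ede3', $key,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING);
    if ($plain === false) {
        throw new RuntimeException('openssl_decrypt failed');
    }
    // With no padding check and no MAC, a wrong key yields garbage rather than
    // false, so validate the plaintext format before trusting it.
    // Assumption: stored plaintexts never end in NUL bytes, so stripping them
    // removes only mcrypt's padding.
    return rtrim($plain, "\0");
}

function reencrypt(string $plain, string $newKey): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $box = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plain, '', $nonce, $newKey);
    // Confirm the new ciphertext decrypts before the old value is overwritten.
    $check = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($box, '', $nonce, $newKey);
    if ($check !== $plain) {
        throw new RuntimeException('re-encryption round trip failed');
    }
    // Store the nonce with the ciphertext; it is needed for decryption.
    return base64_encode($nonce . $box);
}

// Key and ciphertext are the sample values from the question.
$plain  = decryptLegacy3des('5Mraf9swmaI=', 'aaaabbbbccccddddeeeeffff');
$newKey = sodium_crypto_aead_xchacha20poly1305_ietf_keygen(); // constructed for the demo
var_dump($plain, reencrypt($plain, $newKey));
```

The original mcrypt code used `trim()`, which also strips whitespace; `rtrim($plain, "\0")` removes only the padding bytes, so values with meaningful trailing spaces survive the migration.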