In message <6126f3d3-91a0-02b3-20e8-ab26dbf8b...@gmail.com> on Sun, 2 Sep 2018
06:48:09 -0500, Jim Dutton said:
> It appears that the (PHP) openssl_encrypt function will accept a string of
> random bytes as the encryption key in place of a generated private key. It
> works without any errors or
I have been using the examples given in the PHP-openssl_encrypt documentation
for AEAD with PHP 7 or a suitable emulation of that using HMAC with PHP 5. Being
very familiar with security issues and functionality I automatically started
using an elliptical curve private key as the "key" after
> On Sep 2, 2018, at 6:51 PM, Jim Dutton wrote:
>
> It is interesting to note that the openssl_private_encrypt function appears
> to require a "true" private key and either expects or defaults to RSA.
Not surprising, given the name and brief documentation.
> In both cases neither
OK - thanks for the feedback. It is interesting to note that the
openssl_private_encrypt function appears to require a "true" private key and
either expects or defaults to RSA. In both cases neither PHP-OpenSSL nor
OpenSSL documentation make these distinctions between the two "encrypt"
> On Sep 2, 2018, at 7:48 AM, Jim Dutton wrote:
>
> It appears that the (PHP) openssl_encrypt function will accept a string of
> random bytes as the encryption key in place of a generated private key.
This is an interface to data encryption with the OpenSSL *symmetric*
encryption algorithms,
>This begs the question: what does openssl_encrypt actually do with just a
> string
of random bytes passed as the "key". I can't find anything in the OpenSSL or
PHP/openssl source code that clearly identifies any particular action
There is no such name (git grep -I openssl_encrypt)
It appears that the (PHP) openssl_encrypt function will accept a string of
random bytes as the encryption key in place of a generated private key. It
works without any errors or warnings. So does the openssl_decrypt function.
This begs the question: what does openssl_encrypt actually do with just
