Sorry, I meant Thomas and not Tom. It's been a long day.

James

On Wed, Apr 22, 2009 at 2:07 PM, Thomas Weidner <[email protected]> wrote:
> James,
>
> You may be mistaken by the used notations.
>
> For mcrypt you don't need just a key for decryption.
> You also need the vector from the encryption to get the content decrypted.
> Take a look at the manual for details.
>
> The point is, that the key is used as base for creating the
> encryption-vector.
> And only to have the key is not enough for decryption.
>
> So to answer your questions in detail:
> 1.) No, Yes
> 2.) No
> 3.) No (you should set vector and key when you have them... the key alone
>
> Greetings
> Thomas Weidner, I18N Team Leader, Zend Framework
> http://www.thomasweidner.com
>
> ----- Original Message ----- From: "James Stuart" <[email protected]>
> To: <[email protected]>
> Sent: Wednesday, April 22, 2009 7:41 PM
> Subject: [fw-general] Zend_Filter_Encrypt_Mcrypt Key Modified Before
> Encryption/Decryption
>
>
> Hi,
>
> I encountered an interesting problem with Zend_Filter_Encrypt_Mcrypt.
> We are hoping to use it to interact with a database that contains
> encrypted information. We set everything up, plugged our keys in,
> fired up the app... and nothing decrypted properly. After a little
> bit of digging, we found the issue: three lines of code in the
> encrypt() and decrypt() methods of the Mcrypt adapter.
>
> srand();
> $keysize = mcrypt_enc_get_key_size($cipher);
> $key = substr(md5($this->_encryption['key']), 0, $keysize);
>
> This code appears to be in place to ensure that the key is the correct
> size. In doing so, it completely changes the actual value of the key.
> By modifying the key itself the code, for all intents and purposes,
> eliminates the possibility of Zend_Filter_Encrypt_Mcrypt being able to
> interact with any other, non Zend Framework (or even non
> Zend_Filter_Encrypt_Mcrypt) systems.
>
> In order for these filters to be useful to us, we need to be able to
> set the exact key that will be used for encryption. Before we work
> around the issue here I have a couple of questions for this list:
>
> 1.) Am I correct in interpreting that the code above is simply a way
> of ensuring that the key is the correct size? Is it being used for
> any other purpose?
> 2.) Does anyone else see this as a potential issue for them?
> 3.) Would it be worth us modifying Zend_Filter_Encrypt_Mcrypt to
> ensure there is a way around the modification of keys? (If not, we
> may just fork a copy of the class for our own purposes.)
>
> Thanks,
> James
>
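
The key handling in the three quoted lines, reproduced in Python as an added example (not code from this thread or from Zend Framework). It computes the key the cipher actually receives, so a system that shares only the configured key can check whether it would match. The function names, sample keys and key sizes are assumptions made for the illustration.

```python
import hashlib


def zend_effective_key(configured_key: bytes, cipher_key_size: int) -> bytes:
    """Mirror substr(md5($key), 0, $keysize) from the quoted adapter code.

    PHP's md5() returns 32 lowercase hex characters, so the cipher is keyed
    with the ASCII bytes of that hex text, not with the configured key.
    """
    hex_digest = hashlib.md5(configured_key).hexdigest()
    return hex_digest[:cipher_key_size].encode("ascii")


def interop_report(configured_key: bytes, cipher_key_size: int) -> dict:
    """Summarise what another system must know to use the same cipher key."""
    effective = zend_effective_key(configured_key, cipher_key_size)
    return {
        "effective_key": effective,
        # False means a peer using the configured key directly cannot decrypt.
        "same_as_configured": effective == configured_key,
        # substr() cannot return more than the 32 hex characters md5() produced.
        "fills_key_size": len(effective) == cipher_key_size,
        # Every key byte is one of 16 hex digits, so it carries at most 4 bits.
        "max_key_bits": 4 * len(effective),
    }


if __name__ == "__main__":
    # Constructed sample keys and key sizes, not values from the thread.
    samples = [
        (b"abc", 24),
        (b"0123456789abcdef0123456789abcdef", 32),
        (b"abc", 56),
    ]
    for key, size in samples:
        print(key, size, interop_report(key, size))
```

A peer system has to apply the same derivation to the shared secret and, as the reply in the thread points out, also needs the vector used at encryption time.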
