On Wed, Nov 30, 2011 at 4:25 PM, Matijn Woudt <tijn...@gmail.com> wrote:
> On Wed, Nov 30, 2011 at 10:18 PM, Adam Richardson <simples...@gmail.com>
> wrote:
> > On Wed, Nov 30, 2011 at 4:14 PM, Matijn Woudt <tijn...@gmail.com> wrote:
> >
> >> On Wed, Nov 30, 2011 at 9:57 PM, Rick Dwyer <rpdw...@earthlink.net>
> wrote:
> >> > Hello all.
> >> >
> >> > I am using the following function to encrypt a string:
> >> >
> >> > define('SALT', 'myvalueforsalthere');
> >> >
> >> > function encrypt($text)
> >> > {
> >> > return trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, SALT,
> >> > $text, MCRYPT_MODE_ECB,
> >> > mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256,
> >> MCRYPT_MODE_ECB),
> >> > MCRYPT_RAND))));
> >> > }
> >> >
> >>
> >> Can you post your decrypt function too?
> >>
> >> You create a random IV here, don't you need that IV to decrypt too?
> >>
> >>
> > You're normally right, Matijn,
> >
> > However, ECB mode doesn't use an IV, so even though he's generating an
> IV,
> > it's not being used (and, the benefit of an IV is one of the main reasons
> > you try to avoid ECB.)
> >
> > Adam
>
> Ah, I see, you're right. I thought he was using CBC (which I would
> recommend).
> That also means that example #1 is wrong at mcrypt_encrypt help page[1].
>
> Matijn
>
> [1] http://php.net/manual/en/function.mcrypt-encrypt.php#example-884
>
Nice catch in the documentation, Matijn. While it will encrypt and decrypt
successfully, the IV isn't being used, so it would seem to be a better
illustration of use of someone switched the mode to one that's using the IV.
Someone with access to the documents want to make the change to one of the
other modes (as Matijn pointed out, CBC is pretty common?)
Adam
--
Nephtali: A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com
