Why Does Reactor Need Encryption Keys?
#1

xjohnson
 
Hi, All -

One of the features I like in CI v1.7.3 is being able to encrypt cookie data by simply turning a 'FALSE' setting into a 'TRUE' setting in the config.php file. However, this ease seems to be slightly more complicated with the CI v2.0.2 I just upgraded to. Whether or not I choose to encrypt cookie data, I'm required to provide some sort of "encryption key" in the config.php file.

But I'm not sure why. What should be used as an encryption key? Any old random string of characters? Why can't CI v2.0.2 just encrypt data as it has in the past? If the idea is to provide two-way encryption, then under what conditions would someone want to do that? In a nutshell, what is the philosophy behind this requirement?

Thanks in advance.



Warm Regards
 
#2

fesweb
I don't know the actual answer, but I assume that adding your own encryption key ties the encryption to your own specific application. It adds another element that cannot be predicted by someone trying to replicate your sessions or cookies.
#3

WanWizard
To force you to pick unique encryption keys. What's the point of encrypting something if your key is public?
#4

troy_mccormick
The previous replies are correct in that if you don't have a "hash" (which is what the encryption key is being used as), the data you encrypt utilizing MD5 or another hashing method can be looked up in a table quite easily. I personally just use this site to generate a key for me:

https://www.grc.com/passwords.htm

And copy and paste it in. Takes all of two seconds, and adds that much more security to my app.

Happy Developing!
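
An added example, not part of the thread and not CodeIgniter's own code: it shows why a per-application secret key matters for cookie data, by generating a key locally from the OS random source and using it to make cookie tampering detectable. The function names, the `payload.tag` cookie layout and the sample payload are assumptions made for illustration, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration; function names and the cookie layout are hypothetical.

// Generate a key locally from the OS CSPRNG (32 bytes, hex-encoded to 64 chars).
function generate_key(): string
{
    return bin2hex(random_bytes(32));
}

// Attach a keyed MAC to the payload. Recomputing the tag requires the secret key,
// so a client that edits the payload cannot produce a matching tag.
function seal_cookie(string $payload, string $key): string
{
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, $key);
}

// Return the payload if the tag verifies, or null if the cookie is malformed or altered.
function open_cookie(string $cookie, string $key): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, $key);
    // hash_equals compares in constant time, so the check leaks no timing hints.
    return hash_equals($expected, $parts[1]) ? $payload : null;
}

$key = generate_key();

// Constructed sample session data.
$cookie = seal_cookie('{"user_id":42,"is_admin":false}', $key);
var_dump(open_cookie($cookie, $key));

// The payload is edited client-side while the old tag is kept: the check rejects it.
$tampered = base64_encode('{"user_id":42,"is_admin":true}') . strstr($cookie, '.');
var_dump(open_cookie($tampered, $key));

// The same cookie checked under a different application's key is rejected too.
var_dump(open_cookie($cookie, generate_key()));
```

The key belongs in server-side configuration only; if it is a default or published value, anyone can compute valid tags and the check above protects nothing.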



