Encrypted String Changes Every Time (very bad!)
#1

[eluser]PhxVyper[/eluser]
Hi,

So, I am encrypting a string and noticed that every time I encrypt that very same string, the encrypted string is different EVERY TIME.

To test, I hard-coded the key to ensure it is the same key every time.

$this->load->library('encrypt');
echo $this->encrypt->encode('this is a test string','blahblahblah');

result 1:
PeGPM6MIq6Wn/eE9LHcQYKuVolY2LEQicmHiX3/vYK+pi28FV/Z2heAJMUtMQL4Av6hY/hTe0CUdpJhIKM6ZhA==

result 2:
+rLk+B6TTldVQb5NdD6UFB6gjo11jHbSHeZ2rC6TFmYg8LNg/TSH1YcNCEpe8sQGYqYaF2iHbZHpbhzFGsnEXg==

result 3:
Ne8lVIdFGGujf7wQrDojYy+oVejIOaOtNU7Pc1INbdYNq4/zUvFiwdrGFkxVasr+eWBQ9PgTzIfqms46EStLAA==

and so on.

what the.....!!!!!

shouldn't the value be consistent? Otherwise, I can't decrypt it!
#2

[eluser]Chris Newton[/eluser]
As long as it decodes, then it's fine, it's doing its job. I've tested it as well, and the string may be different every time, but the decode works. That's the nice thing about working with frameworks, some things are 'black boxes' that you plug data into and get out the results without needing to know what's under the hood. In this case, just use the CI decrypt function, and you'll get your data back out safe & sound.


Here's some test code;

Code:
<?php
class Encrypt extends Controller{
    function Encrypt(){
        parent::Controller();
    }
    function index(){
        $this->load->library('encrypt');
        $msg = 'My secret message';
        $encrypted_string = $this->encrypt->encode($msg);
        echo 'encrypted: '.$encrypted_string;
        echo '<br />';
        echo '<br />';
        $decrypted_string = $this->encrypt->decode($encrypted_string);

        echo 'decrypted: '.$decrypted_string;
    }
}
?>
#3

[eluser]xwero[/eluser]
That is a part of the security of hashing (encrypting). Even if you add the same string you will get another value. If it were the same each time the same word(s) get encrypted, hackers would simply make an encrypted dictionary and use it for attacks.
#4

[eluser]gtech[/eluser]
Just to confirm what xwero says, the encryption library uses [url="http://uk3.php.net/mcrypt_create_iv"]mcrypt_create_iv[/url] to create a random seed (probably by using a timestamp), so it looks intentional.
#5

[eluser]PhxVyper[/eluser]
This is a problem though when you are trying to compare a value submitted (not encrypted) with a value encrypted in a field in a database.

This one particular project I'm working on deals with HIPAA, so I must encrypt specific fields (while still making the data in those fields accessible/decryptable for future use).

For example:

1. I encrypt an email address and store that email in the database.
2. User enters email address in a form
3. I want to perform a lookup to determine if email exists in database.

This means I have to be able to encrypt the email address provided by the user and perform a SELECT against the table to determine if email record exists with a matching encrypted string.

Now, I would say that there is a quick solution by storing the init. vector value, but since I have multiple fields that I must encrypt, then this becomes problematic.

So, at this point, does anyone have a good idea on how I can work around this issue?
#6

[eluser]gtech[/eluser]
First thing I can think of, if you use 1 way encryption (eg md5 or sha1) the encoded string is the same each time

$this->load->library('encrypt');
$msg = 'My secret message';
$encrypted_string = $this->encrypt->sha1($msg);
echo 'encrypted: '.$encrypted_string;
echo '<br />';
echo '<br />';

BUT you won't be able to decrypt the string
#7

[eluser]gtech[/eluser]
Ah-ha a possible solution (read reply above this one 1st):

You could store the 1 way and the 2 way encrypted string in the database, so you can do the lookup AND you can decrypt the email.

as mentioned above the 1way stays the same (so long as the private key is the same)
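
The approach from the reply above (a keyed one-way value for the lookup, stored next to the two-way encrypted value), as an added example that is not code from the thread or from CodeIgniter. It uses PHP's hash and openssl extensions instead of the Encrypt library; the key variables, function names, email normalisation and in-memory table are assumptions made for illustration.

```php
<?php
// Added example: keys, function names and the "table" below are constructed.
$encKey = random_bytes(32);   // assumption: in practice loaded from a secret store
$idxKey = random_bytes(32);   // separate key, used only for the lookup column

// Keyed one-way value: same email + same key => same index, so it can be queried.
// Assumption: addresses are compared case-insensitively and without outer spaces.
function blind_index(string $email, string $idxKey): string
{
    return hash_hmac('sha256', strtolower(trim($email)), $idxKey);
}

// Randomized two-way encryption: a fresh nonce makes every ciphertext different.
function encrypt_field(string $plain, string $encKey): string
{
    $nonce = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $encKey, OPENSSL_RAW_DATA, $nonce, $tag);
    return base64_encode($nonce . $tag . $ct);
}

// Returns the plaintext, or false when the value is malformed or was tampered with.
function decrypt_field(string $stored, string $encKey)
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        return false;                       // too short to hold nonce + tag
    }
    $nonce = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = (string) substr($raw, 28);
    return openssl_decrypt($ct, 'aes-256-gcm', $encKey, OPENSSL_RAW_DATA, $nonce, $tag);
}

// Constructed stand-in for a users table with two columns: email_idx, email_enc.
$table = [];
foreach (['alice@example.com', 'bob@example.com'] as $email) {
    $table[blind_index($email, $idxKey)] = encrypt_field($email, $encKey);
}

// Lookup of a submitted address: equivalent to SELECT ... WHERE email_idx = ?
$submitted = ' Alice@Example.com ';
$idx = blind_index($submitted, $idxKey);
$found = isset($table[$idx]) ? decrypt_field($table[$idx], $encKey) : null;

var_dump($found);   // the stored address after decryption, or null when absent
// Two encryptions of the same address, compared for equality:
var_dump(encrypt_field('alice@example.com', $encKey) === encrypt_field('alice@example.com', $encKey));
```

The index column still shows which rows hold the same address, so its key belongs outside the database and separate from the encryption key.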
#8

[eluser]PhxVyper[/eluser]
Thanks.

I decided to extend the core library and have changed the init. vector call to use a preconfigured value.
#9

[eluser]PhxVyper[/eluser]
Hi,

Actually, after further investigation, it is NOT the init. vector function that causes the "randomization" of the encrypted string. It is the _xor_encode and _xor_decode methods within the Encrypt class.

So, I have now extended the Encrypt class to just have two new methods and I'm using the core mcrypt_encode and mcrypt_decode methods.

Code:
<?php  if (!defined('BASEPATH')) exit('No direct script access allowed');

/**
* PD_Encrypt class for custom data encryption
*/
class Pd_Encrypt extends CI_Encrypt
{

    /**
     * Encrypt and Encode String
     *
     * @param string $string
     * @param string $key
     * @return string
     */
    function pd_encode($string, $key = '')
    {
        $key = $this->get_key($key);
        $enc = $string;

        if ($this->_mcrypt_exists === TRUE)
        {
            $enc = $this->mcrypt_encode($string, $key);
        }
        return base64_encode($enc);        
    }

    /**
     * Decode and Decrypt String
     *
     * @param string $string
     * @param string $key
     * @return string
     */
    function pd_decode($string, $key = '')
    {
        $key = $this->get_key($key);
        $dec = base64_decode($string);
        
        if ($dec === FALSE)
        {
            return FALSE;
        }
        
        if ($this->_mcrypt_exists === TRUE)
        {
            $dec = $this->mcrypt_decode($dec, $key);
        }
        
        return $dec;
    }
}
?>



