Basic Facts:
$algorithm = MCRYPT_BLOWFISH; $mode = MCRYPT_MODE_CBC; $randSource = MCRYPT_DEV_URANDOM;
Note This is not a strict coding question.
Context:
CentOS 7, Apache 2.4.12, & PHP 5.6.20.
I am making an HTML email with a "verify your email address" link that allows a registration process to complete. Everything on my virtual private server is UTF-8, and all form and query string input is processed with multi-byte (mb) funcions.
Background
As an experiment (I know about the age and state of the mcrypt library), I am attempting to decrypt Blowfish encrypted query string parameters. Assume that on the way up, the encryption sequence works perfectly and I am receiving email with the link.
On the way down, the hmac_hash()
signing (SHA-512, just for this experiment) is working and I am able to separate each independent message (32 characters) from its hash checksum (128 characters). Base64 decoding of the separated message portion is working. For each parameter, I am left with the composite cipher text, where composite cipher text equals the IV + base cipher text. Assume I use a version of substr()
to obtain the IV and the base cipher text independently (which is par for the course).
Problem
PHP: Warning mcrypt_generic_init(): Iv size is incorrect; supplied length: 12, needed: 8
Assume I have combed the PHP manual and Stackoverflow. Assume I have looked at other questions similar, but not exactly like this one. Assume I have searched the Internet to no avail. Assume I have enough experience to setup mb_string
properly. Assume that I will take care of mcrypt padding when I get past this current problem.
Could multi-byte issues be interfering with decryption?
Could base64 encoding the IV + base cipher text
corrupt the IV?
Could base64 padding be an issue?
Should I be specifying a more specific MCRYPT_BLOWFISH_*
?
Why does the blowfish IV size report 8 bytes, but rarely produces an 8 byte IV?
Which substr() should I use, substr()
or mb_substr()
, for a setup that leans towards making everything UTF-8 and processes all other input as multi-byte UTF-8. I know that is an odd question, but all of the PHP Manual mycrypt decryption sequence examples use substr(), and none use mb_substr()
. Everything on my site works with mb_functions when possible, and I would not mind using substr()
if it solved my problem, but it does not solve it. When I use mb_substr()
, I get the following warning.
PHP: Warning mcrypt_generic_init(): Iv size is incorrect; supplied length: 11, needed: 8
Does anyone have any experience with this exact issue? Constructive answers will be rewarded!
Latest
Above is an example Blowfish hash that I am trying to reconstruct from an array, received via a SHA512 HMACed, symmetricly Blowfish encrypted (CBC), url safe Base64 encoded, urlencoded, query string (phew!).
Below, this is what the strings for the query string look like before being urlencoded (don't mind the indexes right now).
Above is the Base64 decoded and Blowfish decrypted array derived from the query string (Obviously, there are security steps in between this result, but I am just trying to show the latest state of things.) Something is not right. Encryption appears to work without any errors. Decryption does not produce and errors either. The plain text is just wrong. If I join/implode these elements, they will not be like the blowfish hash above.
1 Answers
Answers 1
Preliminary answer.
Both mycrpt_create_iv()
and mcrypt_generic()
output an ISO-8859-1 string. If you have a pure UTF-8 stack, and you intend on using Mcrypt's Blowfish to encrypt query string values, you must ensure that the composite cipher text (IV + Cipher Text) arrives at the decryption sequence as ISO-8859-1 (so, to be safe, you better make sure it arrives at the encryption sequences as ISO-8859-1). You can use substr()
to recover the IV and true ciper text just fine, but you must first use utf8_decode()
to change your UTF-8 composite cipher text to single byte ISO-8859-1 (testing in progress).
In effect, it seems that you want to be using ISO-8859-1 with mcrypt. Shape your inputs accordingly. But, still, now that the IV error is gone the data does not decrypt.
0 comments:
Post a Comment