I'm working on a little script that will allow me to store relatively secure information in a cookie to validate a user login without the use of sessions. Part of the output is an encrypted salt to use when generating a hmac_hash with some of the information stored in the cookie, and some of the user information in the database.
However, after some testing, I've run into a problem with the encryption/decryption of the strings, which causes different hash results.
i.e.:
    $str = '123456abcdef';
    $hash1 = sha1($str);
    $v1 = do_encrypt($str);
    $v2 = do_decrypt($v1);
    $hash2 = sha1($v2);
and I end up with
$hash1 - d4fbef92af33c1789d9130384a56737d181cc6df
$hash2 - 0d6034f417c2cfe1d60d263101dc0f8354a1216f
but when I echo both strings, they are both 123456abcdef.
The do_encrypt function is as follows:
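    function do_encrypt($value) {
        // $salt is passed to mcrypt_generic_init() as the CBC IV
        $salt = generate_salt();
        $td = mcrypt_module_open('rijndael-256', '', 'cbc', '');
        // $ek is the encryption key pulled from another file
        mcrypt_generic_init($td, $ek, $salt);
        $encrypted_data = mcrypt_generic($td, $value);
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        // the salt is prepended so do_decrypt() can recover it
        return base64_encode($salt.$encrypted_data);
    }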
The do_decrypt function:
    function do_decrypt($value) {
        $data = base64_decode($value);
        // the first 32 bytes are the salt, the rest is the ciphertext
        $salt = substr($data, 0, 32);
        $data = substr($data, 32, strlen($data));
        $td = mcrypt_module_open('rijndael-256', '', 'cbc', '');
        // $ek is the encryption key pulled from another file
        mcrypt_generic_init($td, $ek, $salt);
        $decrypted_data = mdecrypt_generic($td, $data);
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        return $decrypted_data;
    }
For both functions, $ek is an encryption key pulled from another file.
I'm trying to understand why the characters that display are the same, but the actual variables are different (otherwise the hash results would be the same), and is there any way to ensure that both strings are identical for hashing purposes?
Thanks, Ryan.
!=
hashing. – Jared Farrish
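An added example, not part of the original post: mcrypt_generic() pads its input with "\0" bytes up to the cipher's block size, and mdecrypt_generic() returns those bytes, which are invisible when echoed but change the hash. The helpers zero_pad(), pkcs7_pad() and pkcs7_unpad() are hypothetical names that reproduce the padding only, so the script runs without the mcrypt extension.

```php
<?php
// Added illustration; the function names below are hypothetical helpers.
const BLOCK_SIZE = 32; // Rijndael-256 block size in bytes, as used in the post

// Mimics the padding mcrypt_generic() applies: NUL bytes up to a block multiple.
function zero_pad(string $s, int $block = BLOCK_SIZE): string {
    $rem = strlen($s) % $block;
    return $rem === 0 ? $s : $s . str_repeat("\0", $block - $rem);
}

// PKCS#7: always appends 1..$block bytes, each holding the pad length,
// so the padding can be removed unambiguously after decryption.
function pkcs7_pad(string $s, int $block = BLOCK_SIZE): string {
    $n = $block - (strlen($s) % $block);
    return $s . str_repeat(chr($n), $n);
}

function pkcs7_unpad(string $s, int $block = BLOCK_SIZE): string {
    $len = strlen($s);
    if ($len === 0 || $len % $block !== 0) {
        throw new InvalidArgumentException('length is not a block multiple');
    }
    $n = ord($s[$len - 1]);
    if ($n < 1 || $n > $block || substr($s, -$n) !== str_repeat(chr($n), $n)) {
        throw new InvalidArgumentException('malformed padding');
    }
    return substr($s, 0, $len - $n);
}

$str = '123456abcdef';          // sample value from the post
$roundTrip = zero_pad($str);    // what the decrypt step hands back

// Both echo identically, but the lengths and raw bytes differ.
printf("original: %d bytes, round trip: %d bytes\n", strlen($str), strlen($roundTrip));
echo bin2hex($roundTrip), "\n";

// Compare the hashes: raw round trip, NUL-stripped, and PKCS#7 round trip.
var_dump(sha1($str) === sha1($roundTrip));
var_dump(sha1($str) === sha1(rtrim($roundTrip, "\0")));
var_dump(sha1($str) === sha1(pkcs7_unpad(pkcs7_pad($str))));

// rtrim() is lossy when the plaintext itself ends in NUL bytes; PKCS#7 is not.
$binary = "abc\0\0";
var_dump(rtrim(zero_pad($binary), "\0") === $binary);
var_dump(pkcs7_unpad(pkcs7_pad($binary)) === $binary);
```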