obfuscate with openssl


#1
Vaielab
Hello,

I want to find a way to obfuscate data with OpenSSL. My data are mostly IDs, so small-ish numbers.

Right now I'm using this:

$key = 'SecretKey';
// Open the 3DES cipher in ECB mode
$td = mcrypt_module_open('tripledes', '', 'ecb', '');
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
mcrypt_generic_init($td, $key, $iv);
// Encrypt the input string, then release the cipher handle
$encrypted_data = mcrypt_generic($td, $string);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
// URL-safe base64 ('+/' mapped to '-_', '=' padding stripped), then URL-encoded
return urlencode(str_replace('=', '', strtr(base64_encode($encrypted_data), '+/', '-_')));


And it's working great.
But I want to go to the next level.
Now it's more like a reference table. Each time I encode the number 1, the same string is returned.
I know that with some encodings we can have the same number be encoded in multiple ways, but when decoded it always returns the same number.
What encoding/modification should I do in my script to achieve this result?

Thank you

#2
Orjan
I believe a salt or two is a good way to do that. Randomize a string, for example 6 positions, and add it to the string to be encrypted. To be able to compare if you use it for passwords, you need to store the salt. One way to do it is to store the salt somewhere in the encrypted string, for example insert it at position X. To compare, take away the salt from the encrypted string, add the salt to the given password and encrypt it. If the encrypted strings now match, the password matches.

#3
Alexander
I would like to note on your original attempt:
  • 3DES (three-DES) was formed to increase the effective key length to 168 or so bits, as DES had an original key length of 56 bits, which was deemed too short. It was abandoned quickly due to its slow operations, and other ciphers being available with high key sizes.
  • Electronic codebook (ECB) will cause the same data to make the same patterns; encryption is done on each isolated block, having nothing to do with the one before. You can in fact extrapolate what the contents may look like, based on these patterns (images, common words). I would therefore recommend CBC.
  • An asymmetrical cipher will allow others to encode strings, if the original key were to be found, in some situations.
  • MCRYPT_RAND is slow; MCRYPT_URAND (or whatever it may be called) will be equally secure in your sense, relying on a SHA-1 based RNG when no entropy is available, rather than freezing.
OpenSSL (and TLS) was meant as an infrastructure for key exchange, a public key crypto-system, message digest authentication, and of course data encryption. For most purposes AES (Rijndael) should be used. You should be able to use a predefined and long enough (256-bit) key and apply a random IV, send the IV and cipher data in the URL (or whatever it may be), and decode it on the web server.

Alexander.

Edited by Alexander, 04 November 2011 - 04:21 PM.
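
Alexander's suggestion above (AES with a 256-bit key and a fresh random IV carried in the URL next to the ciphertext), as an added example that is not part of the thread. It uses PHP's OpenSSL extension in CBC mode and additionally appends an HMAC, which the thread does not mention, so altered tokens are rejected before decryption; the function names and demo keys are assumptions.

```php
<?php
// Added example (not from the thread). Function names and keys are hypothetical.

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt) {
    $padded = str_pad($txt, strlen($txt) + (4 - strlen($txt) % 4) % 4, '=');
    return base64_decode(strtr($padded, '-_', '+/'), true); // false on bad input
}

// Token layout: IV (16 bytes) || AES-256-CBC ciphertext || HMAC-SHA256 (32 bytes)
function obfuscate_id(int $id, string $encKey, string $macKey): string {
    $iv  = random_bytes(16); // fresh IV per call: same ID, different token
    $ct  = openssl_encrypt((string)$id, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return b64url_encode($iv . $ct . $mac);
}

// Returns the ID, or null if the token is malformed or was modified.
function reveal_id(string $token, string $encKey, string $macKey): ?int {
    $raw = b64url_decode($token);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) {
        return null;
    }
    $iv  = substr($raw, 0, 16);
    $ct  = substr($raw, 16, -32);
    $mac = substr($raw, -32);
    // Verify the MAC in constant time before touching the ciphertext.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        return null;
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    // Only non-negative integer IDs are accepted.
    return ($pt !== false && ctype_digit($pt)) ? (int)$pt : null;
}

// Constructed demo keys; a real deployment loads two fixed 32-byte keys from config.
$encKey = random_bytes(32);
$macKey = random_bytes(32);

$a = obfuscate_id(1, $encKey, $macKey);
$b = obfuscate_id(1, $encKey, $macKey);
echo "token A: $a\ntoken B: $b\n";
echo "tokens differ: ", var_export($a !== $b, true), "\n";
echo "A decodes to: ", var_export(reveal_id($a, $encKey, $macKey), true), "\n";
echo "B decodes to: ", var_export(reveal_id($b, $encKey, $macKey), true), "\n";
echo "tampered A: ", var_export(reveal_id(strrev($a), $encKey, $macKey), true), "\n";
```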