Question

I am encrypting and decrypting a string using:

$key = 'my key';
$data = 'my string';
$ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($ivSize, MCRYPT_DEV_URANDOM);
$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_CBC, $iv);
$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted, MCRYPT_MODE_CBC, $iv);
$data = trim($decrypted, chr(0));

http://codepad.viper-7.com/1JgCRs

Is it safe to just trim off the padding added by the encryption algorithm, or is it necessary to store the length of the data before encrypting?


Solution 2

Padding is added on the right normally, so consider rtrim():

$data = rtrim($decrypted, chr(0));

However, this is still not perfectly safe, because in PHP strings can contain NUL-bytes. If for some reason the plain text did have NUL-bytes at the end, the rtrim will remove the padding and those previous NUL-bytes.
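The following is an added example, not part of the original answer. It compares zero padding plus rtrim() with PKCS#7 padding, a scheme that goes beyond what the answer mentions, on constructed inputs. It assumes the 32-byte block size of MCRYPT_RIJNDAEL_256 and assumes that mcrypt adds NUL bytes only when the data is not already block-aligned; the function names are hypothetical, and no mcrypt calls are needed because only the padding step is shown.

```php
<?php
// Added example: block size 32 matches MCRYPT_RIJNDAEL_256 (assumption from the question).
const BLOCK_SIZE = 32;

// Models mcrypt's behaviour before encrypting: right-pad with NUL bytes to a full block.
function zero_pad(string $data): string {
    $rem = strlen($data) % BLOCK_SIZE;
    return $rem === 0 ? $data : $data . str_repeat("\0", BLOCK_SIZE - $rem);
}

// PKCS#7: always append N bytes of value N (1..BLOCK_SIZE), so removal is unambiguous.
function pkcs7_pad(string $data): string {
    $n = BLOCK_SIZE - (strlen($data) % BLOCK_SIZE);
    return $data . str_repeat(chr($n), $n);
}

// Strict removal: reject anything that is not well-formed PKCS#7 padding.
function pkcs7_unpad(string $padded): string {
    $len = strlen($padded);
    if ($len === 0 || $len % BLOCK_SIZE !== 0) {
        throw new InvalidArgumentException('length is not a multiple of the block size');
    }
    $n = ord($padded[$len - 1]);
    if ($n < 1 || $n > BLOCK_SIZE || substr($padded, -$n) !== str_repeat(chr($n), $n)) {
        throw new InvalidArgumentException('invalid padding');
    }
    return substr($padded, 0, $len - $n);
}

// Constructed sample inputs: plain text, binary data ending in NUL bytes,
// and data that is exactly one block long.
$samples = [
    'text'           => 'my string',
    'trailing NULs'  => "binary\x00\x00",
    'exactly 1 block' => str_repeat('A', BLOCK_SIZE),
];

foreach ($samples as $label => $plain) {
    $viaZero  = rtrim(zero_pad($plain), "\0");      // the approach from the question
    $viaPkcs7 = pkcs7_unpad(pkcs7_pad($plain));     // length-preserving alternative
    printf("%-16s zero+rtrim: %-4s pkcs7: %s\n",
        $label,
        $viaZero === $plain ? 'ok' : 'LOST',
        $viaPkcs7 === $plain ? 'ok' : 'LOST');
}
```

In the real flow, pkcs7_pad() would run before mcrypt_encrypt() and pkcs7_unpad() after mcrypt_decrypt(). With CBC, verify a MAC over the IV and ciphertext before decrypting, so that padding errors cannot be triggered by tampered input.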

OTHER TIPS

You are trimming the value after you decrypt, so you won't run into any issues with the current code.

If you try to re-encrypt the different, trimmed data, you will get a different encrypted value.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow