Is it safe to trim a decrypted string?

StackOverflow https://stackoverflow.com/questions/15938993

Domanda

I am encrypting and decrypting a string using:

$key = 'my key';
$data = 'my string';
$ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($ivSize, MCRYPT_DEV_URANDOM);
$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_CBC, $iv);
$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted, MCRYPT_MODE_CBC, $iv);
$data = trim($decrypted, chr(0));

http://codepad.viper-7.com/1JgCRs

Is it safe to just trim off the padding added by the encryption algorithm, or is it necessary to store the length of the data before encrypting?

È stato utile?

Soluzione 2

Padding is added on the right normally, so consider rtrim():

$data = rtrim($decrypted, chr(0));

However this is still not yet perfectly safe because in PHP strings can contain NUL-bytes. If for some reason the plain did had NUL-bytes at the end, the rtrim will remove the padding and those previous NUL-bytes.

Altri suggerimenti

You are trimming the value after you decrypt so you won't run into ay issues with the current code.

If you try to re-encrypt the different, trimmed data, you will get a different encrypted value.

Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a StackOverflow
scroll top