Question

I am encrypting and decrypting a string using:

$key = 'my key';
$data = 'my string';
$ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($ivSize, MCRYPT_DEV_URANDOM);
$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_CBC, $iv);
$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted, MCRYPT_MODE_CBC, $iv);
$data = trim($decrypted, chr(0));

http://codepad.viper-7.com/1JgCRs

Is it safe to just trim off the padding added by the encryption algorithm, or is it necessary to store the length of the data before encrypting?


Solution 2

Padding is added on the right normally, so consider rtrim():

$data = rtrim($decrypted, chr(0));

However, this is still not yet perfectly safe, because in PHP strings can contain NUL-bytes. If for some reason the plain did have NUL-bytes at the end, the rtrim will remove the padding and those previous NUL-bytes.

Other tips

You are trimming the value after you decrypt so you won't run into any issues with the current code.

If you try to re-encrypt the different, trimmed data, you will get a different encrypted value.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow