Re: Joining ASP encryption (ASPEncrypt) and PHP encryption (mcrypt)
From: clem (clem_at_numeral.com)
Date: 05/28/03
- Next message: Simon Johnson: "Re: Open apology to Douglas Gwyn"
- Previous message: Danilo Gligoroski: "Re: Edon16 - crypto library for testing"
- In reply to: Kylotan: "Joining ASP encryption (ASPEncrypt) and PHP encryption (mcrypt)"
- Next in thread: Ben S: "Re: Joining ASP encryption (ASPEncrypt) and PHP encryption (mcrypt)"
- Reply: Ben S: "Re: Joining ASP encryption (ASPEncrypt) and PHP encryption (mcrypt)"
Date: Wed, 28 May 2003 03:31:59 -0700
On 28 May 2003 01:27:40 -0700, kylotan@hotmail.com (Kylotan) wrote:
>We are trying to write server-side code that encrypts and decrypts
>strings using PHP. All well and good, except that our encrypted data
>needs to be read by someone else who is using ASP and their encrypted
>data in ASP needs to be read by us with PHP.
>
>Given the correct use of the standards, this sounds like a trivial
>problem. However, I am no encryption expert and the
>libraries/components that do encryption for us tend to be a little
>opaque.
>
>For instance, we are using the mcrypt library
>(http://mcrypt.hellug.gr/) for PHP, which seems to support a lot of
>algorithms but makes no mention of things such as padding. On the
>other hand, our partners are using ASPEncrypt
>(http://www.aspencrypt.com/) which seems to give more control over
>things such as cipher padding, but obscures details such as how a key
>is created from a password, for instance.
>
>The end result is that what looks like the same key and cipher
>produces different results on our systems, and it's hard to isolate
>what is causing the discrepancy.
>
>Does anybody have any suggestions on methods that will work here, or
>sample code that has worked in the past? We were looking at using
>something like the RC4 algorithm, if that helps. Strength and speed
>are not necessarily as important as simply getting something that
>works consistently for both of us.

Just going to throw out some comments from the first impressions of
reading your post:

Judging from your comments about RC4, it looks like you are opening up
a can of worms. Do you realize the issues involved using RC4 in a
secure fashion? It is harder than it appears.

Will anyone get hurt or lose property if the data is compromised?

How long have you been using mcrypt? From your comments it sounds
like a week. Is this the extent of your security experience?

I've briefly used the AspEncrypt product you speak of and it is
trivial to understand how the key is generated, but you guys appear to
be baffled by it, so... I don't know, man... situation doubtful.

I would imagine the Mcrypt is even more primitive, so if you are
having such a hard time getting past this most trivial step, it is
more likely you could nail Famke Janssen tomorrow night than get even
a remotely passable secure design. Does this sound harsh?

But...

If all you are doing is horsing around and just trying to get this to
work as a non-volatile (no one will lose property or get hurt if you
are compromised) project, I can tell you that AspEncrypt derives the
key by hashing (SHA-1 or MD5 per your choice, if I recall) and you can
also use a key which is non-hashed (not recommended for security).
You will also likely need to work in base-64 (which AspEncrypt does
support). I don't know a thing about Mcrypt.
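
An added example, not part of the original thread and not AspEncrypt or mcrypt code: it shows why the "same key and cipher" can give different output when one side feeds RC4 the raw password and the other a hash of it, and how to test which derivation a partner's base-64 ciphertext matches. The list of candidate derivations, the 16-byte truncation, and the sample password and plaintext are assumptions made for illustration.

```python
import base64
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


# Candidate password-to-key derivations (an assumed set, not a library's spec).
DERIVATIONS = {
    "raw password": lambda pw: pw,
    "md5(password)": lambda pw: hashlib.md5(pw).digest(),
    "sha1(password)": lambda pw: hashlib.sha1(pw).digest(),
    "sha1(password)[:16]": lambda pw: hashlib.sha1(pw).digest()[:16],
}


def encrypt_all(password: bytes, plaintext: bytes) -> dict:
    """Base-64 ciphertext under each candidate key derivation."""
    return {name: base64.b64encode(rc4(kdf(password), plaintext)).decode()
            for name, kdf in DERIVATIONS.items()}


def find_derivation(password: bytes, plaintext: bytes, partner_b64: str) -> list:
    """Names of the derivations that reproduce the partner's ciphertext."""
    target = base64.b64decode(partner_b64)
    return [name for name, kdf in DERIVATIONS.items()
            if rc4(kdf(password), plaintext) == target]


if __name__ == "__main__":
    # Constructed sample values; agree on a known plaintext with the partner.
    for name, b64 in encrypt_all(b"shared-secret", b"interop test").items():
        print(f"{name:22} {b64}")
```

If no candidate matches, the remaining differences to check are character encoding of the password and plaintext, and whether either side adds anything besides the raw cipher output before base-64 encoding.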