0

Hey I really need some guidance.

ATM. i am using this encryption/decryption method for regular strings.

function encrypt($pure_string) { $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB); $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); $encrypted_string = mcrypt_encrypt(MCRYPT_BLOWFISH, "!@#$%#^&*", utf8_encode($pure_string), MCRYPT_MODE_ECB, $iv); return $encrypted_string; } function decrypt($encrypted_string) { $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB); $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); $decrypted_string = mcrypt_decrypt(MCRYPT_BLOWFISH, "!@#$%#^&*", $encrypted_string, MCRYPT_MODE_ECB, $iv); return $decrypted_string; }

But after some research that might not be the most secure way? The data is being stored in a MYSQL DB.

And i do not have access to install custom php plugins to the webserver. So is there any other secure way to do this?

And how should I generate / store my encryption key?

This is not used for password and etc.

Improve this question
14
  • The question is unclear because you do not explain why you need to store data in an encrypted way and why you believe that the above method is not safe enough. Commented Sep 7, 2016 at 9:14
  • ECB doesn't really use an initialization vector (the algorithm isn't perturbed per-block). Use CBC at minimum. Otherwise, this is basically just a preshared key--lightly secure at best and OK for scrambling stuff that gets stored on disk that's not too sensitive. Nothing is ever really secure, but using bcrypt to derive a key and using something like AES-256-CBC is somewhat better. Commented Sep 7, 2016 at 9:14
  • Instead of encrypting and decrypting passwords, you should just hash the password and store the hashed password in the database and when a user inputs a password, hash the password the same way and check the user's hashed password with the database's hashed password. Commented Sep 7, 2016 at 9:17
  • 3
    IMO you better try to secure your server and application as much as possible. Commented Sep 7, 2016 at 9:35
  • 1
    @Tschallacka you might be right about that yea :) Commented Sep 7, 2016 at 13:05

1 Answer 1

Reset to default
2

But after some research that might not be the most secure way?

You somehow managed to hit the holy trinity of insecure code:

  1. The library: using an abandoned library (mcrypt) which has many bugs. OpenSSL can be used, but it's still a challenge of using it securely. defuse/php-encryption is a much better alternative.

  2. The block cipher: Using Blowfish where even its creator said that it is insecure. AES (=Rijndael-128) is a better alternative, but that's not something you should worry about when using a good library (see 1).

  3. The block cipher mode of operation: Using ECB mode is insecure almost in every case (scroll down to the penguin). Generally, a randomized mode like CBC is needed, but that's not something you should worry about when using a good library (see 1).

That's something that applies to secure transmission of data (and then some). If you need to find stuff in your database based on encrypted columns, then you need to think about adding a hash column or really using ECB mode.

And how should I generate / store my encryption key?

Keys are usually simple byte arrays. Some ciphers - like DES - have weak keys which you need to check for and generate another one. A good library usually gives you an API for generating a key.

Storing keys is an issue of much debate. Think about the usefulness of encrypting some data where the key is stored close to the encrypted data. After all, you usually need access and decrypt that data frequently. There is no good solution for this. If you store the encryption key on another machine than the data, the chance is higher that you get something else wrong and leave your network vulnerable.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.