Friday, February 28, 2014

LeaseWebLabs.com: Lessons learned implementing AES in PHP using Mcrypt


The LeaseWebLabs.com site has a new post talking about some of their difficulties (and lessons learned) when implementing AES in PHP with mcrypt for a recent project.



The Advanced Encryption Standard (AES) is the successor of triple DES. When you need a standardized, secure, high performance symmetric cipher it seems like a good choice. Wi-Fi network traffic is encrypted with AES for instance. Also when you want to securely store data in a database or on disk you could choose AES. Many SSDs store data internally using AES encryption. PHP supports AES through "mcrypt". On Debian based systems (like Ubuntu and Mint) you can install it using "sudo apt-get install php5-mcrypt".


With no direct support for AES in mcrypt, they decided on Rijndael-128 instead and include some code examples of getting its key and block size. They also include an example of the dynamic typing PHP does when converting a string to an integer and the "key padding" PHP automatically does if the key length is too short. A few other problems they discovered during implementation are mentioned as well, including null padding on strings and PHP's ignoring of a wrong-size initialization vector (no padding, just an error).
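The key padding and null padding pitfalls mentioned above can be reproduced without mcrypt. The following is an added example, not code from the LeaseWebLabs post: the helper names are hypothetical, and the NUL-fill helpers are an assumed model of the behaviour the summary describes (filling to a 16-byte key and a 16-byte block), shown beside strict key-length validation and PKCS#7 padding as the defensive alternative.

```php
<?php
// Added example. Helper names are hypothetical; the NUL-fill helpers
// model the behaviour the summary describes, they do not call mcrypt.
const BLOCK = 16; // Rijndael-128 block size in bytes

function nullPadKey(string $key, int $size = 16): string {
    return str_pad($key, $size, "\0");          // short key silently extended
}
function nullPad(string $data): string {
    $len = (int) ceil(strlen($data) / BLOCK) * BLOCK;
    return str_pad($data, $len, "\0");          // plaintext zero-filled
}
// Defensive replacements: reject bad key lengths, pad unambiguously.
function requireAesKey(string $key): string {
    if (!in_array(strlen($key), [16, 24, 32], true)) {
        throw new InvalidArgumentException('AES key must be 16, 24 or 32 bytes');
    }
    return $key;
}
function pkcs7Pad(string $data): string {
    $n = BLOCK - (strlen($data) % BLOCK);       // always 1..16 bytes of padding
    return $data . str_repeat(chr($n), $n);
}
function pkcs7Unpad(string $data): string {
    $len = strlen($data);
    if ($len === 0 || $len % BLOCK !== 0) {
        throw new UnexpectedValueException('bad padded length');
    }
    $n = ord($data[$len - 1]);
    if ($n < 1 || $n > BLOCK || substr($data, -$n) !== str_repeat(chr($n), $n)) {
        throw new UnexpectedValueException('bad padding');
    }
    return substr($data, 0, $len - $n);
}

// Constructed sample values.
$short = 'secret';
// Two different short keys compared after NUL-filling to 16 bytes.
var_dump(nullPadKey($short) === nullPadKey($short . "\0\0"));
// Plaintext with and without a trailing NUL, compared after pad + rtrim.
var_dump(rtrim(nullPad("data\0"), "\0") === rtrim(nullPad('data'), "\0"));
// The same plaintext round-tripped through PKCS#7.
var_dump(pkcs7Unpad(pkcs7Pad("data\0")) === "data\0");
try {
    requireAesKey($short);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The first two comparisons come out equal, which is the problem: distinct keys and distinct plaintexts become indistinguishable once NUL-filled, while the PKCS#7 round trip preserves the trailing NUL and the key check rejects the 6-byte key outright.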


Link: http://www.leaseweblabs.com/2014/02/aes-php-mcrypt-key-padding/
