I'm using Yii CSecurityManager for Password encryption:

$this->securityManager->encrypt('TEST', '1');

*the TEST is the string to encrypt and the 1 is the key.

But when I test before I decrypt, I find that the value keeps changing.

for ($index = 0; $index < 10; $index++) {
    $EncPassword = $this->securityManager->encrypt('TEST', '1');
    echo $EncPassword;
}

I'm relying on this value in another part of my application... I dug into the encrypt password and I see that it is in fact random:

public function encrypt($data,$key=null)
{
    $module=$this->openCryptModule();
    $key=$this->substr($key===null ? md5($this->getEncryptionKey()) : $key,0,mcrypt_enc_get_key_size($module));
    srand();
    $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_RAND);
    mcrypt_generic_init($module,$key,$iv);
    $encrypted=$iv.mcrypt_generic($module,$data);
    mcrypt_generic_deinit($module);
    mcrypt_module_close($module);
    return $encrypted;
}

So my question is: how can I encrypt based on a key and get the same value each time?

Thanks, Danny

  • Why do you want to encrypt passwords? Commented Aug 25, 2013 at 20:36
  • It's part of my app... it's not only password and I need this functionality. Commented Aug 25, 2013 at 20:40
  • But why? It makes no sense, even if you have to encrypt some data there is no need for it to generate the same output each time. And passwords should not be encrypted, they should be hashed. Commented Aug 25, 2013 at 20:43

1 Answer

In principle you can create the same ciphertext each time. Just use a static IV and you would have accomplished it. It would however mean that you would leak information about the passwords. Identical passwords would have the same ciphertext for different users.

If you really want to have the same ciphertext, prepend the first 16 bytes of a hash over the username to the password and encrypt with a zero IV. Note that this still could leak a bit of information about the password in time.

Note that using the ciphertext value for other means than storage of the plain text is a very bad idea in general.

4 Comments

That is exactly what I looked for!! Can you please give an example of using zero IV... I couldn't find a way to do it since it's random in Yii
@DannyValariola Well, you just generate this byte array of 16 bytes valued 00 - possibly using mcrypt_enc_get_iv_size, instead of using mcrypt_create_iv.
I padded with 16 bytes and created an encryption key which is resource specific (as per your advice), but what I don't understand is how can you change the $this->securityManager->encrypt, it's part of the framework... or you would extend CSecurityManager?
@DannyValariola Sorry, don't know the Yii CSecurityManager myself, but extending CSecurityManager sounds like a good idea. As long as you can make sure that the extended class is actually used of course.
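
The construction described in the answer, as an added example that is not part of the original posts and is not Yii's own code. It assumes AES-128-CBC through PHP's OpenSSL extension in place of mcrypt (which was removed from PHP core in 7.2) and SHA-256 as the hash over the username; the function names, key and usernames are constructed for illustration.

```php
<?php
// Added example, not Yii code. Assumption: AES-128-CBC via ext-openssl
// stands in for the mcrypt module that CSecurityManager opens.
const CIPHER = 'aes-128-cbc';

// A block of 00 bytes sized from the cipher, replacing mcrypt_create_iv().
function zeroIv(): string
{
    return str_repeat("\0", openssl_cipher_iv_length(CIPHER));
}

// Static IV only: the same key and data always give the same ciphertext.
function encryptStaticIv(string $data, string $key): string
{
    $ct = openssl_encrypt($data, CIPHER, $key, OPENSSL_RAW_DATA, zeroIv());
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $ct;
}

// First 16 bytes of a hash over the username (SHA-256 is an assumption).
function userPrefix(string $username): string
{
    return substr(hash('sha256', $username, true), 0, 16);
}

// The prefix fills the first plaintext block, so CBC chaining makes the
// whole ciphertext depend on the user as well as on the data.
function encryptPerUser(string $user, string $data, string $key): string
{
    return encryptStaticIv(userPrefix($user) . $data, $key);
}

function decryptPerUser(string $user, string $ct, string $key): string
{
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, zeroIv());
    if ($pt === false || !hash_equals(userPrefix($user), (string) substr($pt, 0, 16))) {
        throw new RuntimeException('decryption failed or wrong user');
    }
    return substr($pt, 16);
}

$key = substr(hash('sha256', 'constructed demo key', true), 0, 16); // constructed key
$cmp = fn(string $a, string $b): string => $a === $b ? "identical\n" : "different\n";

echo 'static IV, same password for two users: ', $cmp(encryptStaticIv('TEST', $key), encryptStaticIv('TEST', $key));
echo 'prefixed, alice encrypted twice: ', $cmp(encryptPerUser('alice', 'TEST', $key), encryptPerUser('alice', 'TEST', $key));
echo 'prefixed, alice versus bob: ', $cmp(encryptPerUser('alice', 'TEST', $key), encryptPerUser('bob', 'TEST', $key));
echo 'round trip: ', decryptPerUser('alice', encryptPerUser('alice', 'TEST', $key), $key), "\n";
```

In a Yii application these functions would live in a class extending CSecurityManager, as the last comment suggests.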
