
\Zend\Filter\Encrypt and \Zend\Filter\Decrypt not working together? #3541

Closed
pdobrigkeit opened this Issue · 3 comments

Philipp Dobrigkeit

I am trying to do the following:

```php
$value = '123';
$encrypt = new \Zend\Filter\Encrypt();
$encrypt->setVector('12345678901234567890');
$encrypted = $encrypt->filter($value);

$vector = $encrypt->getVector();
$decrypt = new \Zend\Filter\Decrypt();
$decrypt->setVector($vector);

echo $decrypt->filter($encrypted);
```

The output is false.

Does anybody have an idea? Is the Decrypt filter currently broken?

$encrypted = 71aac05c78e7266838ea4cbe830bf25ed6fc539d5e38600ac4e5a79f8c97096cMTIzNDU2Nzg5MDEyMzQ1NlE8l6GsEoACJmSjks9w7Wc=

Enrico Zimuel
Owner

@pdobrigkeit I fixed this issue with the PR #3550. The problem was related to the correct size of the Vector (salt in BlockCipher).

Enrico Zimuel
Owner

@pdobrigkeit I forgot to mention that the correct way to use the Zend\Filter\Encrypt is to use the encryption key instead of the Vector. The Vector represents only the Initialization Vector (IV) of the encryption algorithm (default is BlockCipher). This Vector is public, it is not a secret, and it is stored in the encrypted string.
With your example the encrypted message is always encrypted with the key 'ZendFramework'.
A correct use case can be something like this:

```php
$value = '123';
$key   = 'test';

$encrypt = new \Zend\Filter\Encrypt(array('key' => $key));
$encrypted = $encrypt->filter($value);
printf("Encrypted: %s\n", $encrypted);

$decrypt = new \Zend\Filter\Decrypt(array('key' => $key));
printf("Decrypted: %s\n", $decrypt->filter($encrypted));
```

Please note that the encrypted output is different on each execution. This is because the Vector (IV) is generated randomly each time. This is a good security practice.

Enrico Zimuel
Owner

After an in-depth review of Zend\Filter\Encrypt and Decrypt I decided to add the setKey() method, with the last commits on the PR #3550. Moreover, for security reasons, I removed the default key 'ZendFramework' from the Filter\Encrypt\BlockCipher. Now it's mandatory to specify the key in order to use the Zend\Filter\Encrypt and Decrypt. The Vector (salt) becomes optional, because we are using the BlockCipher adapter as default.
I'm going to update the documentation of Zend\Filter\Encrypt and Decrypt in accordance with these changes.
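
An added illustration of the point made in the comments above that the Vector (IV) is public and stored in the encrypted string; it is not part of the original thread or of Zend Framework's code. It splits the value posted in the issue, assuming a layout of 64 hex characters of HMAC followed by Base64 of a 16-byte IV plus ciphertext. That layout, the two constants and the function name `splitBlockCipherOutput` are assumptions inferred from the posted value.

```php
<?php
// Added example, not Zend Framework code.
// ASSUMED layout, inferred from the value posted in this issue:
//   64 hex chars (HMAC) . base64( 16-byte IV . ciphertext )
const HMAC_HEX_LEN = 64; // assumption: hex-encoded 256-bit HMAC
const IV_LEN       = 16; // assumption: 128-bit cipher block size

/** Split an encrypted filter value into its HMAC, IV and ciphertext fields. */
function splitBlockCipherOutput(string $encrypted): array
{
    $hmac = substr($encrypted, 0, HMAC_HEX_LEN);
    if (preg_match('/\A[0-9a-f]{' . HMAC_HEX_LEN . '}\z/i', $hmac) !== 1) {
        throw new InvalidArgumentException('leading HMAC field is missing or not hex');
    }
    // Strict mode rejects characters outside the Base64 alphabet.
    $raw = base64_decode(substr($encrypted, HMAC_HEX_LEN), true);
    if ($raw === false || strlen($raw) <= IV_LEN) {
        throw new InvalidArgumentException('payload is not Base64 or holds no ciphertext');
    }
    return array(
        'hmac'       => $hmac,
        'iv'         => substr($raw, 0, IV_LEN),
        'ciphertext' => substr($raw, IV_LEN),
    );
}

// Value and vector exactly as posted in the issue.
$posted = '71aac05c78e7266838ea4cbe830bf25ed6fc539d5e38600ac4e5a79f8c97096c'
        . 'MTIzNDU2Nzg5MDEyMzQ1NlE8l6GsEoACJmSjks9w7Wc=';
$vector = '12345678901234567890';

$parts = splitBlockCipherOutput($posted);
printf("HMAC:       %s\n", $parts['hmac']);
printf("IV:         %s (%d bytes)\n", bin2hex($parts['iv']), strlen($parts['iv']));
printf("Ciphertext: %s (%d bytes)\n",
    bin2hex($parts['ciphertext']), strlen($parts['ciphertext']));

// No key is involved in recovering the IV: compare it with the vector
// that was passed to setVector(), cut to one block.
printf("IV equals first %d chars of the vector: %s\n", IV_LEN,
    $parts['iv'] === substr($vector, 0, IV_LEN) ? 'yes' : 'no');
```

Run against the posted value, the recovered IV is the first 16 characters of the 20-character string given to setVector(), which is why the key, not the Vector, has to carry the secrecy.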

Deleted user Unknown referenced this issue from a commit
Matthew Weier O'Phinney weierophinney Merge branch 'hotfix/3550'
Close #3550
Fixes #3541
bfff3f3