How to remove PHP Random Encryption

0

I have some code, but every time the page is refreshed it generates a random encryption key. I would like to know how to make it generate a unique key for each URL. The code follows:

$gKey = 'welcometoapicodesdotcomthisiskey';
function decode($pData)
{
    global $gKey;
    $lData = str_replace(' ','+', $pData);
    $lBase64Decoded_Payload = base64_decode($lData);
    $lEncrypted_PlainText = substr($lBase64Decoded_Payload, 16);
    $lIV = substr($lBase64Decoded_Payload, 0, 16);
    $lDecrypted_PlainText = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $gKey, $lEncrypted_PlainText, MCRYPT_MODE_CBC, $lIV);
    $lBase64Decoded_PlainText = base64_decode($lDecrypted_PlainText);
    return $lBase64Decoded_PlainText;
}

function encode($pData)
{
    global $gKey;
    $lBase64Encoded_PlainText = base64_encode($pData);
    $lIV = GenerateIV();
    $lEncrypted_PlainText = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $gKey, $lBase64Encoded_PlainText, MCRYPT_MODE_CBC, $lIV);
    $lPayload = $lIV.$lEncrypted_PlainText;
    $lBase64Encoded_Payload = base64_encode($lPayload);
    return $lBase64Encoded_Payload;
}

function GenerateIV()
{
    $lIV = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
    while(strlen($lIV) < 16)
    {
        $lIV .= "%pre%";
    }
    return $lIV;
}
    
asked by anonymous 12.11.2018 / 12:34

1 answer

0

The encryption key is fixed in your code; it is exactly what is defined in:

$gKey = 'welcometoapicodesdotcomthisiskey';

With this key you can encrypt and decrypt text, just like any other person who knows (or discovers) this key.

What happens is that the numbers need a unique value, the nonce. In the case of the CBC method it is called the IV (which is the first block), and it must be unique and still random. The IV is public data, so anyone can have access to it; it is even concatenated at the beginning ( $lIV.$lEncrypted_PlainText; ).

What is generated "every time you refresh the page" is the IV; this behavior is correct.

It is possible to generate unique but deterministic IVs; however, this is not recommended in general. It can be done using some KDF, but I will not take the risk of giving a suggestion. Also, mcrypt_* is already considered obsolete, so I do not think it is worth using.

    
03.12.2018 / 15:09
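
The behaviour described in the answer, as an added example that is not part of the original question or answer: the same IV-prepended CBC layout written with the openssl extension instead of the obsolete mcrypt_* functions, showing that two tokens for one input differ only because of the random IV and that both still decrypt. The function names, the sample key and URL, and the HMAC integrity check (CBC alone is unauthenticated) are assumptions of this example; it requires PHP 7+ with ext-openssl.

```php
<?php
// Added example (not the asker's code). MASTER_KEY is a constructed sample value;
// a real key comes from a secret store, never from source code.
const MASTER_KEY = 'constructed-sample-master-key';

// Derive independent 32-byte keys for encryption and for the MAC.
function subkey(string $label): string
{
    return hash_hmac('sha256', $label, MASTER_KEY, true);
}

function encode_token(string $plain): string
{
    $iv  = random_bytes(16); // fresh random IV for every message
    $ct  = openssl_encrypt($plain, 'aes-256-cbc', subkey('enc'), OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, subkey('mac'), true);
    return base64_encode($iv . $ct . $mac); // the IV is public and travels with the token
}

function decode_token(string $token): ?string
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 64) { // 16 IV + 16 (one block) + 32 MAC
        return null;
    }
    $iv  = substr($raw, 0, 16);
    $ct  = substr($raw, 16, -32);
    $mac = substr($raw, -32);
    // Verify the MAC in constant time before decrypting anything.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, subkey('mac'), true), $mac)) {
        return null;
    }
    $plain = openssl_decrypt($ct, 'aes-256-cbc', subkey('enc'), OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

$url = 'https://example.test/video/42'; // constructed sample input
$a = encode_token($url);
$b = encode_token($url);
var_dump($a === $b);                    // compares two tokens made from the same input
var_dump(decode_token($a) === $url, decode_token($b) === $url); // round-trip of each token

// Change one character of the token and try to decode the modified copy.
$tampered = substr_replace($a, $a[20] === 'A' ? 'B' : 'A', 20, 1);
var_dump(decode_token($tampered));
```

When the token is placed in a URL, pass it through rawurlencode() so that "+" is not turned into a space, which is what the str_replace(' ','+', ...) in the question's decode() works around.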