
My encryption/iv code doesn't work. Whenever I test the login I get this error

Warning: openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended in /Users/luke/Sites/user.php on line 174

I have tracked it down to this line

$size = mcrypt_get_iv_size(MCRYPT_CAST_256, MCRYPT_MODE_CFB);   // IV size for mcrypt's CAST-256 cipher in CFB mode
$iv = mcrypt_create_iv($size, MCRYPT_DEV_URANDOM);              // random IV of that size
$method = "aes-128-cbc";                                         // the encryption itself is done with OpenSSL AES-128-CBC
$passWord = mcrypt_create_iv($size, MCRYPT_DEV_URANDOM);         // random bytes used as the data to encrypt
$verificationNumber = openssl_encrypt($passWord, $method, $iv);  // $iv lands in the key parameter; the IV parameter (5th argument) is left empty

Mcrypt is installed fine, as shown by this: [phpinfo mcrypt settings]. Can you help, or do I possibly need to provide more code?

Jay Blanchard
fancy_duck6
    Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Jan 26 '16 at 22:08
  • Ok thank you hopefully that helps – fancy_duck6 Jan 26 '16 at 22:12

1 Answer


You are getting the IV size for "CAST" (MCRYPT_CAST_256) but you are encrypting with "aes-128-cbc". That is an algorithm mismatch.

The CAST block size is 64 bits, the AES block size is 128 bits. Instead use MCRYPT_RIJNDAEL_128; AES is a subset of Rijndael with a block size of 128 bits.

zaph
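The practical check behind the answer, as an added example that is not part of the question or of zaph's answer: size the IV from the OpenSSL cipher string you actually pass to openssl_encrypt(), pass key and IV in the right argument positions, and verify a round trip. It assumes PHP 7.0 or later (for random_bytes()) with the openssl extension and needs no mcrypt at all; the key and the value being protected are constructed for the demo.

```php
<?php
// Added example; not code from the question or the answer.
// Assumes PHP >= 7.0 (random_bytes) with the openssl extension; no mcrypt needed.

$method = 'aes-128-cbc';

// Ask OpenSSL for the IV length of the cipher that will actually be used.
// For every AES-CBC variant this is 16 bytes (one AES block).
$ivLength = openssl_cipher_iv_length($method);
if ($ivLength === false) {
    throw new RuntimeException("Unknown cipher: $method");
}

// A 16-byte key is what aes-128 expects. Generated here only for the demo; in a real
// application it comes from configuration or a secret store, never from the IV generator.
$key = random_bytes(16);

// Fresh, unpredictable IV for each encryption. The IV is not secret, but it must be
// the right length and must never be reused with the same key in CBC mode.
$iv = random_bytes($ivLength);

// Sample value to protect (constructed for the demo).
$verificationNumber = bin2hex(random_bytes(8));

// Argument order matters: data, cipher, key, options, iv. Passing $iv as the third
// argument makes it the key and leaves the IV parameter empty, which is exactly what
// triggers "Using an empty Initialization Vector (iv) is potentially insecure".
$ciphertext = openssl_encrypt($verificationNumber, $method, $key, OPENSSL_RAW_DATA, $iv);
if ($ciphertext === false) {
    throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
}

// Store the IV next to the ciphertext so the receiving side can decrypt.
$token = base64_encode($iv . $ciphertext);

// Receiving side: split the IV off using the same cipher's IV length and decrypt.
$raw = base64_decode($token, true);
$storedIv = substr($raw, 0, $ivLength);
$storedCt = substr($raw, $ivLength);
$recovered = openssl_decrypt($storedCt, $method, $key, OPENSSL_RAW_DATA, $storedIv);

// Did the round trip reproduce the original value? (openssl_decrypt returns false on failure.)
var_dump(hash_equals($verificationNumber, (string) $recovered));

// Explicit length check, useful wherever the IV is produced by some other code path
// (for example an mcrypt_get_iv_size() call sized for a different cipher).
function ivFitsCipher(string $method, string $iv): bool
{
    return strlen($iv) === openssl_cipher_iv_length($method);
}

var_dump(ivFitsCipher($method, $iv));             // IV sized for aes-128-cbc
var_dump(ivFitsCipher($method, random_bytes(8))); // 8-byte IV, as a 64-bit block cipher would need
```

Keying everything off the one $method string removes the mismatch class of bug entirely: there is no second cipher constant to keep in sync. It also drops the dependency on mcrypt, which was deprecated in PHP 7.1 and removed from core in PHP 7.2. And if the value in question really is a user's password rather than data that has to be recovered later, Jay Blanchard's comment applies: hash it with password_hash() instead of encrypting it.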