11

When I try to encrypt a string using the encryption library by CI, the returned string is very big, around 178 chars long. Is there any method to reduce the length of the string? The default cipher is AES-128.

Suppose: $data=$this->encryption->encrypt("welcome to ooty"); it returns a 178-character string value. I need it to be reduced to under 20.

Update: When I encrypt a number, say 6, it returns a 178-character string.

Scott Arciszewski
Tibin

3 Answers

2

Encryption does not reduce the data length.

AES encryption output length depends on the mode. A streaming mode such as CTR mode will not change the length. A block mode such as ECB or CBC will need to be padded to a multiple of block length but PKCS#7 padding will only increase the length a maximum of one block size, 16-bytes for AES.

There is more going on than just encrypting the bytes. A mode such as CBC may be used and the IV (one block length) may be prepended to the encrypted data. Authentication may be added and that could add perhaps 32-bytes. There may be password derivation and the salt and count may be added. Finally the result may be encoded to Base64 or hexadecimal which would increase the length respectively 33% or 100%.

Potential case: "welcome to ooty" is 15 bytes. padding is 1 byte, authentication 32-bytes, salt 32-bytes, count 2-bytes, version 1-byte = 83-bytes, hex encoded = 166-bytes, close to the 178 bytes you are getting.

All this extra buys security. Depending on your use it may not all be necessary; consult a cryptographic domain expert.

zaph
  • But the question remains: how to reduce the encrypted string length in CodeIgniter? – Ahmed Syed Sep 27 '18 at 16:25
  • @MujahedAKAS The answer is: it can't. Encryption does not, can not, reduce data length, the encrypted length is the same as the input length plus any padding. A better encoding or compression may be able to reduce the length prior to encryption. – zaph Sep 27 '18 at 21:12
1

You could use a different combination of cipher, cipher-mode and HMAC algorithm that would add less data overhead, but no - the resulting cipherText won't be reduced to 20 - the HMAC alone will result in at least 28 bytes.

Also, judging by your description ("around 178 characters"), the plainText itself is longer than 20 bytes ... encryption isn't compression, you can't expect the resulting cipherText to have a smaller length than the plainText.

Narf
  • I got it. But when I encrypt just "1", the result is 178 characters long. I forgot to mention above, my mistake. – Tibin Mar 29 '16 at 09:40
  • 172, not 178 ... But yes - it's long and you can't get it down to under 20. Whatever you're trying to do, it will have to allow longer lengths. There's just a "base" length that you have to accept. On the positive side, if/when you encrypt larger data, the difference wouldn't be that big. – Narf Mar 29 '16 at 10:58
  • But it is somehow possible in the Encrypt class in CodeIgniter, ref: http://www.codeigniter.com/user_guide/libraries/encrypt.html?highlight=encode#message-length – Tibin Mar 29 '16 at 11:07
  • @Narf The length can be reduced to the length of the data to be encrypted with a streaming mode such as CTR. HMAC and etc. may not be required. It all depends on the application/protocol used. Also the level of security required. – zaph Mar 29 '16 at 12:27
  • 1
    @zaph You're not supposed to omit authentication, I've intentionally not mentioned that because there's no such thing as "level of security required" - it's either secure or not. If somebody looks at the code and says the cipherText lacks authentication, that's automatically a valid bug report. – Narf Mar 29 '16 at 14:25
  • There are protocols where authentication of the encrypted data is not done/needed. There is a "level of security", many times called "work factor". If you have an encryption key on a server it is not secure, if you are using software encryption it is not secure (my wife will laugh at software encryption). Move up to an HSM and up the physical security and you come really close but 100%. But not all encryption requires an HSM with physical security, there are levels of security, one chooses the level necessary to thwart a certain level of attacker taking into consideration the value of the data – zaph Mar 29 '16 at 18:10
  • I suggest that an HSM "level of security" is not needed for Tic-Tac-Toe scores. – zaph Mar 29 '16 at 18:10
  • You know what I meant just as well as you know the OP isn't trying to hide Tic-Tac-Toe scores and that they most likely don't know if they need authentication or not. – Narf Mar 29 '16 at 19:02
  • The point is you said: *there's no such thing as "level of security required" - it's either secure or not.* but that is an overstatement and incorrect. Security is all about increasing work factor to meet the required security. The OP may be in a position of not providing the level of security needed but we don't know. Then we have PHP mcrypt written by such Bozos that they did not include PKCS#7 née PKCS#5 padding as an option providing only null padding and it is assumed that they know what they are doing? Do you still maintain that there is no such thing as "level of security required"? – zaph Mar 29 '16 at 19:24
  • 1
    If you're hell-bent on proving you're right on "the point" that you arbitrarily chose from a comment you *know* was well-meaning - fine, you're right. But please remember that we're on StackOverflow, not crypto.stackexchange.com, and people **will** make the wrong decisions when given other options than "secure or not". – Narf Mar 29 '16 at 19:50
  • @zaph I can think of a number of use-cases for encryption where authenticated encryption is not strictly necessary, but the overlap with what most developers implement is virtually zero. – Scott Arciszewski Mar 30 '16 at 15:20
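
The fixed overhead discussed in the two answers above can be measured directly. The following is an added example, not part of the original posts and not CodeIgniter's own code: both envelope layouts, the function names, the keys and the sample inputs are assumptions made for illustration. Layout A (a hex HMAC-SHA512 in front of a Base64 body) was chosen because it reproduces the 172 characters mentioned in the comments; layout B is a more compact authenticated alternative.

```php
<?php
// Added example: keys are random placeholders and both layouts are assumptions.

// Layout A: hex(HMAC-SHA512) . base64(IV . AES-128-CBC ciphertext)
function seal_cbc_hmac(string $plain, string $encKey, string $macKey): string
{
    $iv = random_bytes(16);                       // one block, fresh per message
    // OPENSSL_RAW_DATA returns raw bytes; PKCS#7 padding stays enabled
    $ct = openssl_encrypt($plain, 'aes-128-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    $body = base64_encode($iv . $ct);             // encoding adds about 33%
    return hash_hmac('sha512', $body, $macKey) . $body; // 128 hex chars of MAC
}

// Layout B: base64url(nonce . AES-128-GCM ciphertext . 16-byte tag), no '=' padding
function seal_gcm(string $plain, string $key): string
{
    $nonce = random_bytes(12);
    $tag = '';                                    // filled in by openssl_encrypt
    $ct = openssl_encrypt($plain, 'aes-128-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, '', 16);
    return rtrim(strtr(base64_encode($nonce . $ct . $tag), '+/', '-_'), '=');
}

// Returns [plaintext length => [layout A chars, layout B chars]]
function overhead_report(array $samples): array
{
    $encKey = random_bytes(16);                   // AES-128 key for layout A
    $macKey = random_bytes(64);                   // separate HMAC key for layout A
    $gcmKey = random_bytes(16);                   // independent key for layout B
    $report = [];
    foreach ($samples as $plain) {
        $report[strlen($plain)] = [
            strlen(seal_cbc_hmac($plain, $encKey, $macKey)),
            strlen(seal_gcm($plain, $gcmKey)),
        ];
    }
    return $report;
}

$samples = ['6', 'welcome to ooty', str_repeat('A', 1000)]; // constructed inputs
foreach (overhead_report($samples) as $len => [$a, $b]) {
    printf("%4d bytes in -> CBC+HMAC-SHA512: %4d chars, GCM: %4d chars\n", $len, $a, $b);
}
```

With these layouts the 1-byte and 15-byte inputs both come out at 172 characters under CBC+HMAC-SHA512, and at 39 and 58 characters under GCM. The overhead is a fixed cost per message, so for the 1000-byte input it is a small fraction of the output, and neither authenticated layout can reach 20 characters.
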
0

Well you could do substr($encodedString, 0, 20) but this would be a VERY BAD IDEA™

You would be greatly reducing the entropy of the encrypted string, and thus the security of that encryption. It's that long for a reason!

Niet the Dark Absol