3

I have two functions and a random generated key:

function encode ($a) {
    $key = "7HLgdzXyaTaZuTss6xayLk3qLTJ2jsRLgPnMzpNwhwnEZsnHUfHxfYW5r3sQcZsC";
    $aEncoded = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,md5($key),$a,MCRYPT_MODE_CBC,md5(md5($key))));
    return $aEncoded;
}

function decode ($a) {
    $key = "7HLgdzXyaTaZuTss6xayLk3qLTJ2jsRLgPnMzpNwhwnEZsnHUfHxfYW5r3sQcZsC";
    $aDecoded = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256,md5($key),base64_decode($a),MCRYPT_MODE_CBC,md5(md5($key))),"\0");
    return $aDecoded;
}

As a user logs in, some private data and the current timestamp will get encoded and saved as a session cookie. Also the same timestamp is getting saved in a mysql database. Now i want to authenticate the user as he sends a packet to a ws server. Is it secure to send the key to the server, decode it there and check if the timestamp of the key matches the last login saved in the mysql database? (I will also check if a key is old, so if someone doesn't login anymore the key won't work anymore after 6 hours.

EDIT: The user won't be able to see those functions, the key will be generated in the login php file!

Simon Pannek
  • 41
  • 1
  • 6
  • It is best not to use mcrypt, it is abandonware, has not been updated in years and does not support standard PKCS#7 (née PKCS#5) padding, only non-standard null padding that can't even be used with binary data. mcrypt has many outstanding [bugs](https://sourceforge.net/p/mcrypt/bugs/) dating back to 2003. The mcrypt-extension is deprecated will be removed in PHP 7.2. Instead consider using [defuse](https://github.com/defuse/php-encryption) or [RNCryptor](https://github.com/RNCryptor), they provide a complete solution and are being maintained and is correct. – zaph Apr 17 '17 at 13:37
  • You specify `MCRYPT_RIJNDAEL_256` which may not give you what you think. The `256` refers to the block size, not the key size. Generally a block size of 128-bits is specified as that is compatible with AES. – zaph Apr 17 '17 at 13:40
  • For CBC mode use a random IV, just prefix the encrypted data with the IV for use in decryption, it does not need to be secret. – zaph Apr 17 '17 at 13:42

1 Answers1

1

Encoding a string using base64 for login information is not increasing security.

To implement a secure method, I suggest to use a key binding encryption just like OpenSSL.

PHP also support it, you may define a key in your php program and encrypt your cookie with that, I also suggest to use a dynamic key(i.e 6 digit date 170417), in case you need the cookie to be completely undiscoverable!

Take a look at openssl_encrypt and openssl_get_cipher_method()

Iman Nia
  • 2,255
  • 2
  • 15
  • 35
  • 1
    Thank you! First of all, if someone hacked the key and was able to authenticate through a key of another user, he couldn't do any damage. (That's why I don't need a high level security). I never heard about openssl and just read that you should always use openssl instead of base64. Is that true? Or are there any advantages base64 has? – Simon Pannek Apr 17 '17 at 11:11
  • 2
    **Base64 offers _no security whatsoever_.** It isn't an encryption algorithm; it's a way to represent binary data with text so it ca be easily transmitted across certain protocols. The security of OP's code is fully dependent on `mcrypt_encrypt()` and `mcrypt_decrypt()`. – ChrisGPT was on strike Apr 17 '17 at 11:18
  • 1
    Yeah i meant that, you still understand my question, right? – Simon Pannek Apr 17 '17 at 11:30
  • 1
    @SimonPannek, I think I do now. But you originally asked how secure base64 was, and that's what this user answered (incorrectly). Stack Overflow questions and answers are meant to serve as a resource for other users in the future as well as for the users who directly ask and answer them. Thank you for updating your question; if Zich updates this answer to remove the part about base64 being "a method with middle level security" I'll remove my downvote. – ChrisGPT was on strike Apr 17 '17 at 11:39
  • 1
    @Chris I am afraid I have to disagree with "base64 offers no security" cause, at least you will have a binary representation of a string which is no longer human readable.So it increase the security. But I completely agree with you that base64 is not anencryptiin algorithm – Iman Nia Apr 17 '17 at 15:06
  • 2
    @Zich, you're 100% wrong about that. **Base64 offers no security _at all_.** It barely even obfuscates; even if it did it [wouldn't provide meaningful security](https://en.wikipedia.org/wiki/Security_through_obscurity#Criticism). The only thing needed to get data out of a base64 encoded string is to base64 decode it. That functionality is [built](http://php.net/manual/en/function.base64-decode.php) [into](https://docs.python.org/3/library/base64.html?highlight=base64#base64.b64decode) [virtually](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/atob) every language. – ChrisGPT was on strike Apr 17 '17 at 15:14
  • @SimonPannek Base64 and Openssl are in two different catagory, the term *encryption* is used whenever there is a key to encode or decode a binary data.given this definition, openssl is a encryption algorithm and base64 is not. About your statement "always using openssl instead of base64". I don't know! I never heard such a thing and it doesn't seem to be true cause they do different jobs, so they can not be used instead of rach other, however base64 could wrongly be used in rule of encryption. As a suggestion, I suggest to use openssl instead of base64 in your case.good luck – Iman Nia Apr 17 '17 at 15:16
  • @Chris We both are on same page and same side, I am just saying when you encode a human readable data into a binary encoded string(using base64 for instance) you are increasing the security level, one step! Imagine that you do not know the encoding of a base64 encoded string, are you able to read the data? You will need to finf the encoding algorithm and use it, am I right? The effort you do at this stage is because someone has encoded the data into base64, sorry my english is not good enough, I hope I could describe what I was saying. – Iman Nia Apr 17 '17 at 15:24
  • 1
    @Zich, just because some data isn't in plain text doesn't make it more secure. Old binary `.doc` Word files weren't human-readable but opening them in Word made them so trivially. Would you consider that format "secure"? Base64 is similar to that. **Its purpose is entirely unrelated to security, and it provides none.** You should edit your answer to remove the claim that base64 provides "middle level security". Leaving that claim in place is irresponsible and dangerous. – ChrisGPT was on strike Apr 17 '17 at 15:27
  • @Chris Ok Yes you are right, I should edit it to prevent misunderstandings, I didnt mean to introduce base64 as a security encryption – Iman Nia Apr 17 '17 at 17:02
  • What is this thing about SSL? The question is about data at rest in a mysql database. Symmetric encryption such as AES is an appropriate encryption method. – zaph Apr 18 '17 at 03:55
  • @zaph Please notice this part in question "I want to authenticate the user as he sends a packet to a ws server, is it secure....." which brings ssl into the answer. Though, Storing data in MySql, AES is a good choice! – Iman Nia Apr 18 '17 at 05:55
  • Yes, HTTPS it arguably the best way to encrypt in transit data to the server and that currently used TLS not SSL. But `key binding encryption just like SSL` makes no sense in this context. – zaph Apr 18 '17 at 12:21
  • @zaph Well in PHP `openssl_encrypt` gets a key as an argument to bind it with data, please take a look at http://php.net/manual/en/function.openssl-encrypt.php – Iman Nia Apr 19 '17 at 04:47
  • You are confusing the SSL (Secure Sockets Layer) protocol with the OpenSSL library, they are two different things. OpenSSL supports encryption other than SSL (TLS superseded SSL in 1999) as well as other cryptographic functions. – zaph Apr 19 '17 at 05:31
  • @zaph Yes I thought SSl uses openssl encryption :) but looks like they are two different thing, thanks I edited the answer – Iman Nia Apr 20 '17 at 16:38