# |
Apr 23rd 2019, 15:37 |
neon1024 |
Thanks! :P |
# |
Apr 23rd 2019, 15:37 |
neon1024 |
Yeah good idea, I’ll ask the user what their primary key is |
# |
Apr 23rd 2019, 15:36 |
josbeir |
i'm no expert tho |
# |
Apr 23rd 2019, 15:36 |
josbeir |
you should lookup your db row with some other identifier and do the comparison after fetching |
# |
Apr 23rd 2019, 15:36 |
slackebot |
<neon1024> |
# |
Apr 23rd 2019, 15:35 |
phantomwatson |
Huh. I also assumed that it would always be the same output for the same input. |
# |
Apr 23rd 2019, 15:35 |
neon1024 |
Guess I’ll rewatch this https://www.youtube.com/watch?v=RTZXgxYGOWA&list=PL_aPVo2HeGF9Hf1dr6lI7f6jJ48zqcz_f&index=8&t=0s |
# |
Apr 23rd 2019, 15:34 |
phantomwatson |
Note `$iv = openssl_random_pseudo_bytes($ivSize);` |
# |
Apr 23rd 2019, 15:34 |
phantomwatson |
Oh, I'm just now seeing |

```php
public static function encrypt($plain, $key)
{
    $method = 'AES-256-CBC';
    // IV length required by the chosen cipher (16 bytes for AES in CBC mode)
    $ivSize = openssl_cipher_iv_length($method);
    // A fresh random IV on every call: the same plaintext and key give a different ciphertext each time
    $iv = openssl_random_pseudo_bytes($ivSize);
    // The IV is prepended to the raw ciphertext so decrypt() can recover it
    return $iv . openssl_encrypt($plain, $method, $key, OPENSSL_RAW_DATA, $iv);
}
```
# |
Apr 23rd 2019, 15:34 |
josbeir |
learned that too at some point :slightly_smiling_face: |
# |
Apr 23rd 2019, 15:34 |
neon1024 |
I don’t fancy reading and decrypting my whole database table |
# |
Apr 23rd 2019, 15:34 |
josbeir |
yeah, i get that |
# |
Apr 23rd 2019, 15:33 |
neon1024 |
I certainly didn’t, but I did totally miss the fact that encryption does not produce consistent output |
# |
Apr 23rd 2019, 15:32 |
josbeir |
people always confuse encryption with hashing |
# |
Apr 23rd 2019, 15:32 |
neon1024 |
@josbeir `ctype_xdigit($value)` |
# |
Apr 23rd 2019, 15:32 |
josbeir |
yes |
# |
Apr 23rd 2019, 15:32 |
josbeir |
or you could decrypt it and compare that |
# |
Apr 23rd 2019, 15:32 |
neon1024 |
:P |
# |
Apr 23rd 2019, 15:32 |
neon1024 |
So I’ve filled my database with gibberish! :,( |
# |
Apr 23rd 2019, 15:32 |
josbeir |
but you should be able to check if the string is encrypted using a specific cipher method |
# |
Apr 23rd 2019, 15:31 |
josbeir |
so you will not be able to compare it |
# |
Apr 23rd 2019, 15:31 |
josbeir |
security::encrypt produces an encrypted string which will be always random stuff, it does not produce a hash |
# |
Apr 23rd 2019, 15:31 |
neon1024 |
Which could well be how I’ve ended up in this hole |
# |
Apr 23rd 2019, 15:31 |
neon1024 |
This feels intentional to me, which means the hole is in my understanding of encryption |
# |
Apr 23rd 2019, 15:31 |
neon1024 |
The same results occur when using a CONST |
# |
Apr 23rd 2019, 15:29 |
phantomwatson |
I mean. Maybe not having different results in _the same test_, but it's still worth checking. |
# |
Apr 23rd 2019, 15:28 |
phantomwatson |
If your test system is creating random configuration values for every test, that could explain it. |
# |
Apr 23rd 2019, 15:28 |
phantomwatson |
Try doing it the other way. Use a variable as your second parameter instead of a method call. |
# |
Apr 23rd 2019, 15:27 |
phantomwatson |
Even a hash function shouldn't produce different results every time. |
# |
Apr 23rd 2019, 15:27 |
neon1024 |
It uses Configure::read |
# |
Apr 23rd 2019, 15:26 |
phantomwatson |
The obvious place to look is your parameters. Are you calling `Configure::read()` every time, or are you saving the output to a `$key` variable and reusing that variable? |
# |
Apr 23rd 2019, 15:26 |
neon1024 |
This means, in my limited understanding, that Security::encrypt is working more like a hash |
# |
Apr 23rd 2019, 15:25 |
neon1024 |
Yes, I’m using 3.7.6 |
# |
Apr 23rd 2019, 15:25 |
neon1024 |
You can see here running the same test case file twice, gives different results |
# |
Apr 23rd 2019, 15:25 |
phantomwatson |
Is this CakePHP 3? |
# |
Apr 23rd 2019, 15:24 |
neon1024 |
Nope, it’s a closed source project |
# |
Apr 23rd 2019, 15:24 |
phantomwatson |
@neon1024, is your code online for us to look through? That's a weird problem. |
# |
Apr 23rd 2019, 15:24 |
neon1024 |
Yeah it seems, having used a unit test, that every time you call encrypt it returns a different value even with the same input and key |
# |
Apr 23rd 2019, 15:02 |
neon1024 |
When I try in the `bin/cake console` it just quits to command line |
# |
Apr 23rd 2019, 14:59 |
neon1024 |
Why is it that when I use `Security::encrypt($value, Configure::read('encryption.key'))` the output is different every time, even when `$value` doesn’t change? |
# |
Apr 23rd 2019, 09:51 |
neon1024 |
Or if they’re related you can traverse the table associations |