Einzelnen Beitrag anzeigen

Kas Ob.
Online

Registriert seit: 3. Sep 2023
347 Beiträge
 
#8

AW: Verschlüsseln in PHP und entschlüsseln in Delphi?

  Alt 7. Mär 2024, 10:11
@gpl ,

Please look at the answer for this question on SO :
https://stackoverflow.com/questions/...ncrypt-decrypt

Then adjust the PHP code to something similar then after that we talk about Delphi, encrypting data and send it over the wire (Internet) should be authenticated, it looks like trivial and not needed but when things go south the damage will be huge.

By just encrypting some data with fixed IV (!) and send it to different machine with authentication (for verification of integrity of the data) is like loading a gun with live bullet and aim it at your feet and wait, then wait for someone cough loudly around you !

I saw a damage similar to this implementation, the server was using different (random) IV per encryption as it should, yet there wasn't any authentication, the thing is with AES or any other symmetric encryption is that it will produce data no matter for any key (and IV), and there is no way to know if it is corrupted or not, anyway the server was sending the data and in that software after an update they request extra fields for the address (extra phone number) and someone forgot few lines that handle the password(s) from internally debugging the development build, after putting that server online some clients updated by adding the fields not looking that the other fields is garbage (or mostly empty because it was structured as list of strings) then clicked apply, data sent to the server and saved now it is all the fields are lost except the last one, which also unreadable because the list (data structure) was violated too.

This could have been prevented by adding an authentication, hence the decryption with wrong key(IV or password ...) could either raise an exception or simply not get the corrupt data allowing overwriting and losing valuable information.

So and sorry for long writing, either take some advices from that SO question or search for better solution, change the PHP side after, only after that you will not need a lot to write the same with Delphi as long you are not using some PHP library with unknown default parameters.

Also my suggestion is something like this answer to be exact:
https://stackoverflow.com/questions/...72528#46872528
it does Encrypt-then-MAC, but if you are going to use fixed IV (highly not recommended and simply wrong) then you should switch to MAC-then-Encrypt by calculating the HMAC for "$plaintext . iv" instead of "$ciphertext . iv" then test for data integrity (unlike that example) after the decryption not before.

Also you didn't mention what is the encryption library in Delphi you will use or prefer to.

ps: as said above the problem is from string encoding.
ps2 : DON'T REUSE IV, IV should be unique for each encryption, also should be sent over with the encrypted data, reusing it will defeat the whole point of the encryption.
Kas
  Mit Zitat antworten Zitat