Solved

How do I encrypt a string and get a equal length encrypted string?

Posted on 2011-02-20
12
953 Views
Last Modified: 2012-05-11
How do I encrypt a string and get a equal length encrypted string? And if i use that algorithm, can the attackers crack my key when they have plaintext and ciphertext?

(it relate to PHP and MySQL)
0
Comment
Question by:joaqujnsec
12 Comments
 
LVL 6

Expert Comment

by:akajohn
ID: 34938355
As a starting point depending on your requirements, you do need to chose between these two main methods of encryption.

http://www.suse.de/~garloff/Writings/mutt_gpg/node3.html

Otherwise in general the longer the key the harder it is to crack. otherwise if people are able tocrack it is going to take them years to crack it after which the information they obtain could be no longer useful.

Once you choose a mechanism then we would point you to an implementation of the said algorithm.
Hope this helps,

A.
0
 

Expert Comment

by:tsteens
ID: 34949249
As akajohn says you need to deside on wheter to use symmetric or assymetric encryption. What are you going to use encryption for?  If you just want to encrypt what is in your database MySQL supports encryption. http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html. AES is generally considered the safest algorithm, but there are never any real guarantee against cryptoanalasys.
If you want to secure passwords for storage in your database a hash algorithm will probably be better suited. A hash algorithm will always return a string of the same length. http://en.wikipedia.org/wiki/Hash_function
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 34949419
This one gets asked from time to time. There are learned papers here:

http://eprint.iacr.org/2001/012
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ffsem/ffsem-spec.pdf

but the basic idea is this.

If you try re-encrypting the output of an otherwise ordinary algo (such as aes) enough times, eventually you end up with one the same size or smaller than the one you entered. (I.E. there are enough trailing zeros you can truncate to original size and that the remainder is zeros can be read as implicit)

Conversely, if you decrypt, and the output is larger than the input, you re-decrypt until you get a result with enough trailing zeros that you can truncate it to input size, and end up with the value you started with.

Note that these will be arbitrary non-ascii strings though - raw binary - and probably not printable.
0
 

Author Comment

by:joaqujnsec
ID: 34996128
Can you give me PHP example code for encrypt and decrypt with the same output length?
0
 

Expert Comment

by:tsteens
ID: 34996164
What is the purpose of the encryption and why do you need a consistent output length?
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 

Expert Comment

by:tsteens
ID: 35024595
Have you found out what you need yet?

It would be really useful to know what you are going to use the encryption for in order to give you a good answer. However the following encrypts a string with AES.
  I've slightly modified the example from http://phpseclib.sourceforge.net/documentation/sym_crypt.html#sym_crypt_aes. You need to install the AES part of the PHP Secure Communications Library. From PEAR folow instructions here: http://phpseclib.sourceforge.net/pear.htm.

The output shows the length of the ciphertext after each encryption. I get...
10256
10272
10288
... which shows an increase in the length of the cipher text. I've not been able to find a PHP implementation of the cipher mode described in the links posted by DaveHowe.

Please let me know if this is helpful or if you need more help. A more precise description of the problem you are trying to solve would be very helpful.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35357313
Up to you, really - I gave the answer, but wasn't willing to code it for him as there would be considerable work involved.
0
 

Expert Comment

by:tsteens
ID: 35357410
I agree with DaveHowe. He posted a possible solution, but joaqujnsec hasn't really given the enough inpout to verify if that is the best solution. There are several easier ways to work with encryption, but it really comes down to the specific problem he is trying to solve.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35365409
 The most common problem for which this is the specific is the case where an existing database must be post-facto encrypted, often without the active co-operation of the original program. There is usually a fixed-sized record that must contain the data both before and after the encryption is applied, and no opportunity to modify the backend engine to obscure the data but provide views to it that contain either dummy data returns, a hash, or the unencrypted data depending on the rights of the user requesting.

  There are better solutions if you can alter front or back end to suit, but this one is surprisingly common in situations where a company has suddenly found a requirement to protect captured data (usually a regulatory requirement) but does not wish to remove that data entirely.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 35422453
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
Wufoo.com provides powerful tools for surveying targeted groups, and utilizing data from completed surveys to find trends, discover areas of demand or customer expectation, and make business decisions on products or services.
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to selectively show certain fields based on user input using rules to gather relevant information and data from your forms. The rules feature provides you with an opportunity…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now