performance - PHP mcrypt encryption without IV
I need to use an encryption mechanism. I chose mcrypt as it is available, along with its examples. But I see the generation time is too much. When I use the IV as in the given examples, it takes a lot of time, while when I removed it, it generates the encrypted value instantly.
    // Code example using IV
    $ivsize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($ivsize, MCRYPT_DEV_RANDOM);
    $encryptedstring = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $encryptionkey, utf8_encode($origstring), MCRYPT_MODE_ECB, $iv);
    return base64_encode($encryptedstring);

    // Code example without IV
    $encryptedstring = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $encryptionkey, utf8_encode($origstring), MCRYPT_MODE_ECB);
    return base64_encode($encryptedstring);
So are there any big security issues with encryption without using an IV?
DEV_RANDOM generates random integers from /dev/random or equivalent, which listens for unpredictable data such as mouse movement, keyboard strokes etc. to generate secure data. If there are no keystrokes etc., it waits until there is enough data... and that's why it's slow.
DEV_URANDOM uses /dev/urandom or equivalent, and while it may use the data above too, in addition to that, it combines pseudorandom number generators to supply random data in real time (which is more predictable, but that doesn't matter).
They are used to determine the way the IVs are constructed.
Now onto IVs.
IVs are used to derive the initial seed for the random functions used by the encryption functions.
You use ECB. The first thing to notice is that ECB doesn't use an IV, so what you wrote doesn't make sense; if you use ECB you can skip creating IVs altogether, and you will be able to decrypt the data without problems. The other thing is that you shouldn't use ECB. ECB encodes your data so that every block with the same data is going to look the same. CBC on the other hand XORs every block with the data of the previous block (and for this, it needs an IV). To demonstrate the difference between these, look at this:
From left to right: original image, image encoded in ECB mode, and image encoded in CBC mode.
If you want to use CBC, you should regenerate the IV for each piece of data you encrypt separately, otherwise it's as bad as using ECB. Regenerating IVs each time prevents repetition-based attacks.
Finally, if you use CBC, you will need to store the IV so you can decrypt the text later. If you don't, you'll get garbage. Fortunately enough, encryption algorithms are designed so that IVs can be public, so you don't have to worry about keeping IVs secret.
TL;DR: use CBC with public IVs regenerated for each piece of data separately.
(Also... if you don't care about decrypting, you might be interested in cryptographic hashes instead.)
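An added example, not part of the original question or answer, showing the answer's points in PHP: identical plaintext blocks repeat under ECB, while CBC with a fresh IV per message hides them, and the public IV is stored in front of the ciphertext for later decryption. It uses the OpenSSL extension rather than mcrypt (mcrypt was removed from PHP core in 7.2); the function names `encryptCbc`/`decryptCbc`, the key and the plaintext are assumptions constructed for illustration.

```php
<?php
// Added example: AES-128 (Rijndael-128) in ECB vs CBC via the OpenSSL extension.
// Function names, key and plaintext are constructed for illustration.

const CIPHER_CBC = 'aes-128-cbc';

// Encrypt with a fresh random IV per message. The IV is public and is
// prepended to the ciphertext so it is available at decryption time.
function encryptCbc(string $plaintext, string $key): string
{
    // random_bytes() reads the OS CSPRNG and does not block like /dev/random
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER_CBC));
    $ct = openssl_encrypt($plaintext, CIPHER_CBC, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $ct);
}

// Split the stored value back into IV and ciphertext, then decrypt.
function decryptCbc(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $ivLen = openssl_cipher_iv_length(CIPHER_CBC);
    if ($raw === false || strlen($raw) <= $ivLen) {
        throw new InvalidArgumentException('malformed ciphertext');
    }
    $iv = substr($raw, 0, $ivLen);
    $pt = openssl_decrypt(substr($raw, $ivLen), CIPHER_CBC, $key, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

$key = random_bytes(16);                          // constructed 128-bit key
$plaintext = str_repeat('SIXTEEN BYTE BLK', 3);   // three identical 16-byte blocks

// ECB: compare the first two ciphertext blocks of the repeated plaintext.
$ecb = str_split(openssl_encrypt($plaintext, 'aes-128-ecb', $key, OPENSSL_RAW_DATA), 16);
var_dump($ecb[0] === $ecb[1]);

// CBC: compare two encryptions of the same text, then check the round trip.
$a = encryptCbc($plaintext, $key);
$b = encryptCbc($plaintext, $key);
var_dump($a === $b);
var_dump(decryptCbc($a, $key) === $plaintext);
```

CBC provides confidentiality only; to detect tampering, add a MAC over the IV and ciphertext or use an authenticated mode.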