Jump to content

Php && Blowfish Encryption


RobertP

Recommended Posts

I am just curious, is this the correct way to implement blowfish encryption?

 

class:

<?php

/*
 * @package "Gludoe CMS"
 * @version 1.0.1
 * @authors "Robert Pettet"
 * @support https://www.gludoe.com/
 * @licence https://www.gludoe.com/commons/licence-1.0.0.txt
 */

if (!defined('_ROOT'))
    exit(header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found'));

class Blowfish {

    private $key;
    private $iv;

    public function __construct($key, $iv) {
        $this->key = $key;
        $this->iv = $iv;
    }

    public function encrypt($data) {
        return mcrypt_encrypt(MCRYPT_BLOWFISH, $this->key, $data, MCRYPT_MODE_CBC, $this->iv);
    }

    public function decrypt($data) {
        return mcrypt_decrypt(MCRYPT_BLOWFISH, $this->key, $data, MCRYPT_MODE_CBC, $this->iv);
    }

}

?>

 

example:

$blowfish = new blowfish('DfRgBWE4Y4T7UgTWEdFP1Y','85440934');
$data = $blowfish->encrypt('testString');
echo $blowfish->decrypt($data);
//Output: testString

Link to comment
Share on other sites

Just wondering if anyone has used blowfish in php, not as hash, but for encryption and decryption.. like my above example (which is working, but i would like some feed back).

 

This is used to communicate over https from my server / clients, and if my clients are using a shared / insecure server, i need to know that information can remain intact..

Link to comment
Share on other sites

Bruce Schneier has some test vectors for the algorithm on his site. You could write some tests to verify your usage. Whenever docs are not explaining how to use a function its best to download the source and view the tests and those will show you how to use it. The mcrypt extension tests actually uses Schneier's vectors. See ./php-5.4.9-src/ext/mcrypt/tests/blowfish.phpt

 

As for transmitting and receiving data just make sure keep an eye on encoding, the web stack tends to be loose and wild with it, that is character encoding, server-side gzip and so on. You may want to put in checks to make sure outdated versions of SSL/TLS are not being used. As for communicating with a shared server, you may want to include checks on where you put your data, make sure the file or database doesn't have shared or group read permissions, make sure not to use temporary directories as they can be shared locations, use secure network connection to the database, et cetera.

 

Trust but verify.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.