| Subject: | MCRYPT_RAND is not cryptographically... |
|---|---|
| Summary: | Package rating comment |
| Messages: | 1 |
| Author: | Scott Arciszewski |
| Date: | 2015-12-12 06:30:57 |

Scott Arciszewski rated this package as follows:
| Utility: | Bad |
|---|---|
| Consistency: | Not sure |
| Documentation: | Not sure |
| Examples: | Not sure |

Scott Arciszewski - 2015-12-12 06:30:58

 MCRYPT_RAND is not cryptographically secure; MCRYPT_DEV_URANDOM should be used for creating IVs.
 Using substr() and strlen() on strings will fall apart if someone sets mbstring.func_overload to 2, 3, or 7. Use mb_substr($str, $start, $length, '8bit') and mb_strlen($str, '8bit') to always operate on binary strings.
 
 
 $decryptkey = bin2hex(md5(uniqid(rand(),1)));
 
 This is NOT a cryptographically secure way to generate an encryption key.
 
 set_key() forces a hexadecimal-encoded key, which greatly reduces the potential security of this library by cutting your keyspace in half.
 
 And it's also vulnerable to chosen-ciphertext attacks.
 
 Conclusion: This is not secure.
 
 Please nobody use this library as is.
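An added example, not part of the original comment and not the rated package's code: one way to address the points raised above, with a raw-byte key and IV from the OS CSPRNG, binary-safe length and slice helpers, and encrypt-then-MAC so that a modified ciphertext is rejected before decryption. It assumes PHP 7.1+ and swaps mcrypt for `random_bytes()` and the OpenSSL extension; all function and constant names are hypothetical.

```php
<?php
// Added example, not the package's code. Assumes PHP 7.1+ with ext-openssl and ext-mbstring.
const CIPHER    = 'aes-256-cbc';
const KEY_BYTES = 32; // raw key bytes, never hex text
const MAC_BYTES = 32; // HMAC-SHA256 output length

// Binary-safe helpers: byte semantics even if mbstring.func_overload is set.
function bin_len(string $s): int { return mb_strlen($s, '8bit'); }
function bin_sub(string $s, int $start, ?int $len = null): string {
    return mb_substr($s, $start, $len, '8bit');
}

function generate_key(): string { return random_bytes(KEY_BYTES); } // OS CSPRNG

// Derive independent encryption and MAC keys from the one master key.
function split_keys(string $key): array {
    if (bin_len($key) !== KEY_BYTES) throw new InvalidArgumentException('key must be 32 raw bytes');
    return [hash_hmac('sha256', 'enc', $key, true), hash_hmac('sha256', 'mac', $key, true)];
}

function encrypt(string $plain, string $key): string {
    [$encKey, $macKey] = split_keys($key);
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh IV per message
    $ct = openssl_encrypt($plain, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) throw new RuntimeException('encryption failed');
    return hash_hmac('sha256', $iv . $ct, $macKey, true) . $iv . $ct; // MAC covers IV and ciphertext
}

function decrypt(string $msg, string $key): string {
    [$encKey, $macKey] = split_keys($key);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if (bin_len($msg) < MAC_BYTES + $ivLen) throw new RuntimeException('message too short');
    $mac = bin_sub($msg, 0, MAC_BYTES);
    $iv  = bin_sub($msg, MAC_BYTES, $ivLen);
    $ct  = bin_sub($msg, MAC_BYTES + $ivLen);
    // Constant-time MAC check first; unauthenticated input never reaches the cipher.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        throw new RuntimeException('authentication failed');
    }
    $plain = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) throw new RuntimeException('decryption failed');
    return $plain;
}

// Constructed sample data: round trip, then a one-bit change that must be rejected.
$key = generate_key();
$msg = encrypt('constructed sample plaintext', $key);
var_dump(decrypt($msg, $key) === 'constructed sample plaintext');
$msg[40] = chr(ord($msg[40]) ^ 1); // flip one bit inside the IV
try { decrypt($msg, $key); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```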