PHP Classes

MCRYPT_RAND is not cryptographically secure; MCRYPT_DEV_URAND...

Recommend this page to a friend!

      EFC/XFSS - Extended File Stealth System  >  All threads  >  MCRYPT_RAND is not cryptographically...  >  (Un) Subscribe thread alerts  
Subject:MCRYPT_RAND is not cryptographically...
Summary:Package rating comment
Author:Scott Arciszewski
Date:2015-12-12 06:30:57

Scott Arciszewski rated this package as follows:

Utility: Bad
Consistency: Not sure
Documentation: Not sure
Examples: Not sure

  1. MCRYPT_RAND is not cryptographically...   Reply   Report abuse  
Picture of Scott Arciszewski Scott Arciszewski - 2015-12-12 06:30:58
MCRYPT_RAND is not cryptographically secure; MCRYPT_DEV_URANDOM should be used for creating IVs.

Using substr() and strlen() on strings will fall apart if someone sets mbstring.func_overload to 2, 3, or 7. Use mb_substr($str, $start, $length, '8bit') and mb_strlen($str, '8bit') to always operate on binary strings.

$decryptkey = bin2hex(md5(uniqid(rand(),1)));

This is NOT a cryptographically secure way to generate an encryption key.

set_key() forces a hexadecimal-encoded key, which greatly reduces the potential security of this library by cutting your keyspace in half.

And it's also vulnerable to chosen-ciphertext attacks.

Conclusion: This is not secure.

Please nobody use this library as is.