Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>The sources you have provided all use nearly exactly the same code. I can only assume they stole the code from each other. So it's not several sites doing this, it was most likely a single site, and the others who didn't really understand what was going on simply inherited this.</p> <p>There is no <strong>good</strong> reason to add additional spaces to a string prior to encrypting it, it does not enhance the strength of the cryptography in any way, it doesn't make it "better".</p> <p>My guess would be that in these examples, it has been done to show that functions like <code>trim</code> do not affect the <strong>contents</strong> of an encrypted stream. (I personally don't understand why this needs to be proved - it seems entirely logical to me)</p> <p>If you're accepting a base64 encoded encrypted data (perhaps from a form submission), you will most likely trim the submitted data to remove any chaff the user left in there, I suspect someone somewhere was concerned that trimming the encrypted data would break the original plaintext.</p> <p><strong>Edit:</strong></p> <p>Note, if this string wasn't base64 encoded, it would be entirely possible to damage the ciphertext. Since the ciphertext would be represented in binary form, it is possible that it would have whitespace characters at the end, which could be trimmed off causing corruption.</p> <p><strong>Edit 2:</strong></p> <p><code>md5(key)</code> for the key, and <code>md5(md5(key))</code> for the initialisation vector are both <strong><em>terrible terrible</em></strong> ways to implement this.</p> <p>Firstly, AES 256 should have a 256 bit key. If you want to use a passphrase, then use <code>hash('sha256', $passphrase, true)</code>. The final <code>true</code> makes it return the result as binary, not hex encoded, and this is important so you actually get as much entropy as possible in your key.</p> <p>Secondly, initialisation vectors <em>should not be re-used</em>, ever. <code>md5(md5(key))</code> will always produce the same value, for the same key. This weakens your encryption considerably if an attacker manages to obtain several ciphertexts.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload