Home > Software engineering >  How to fix openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and
How to fix openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and

Time:06-29

I tried to DES encryption a Query String but it give this error.

<?php
class DES
{
    var $key;
    var $iv;
    function DES( $key, $iv=0 ) {
        $this->key = $key;
        if( $iv == 0 ) {
            $this->iv = $key;
        } else {
            $this->iv = $iv;
        }
    }

    function encrypt($str) {
        return base64_encode( openssl_encrypt($str, 'DES-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv  ) );
    }

}
?>

$str="method=GetUserStatusDV&Key=01234567789ABCDEF0123456789ABCDE&Time=20150101012345&Username=abd12345"; // for example
    $key = 'ZyXw4321'; // for example
    $crypt = new DES($key);
    $mstr = $crypt->encrypt($str);
    $urlemstr = urlencode($mstr);
    echo "[ $str ] Encrypted: [ $mstr ] UrlEncoded encrypted string: [ $urlemstr ]";

openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended

CodePudding user response:

Even though you are using a deprecated way to instantiate your class (using same name instead of __construct method) the sample code you provided is working.

You can improve your class like this.

class DES
{
    private $key;
    private $iv;
    public function __construct(string $key, string $iv = '') {
        $this->key = $key;
        if(strlen($iv) != 8) {
            $this->iv = \Illuminate\Support\Str::random(8);
        } else {
            $this->iv = $iv;
        }
    }

    public function encrypt($str) {
        return base64_encode( openssl_encrypt($str, 'DES-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv  ) );
    }

}
  • Related