Photo by Phil Hearing on Unsplash

Bad Crypto

Paul Moore [here] posted an interesting challenge this morning:

Here is an outline of the encrypt and decrypt code that was shared:

Unfortunately, it’s written in PHP, but it is fairly easy to review. For the encrypt function, we have input data ($data), and then use the required encryption key ($encryption_key), and generate a new salt value ($iv):

In this case, we are using 256-bit AES with CBC (Cipher Block Chaining). Once complete, the function returns a Base64 representation of the encrypted byte array, followed by “::”, the length of the cipher, the HMAC value, “::”, and then the salt value ($iv). We thus have:

Base64(Encrypted_cipher::XX.HHHHHHH::ZZZZZ…