I am working on a cross-language project that wraps the Ruby/Sinatra API in PHP, which will be used by another team. None of the information provided by the API is sensitive, but we would prefer it not to be easily accessible to a random observer guessing the URL.
This PHP code encrypts the passcode and timestamp using the mcrypt RIJNDAEL implementation and encodes the result for sending to the Ruby API:

```php
private function generateSliceIDToken($key)
{
    $currentEpoch = time();
    $ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
    $iv = mcrypt_create_iv($ivSize, MCRYPT_RAND);
    // $passcode stands for the shared passcode (a bolded placeholder in the original).
    // mcrypt_encrypt pads its input with NUL bytes up to a multiple of the block size.
    $encryptedBytes = mcrypt_encrypt(
        MCRYPT_RIJNDAEL_128,
        $key,
        $currentEpoch . $passcode,
        MCRYPT_MODE_CBC,
        $iv
    );
    $ivAndEncryptedBytes = $iv . $encryptedBytes;
    return urlencode(urlencode(base64_encode($ivAndEncryptedBytes)));
}
```

Sinatra captures and decodes it:

```ruby
# undo the double urlencode, then the base64, before validating
if identifier.validate_token Base64.decode64(URI.unescape(URI.unescape(params[:token])))
```

and passes it on for decryption:

```ruby
def validate_token(token)
  cipher = OpenSSL::Cipher::AES.new(128, 'CBC')
  cipher.decrypt
  cipher.key = key           # the shared 16-byte key (a bolded placeholder in the original)
  cipher.iv = token[0, 16]   # the IV is prepended to the ciphertext
  plain = cipher.update(token[16..-1]) + cipher.final   # final expects PKCS#7 padding by default
  plain[10, 8] == passcode   # skip the 10-digit epoch, compare the passcode (placeholder)
end
```
The problem is that the decryption fails with a "bad decrypt" error.
I assumed that mcrypt RIJNDAEL and OpenSSL Cipher AES were compatible, but is this assumption wrong? Any help I can get would be most helpful.
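The following is an added example, not the poster's code, that reproduces the mismatch entirely in Ruby with constructed key and passcode values: mcrypt_encrypt pads with NUL bytes, while OpenSSL's cipher.final expects PKCS#7 padding, so a validator written like the question's raises CipherError ("bad decrypt"); the second validator disables OpenSSL padding and strips the NULs, which is the interoperable counterpart of the PHP side.

```ruby
require 'openssl'

# Constructed demo values; not the poster's real key or passcode.
KEY      = 'sixteen byte key'   # exactly 16 bytes for AES-128
PASSCODE = 'secret42'           # 8 bytes, matching plain[10,8] in the question
BLOCK    = 16

# Emulates PHP mcrypt_encrypt(MCRYPT_RIJNDAEL_128, ..., MCRYPT_MODE_CBC),
# which pads the plaintext with NUL bytes up to the block size, not PKCS#7.
def mcrypt_style_encrypt(key, iv, plaintext)
  pad = (BLOCK - plaintext.bytesize % BLOCK) % BLOCK
  c = OpenSSL::Cipher.new('AES-128-CBC').encrypt
  c.padding = 0                  # we supply the (zero) padding ourselves
  c.key = key
  c.iv = iv
  iv + c.update(plaintext + "\0" * pad) + c.final
end

# PHP side of the question: epoch string followed by the passcode, IV prepended.
def build_token(key, passcode, epoch = Time.now.to_i)
  iv = OpenSSL::Random.random_bytes(BLOCK)
  mcrypt_style_encrypt(key, iv, epoch.to_s + passcode)
end

# The question's validate_token: default padding, so final expects PKCS#7.
# A trailing 0x00 byte is never valid PKCS#7, hence OpenSSL's "bad decrypt".
def validate_token_pkcs7(token, key, passcode)
  c = OpenSSL::Cipher.new('AES-128-CBC').decrypt
  c.key = key
  c.iv = token[0, 16]
  plain = c.update(token[16..-1]) + c.final
  plain[10, 8] == passcode
end

# Interoperable variant: disable OpenSSL padding and strip mcrypt's NUL bytes.
def validate_token_zero_pad(token, key, passcode)
  c = OpenSSL::Cipher.new('AES-128-CBC').decrypt
  c.padding = 0
  c.key = key
  c.iv = token[0, 16]
  plain = (c.update(token[16..-1]) + c.final).sub(/\0+\z/, '')
  plain[10, 8] == passcode
end

# Returns :bad_decrypt when the PKCS#7 decryptor rejects the zero-padded token.
def pkcs7_result(token, key, passcode)
  validate_token_pkcs7(token, key, passcode)
rescue OpenSSL::Cipher::CipherError
  :bad_decrypt
end
```

The cleaner fix is to make both sides agree on PKCS#7 (pad in PHP before calling mcrypt_encrypt) rather than relying on stripping NULs, which would also eat legitimate trailing zero bytes.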