OpenSSL_Decrypt returning blank


#1

Hi All,

I am not 100% sure if this is posted in the right area so apologies if it's not.

I am trying to develop a basic website that will take data from a database and decrypt it before displaying it. The data is stored into a database using a vb.net application and is encrypted prior to saving based on the following github post https://gist.github.com/odan/138dbd41a0 … b03d814d7c.

I have the following PHP code in the decrypt area:

<?php

			$servername = "server";
			$username = "user";
			$password = "password";
			$dbname = "database";
				
			$sqlcon = mysqli_connect($servername, $username, $password, $dbname);
		
			// Check connection
			if (mysqli_connect_error()) {
			    die("Database connection failed: " . mysqli_connect_error());
			}

			$sql = "SELECT * FROM tblcustomersinfo";
			$result = $sqlcon->query($sql);

			if ($result->num_rows > 0) {
				echo "<div style='overflow-x:auto;'><table style='width:100%' min-width='60px'>
			<col width=10px>
			<col width=22.5%>
			<col width=22.5%>
			<col width=22.5%>
			<col width=22.5%>
		  <tr>
			<th>View</th>
			<th>Title</th> 
			<th>First Name</th>
			<th>Surname</th>
			  <th>Postcode</th>
		  </tr>";
				// output data of each row
				while($row = $result->fetch_assoc()) {		
					$encryptionpassword = '11DiGiTs123';
					$method = 'aes-256-cbc';
					$hashedpassword = password_hash($encryptionpassword, PASSWORD_BCRYPT, ['cost' => 12]);

					$iv = chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0);
					
					$title = openssl_decrypt(base64_decode($row["title"]), $method, $hashedpassword, OPENSSL_RAW_DATA, $iv);
					$first_name = openssl_decrypt(base64_decode($row["first_name"]), $method, $hashedpassword, OPENSSL_RAW_DATA, $iv);
					$surname = openssl_decrypt(base64_decode($row["surname"]), $method, $hashedpassword, OPENSSL_RAW_DATA, $iv);
					$postcode = openssl_decrypt(base64_decode($row["postcode"]), $method, $hashedpassword, OPENSSL_RAW_DATA, $iv);
						echo "<tr>
			<td align='center'><a href='customerdetails.php?ID=".$row["urn"]."'>".$row["urn"]."</a></td>
			<td align='center'>" .$title. "</td> 
			<td align='center'>" .$first_name. "</td>
			  <td align='center'>" .$surname. "</td>
			  <td align='center'>" .$postcode. "</td>
					</tr>";
												 
					}
				echo "</table></br></div>";
			} else {
				echo "No Customers";
			}
			$sqlcon->close();
	
		?>

However, the webpage that is being displayed has no data being displayed in the associated cells. Saying this, however, if you just display the raw database data then the encrypted data is displayed.

I’m new to PHP and web development so some assistance would be great, as from looking over the code everything seems OK, and also from looking at the PHP documentation this seems to be correct as well.

Thanks in advance

Frosty


#2

Not sure, but VB might have stored the characters in a different manner.
I was looking at various sites to see how others handled this decryption process. Here is what I found that was common among them:

$ssl_cipher_name = "AES-256-CBC";
$key 			 = hash('sha256', "your key");
$iv_size 		 = openssl_cipher_iv_length($ssl_cipher_name);  // iv for AES-256-CBC = 16 bytes
$text_decode 	 = substr("your incoming text", 11);
$iv 			 = substr($text_decode, 0, $iv_size);
$text_decode 	 = substr($text_decode, $iv_size + 10);
$text			 = trim(openssl_decrypt(base64_decode($text_decode), $ssl_cipher_name, $key, 0, $iv));

This process varies from yours in that it skips the first 10 characters in the process. I am guessing this is something to do between the two types of OpenSSL_Encryption. PEM or the other. PHP only uses one of them. Try cutting off the first 10 characters of your incoming text and see what happens… Might do it for you! Good luck!


#3

@ErnieAlex,

Thanks for your reply. I have had a go at changing the code to something you indicated in your previous post. With this I am now getting an error " Warning : openssl_decrypt(): IV passed is only 13 bytes long, cipher expects an IV of precisely 16 bytes, padding with \0 in C:\Server\data\htdocs\orders\customers.php on line 102". I’ve modified the $iv back to the
$iv = chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0);
and this seems to remove the error message, so I'm guessing there could be something in this that's causing it??


#4

Let’s create a script that you can test in a php file that is simple.

$encryptionpassword = '11DiGiTs123';
$method = 'aes-256-cbc';
$hashedpassword = password_hash($encryptionpassword, PASSWORD_BCRYPT, ['cost' => 12]);
$iv = chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0);
$title = openssl_decrypt(base64_decode("**********************"), $method, $hashedpassword, OPENSSL_RAW_DATA, $iv);
echo $title;

Please go into your database and take out any title and replace the *'s with that raw data for a real live title. Or you can use one of the first-names if that is better.
Then, we can test that smaller 6-line code and see why it is failing.

But, before that, there is a big difference in your version of PHP. Which version are you using?
It appears that version 5.6 uses slightly different code than 7.0. Let's answer that first.
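
Added example, not code from any poster in this thread: a stand-alone test in the spirit of the small script above that checks the return value of openssl_decrypt() instead of echoing it, and compares a password_hash() key with a deterministic one. The SHA-256 key derivation, the helper names `deriveKey` and `decryptField`, and all sample values are assumptions made for illustration.

```php
<?php
// Added example: every value below is constructed, none comes from the thread.
$method   = 'aes-256-cbc';
$password = 'example-passphrase';
// All-zero IV only to mirror the thread's code; a fixed IV makes equal
// plaintexts produce equal ciphertexts, so new data should use a random IV.
$iv = str_repeat("\0", openssl_cipher_iv_length($method));

// Assumption: the encrypting side derives its key as the raw SHA-256 digest
// of the passphrase. Whatever it really does, PHP must repeat it byte for byte.
function deriveKey(string $password): string
{
    return hash('sha256', $password, true); // 32 raw bytes, same on every call
}

// Returns the plaintext, or null with the reason logged, instead of letting
// a boolean false reach echo (where it prints as an empty string).
function decryptField(string $b64, string $method, string $key, string $iv): ?string
{
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        error_log('decryptField: column is not valid base64');
        return null;
    }
    $plain = openssl_decrypt($raw, $method, $key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        while (($err = openssl_error_string()) !== false) {
            error_log('decryptField: ' . $err);
        }
        return null;
    }
    return $plain;
}

// Constructed stand-in for one stored column value.
$stored = base64_encode(
    openssl_encrypt('Mr', $method, deriveKey($password), OPENSSL_RAW_DATA, $iv)
);

// password_hash() picks a fresh random salt per call, so the two results
// differ and neither can reproduce a key used at encryption time.
$h1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$h2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
var_dump($h1 === $h2);

var_dump(decryptField($stored, $method, $h1, $iv));                   // salted hash as key
var_dump(decryptField($stored, $method, deriveKey($password), $iv)); // deterministic key
```

When decryption fails, openssl_decrypt() returns false, which echo prints as an empty string. Decrypted values written into a table cell should also pass through htmlspecialchars().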