[Typo3-dev] OT: Encryption

Martin T. Kutschker Martin.T.Kutschker at blackbox.net
Mon Apr 5 16:10:48 CEST 2004


Kasper Skårhøj wrote:
> 
> Question: If you do NOT know the value of 
> $this->TYPO3_CONF_VARS['SYS']['encryptionKey'] how can you decrypt the
> scrambled output? Of course if
> $this->TYPO3_CONF_VARS['SYS']['encryptionKey'] is short enough it could
> be guessed but imagine you take the bible as the encryption key string
> then you would have to use the exact character sequence of the whole
> bible to decode the string again.

I guess it's safe enough for the purpose but I'm no crypto expert either.

> (The function roundTripCryptString() is new in TYPO3 tslib_fe class and
> is used to encrypt the email address in mail forms so spammers do not
> get a hold of it)

You still might want to add an MD5 or SHA-1 hash of the encrypted (and 
other) passed arguments. Though even if the key was broken you'd detect 
tampering with the args. Of course you MUST use a salt different from 
the encryption key.

Masi
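
The check suggested in the reply above, as an added example that is not part of the original post or of TYPO3. It uses HMAC-SHA-256 in place of the salted MD5/SHA-1 hash the post mentions, and the function names, the key and the argument values are hypothetical, constructed for illustration.

```php
<?php
// Added example, not TYPO3 code. All names below are hypothetical.

/**
 * Build an unambiguous byte string from the arguments: sorted by name,
 * with every name and value prefixed by its length, so that moving
 * characters between fields always changes the signed input.
 */
function canonicalizeArgs(array $args): string
{
    ksort($args, SORT_STRING);
    $out = '';
    foreach ($args as $name => $value) {
        $name  = (string)$name;
        $value = (string)$value;
        $out  .= strlen($name) . ':' . $name . strlen($value) . ':' . $value;
    }
    return $out;
}

/** Integrity tag over all passed arguments, keyed with a key used only for this. */
function signArgs(array $args, string $macKey): string
{
    return hash_hmac('sha256', canonicalizeArgs($args), $macKey);
}

/** Recompute the tag and compare it in constant time. */
function verifyArgs(array $args, string $tag, string $macKey): bool
{
    return hash_equals(signArgs($args, $macKey), $tag);
}

// Constructed sample values. $macKey must not be the encryption key.
$macKey = 'constructed-mac-key-separate-from-encryptionKey';
$args = [
    'recipient' => 'SCRAMBLED-ADDRESS-PLACEHOLDER', // stands in for the scrambled e-mail address
    'subject'   => 'Contact form',
];
$tag = signArgs($args, $macKey); // sent along with the form arguments

$tampered = $args;
$tampered['recipient'] = 'SCRAMBLED-ADDRESS-MODIFIED';

var_dump(verifyArgs($args, $tag, $macKey));         // arguments as issued
var_dump(verifyArgs($tampered, $tag, $macKey));     // scrambled value changed in transit
var_dump(verifyArgs($args, $tag, 'different-key')); // tag checked under another key
```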




