Reduce the encrypted string length in codeigniter
When I try to encrypt a string using the encryption library in CI, the returned string is very big, around 178 chars long. Is there any method to reduce the length of the string? The default cipher is AES-128.

Suppose: $data=$this->encryption->encrypt("welcome to ooty"); it returns a 178-character string value. I need it to be reduced to under 20.

Update: When I encrypt a number, say 6, it returns a 178-character string.

Unroll answered 29/3, 2016 at 8:3

Comments:
I also need this if possible. - Swaim
"welcome to oooty" You misspelled booty - Palatine
Can't you change the encrypted string to base64? This should reduce the size. - Crawl
@КодСерфинг145 No it won't ... Base64 adds at least 33% overhead in size and CI_Encryption does already base64_encode() the cipherText by default anyway. - Accidental
@Accidental oh okay I understand =P Well then maybe try this: github.com/ferno/base65536 xD probably useless - Crawl
@КодСерфинг145 That won't help either ... no kind of encoding will help. - Accidental
@Accidental but it is somehow possible in the encrypt class in CodeIgniter, ref: codeigniter.com/user_guide/libraries/… - Unroll
What are you doing that needs "under 20" characters? - Embower
But in that case you won't be able to decrypt. - Superdominant
Encryption does not reduce the data length.

AES encryption output length depends on the mode. A streaming mode such as CTR mode will not change the length. A block mode such as ECB or CBC will need to be padded to a multiple of the block length, but PKCS#7 padding will only increase the length by a maximum of one block size, 16 bytes for AES.

There is more going on than just encrypting the bytes. A mode such as CBC may be used and the IV (one block length) may be prepended to the encrypted data. Authentication may be added and that could add perhaps 32 bytes. There may be password derivation and the salt and count may be added. Finally the result may be encoded to Base64 or hexadecimal, which would increase the length by 33% or 100% respectively.

Potential case: "welcome to ooty" is 15 bytes. Padding is 1 byte, authentication 32 bytes, salt 32 bytes, count 2 bytes, version 1 byte = 83 bytes; hex encoded = 166 bytes, close to the 178 bytes you are getting.

All this extra buys security. Depending on your use it may not all be necessary; consult a cryptographic domain expert.

Thier answered 29/3, 2016 at 12:17

Comments:
But the question remains, how to reduce the encrypted string length in CodeIgniter? - Syndicalism
@MujahedAKAS The answer is: it can't. Encryption does not, can not, reduce data length; the encrypted length is the same as the input length plus any padding. A better encoding or compression may be able to reduce the length prior to encryption. - Thier
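To make the "base length" the answers talk about concrete, here is an added length model (not code from the page or from CodeIgniter itself). It assumes the output layout of hex HMAC tag prepended to base64(IV || ciphertext), with AES-128-CBC and HMAC-SHA512 as defaults; that layout is my assumption about the CI 3 library, not something stated on the page. Under it, one byte of plaintext and "welcome to ooty" both come out at 172 characters, the figure Accidental quotes below.

```python
import math

# Constructed model of the length budget of one encrypt() call.
# Assumed layout (not confirmed by the page): hex HMAC tag, then
# base64(IV || ciphertext). Only byte counts are modelled, no real crypto.

BLOCK_SIZE = 16                                  # AES block size, any key length
HMAC_RAW_LEN = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}

def padded_len(n, mode):
    """Ciphertext bytes for n plaintext bytes: PKCS#7 pads block modes
    up to the next block boundary (always 1..16 bytes added, so 16 in
    gives 32 out); a stream mode such as CTR keeps the exact length."""
    if mode == "ctr":
        return n
    return (n // BLOCK_SIZE + 1) * BLOCK_SIZE

def base64_len(n):
    return 4 * math.ceil(n / 3)                  # 3 bytes -> 4 chars, padded

def encrypted_len(n, mode="cbc", hmac_digest="sha512", base64=True, hmac=True):
    """Total characters (or bytes when base64=False) returned for n bytes."""
    body = BLOCK_SIZE + padded_len(n, mode)      # IV is prepended to ciphertext
    if base64:
        body = base64_len(body)
    tag = 0
    if hmac:
        raw = HMAC_RAW_LEN[hmac_digest]
        tag = 2 * raw if base64 else raw         # hex tag on text output, raw on binary
    return tag + body

def budget(n, **kw):
    """Split the total into the part that is fixed and the part that grows with n."""
    fixed = encrypted_len(0, **kw)
    return {"total": encrypted_len(n, **kw), "fixed_overhead": fixed}

if __name__ == "__main__":
    for n in (1, 15, 16, 100):
        print(n, "default:", budget(n),
              "ctr+sha224:", budget(n, mode="ctr", hmac_digest="sha224"))
```

Dropping base64 and the HMAC and using CTR gets the output down to IV plus plaintext (16 + n bytes), which is the floor: the IV and tag are the price of a correct construction, not of the plaintext size.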
You could use a different combination of cipher, cipher-mode and HMAC algorithm that would add less data overhead, but no - the resulting cipherText won't be reduced to 20 - the HMAC alone will result in at least 28 bytes.

Also, judging by your description ("around 178 characters"), the plainText itself is longer than 20 bytes ... encryption isn't compression, you can't expect the resulting cipherText to have a smaller length than the plainText.

Accidental answered 29/3, 2016 at 8:30

Comments:
I got it. But when I encrypt just "1", the result is 178 chars long. I forgot to mention that above, my mistake. - Unroll
172, not 178 ... But yes - it's long and you can't get it down to under 20. Whatever you're trying to do, it will have to allow longer lengths. There's just a "base" length that you have to accept. On the positive side, if/when you encrypt larger data, the difference wouldn't be that big. - Accidental
But it is somehow possible in the encrypt class in CodeIgniter, ref: codeigniter.com/user_guide/libraries/… - Unroll
@Accidental The length can be reduced to the length of the data to be encrypted with a streaming mode such as CTR. HMAC etc. may not be required. It all depends on the application/protocol used. Also the level of security required. - Thier
@Thier You're not supposed to omit authentication; I've intentionally not mentioned that because there's no such thing as "level of security required" - it's either secure or not. If somebody looks at the code and says the cipherText lacks authentication, that's automatically a valid bug report. - Accidental
There are protocols where authentication of the encrypted data is not done/needed. There is a "level of security", many times called "work factor". If you have an encryption key on a server it is not secure; if you are using software encryption it is not secure (my wife will laugh at software encryption). Move up to an HSM and up the physical security and you come really close but 100%. But not all encryption requires an HSM with physical security; there are levels of security, and one chooses the level necessary to thwart a certain level of attacker, taking into consideration the value of the data. - Thier
I suggest that an HSM "level of security" is not needed for Tic-Tac-Toe scores. - Thier
You know what I meant just as well as you know the OP isn't trying to hide Tic-Tac-Toe scores and that they most likely don't know if they need authentication or not. - Accidental
The point is you said: there's no such thing as "level of security required" - it's either secure or not. But that is an overstatement and incorrect. Security is all about increasing work factor to meet the required security. The OP may be in a position of not providing the level of security needed, but we don't know. Then we have PHP mcrypt, written by such Bozos that they did not include PKCS#7 née PKCS#5 padding as an option, providing only null padding, and it is assumed that they know what they are doing? Do you still maintain that there is no such thing as "level of security required"? - Thier
If you're hell-bent on proving you're right on "the point" that you arbitrarily chose from a comment you know was well-meaning - fine, you're right. But please remember that we're on StackOverflow, not crypto.stackexchange.com, and people will make the wrong decisions when given other options than "secure or not". - Accidental
@Thier I can think of a number of use-cases for encryption where authenticated encryption is not strictly necessary, but the overlap with what most developers implement is virtually zero. - Embower
Well you could do substr($encodedString, 0, 20) but this would be a VERY BAD IDEA™

You would be greatly reducing the entropy of the encrypted string, and thus the security of that encryption. It's that long for a reason!

Passbook answered 29/3, 2016 at 8:14

Comments:
That would just get a part of the HMAC, which is unusable by itself. - Accidental