Using PHP, I've created the following set of functions which ultimately takes a string (password) and applies a bcrypt encryption to it. Furthermore, it generates a key to use with mcrypt, then applies that to the bcrypt string (along with base64 to simplify the string) to then insert into a database for storage.
From this, when decoding, I decrypt the mcrypt encryption applied to the hash and then use password_verify() to validate it.
However, I am not able to get password_verify() to validate the hash if it has been run through the mcrypt process, even though after it has been decoded the two strings (one from the encode function and one from the decode) are IDENTICAL.
The encode function looks like this:
function passwordEncode($string) {
    // bcrypt the password, then encrypt the resulting hash with mcrypt (Rijndael-256, ECB)
    // and base64 the ciphertext so it can be stored as text
    $hash = password_hash($string, PASSWORD_BCRYPT, ['cost' => 12]);
    $key = generateKey(); // generateKey() is not shown here
    $encrypt = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key."******", $hash, MCRYPT_MODE_ECB));
    return [$encrypt, $key, $hash];
}
This would return:
[0] ENCRYPT: lTzVGcAY1jkuawebFG/9ZI4O5f/+4hjZHRewstOBAAJwQlYydLJ+B+2QHg9A16qjCUe7FHfTacPzmvH+xnT4rQ==
[1] KEY: 122593420654793b0ee4efc932
[2] HASH: $2y$10$k/4gM1jMIMxnmfBMgrML6enMgqIvnZp2EzPU.G64P3Bb3MDrwJj8e
The HASH index is only for debugging purposes, to provide an output hash that has not been run through the mcrypt process.
The decode function looks like this:
function passwordDecode($string, $key) {
    // reverse the base64 and the mcrypt step to get the bcrypt hash back
    $decrypt = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key."******", base64_decode($string), MCRYPT_MODE_ECB);
    return $decrypt;
}
This would return:
DECRYPT: $2y$10$k/4gM1jMIMxnmfBMgrML6enMgqIvnZp2EzPU.G64P3Bb3MDrwJj8e
Using the raw hash that hasn't been run through mcrypt returns Verified:
$encode = passwordEncode("password");
if(password_verify("password", $encode[2])) {
    echo 'Verified';
} else {
    echo 'Not verified';
}
However, using the hash run through mcrypt encryption and decryption returns Not verified:
$encode = passwordEncode("password");
if(password_verify("password", passwordDecode($encode[0], $encode[1]))) {
    echo 'Verified';
} else {
    echo 'Not verified';
}
After spending hours essentially grinding my forehead against a cheese grater, I still haven't been able to figure out what mcrypt is doing to the string to unverify it. I've made an attempt at searching for invisible characters (keyword attempt) but other than that I'm out of ideas as to what the cause is.
Edit: also, this returns Not verified:
$encode = passwordEncode("password");
if($encode[2]==passwordDecode($encode[0], $encode[1])) {
    echo 'Verified';
} else {
    echo 'Not verified';
}
So something's being done to the string... I just don't know what.
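The check a practitioner would run on this round trip, as an added example that is not part of the question or the asker's code: compare the lengths and the trailing bytes of the original hash and the decrypted value. mcrypt's ECB mode pads the plaintext with NUL bytes up to the 32-byte Rijndael-256 block size (the 88-character base64 value above decodes to exactly 64 bytes), so the 60-character bcrypt hash comes back with four "\0" bytes appended, which breaks both password_verify() and the == comparison. It assumes the mcrypt extension is loaded; the key and password are constructed values.

```php
<?php
// Added example, not from the question: show the zero padding mcrypt adds in ECB mode
// and strip it before verifying. Assumes the mcrypt extension is available.

function stripMcryptPadding($decrypted) {
    // mcrypt pads with "\0" bytes; a bcrypt hash never contains NUL, so trimming is safe
    return rtrim($decrypted, "\0");
}

function roundTrip($password, $key) {
    // same steps as the question's encode/decode, without the base64 layer
    $hash   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $cipher = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $hash, MCRYPT_MODE_ECB);
    $plain  = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $cipher, MCRYPT_MODE_ECB);
    return [$hash, $plain];
}

$key = str_repeat('k', 32); // constructed 32-byte key, like the question's $key."******"
list($hash, $plain) = roundTrip('password', $key);

printf("hash length: %d, decrypted length: %d\n", strlen($hash), strlen($plain)); // 60 vs 64
printf("extra bytes: %s\n", bin2hex(substr($plain, strlen($hash))));              // 00000000
var_dump($hash === $plain);                                          // bool(false)
var_dump(password_verify('password', $plain));                       // bool(false)
var_dump(password_verify('password', stripMcryptPadding($plain)));   // bool(true)
```

mcrypt is deprecated since PHP 7.1 and removed from core in 7.2, so this runs only where the extension is installed; a bcrypt hash is already a salted one-way value, and storing it with ECB encryption on top adds this padding pitfall without adding much protection.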