MCrypt Collision Probability

**WildFoxMedia** · Apr 18, 2009 17:00

I am trying to create a unique encryption using the following code:

PHP Code:


$td = mcrypt_module_open('tripledes', '', 'ecb', '');
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
mcrypt_generic_init($td, $key, $iv);
$encrypted = mcrypt_generic($td, $data);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);

The $data being passed in looks like... "||12-94||" - The numbers will be be changing and will potentially range from 2-8 digits each.

I realize you can never say never in terms of collisions, but what kind of odds am I looking at? These hashes values are then base64_encoded and use in URLs for tracking, so being unique is paramount, is there a better way to achieve this that wont suffer from possible collisions?

**logic_earth** · Apr 18, 2009 17:43

What you are doing is not hashing, its encryption which can then be decrypted. Collisions is not something you have to worry about when encrypting. Because unlike hashing the data is never really gone.

**WildFoxMedia** · Apr 18, 2009 17:54

What your saying makes sense, but just to be completely clear, there is no possibility for collision when encrypting?

Also, any opinions on doing something like...

PHP Code:


$data = base64_encode('||1221-15252||');



$translated = str_replace('=', '', strtr(base64_encode($data), '+/', '-_')) . 'aAn';

and then on the flip side

PHP Code:


$decoded = base64_decode(strtr(substr($translated, 0, -3), '-_', '+/'));

It seems like its still "never gone" similar to encryption, but it doesnt require mcrypt and it just tacks on something extra to the end to confuse anyone that would attempt a base64_decode()

**crmalibu** · Apr 18, 2009 17:55

If these numbers need to be protected, you could also consider just never putting them out in the wild. Each combination of numbers could just be stored in a private database, and let the database generate an integer id. This could be safer unless you think someone may be able to predict sequences.

**SituationSoap** · Apr 20, 2009 06:57

Originally Posted by WildFoxMedia

What your saying makes sense, but just to be completely clear, there is no possibility for collision when encrypting?

Also, any opinions on doing something like...

PHP Code:


$data = base64_encode('||1221-15252||');



$translated = str_replace('=', '', strtr(base64_encode($data), '+/', '-_')) . 'aAn';

and then on the flip side

PHP Code:


$decoded = base64_decode(strtr(substr($translated, 0, -3), '-_', '+/'));

It seems like its still "never gone" similar to encryption, but it doesnt require mcrypt and it just tacks on something extra to the end to confuse anyone that would attempt a base64_decode()

I don't think you really understand how Base64 works. Adding "aAn" onto the end of the string doesn't meant that when you B64 Decode you're going to get something different: you're just going to get the string with "aAn" on the end of it.

As for your question on collisions: you have a 10^8th chance of a collision, because that's the maximum size of your dataset. As long as the starting data is unique, the ending data will be unique.

I'm going to second the idea of locking the values in question in a database, though. Note that you'll need to properly secure yourself against SQL injection or you're right back where you started in all this.

User Tag List

Thread: MCrypt Collision Probability

Thread Tools

Display

MCrypt Collision Probability

Bookmarks

Bookmarks

Posting Permissions