HMAC Truncation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
function canonicalize(string ...$pieces) { | |
$output []= pack('J', count($pieces)); | |
foreach ($pieces as $piece) { | |
$output []= pack('J', mb_strlen($piece, '8bit')); | |
$output []= $piece; | |
} | |
return implode($output); | |
} | |
function encrypt(string $plaintext, string $key, array $identity): string | |
{ | |
$nonce = random_bytes(24); | |
$identity []= $nonce; | |
$output = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt( | |
$plaintext, | |
canonicalize(...$identity), | |
$nonce, | |
$key | |
); | |
return sodium_bin2hex($nonce . $output); | |
} | |
function decrypt(string $ciphertext_hex, string $key, array $identity): string | |
{ | |
$ciphertext_raw = sodium_hex2bin($ciphertext_hex); | |
$nonce = mb_substr($ciphertext_raw, 0, 24, '8bit'); | |
$encrypted = mb_substr($ciphertext_raw, 24, null, '8bit'); | |
$identity []= $nonce; | |
return sodium_crypto_aead_xchacha20poly1305_ietf_decrypt( | |
$encrypted, | |
canonicalize(...$identity), | |
$nonce, | |
$key | |
); | |
} | |
$k1 = random_bytes(32); | |
$k2 = random_bytes(32); | |
$rows = [ | |
['name' => 'foo', 'email' => 'foo@example.com'], | |
['name' => 'bar', 'email' => 'bar@example.com'] | |
]; | |
$encrypted = []; | |
$decrypted = []; | |
foreach ($rows as $i => $row) { | |
if (!isset($encrypted[$i])) { | |
$encrypted[$i] = []; | |
} | |
$encrypted[$i]['name'] = encrypt($row['name'], $k1, ['users', 'name']); | |
$encrypted[$i]['email'] = encrypt($row['email'], $k1, ['users', 'email']); | |
$encrypted[$i]['email_idx'] = substr(hash_hmac('sha256', $row['email'], $k1), 48); | |
if (!isset($decrypted[$i])) { | |
$decrypted[$i] = []; | |
} | |
$decrypted[$i]['name'] = decrypt($encrypted[$i]['name'], $k1, ['users', 'name']); | |
$decrypted[$i]['email'] = decrypt($encrypted[$i]['email'], $k1, ['users', 'email']); | |
} | |
var_dump($encrypted, $decrypted); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
array(2) { | |
[0]=> | |
array(3) { | |
["name"]=> | |
string(86) "1744440ec2d27b4a8c7d092e2367daa4c1f3d33a5f8aabde7221a05796120c4df078b5fc99cee6a65ddc31" | |
["email"]=> | |
string(110) "444ca3f4092215884d04f360bc593a76a6776bdbbabc7950eb1129d182aac703c02368d617380883ec8fd43703f3f585492c142097ebb5" | |
["email_idx"]=> | |
string(16) "28e9ef076233d870" | |
} | |
[1]=> | |
array(3) { | |
["name"]=> | |
string(86) "4b09b22685b7c5c4c06a3c1d3deb7f731f0f00f0b10dd94f50cf8dccd76e7e7f8b018734facf5f663f2727" | |
["email"]=> | |
string(110) "8843320551b538f8fe3aa0e20d841fa2cc1fc12f10a771c063bef16d35bf14ccc4c3dee7e8cfae626641d252d475b515327e29e79965ca" | |
["email_idx"]=> | |
string(16) "04e48ca810a8b1ae" | |
} | |
} | |
array(2) { | |
[0]=> | |
array(2) { | |
["name"]=> | |
string(3) "foo" | |
["email"]=> | |
string(15) "foo@example.com" | |
} | |
[1]=> | |
array(2) { | |
["name"]=> | |
string(3) "bar" | |
["email"]=> | |
string(15) "bar@example.com" | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment