# Important Security Information

If you're going to use JCrypt in any of your extensions, make *sure* you use **CryptoCipher** (requires mcrypt to be installed on the server) or **SodiumCipher**; these are the only two which are cryptographically secure.

```php
use Joomla\CMS\Crypt\Cipher\SodiumCipher;

$cipher = new SodiumCipher;
$key = $cipher->generateKey();
$data = 'My encrypted data.';

$cipher->setNonce(\Sodium\randombytes_buf(\Sodium\CRYPTO_BOX_NONCEBYTES));
$encrypted = $cipher->encrypt($data, $key);
$decrypted = $cipher->decrypt($encrypted, $key);

if ($decrypted !== $data)
{
	throw new RuntimeException('The data was not decrypted correctly.');
}
```

```php
use Joomla\CMS\Crypt\Cipher\CryptoCipher;

$cipher = new CryptoCipher();
$key = $cipher->generateKey(); // Store this for long-term use

$message = "We're all living on a yellow submarine!";
$ciphertext = $cipher->encrypt($message, $key);
$decrypted = $cipher->decrypt($ciphertext, $key);
```

## Avoid these Ciphers if Possible

* `JCryptCipher3Des`
* `JCryptCipherBlowfish`
* `JCryptCipherMcrypt`
* `JCryptCipherRijndael256`

All of these ciphers are vulnerable to something called a [chosen-ciphertext attack](https://en.wikipedia.org/wiki/Chosen-ciphertext_attack).

The only provable way to prevent chosen-ciphertext attacks is to [use authenticated encryption](https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly), preferably in an [Encrypt-then-MAC construction](http://www.thoughtcrime.org/blog/the-cryptographic-doom-principle/).

The only JCrypt cipher that meets the *authenticated encryption* criteria is **`JCryptCipherCrypto`**.

## Absolutely Avoid JCryptCipherSimple

`JCryptCipherSimple` is deprecated and will be removed in Joomla 4. It's vulnerable to a known plaintext attack: If you know any information about the plaintext (e.g. the first character is '<'), an attacker can recover bits of the encryption key with ease.

If an attacker can influence the message, they can actually steal your encryption key. Here's how:

1. Feed `str_repeat('A', 256)` into your application, towards `JCryptCipherSimple`.
2. Observe the output of the cipher (the ciphertext).
3. Run it through this code:

```php
function recoverJcryptCipherSimpleKey($ciphertext, $knownPlaintext)
{
	$key = '';

	// XOR each ciphertext byte with the known plaintext byte at the same offset.
	for ($i = 0; $i < strlen($knownPlaintext); ++$i)
	{
		$key .= chr(ord($ciphertext[$i]) ^ ord($knownPlaintext[$i]));
	}

	return $key;
}

$key = recoverJcryptCipherSimpleKey(
	$someEncryptedTextOutput,
	str_repeat('A', 256)
);
```

Given how trivial it is to steal the encryption key from this cipher, you absolutely should not use it.
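To illustrate the Encrypt-then-MAC construction recommended under "Avoid these Ciphers if Possible", the following added example (not part of Joomla or of this README) encrypts with AES-256-CTR, authenticates the IV and ciphertext with HMAC-SHA256, and checks the tag before decrypting. The function names `etmEncrypt` and `etmDecrypt`, the two-key layout and the message format are assumptions made for the illustration.

```php
<?php
// Added illustration, not Joomla code: etmEncrypt/etmDecrypt are hypothetical names.
function etmEncrypt(string $plaintext, string $encKey, string $macKey): string
{
    $iv = random_bytes(16); // fresh random IV for every message
    $ct = openssl_encrypt($plaintext, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed.');
    }
    // Encrypt first, then MAC the IV and ciphertext with a separate key.
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return $tag . $iv . $ct; // 32-byte tag | 16-byte IV | ciphertext
}

function etmDecrypt(string $message, string $encKey, string $macKey): string
{
    if (strlen($message) < 48) {
        throw new RuntimeException('Message too short.');
    }
    $tag = substr($message, 0, 32);
    $iv  = substr($message, 32, 16);
    $ct  = substr($message, 48);
    // Verify in constant time BEFORE decrypting; reject anything modified.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        throw new RuntimeException('Authentication failed.');
    }
    $pt = openssl_decrypt($ct, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('Decryption failed.');
    }
    return $pt;
}

// Constructed sample data: random keys and the README's sample message.
$encKey  = random_bytes(32);
$macKey  = random_bytes(32);
$message = etmEncrypt("We're all living on a yellow submarine!", $encKey, $macKey);
echo etmDecrypt($message, $encKey, $macKey), PHP_EOL;

// Flip one bit of the ciphertext: the tag no longer matches, so decryption is refused.
$tampered = $message;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    etmDecrypt($tampered, $encKey, $macKey);
    echo 'Tampered message was accepted', PHP_EOL;
} catch (RuntimeException $e) {
    echo 'Tampered message rejected: ', $e->getMessage(), PHP_EOL;
}
```

In an extension, prefer the authenticated ciphers the README names over a hand-assembled construction like this one; the example only shows why the tag check has to come before any decryption.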