1

I'm planning to implement Tiny Encryption Algorithm and exchange data between two PHP sites.

Specifically, using the code presented at PHP-einfach.de

Does anyone have any experiences / thoughts / comments on using this algorithm? (other than why are you using it)

Background: Its some code that i'm planning to put in a drupal module. the drupal module allows authenticated users of that site to connect to my site. I'm planning to give secret apikeys to these drupal site owners. The code on the drupal site will encrypt data: "userid-commandid-time" with the apikey and show this as a hidden field on a form. Their users submitting that form will be redirected to my site with this encrypted data.. When i get it, i'll decrypt it using my copy of the apikey and check the other data values. Time is being sent to make the request valid for a limited time only.

Also, i did consider oauth, but we're later in our development cycle and work is pretty much done. the system does not have to be 100% secure, its going to be exposed to a limited set of people (the drupal module users). it just has to be reasonable enough to dissuade most wannabe pranksters. gaining access to the key and our encryption methodology would at most allow the hacker spoofed (but limited) access to our system.

Improve this question
3
  • Please explain more on what type of data you are planing to move and why you decided to use TEA.
    – KilledKenny
    CommentedApr 21, 2011 at 12:31
  • sure - its some code that i'm planning to put in a drupal module. the drupal module allows authenticated users of that site to connect to my site. I'm planning to give secret apikeys to these drupal site owners. The code on the drupal site will encrypt data: "userid-commandid-time" with the apikey and show this as a hidden field on a form. Their users submitting that form will be redirected to my site with this encrypted data.. When i get it, i'll decrypt it using my copy of the apikey and check the other data values. Time is being sent to make the request valid for a limited time only.
    – siliconpi
    CommentedApr 21, 2011 at 12:36
  • Thanks for the clarification. It is best to edit your question to put it there where everyone will notice it. And I wonder if you've looked at how a more standard protocol like OAuth would handle your use case.
    – nealmcb
    CommentedApr 21, 2011 at 20:04

2 Answers 2

Reset to default
9

TEA is cryptographically broken. Its successors XTEA and XXTEA fare much better in that respect. Also, the performance of the *TEA algorithms is not very good.

The good point of TEA is the tiny code size -- this is a great asset in situations where code size is constrained, e.g. when you want to learn the code by heart, or when the code is part of often-downloaded software (e.g. a Javascript implementation). This does not apply to a PHP implementation, which stays server-side. So there is little point in using TEA or XTEA, and my advice would be to stick to a faster, more secure and more standard encryption algorithm (i.e. AES, also known as Rijndael).

(Also, encryption is only part of a data exchange protocol; you also need some kind of integrity protection, and there is the whole issue of key management. Usual recommendation is to rely on an existing protocol which already covers all the tricky details, first and foremost being SSL/TLS.)

Improve this answer
1
  • 1
    It's not that broken is it? It just has a few equivalent keys.
    – forest
    CommentedApr 5, 2018 at 7:34
3

I agree whit Thomas Pornin previous post.

I also have some comments on how you do the cross site authentication method. I recommend that you do the authentication on the server side. instead of giving the user the authentication info give it a unique random value instead. Then also send that value to the site you want the client to login to and ask it to return the user that present that random value.

Improve this answer
3
  • hmm - interesting chain of thought - wish i thought of it earlier in my development work! We have upwards of 20-30 "forms" on each page generated for a user. do you have any thoughts on how we can make your suggestion more optimal in that scenario?
    – siliconpi
    CommentedApr 21, 2011 at 13:59
  • If you like it please vote it up. You only have to do a handshake at every page load. You only have to do it once and when your site needs a update the you can get it from the other site whiteout needing to talk true the client.
    – KilledKenny
    CommentedApr 21, 2011 at 14:33
  • i cant! sorry, am new to security.s-ex
    – siliconpi
    CommentedApr 21, 2011 at 16:23

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.