The example on php.net shows the creation and usage of a random IV (whereas their example uses ECB block mode which actually doesn't use the IV, so it's kinda misleading). Creating a random IV before encryption doesn't seem very useful to me, as you need the same IV next time when you decrypt earlier encrypted data.
Instead, I use this for ALL my encryption and decryption:
$fixedIV = md5('hello');
// note that mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC) == strlen($fixedIV)

Is this safe & secure? I mean, can I rely on just the keys being hard to crack? That is, even though my IV is fixed, can be easily brute forced (rainbow tables), and consists of only 32 hexadecimal digits (as opposed to 32 random bytes).
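
The following is an added example, not part of the original post: it shows how a random IV is stored alongside the ciphertext so decryption can recover it, and what a fixed IV reveals in CBC mode. It assumes PHP's openssl extension with AES-256-CBC (16-byte IV) in place of the post's mcrypt Rijndael-256 setup; the function names, key and records are constructed for illustration.

```php
<?php
// Added example: openssl AES-256-CBC stands in for mcrypt/Rijndael-256 (assumption).
const CIPHER = 'aes-256-cbc';

// Encrypt with a fresh random IV and prepend it to the ciphertext.
// The IV is not secret; it must be unpredictable and different per message.
function encrypt_random_iv(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $ct;
}

// Split the stored IV back off the front of the blob, then decrypt.
function decrypt_random_iv(string $blob, string $key): string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if (strlen($blob) <= $ivLen) {
        throw new InvalidArgumentException('blob too short to contain an IV');
    }
    $iv = substr($blob, 0, $ivLen);
    $pt = openssl_decrypt(substr($blob, $ivLen), CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// The post's approach: one IV derived from md5('hello') for every message.
function encrypt_fixed_iv(string $plaintext, string $key): string
{
    $iv = substr(md5('hello'), 0, openssl_cipher_iv_length(CIPHER));
    return openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
}

$key = random_bytes(32);                        // constructed 256-bit key
$a = 'account=1001;balance=250.00;note=first';  // constructed records whose
$b = 'account=1001;balance=250.00;note=other';  // first 32 bytes are identical

// Fixed IV: records with equal leading blocks yield equal leading ciphertext blocks.
$fa = encrypt_fixed_iv($a, $key);
$fb = encrypt_fixed_iv($b, $key);
var_dump(substr($fa, 0, 32) === substr($fb, 0, 32));

// Random IV: the same record encrypts differently each time and still decrypts.
$r1 = encrypt_random_iv($a, $key);
$r2 = encrypt_random_iv($a, $key);
var_dump($r1 !== $r2, decrypt_random_iv($r1, $key) === $a);
```

CBC on its own provides confidentiality only; detecting tampering requires a MAC over the IV and ciphertext or an AEAD mode.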