I am working on a project that utilizes mcrypt (serpent) and mySQL amongst other things.
I am storing an encryption key and initialization vector in a mySQL database. Each time the page loads the last key and iv are retrieved from the database and then a new key and initialization vector are generated from random alphanumeric characters and the database is updated. Sometimes it works and other times it doesn't.
The data that is being encrypted is a password (string) that is coded in base64, that string is then made sage to be passed into a URL and retrieved via get. The username is also being passed to the url. Once the next page is opened the encrypted/base64_encoded string is checked to replace any URL unsafe characters and base64_decoded. It uses the username to find the corresponding key & initialization vector. It is then decrypted with mcrypt (serpent) and the escape character is stripped off. The decrypted password is then hashed with sha512 and compared to a sha512 string that was previously stored.
I have concluded that the strings are being stored correctly however sometimes, approximately 50% of the time, there is a problem retrieving the key and iv from the database and using them to decrypt the password which is then hashed. When I compare the strings they are not evaluating true as they should. I have noticed that it happens less often when I take my time and wait >10 seconds before loading the next page.
I have manually defined static keys and ivs in the php code which will prevent this problem.
Does anybody have any solutions?