2

My Delphi application uses TurboPower LockBox 3 to encrypt a plaintext information using AES 256. I now want to decrypt this information using PHP. But TurboPower LockBox 3 has some interoperability issues.

Please check the post by LockBox 3 author here for details :

http://lockbox.seanbdurkin.id.au/tiki-view_forum_thread.php?comments_parentId=363&topics_offset=1

And a similar post on Stackoverflow

Secure keypair encryption solution in Delphi & PHP?

In LockBox 3, during encryption, you set a password. This password is then used as a seed to generate the key and iv. So has anyone been able to mimic the key generation method on PHP side ? Or is there any way i can get the Key/IV being generated by LockBox 3 and put it in my PHP code so the file can be decrypted ?

Community
  • 1
  • 1
Madhur
  • 2,119
  • 1
  • 24
  • 31

1 Answers1

7

IV

As stated to you before, the IV nonce is prepended to the ciphertext message. So to obtain it on the PHP side, simply extract the first 8 bytes.

Keys

You need to decide if the shared secret is in password-string format or binary key format. The symetric Key class (TSymetricKey) has a method SaveToStream(), which works as you would expect it to. The TCodec component has a Key property, which will be available after you set the cipher, chaining mode and password.

All of the methods are self-documenting and do pretty much what they read like, however if you need some demo code, saving a key to a stream, let me know.

Sean B. Durkin
  • 12,659
  • 1
  • 36
  • 65
  • So i tried to retrieve the key being generated internally by LockBox 3 and as per my understanding, the key being generated is in UTF16LE format, and there are some code-points which cannot be converted to UTF8. How do i go about it ? Any workaround ? – Madhur Aug 27 '12 at 16:38
  • Keys are binary. It is only strings that can be said to be in UTF16 or UTF8. – Sean B. Durkin Aug 28 '12 at 00:07
  • Also there are no code-points in a UTF16 string that cannot be converted to UTF8. That is why there is a "U" in UTF16. Look it up in wikipedia. – Sean B. Durkin Aug 28 '12 at 00:15
  • Sorry for the ignorance, checked it up on wiki. The difference is just in the way bits are grouped to represent a code-point. On a positive note, i am now able to decrypt the data in php **PROVIDED** it is in multiple of 16bytes. So i think the padding scheme is creating a hindrance now. From answer to this post http://stackoverflow.com/questions/10847759/turbopower-lockbox3-can-i-control-initialization-vector-and-padding-for-aes-25 it seems CBC uses Ciphertext Stealing ? – Madhur Aug 28 '12 at 15:03
  • So, is there any way i can force LockBox 3 to not use CTS and use some simpler padding scheme instead ? Or do i need to implement something described http://stackoverflow.com/questions/10411036/how-can-i-encrypt-decrypt-data-using-aes-cbccts-ciphertext-stealing-mode-in-p on PHP side ? – Madhur Aug 28 '12 at 15:05
  • No. CTS is for your own good. Drink the medicine. On the PHP side, either implement CTS (not hard) with a non key-streaming chain mode like CBC, or simply choose a key-streaming chain mode like OFB. Which to go with? It depends on what your PHP crypto library supports. – Sean B. Durkin Aug 28 '12 at 15:23
  • PHP supports both CBC as well as OFB Check [Block Cipher Modes](http://php.net/manual/en/mcrypt.constants.php). If i decide to implement CTS, the steps defined [here](http://stackoverflow.com/questions/10411036/how-can-i-encrypt-decrypt-data-using-aes-cbccts-ciphertext-stealing-mode-in-p) correct ? – Madhur Aug 28 '12 at 16:43
  • If it's based on the wikipedia page, then probably. I won't examine it in detail, unless you try it first and it doesn't work out. – Sean B. Durkin Aug 29 '12 at 05:49