Adding an encryption method?

Question

Encryption is a topic that I have literally no experience with whatsoever until I actually learn about it at University next year (excluding basic knowledge of simple cyphers). I'll hopefully understand them better in the future, but for now I'd just llike to implement them into my apps without knowing the inner details.

Scenario

I'm trying to secure one of my PHP/NodeJS apps by adding encryption to it. I'm doing this so I can share data between NodeJS and PHP in a secure manner.

PHP server -> Needs to be able to encrypt and decrypt data

NodeJS server -> Only needs to be able to decrypt data

Possible solutions

I've spent hours searching for a decent solution to my problem. I've tried many code samples, but this seems to be the best code sample that I've come across and tested so far.

As you can see from the code, decryption methods have been built for both NodeJs and PHP. Both appear to work very well so far from what I've tested. That's half of my problem solved already. :-)

What I'm trying to do now, is figure our how to implement an encryption function with PHP code. I've tried this:

print "Encrypted: " . base64_encode(openssl_encrypt("Hello world", 'aes-256-cbc', $password));

but I get the output of: aUZaNnFlWWV5M0dObTE1U3pxMENwdz09 when I should in fact be getting the value of edata as output: U2FsdGVkX18M7K+pELP06c4d5gz7kLM1CcqJBbubW/Q=

Does anyone know why this output is different? I'm obviously doing something wrong, but I just can't figure out what I should be doing as there is so much going on in that PHP code... If someone could give me a little guidance that would be great. Thanks!

Answer 1

but I get the output of: aUZaNnFlWWV5M0dObTE1U3pxMENwdz09 when I should in fact be getting the value of edata as output: U2FsdGVkX18M7K+pELP06c4d5gz7kLM1CcqJBbubW/Q=

There are two things to keep in mind:

1. Unless you specify OPENSSL_RAW_DATA, openssl_encrypt() will automatically base64 encode the output for you, so the second output is double-encoded.

2. The Node.js snippet you linked above does some funky stuff to generate a key and IV, and your PHP snippet doesn't do this at all.

   var rounds = 3;
   var data00 = password + salt;
   
   console.log("Data00 (Base64): " + new Buffer(data00, "binary").toString("base64"));
   
   md5_hash = new Array();
   md5_hash[0] = crypto.createHash("md5").update(data00).digest("binary");
   
   var result = md5_hash[0];
   console.log("MD5-Hash[0] (Base64): " + new Buffer(result, "binary").toString("base64"));
   
   for (i = 1; i < rounds; i++) {
       md5_hash[i] = crypto.createHash("md5").update(md5_hash[i - 1] + data00).digest("binary");
       result += md5_hash[i];
       console.log("Result (Base64): " + new Buffer(result, "binary").toString("base64"));
   }
   

   Conversely, your PHP snippet uses a naked $password variable and doesn't pass an IV at all, which generates an error:

   php > $password = 'password';
   php > echo base64_encode(openssl_encrypt("Hello world", 'aes-256-cbc', $password));
   PHP Warning:  openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended in php shell code on line 1
   NlpwenNFNCtJYjhjOWNIYkNHazZCZz09
   

So those are your immediate sources of failure:

• Your key is different.
• The Node.js snippet uses an IV, you do not. You need an IV for AES-CBC.

But also: AES-CBC is not secure by itself. See this answer for what to do instead.