Ok. I am completely stuck on encryption. Could someone walk me through the process of how to encrypt a string using an AES 128bit key, CBC, PKCS7Padding, base64 format? I am new to encryption so bear with me here. I have posted questions in the past that relate to previous 3rd party libraries but none have worked for me. If someone could provide me sample code and briefly explain the process that would be greatly appreciated. Thanks.
-
possible duplicate of [AES Encryption for an NSString on the iPhone](http://stackoverflow.com/questions/1400246/aes-encryption-for-an-nsstring-on-the-iphone) – Marcus Adams Aug 18 '14 at 18:12
-
Sort of. I don't understand the code here: http://pastie.org/426530 – wayon Aug 18 '14 at 18:24
-
Like where is [self length] and [self bytes] coming from? – wayon Aug 18 '14 at 18:25
-
Have you tried something? Do you have a specific question? StackOverflow is not a code writing service. – ntoskrnl Aug 18 '14 at 18:30
-
Not suggesting that. Your acknowledgement of myself entering into the encryption arena must not have resonated. – wayon Aug 18 '14 at 18:52
-
A link or some tutorial might help me start. @MarcusAdams pointed out a previous question that was asked, but is there a good reading you know for starting encryption? – wayon Aug 18 '14 at 18:55
-
"Like where is [self length] and [self bytes] coming from?" (from previous question) The code sample seems to be a category on NSData and is called on an NSData instance so self refers to the data. Personally I think Categories for encryption just cause confusion – zaph Aug 18 '14 at 19:51
-
@Zaph That's really the tough part about learning this stuff. Makes sense. – wayon Aug 18 '14 at 19:52
1 Answer
For those who find errors and/or omissions please either add a comment and I will revise or edit this post directly.
AES 128bit key, CBC, PKCS7Padding, base64
- AES: is an encryption method (Advanced Encryption Standard)
- 128 bit: the key length in bits (16 bytes).
- CBC: an encryption mode (Cipher Block Chaining)
- PKCS7Padding: adding bytes to data to be encrypted to make the data an exact multiple of the block size
- Base64: an encoding of 8-bit data into printable characters. Nothing to do with encryption but many times used with encryption
- Block: AES encrypts data a block (16 bytes) at a time
- iv: a seed value for certain encryption modes including CBC (initialization vector)
Needed for "AES, 128bit key, CBC, PKCS7Padding"
Encryption:
- data: 8-bit bytes (any number)
- key: 16 8-bit bytes (exactly)
- iv: 16 8-bit bytes (exactly)
The encryption uses these inputs to create an encrypted output of 8-bit bytes with a length longer than the input due to padding to create an exact multiple of the block size. This will make the output data at least 1 byte longer than the input.
The output is raw bytes, that is not ASCII or a unicode encoding. In many cases the result must be printable characters and is Base64 encoded to achieve that. Base64 encoding makes the data longer.
Decryption:
If the data is in Base64 format decode it to raw bytes
- data: 8-bit bytes
- key: 16 8-bit bytes (exactly)
- iv: 16 8-bit bytes (exactly)
The output will be raw 8-bit data bytes, exactly as were encrypted. If the encryption input data was ASCII or a unicode encoding the output will be also.
That is all there is to it. The difficulties are getting the three items (data, key and iv) exactly the same.
Many crypto packages will accept keys and iv that are too short (or missing in the iv case) and pad them to the necessary length somehow. This is non-standard and causes problems. The easy way around this is to supply values that are exactly the correct length. These are data, that is 8-bit bytes, not strings; if you have strings convert them to data. When comparing the data, key and iv do it with hex dumps only. If you do this correctly the encryption/decryption will just work.
There are a couple of other issues:
The key and iv must be known by both sides (encryption & decryption). The key is generally provided by one side to the other through a separate communication, perhaps even snail-mail. The iv must also be shared and need not be secret; in fact it can be sent with the encrypted data.
The key needs to be good and of the correct length. In case it is a password a function is used to make it longer in a non-reversible manner. It should not be really fast. Current best practice is to use the PBKDF2 (Password Based Key Derivation Function) function with an iteration count. Older code tended to use a simple hash (MD5 or SHA-*), but these should no longer be used in new work.
Apple provided APIs for all this in Common Crypto for encryption and key derivation and NSData for Base64 encoding.
For a free PDF of an excellent book: Handbook of Applied Cryptography

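The process described in the answer above, written against Common Crypto and NSData as an added example (it is not code from the answer's author or from Apple). The function names `EncryptToBase64` and `DecryptFromBase64`, the UTF-8 string encoding, and the choice to prepend the iv to the ciphertext before Base64 encoding are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCryptor.h>
#import <Security/Security.h>

// Hypothetical helper: AES, 128-bit key, CBC, PKCS7 padding, Base64 output.
// key must be exactly 16 bytes. Returns Base64 of (iv || ciphertext), or nil.
static NSString *EncryptToBase64(NSString *plainText, NSData *key) {
    if (key.length != kCCKeySizeAES128) return nil;  // no silent key padding
    NSData *data = [plainText dataUsingEncoding:NSUTF8StringEncoding];  // string -> bytes

    // Fresh random 16-byte iv for every message; it does not need to be secret.
    NSMutableData *iv = [NSMutableData dataWithLength:kCCBlockSizeAES128];
    if (SecRandomCopyBytes(kSecRandomDefault, iv.length, iv.mutableBytes) != errSecSuccess)
        return nil;

    // PKCS7 adds 1 to 16 bytes, so reserve one block more than the input.
    NSMutableData *cipher = [NSMutableData dataWithLength:data.length + kCCBlockSizeAES128];
    size_t moved = 0;
    // CCCrypt uses CBC unless kCCOptionECBMode is set.
    CCCryptorStatus status = CCCrypt(kCCEncrypt, kCCAlgorithmAES, kCCOptionPKCS7Padding,
                                     key.bytes, key.length, iv.bytes,
                                     data.bytes, data.length,
                                     cipher.mutableBytes, cipher.length, &moved);
    if (status != kCCSuccess) return nil;
    cipher.length = moved;

    // Send the iv with the encrypted data, then make the raw bytes printable.
    NSMutableData *out = [iv mutableCopy];
    [out appendData:cipher];
    return [out base64EncodedStringWithOptions:0];
}

// Reverses EncryptToBase64: Base64 -> raw bytes -> split iv -> decrypt -> string.
static NSString *DecryptFromBase64(NSString *base64, NSData *key) {
    NSData *raw = [[NSData alloc] initWithBase64EncodedString:base64 options:0];
    // Need the 16-byte iv plus at least one 16-byte ciphertext block.
    if (key.length != kCCKeySizeAES128 || raw.length < 2 * kCCBlockSizeAES128) return nil;
    NSData *iv = [raw subdataWithRange:NSMakeRange(0, kCCBlockSizeAES128)];
    NSData *cipher = [raw subdataWithRange:
                      NSMakeRange(kCCBlockSizeAES128, raw.length - kCCBlockSizeAES128)];
    NSMutableData *plain = [NSMutableData dataWithLength:cipher.length];
    size_t moved = 0;
    CCCryptorStatus status = CCCrypt(kCCDecrypt, kCCAlgorithmAES, kCCOptionPKCS7Padding,
                                     key.bytes, key.length, iv.bytes,
                                     cipher.bytes, cipher.length,
                                     plain.mutableBytes, plain.length, &moved);
    if (status != kCCSuccess) return nil;
    plain.length = moved;  // padding bytes have been stripped
    return [[NSString alloc] initWithData:plain encoding:NSUTF8StringEncoding];
}
```

When the two sides disagree, hex-dump the key, the iv and the data on each side, for example by logging the `NSData` objects, and compare them byte for byte.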