PHP AES-256 encryption

Question

I've got a supplied Key and IV from a client to use however the function i am using is not returning the expected result. I can't post the key and IV though as they are sensitive info. The only thing i'm not sure on is that the web service i'm connecting to is .NET and i'm working in php as you can see below i've tried padding methods. Any ideas?

function encrypt($str, $key, $iv){
 $block = mcrypt_get_block_size('rijndael_128', 'cbc');  
 $pad = $block - (strlen($str) % $block);    
 $str .= str_repeat(chr($pad), $pad);    
 return mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $str, MCRYPT_MODE_CBC, $iv);
}

Answer 1

Here you go, the trick is to use a 32 character key. This is a raw, AES 256 encryption method for php. This uses a random IV and base 64 encoding to store the binary data as character text, it's hard to say how to decrypt what you have without seeing how it was encrypted. That said, this is a proper way of doing AES256 in php.

//**************** Symmetric ****************//
function symEncode($decrypted, $key){
    # show key size use either 16, 24 or 32 byte keys for AES-128, 192
    # and 256 respectively
    //$key_size =  ini_get('mbstring.func_overload') ? mb_strlen($key , '8bit') : strlen($key);
    // Build $iv and $iv_base64.  We use a block size of 128 bits (AES compliant) and CBC mode.  (Note: ECB mode is inadequate as IV is not used.)
    $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), MCRYPT_RAND);
    if (strlen($iv_base64 = rtrim(base64_encode($iv), '=')) != 22) return false;
    // Encrypt $decrypted and an MD5 of $decrypted using $key.  MD5 is fine to use here because it's just to verify successful decryption.
    $encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $decrypted . md5($decrypted . $key), MCRYPT_MODE_CBC, $iv));
    // We're done!
    return $iv_base64 . $encrypted;
}

And to decode this.

function symDecode($encrypted, $key){
    // Retrieve $iv which is the first 22 characters plus ==, base64_decoded.
    $iv = base64_decode(substr($encrypted, 0, 22) . '==');
    // Remove $iv from $encrypted.
    $encrypted = substr($encrypted, 22);
    // Decrypt the data.  rtrim won't corrupt the data because the last 32 characters are the md5 hash; thus any \0 character has to be padding.
    $decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($encrypted), MCRYPT_MODE_CBC, $iv), "\0\4");
    // Retrieve $hash which is the last 32 characters of $decrypted.
    $hash = substr($decrypted, -32);
    // Remove the last 32 characters from $decrypted.
    $decrypted = substr($decrypted, 0, -32);
    // Integrity check.  If this fails, either the data is corrupted, or the password/salt was incorrect.
    if (md5($decrypted . $key) != $hash){
        die( 'failed to decode data');
 }

Have you seen this? Php Decrypt a String from C# .NET RIJNDAEL 256

IN Reply to the downvote

As with any MAC, it may be used to simultaneously verify both the data integrity and the authentication of a message. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC

furthermore ( Oracle attacks )

To prevent this attack, one could append an HMAC (Hash-based message authentication code) to the ciphertext. Without the key used to generate the HMAC, an attacker won't be able to produce valid ciphertexts. Since the HMAC is checked before the decryption stage, the attacker cannot do the required bit-fiddling and hence cannot discover the plaintext.

So, are you sure about that in the comments? How would you improve it? ( the only way I see is adding the key to the md5 hash which I have now done )

Granted I'm not an encryption expert, but the code above always encrypts to a different encryption text, with the same plain text.

Don't be mistaking in thinking the last 32 characters are static because, the md5 hash ( non-random ) is not exposed until decryption of the entire message.

Which requires both the IV and the KEY. The md5 hash is then used to programmatically verify that the data was successfully UN-encrypted, thereby defeating any attempts to modify / tamper with the encrypted data.

There is hardly a way for an attacker to "guess" where the IV is appended ( this is the HMAC as described in defeating an oracle attack ) as that too is random text. In essence they would need access to the code to even begin to decrypt it. And if they have access to the servers file system, you have bigger problems.

In essence, this is the scheme

  [random IV] [ encrypted [md5 hash] ]

As to being comparable to the code above, that is an impossible proposition without,

• A plaintext example
• B the exact code / methods used to encrypt the data
• C the output of the encryption code / method used above
• Although even B would be enough, but it would be better to verify the "methodology" before doing all the work to make it portable to PHP mcrypt.

And of which I requested.

Once that is supplied one would then verify that you can get A back out of C natively, because the nature of the encryption used the cipher text will always be different ( if its done right ). Therefore just reverse engineering a solution from just the cipher text is next to impossible. And again we don't even have an example of the input and the cipher text produced. As I mentioned without seeing how it is natively decrypted, it's guessing at best.

Therefor, the only thing I can do is share a bit of knowledge about how I would encrypt / decrypt it using AES in PHP