Failing to upgrade mcrypt to openssl decryption in PHP

Question

I'm upgrading a legacy application from PHP 7.0 to 7.2 and my decrypt function isn't working when I switch out mcrypt for openssl.

I tried the existing answers like mcrypt is deprecated, what is the alternative?, and Gists like https://gist.github.com/odan/c1dc2798ef9cedb9fedd09cdfe6e8e76, but I'm still not able to make the code work.

Can anyone shed some light what I'm doing wrong?

Old code

function decrypt($value, $key) {
    $ivLength = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
    $iv = substr($value, 0, $ivLength);
    return rtrim(
        mcrypt_decrypt(
            MCRYPT_RIJNDAEL_128,
            hash('sha256', $key, true),
            substr($value, $ivLength),
            MCRYPT_MODE_CBC,
            $iv
        ),
        "\0"
    );
}

New code (not working with existing inputs)

function decrypt($value, $key) {
    $ivLength = openssl_cipher_iv_length('AES-128-CBC');
    $iv = substr($value, 0, $ivLength);
    // Note: $key is hashed because it was hashed in the old encrypt function below
    return openssl_decrypt(substr($value, $ivLength), 'AES-128-CBC', hash('sha256', $key, true), OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
}

For context, here's how the old code encrypted the values:

function encrypt($value, $key) {
    $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), MCRYPT_DEV_URANDOM);
    return $iv . mcrypt_encrypt(
            MCRYPT_RIJNDAEL_128,
            hash('sha256', $key, true),
            $value,
            MCRYPT_MODE_CBC,
            $iv
        );
}

Also, the raw value in $value is twice as long when output to the error log in the new code than the old code and looks similar but with more characters.

I'm fairly sure the old encrypt and the new decrypt would not be compatible with each-other — GrumpyCrouton, Oct 05 '18 at 20:01
Why are you using a different method for the key? `additional_key` also isn't defined anywhere — Devon Bessemer, Oct 05 '18 at 20:03
@Devon whoops, that shouldn't be there, it was already refactored out. I removed it from the code. — Anton, Oct 05 '18 at 20:05
@Devon Good catch. I updated the code but it still doesn't work, returns an empty string. — Anton, Oct 05 '18 at 20:16
@Anton Well if you could decrypt them the same way, wouldn't that be a security issue? — GrumpyCrouton, Oct 05 '18 at 20:30
@GrumpyCrouton I thought mcrypt was bring deprecated due to lack of support, not security issues, though. What do websites do with their encrypted data during such an upgrade? — Anton, Oct 05 '18 at 20:35
@Anton I'll be honest, I don't really know an awful lot about encryption/decryption. That's one of the reasons I didn't state my first comment as an absolute fact, I really don't know — GrumpyCrouton, Oct 05 '18 at 20:43

t.m.adam · Accepted Answer · 2018-10-07T21:30:49.277

The main issue here is the key size. You're creating the key with SHA256 which returns a 256 bit hash, therefore you're using AES / Rijndael with a 256 bit key.

The number in Rijndael-128 defines the block size, the key size is determined by the length of the key we use. The number in AES-128 defines the key size (the block size is constant, 128 bits), and if the actual key length is different than this number, then the key is shortened or expanded (with zero bytes) to fit the selected key size.

This means that your mcrypt code uses Rijndael-128 (AES) with a 256 bit key, in CBC mode. The openssl equivalent is AES-256-CBC, and if we use this algorithm then mcrypt and openssl should produce compatible results.

function decrypt_mcrypt_with_openssl($value, $key) {
    $iv = substr($value, 0, 16);
    $ciphertext = substr($value, 16);
    $key = hash('sha256', $key, true);
    $plaintext = openssl_decrypt(
        $ciphertext, 'AES-256-CBC', $key, 
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, 
        $iv
    );
    return rtrim($plaintext, "\0");
}

SHA256 is not suitable as a key derivation function. If you're deriving your key from a password you can use hash_pbkdf2 with a random salt and a high enough number of iterations. Or you could create a cryptographically secure pseudo-random key with openssl_random_pseudo_bytes.

I think it's best to stop using mcrypt completely and use only openssl. Mcrypt doesn't support PKCS7 padding, it doesn't provide any authenticated encryption algorithms, and it is not being maintained anymore.

You are the best ever coder I've come across so far @t.m.adam. Yes, it worked out right. Wish I had you as my teacher. Thanks. — MITHU, Feb 22 '20 at 14:28

Failing to upgrade mcrypt to openssl decryption in PHP

1 Answers1