Encrypt text in PHP and decrypt in Python

Question

I am using following code snippet to encrypt a text in PHP7:

$plaintext = "message to be encrypted";
$cipher = "aes-256-cbc";
$ivlen = openssl_cipher_iv_length($cipher);
$iv = "0123456789012345";
$key = "akshayakshayaksh";
$ciphertext = openssl_encrypt($plaintext, $cipher, $key, $options=0, $iv);
print $ciphertext;

Output: cUXDhOEGz19QEo9XDvMzXkGFmg/YQUnXEqKVpfYtUGo=

Now, when I try to decrypt this in Python3 it gives error:

from Crypto.Cipher import AES
obj2 = AES.new('akshayakshayaksh', AES.MODE_CBC, '0123456789012345')
ciphertext = "cUXDhOEGz19QEo9XDvMzXkGFmg/YQUnXEqKVpfYtUGo="
obj2.decrypt(ciphertext)

Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/anaconda3/lib/python3.6/site-packages/Crypto/Cipher/blockalgo.py", line 295, in decrypt return self._cipher.decrypt(ciphertext) ValueError: Input strings must be a multiple of 16 in length

I get that AES is a block cipher algorithm. However, how should I fix my PHP code so that it generates "padded" cipher, any clues?

Did you convert [base64](https://stackoverflow.com/questions/3538021/why-do-we-use-base64) before transferring? — kelalaka, Jan 14 '19 at 06:52
Currently I do not "transfer" this cipher text per say. I can just copy paste it for decryption. So I don't think Base64 is necessary right now. Please correct if I am wrong! — Akshay Lokur, Jan 14 '19 at 08:11
It seems, the ciphertext already base64 due to `=`. Then decode it by `b64decode`. Cipher wants the bytes. — kelalaka, Jan 14 '19 at 08:16
Now I understand you! But when tried like this: obj2.decrypt(b64decode(ciphertext)), getting output: b'\xaa\x7f\xa0\xd5\x07\xf3\xcf1X\x15\xd6\x1e\x16\xdd\x0eC\xebk\xf3\xa3eP]T\xd0Y\xc2\xc5\xae\x8b\xd7\xd9' . And I can't convert this hex string to plain ASCII/English! — Akshay Lokur, Jan 14 '19 at 08:44
\xaa means `a` https://stackoverflow.com/questions/2672326/what-does-a-leading-x-mean-in-a-python-string-xaa , but there is problem in decode, I think — kelalaka, Jan 14 '19 at 08:59

t.m.adam · Accepted Answer · 2019-01-14T15:13:11.853

7

The main issue here is that you're using different key-size. PHP's openssl_encrypt determines the key size from the encryption algorithm string ("aes-256-cbc" in this case) so it expects a 256 bit key. If the key is shorter it is padded with zero bytes, so the actual key used by openssl_encrypt is:

"akshayakshayaksh\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"

Pycryptodome determines the key size from the actual size of the key, so your Python code uses AES-128-CBC. Also, as mentioned in the coments by kelalaka, the ciphertext is base64 encoded (openssl_encrypt base64-encodes the ciphertext by default - we can get raw bytes if we use OPENSSL_RAW_DATA in $options). Pycryptodome doesn't decode the ciphertext, so we must use b64decode().

key = b'akshayakshayaksh\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0'
obj2 = AES.new(key, AES.MODE_CBC, b'0123456789012345')
ciphertext = b"cUXDhOEGz19QEo9XDvMzXkGFmg/YQUnXEqKVpfYtUGo="
print(obj2.decrypt(b64decode(ciphertext)))
#b'message to be encrypted\t\t\t\t\t\t\t\t\t'

The extra \t characters at the end is the padding - CBC requires padding. Pycryptodome doesn't remove padding automatically but it provides padding functions in Crypto.Util.Padding.

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from base64 import b64decode

key = b'akshayakshayaksh\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0'
obj2 = AES.new(key, AES.MODE_CBC, b'0123456789012345')
ciphertext = b"cUXDhOEGz19QEo9XDvMzXkGFmg/YQUnXEqKVpfYtUGo="
plaintext = obj2.decrypt(b64decode(ciphertext))
plaintext = unpad(plaintext, AES.block_size)

Although PHP's openssl accepts arbitrary sized keys, it's best to use key size specified in the algorithm string, to prevent confusion at the very least. Also the key bytes should be as random as possible.

As noted by Maarten Bodewes in the comments this key uses a limited range of bytes and so it's very weak. Furthermore it is created by repeating a word and that makes it vulnerable to dictionary attacks (which are much faster than bruteforce attacks).

In PHP we can get cryptographically secure random bytes with random_bytes(),

$key = random_bytes(32);

and in Python with os.urandom()

key = os.urandom(32)

(You can use the same functions to create the IV; you shouldn't use a static IV, the IV must be unpredictable)

You could also derive a key from your password with a KDF. In this case it is important to use a random salt and a high enough number of iterations. PHP provies a PBKDF2 algorithm with the hash_pbkdf2 function, and Python with hashlib.pbkdf2_hmac.

edited Jan 14 '19 at 15:13

answered Jan 14 '19 at 09:51

t.m.adam

15,106
3
32
52

Thanks. Is there a way in python I can get zero padded 256 bit key from my original one? – Akshay Lokur Jan 14 '19 at 09:54
Yes there is (`key += b'\0' * (32 - len(key))` for example), but I don't think it's a good idea to pad the key. Instead use a 32 byte key both in Python and PHP. – t.m.adam Jan 14 '19 at 10:04
2

Wow great answer! – eddiewould Jan 14 '19 at 11:34
1

Of course, keys should never be strings. If you use just lowercase characters then you get a comparable strength of `log_2(26^len("akshayakshayaksh"))` or [75 bits](https://www.wolframalpha.com/input/?i=log_2(26%5Elen(%22akshayakshayaksh%22))). And that's just when the letters are chosen fully randomly - which they probably aren't. – Maarten Bodewes Jan 14 '19 at 13:13
@MaartenBodewes This is definitely a weak key. It seems that it's formed by the word "akshay" (probably indian name, from a quick google search) repeated to match the key size (or half the key size). If so it should be vulnerable to a rule-based dictionary attack. I too advised the OP to create strong keys, but maybe I could have placed more emphasis on this subject. – t.m.adam Jan 14 '19 at 14:38
Well, you did specify secure random bytes; I wasn't expecting you to write a full book on key management :) Possibly I should have put that below the question. – Maarten Bodewes Jan 14 '19 at 15:07
@MaartenBodewes Either way I updated my answer to mention your comment. Key-strength is very important. It should be quite helpful to the OP and any other readers. – t.m.adam Jan 14 '19 at 15:16
@t.m.adam great writeup! You must have guessed I am very novice in this stuff and still have further query:- If one is not supposed to share randomly generated key and randomly generated IV, how can recipient decrypt the cipher, as the decryption APIs need to use same key and IV as that was used for encryption? – Akshay Lokur Jan 15 '19 at 02:53
The IV (and salt, if the key is created with a KDF) is not secret. A common practice is to prepend this value(s) to the ciplertext. However, key storage or transmission is not that easy. Usually asymmetric cryptography is used to transfer a symmetric key between two parties. HTTPS and SSH are two examples of secure communication channels. Of course, the design of such protocols is complex and delicate and should be performed only by cryptography/security experts. – t.m.adam Jan 15 '19 at 06:12
1

@t.m.adam: "probably indian name, from a quick google search" --> It's the name of the PO. ;-) Btw, thanks all three of you for both the question and the elaborate answer(s). – Ideogram May 17 '21 at 07:59

score 1 · Answer 2 · answered Jun 09 '21 at 13:36

I was struggling with this today when a friend pointed me to the Fernet library. It has a python and php version and makes this really easy and robust.

PHP version: https://github.com/kelvinmo/fernet-php

<?php
require 'vendor/autoload.php';

use Fernet\Fernet;

$key = '[Base64url encoded fernet key]';
$fernet = new Fernet($key);

$token = $fernet->encode('string message');

$message = $fernet->decode('fernet token');
if ($message === null) {
    echo 'Token is not valid';
}

?>

Python: https://pypi.org/project/cryptography/

from cryptography.fernet import Fernet
# Put this somewhere safe!
key = Fernet.generate_key()
f = Fernet(key)
token = f.encrypt(b"A really secret message. Not for prying eyes.")
f.decrypt(token)
print(token)

Encrypt text in PHP and decrypt in Python

2 Answers2