
I am trying to implement this Java encryption algorithm in PHP, but I do not have any experience in PHP. I have this DESede/ECB/PKCS5Padding encryption utility code in Java:

```java
import org.apache.commons.codec.binary.Base64;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class DESUtil {
    private static final String KEY_ALGORITHM = "DESede";
    private static final String DEFAULT_CIPHER_ALGORITHM = "DESede/ECB/PKCS5Padding";

    public static String encrypt(String content, final String key) {
        try {
            Cipher cipher = Cipher.getInstance(DEFAULT_CIPHER_ALGORITHM);
            byte[] byteContent = content.getBytes(StandardCharsets.UTF_8.name());
            cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(key));
            byte[] result = cipher.doFinal(byteContent);
            return Base64.encodeBase64String(result);
        } catch (Exception ex) {
            System.out.println("error:" + ex.getMessage());
        }
        return null;
    }

    public static String decrypt(String content, final String key) {
        try {
            Cipher cipher = Cipher.getInstance(DEFAULT_CIPHER_ALGORITHM);
            cipher.init(Cipher.DECRYPT_MODE, getSecretKey(key));
            byte[] result = cipher.doFinal(Base64.decodeBase64(content));
            return new String(result, StandardCharsets.UTF_8.name());
        } catch (Exception ex) {
            System.out.println("error:" + ex.getMessage());
        }
        return null;
    }

    public static SecretKeySpec getSecretKey(final String key) {
        KeyGenerator kg = null;
        try {
            byte[] bytes = key.getBytes(StandardCharsets.UTF_8.name());
            kg = KeyGenerator.getInstance(KEY_ALGORITHM);
            SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
            secureRandom.setSeed(bytes);
            kg.init(secureRandom);
            SecretKey secretKey = kg.generateKey();
            return new SecretKeySpec(secretKey.getEncoded(), KEY_ALGORITHM);
        } catch (Exception ex) {
            System.out.println("error:" + ex.getMessage());
        }
        return null;
    }
}
```

Running a test, I got this:

```java
System.out.println("Result:"  + DESUtil.encrypt("abc", "123456"));
// Result:9huQhFxzOmA=
```

But when I use openssl, the result is different:

```php
<?php

$key = "123456";
$data = "abc";
$out = openssl_encrypt($data, 'DES-EDE3', $key, OPENSSL_RAW_DATA);
echo base64_encode($out);
// VxvdZgL08kU=
```

2021-03-29 15:00 update. How do I implement DESede + SHA1PRNG in PHP? I tried the answer (AES + SHA1PRNG) from this post (Java Aes class convert to php), but the result is different:

```php
<?php

$key = "123456";
$data = "abc";
$key = substr(openssl_digest(openssl_digest($password, 'sha1', true), 'sha1', true), 0, 16);
$out = openssl_encrypt($data, 'DES-EDE3', $key, OPENSSL_RAW_DATA);
echo base64_encode($out);
// rsXHh1tIzSs=
```

2021-03-29 18:25 update. Tried again:

```php
<?php
// this is the key for 123456, generated by Java's kg.generateKey() and base64-encoded.
$key = "a7WDf7ZDKRBe5VeM2nzHf9PLKtkfZC9G";
$data = "abc";
$key = base64_decode($key);
$out = openssl_encrypt($data, 'DES-EDE3', $key, OPENSSL_RAW_DATA);
echo base64_encode($out);
// 9huQhFxzOmA=
// this result is correct, but how do I implement DESede + SHA1PRNG in PHP?
```

What is the right algorithm? How to implement this?

Kate
  • 1
    The issue is in your "getSecretKey" method - you did not implement it in PHP. A quick search gave me https://stackoverflow.com/questions/31623866/java-aes-class-convert-to-php with two helpful answers/comments. – Michael Fehr Mar 29 '21 at 07:14
  • @MichaelFehr Thank you for your response. I tried that post's answer, but the result is different. I added the result to the post. Can you help me? – Kate Mar 29 '21 at 07:40
  • 1
    Porting to PHP is probably not possible. This is because in `getSecretKey()` `SHA1PRNG` is used as a key derivation function (KDF), using the password as seed. Since the implementation of `SHA1PRNG` is not uniform, it may vary from implementation to implementation, e.g. between different platforms, languages, libraries or versions. So you would need to analyze the implementation of the Java version you are using and port it to PHP. Instead, prefer to use a standardized KDF, e.g. PBKDF2, see [here](https://stackoverflow.com/a/24125677). – Topaco Mar 29 '21 at 09:54
  • Be sure to understand the security implications of using a "broken" cypher. – greybeard Mar 29 '21 at 12:02

0 Answers
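
Added example (not part of the original question or comments): a PHP port of what `getSecretKey()` does, so the key derived from the password can be compared with the one the Java side produces. It assumes the Java code runs on OpenJDK with the SUN provider's `SHA1PRNG` and the SunJCE `DESede` key generator at its default 168-bit size; `sha1prng_bytes` and `des_odd_parity` are hypothetical helper names, and other `SHA1PRNG` implementations can return different bytes.

```php
<?php
// Added example: PHP port of DESUtil.getSecretKey(). Assumes the SHA1PRNG of
// OpenJDK's "SUN" provider and the SunJCE DESede KeyGenerator (168-bit default).

// Bytes SHA1PRNG returns when setSeed($seed) is called before the first read.
function sha1prng_bytes(string $seed, int $length): string
{
    $state = sha1($seed, true);                 // state(0) = SHA1(seed)
    $out = '';
    while (strlen($out) < $length) {
        $block = sha1($state, true);            // output(n) = SHA1(state(n))
        $out .= $block;
        // state(n+1) = state(n) + output(n) + 1, added byte by byte from
        // index 0 on Java's signed bytes, so the carry can be negative.
        $s = array_values(unpack('c20', $state));
        $o = array_values(unpack('c20', $block));
        $carry = 1;
        $changed = false;
        for ($i = 0; $i < 20; $i++) {
            $v = $s[$i] + $o[$i] + $carry;
            $t = $v & 0xFF;
            $changed = $changed || (($s[$i] & 0xFF) !== $t);
            $s[$i] = $t;
            $carry = $v >> 8;                   // arithmetic shift, as in Java
        }
        if (!$changed) {
            $s[0] = ($s[0] + 1) & 0xFF;         // Java forces at least one change
        }
        $state = pack('C20', ...$s);
    }
    return substr($out, 0, $length);
}

// The DESede key generator sets the low bit of every key byte to odd parity.
function des_odd_parity(string $key): string
{
    $fixed = '';
    foreach (unpack('C*', $key) as $b) {
        $b &= 0xFE;
        $fixed .= chr($b | ((substr_count(decbin($b), '1') & 1) ^ 1));
    }
    return $fixed;
}

$key = des_odd_parity(sha1prng_bytes('123456', 24));
echo base64_encode($key), PHP_EOL;   // compare with the key Java's generateKey() produced
$out = openssl_encrypt('abc', 'DES-EDE3', $key, OPENSSL_RAW_DATA);
echo base64_encode($out), PHP_EOL;   // compare with DESUtil.encrypt("abc", "123456")
```

The first line printed should equal the Base64 key exported from Java in the 18:25 update; if it does not, the Java runtime uses a different `SHA1PRNG` and this port does not apply.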