The https handshake is unbearably slow in a BlackBerry app, so I'm going to try to use their native encryption functions to send private data to my server via http. I can send a unique shared secret key to the device using a one-time https transfer so I think this scheme is relatively secure unless someone gets access to the device, but I'm not concerned about that.

I've found the encrypt() function in the following BlackBerry article: http://supportforums.blackberry.com/t5/Java-Development/Use-Basic-Encryption/ta-p/445092

I've been tinkering with it and it seems to produce encrypted output.

The question is, how do I decrypt this on the server side in PHP using mcrypt_decrypt()?

I'm by no means an encryption expert and all the options are making my head spin. Key size, block size, block cipher mode, IV, etc.

I read in the comments on "How to write AES/CBC/PKCS5Padding encryption and decryption with Initialization Vector Parameter for BlackBerry" that maybe I should use a CBCEncryptorEngine on the BlackBerry side. The encrypt() example doesn't specify a block cipher mode, so adding this seems to make sense since mcrypt_decrypt() seems to want one.

Then does the IV have to be sent along with the encrypted data? It seems to be required. Obviously I'm out of my element here.

I'm tinkering with this code in PHP:

mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $sSecretKey, $sEncrypted, MCRYPT_MODE_ECB);

But honestly I have no clue what constants to use and whether I need the IV. Naturally, it's giving me garbage out.

Can someone help me put these pieces together?

Nicholas
  • Well, I only gave that BlackBerry article a short look, but it looks like AES 256 bit in ECB mode (ECB = Electronic Code Book mode ... you don't want that ... have a look here -> http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29 ) with PKCS5 padding ... in ECB mode you don't need an IV (zero will do) ... in other modes, you can send the IV unencrypted to the other side (there is no need to keep the value secret ...) – DarkSquirrel42 Nov 20 '11 at 06:33
  • Thanks for taking a look! Yes, ECB definitely doesn't look good. But how can you tell the BlackBerry code is using ECB? The MCRYPT_MODE_ECB constant in my PHP code just came from an example I copied. – Nicholas Nov 20 '11 at 14:33
  • There is no IV, and ECB is the default mode of operation for AES/Rijndael – DarkSquirrel42 Nov 20 '11 at 15:34
  • OK, makes sense. So it looks like I randomly had the right constants chosen, but why doesn't my decryption work? – Nicholas Nov 20 '11 at 15:47
  • Oops, I spoke too soon. The code I was using didn't have MCRYPT_MODE_ECB selected but when I went back to using that constant it worked. So much for the trial and error method! :) Thanks for the feedback. – Nicholas Nov 20 '11 at 15:52

1 Answer

So that there's an official answer here, it turns out the PHP code I listed in the question actually works perfectly to decrypt the output from the encrypt() function in the BlackBerry knowledgebase article.

I'll look into adding CBC for more security but it might not be a requirement in my case since the data I'm sending is very variable.

Nicholas
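
To illustrate the ECB versus CBC point raised in the comments and the answer, here is an added example (not code from this thread or from the BlackBerry article) that uses PHP's openssl functions, since mcrypt was removed from PHP core in 7.2. The key, the plaintext and the function names are constructed for illustration, and PKCS5 padding is assumed as stated in the first comment.

```php
<?php
// Added example; key, plaintext and function names are constructed for illustration.

// AES key size follows the key length, as with MCRYPT_RIJNDAEL_128 in mcrypt.
function cipherName(string $key, string $mode): string {
    $bits = strlen($key) * 8;
    if (!in_array($bits, [128, 192, 256], true)) {
        throw new InvalidArgumentException('key must be 16, 24 or 32 bytes');
    }
    return "aes-$bits-$mode";
}

// Same cipher and mode as the question's mcrypt_decrypt() call. openssl also
// checks and strips the PKCS5 padding, which mcrypt_decrypt() leaves in place.
function decryptEcb(string $key, string $ct): string {
    $pt = openssl_decrypt($ct, cipherName($key, 'ecb'), $key, OPENSSL_RAW_DATA);
    if ($pt === false) throw new RuntimeException('ECB decryption failed');
    return $pt;
}

// CBC with a fresh random IV per message; the IV is not secret and is
// sent in the clear as the first 16 bytes.
function encryptCbc(string $key, string $pt): string {
    $iv = random_bytes(16);
    $ct = openssl_encrypt($pt, cipherName($key, 'cbc'), $key, OPENSSL_RAW_DATA, $iv);
    return $iv . $ct;
}

function decryptCbc(string $key, string $msg): string {
    if (strlen($msg) < 32 || strlen($msg) % 16 !== 0) {
        throw new InvalidArgumentException('message must be IV plus whole blocks');
    }
    $pt = openssl_decrypt(substr($msg, 16), cipherName($key, 'cbc'), $key,
                          OPENSSL_RAW_DATA, substr($msg, 0, 16));
    if ($pt === false) throw new RuntimeException('CBC decryption failed');
    return $pt;
}

$key = str_repeat("\x2a", 16);   // constructed 128-bit key, never use a fixed key
$pt  = str_repeat('A', 32);      // two identical 16-byte plaintext blocks
$ecb = openssl_encrypt($pt, cipherName($key, 'ecb'), $key, OPENSSL_RAW_DATA);
$cbc = encryptCbc($key, $pt);

// ECB maps equal plaintext blocks to equal ciphertext blocks; CBC does not.
echo 'ECB blocks repeat: ', var_export(substr($ecb, 0, 16) === substr($ecb, 16, 16), true), "\n";
echo 'CBC blocks repeat: ', var_export(substr($cbc, 16, 16) === substr($cbc, 32, 16), true), "\n";
echo 'round trips match: ', var_export(decryptEcb($key, $ecb) === $pt && decryptCbc($key, $cbc) === $pt, true), "\n";
```

Neither mode detects tampering with the ciphertext in transit, so a scheme sent over plain HTTP would also need a MAC over the IV and ciphertext.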