1

I'm encrypting the string "aaaaaaaaaaaaaaaa" (a 16 byte UTF8 string) using AES 128 CBC with a blank iv and key (16 0's) and getting different results

in PHP:

echo base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_128,pack("H*", "00000000000000000000000000000000"),"aaaaaaaaaaaaaaaa",MCRYPT_MODE_CBC,pack("H*", "00000000000000000000000000000000")))

returns "kmwP6gWv1l9ZMdKanGs/nA=="

in Node.js:

let cipher = require('crypto').createCipheriv('aes-128-cbc',Buffer.alloc(16),Buffer.alloc(16))
console.log(cipher.update('aaaaaaaaaaaaaaaa','utf8','base64') + cipher.final('base64'))

returns "kmwP6gWv1l9ZMdKanGs/nHeUidae8Z4dK0HU7p2z+1c="

the first bit (bolded) is identical to PHP, but the PHP value has an extra 'A=' and then Node value has a whole extra 'HeUidae8Z4dK0HU7p2z+1c'

I'll admit that I'm pretty shaky on what's going on here - what am I missing here?

edit ... but not so shaky that I don't understand that what I'm doing here isn't particularly secure. Don't worry about whether this is the 'right' way to do encryption - please focus on the fact that the results ought to line up.

edit2 - I can, however, get close using hex rather than base64 -

PHP: 926c0fea05afd65f5931d29a9c6b3f9c

Node: 926c0fea05afd65f5931d29a9c6b3f9c779489d69ef19e1d2b41d4ee9db3fb57

the second chunk of Node hex is returned by the .final method, and I don't understand what it's for.

Improve this question
2
  • I don't know if it's relevant but base64decode.org only works on the 2nd string if ASCII is selected. Commented Feb 11, 2017 at 8:10
  • 1
    It is best not to use mcrypt, it has been abandonware for nearly a decade now. It has therefore been deprecated and will be removed from the core and into PECL in PHP 7.2. It does not support standard PKCS#7 (née PKCS#5) padding, only non-standard null padding that can't even be used with binary data. mcrypt has many outstanding bugs dating back to 2003. Instead consider using defuse or RNCryptor, they provide a complete solution, are being maintained and is correct. Commented Feb 11, 2017 at 15:28

1 Answer 1

Reset to default
4

AES works on a block size of 16 bytes. You are encrypting the string "hello world", which is 11 bytes long in UTF8. Thus, padding is used to increase the length of your string to 16 bytes.

Node, and as it should, uses PKCS5 Padding to pad your plain-text to 16 bytes and then encrypts it.

mcrypt, as it shouldn't, uses zero bytes to pad your plain-text. mcrypt is deprecated and has been abandoned for a decade.

Because your two padding schemes are different, the plain-text is actually different before we even get to the point where we apply AES.

My advice: use the openssl_* functions in PHP instead. And don't use a static IV. Using a static IV makes your program vulnerable to some of the same vulnerabilities as ECB mode, which is not good!

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

CBC mode even with a static IV (a bad idea) does not suffer the same vunerabilities as ECB mode (a really bad idea). CBC mode will not exhibit the Penguin effect, scroll down to the Penguin.
You are correct, but a static IV can still lead to a plaintext recovery attack. Perhaps I should have chosen better words. Will edit.
"Because your two padding schemes are different, the plain-text is actually different before we even get to the point where we apply AES" - Alright cool, I think that makes sense.
So if I use "aaaaaaaaaaaaaaaa" instead of "hello world" - which is 16 byes, should be no padding necessary - but what I'm getting continues to confuse me. see my updated question.
@mattlohkamp With regards to your edit, the extra hex values are actually a full block of PKCS5 padding since you encrypted a whole block prior.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.