SitePoint Sponsor

User Tag List

Results 1 to 6 of 6
  1. #1
    SitePoint Evangelist mrwooster's Avatar
    Join Date
    Jan 2006
    Posts
    518
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    General question about ciphers... AES256 specifically

    Ok, this is not really a web based question but I am interested in implementing it in some of my server code so here goes...

    I have very limited knowledge about ciphers, but am aware of how AES works. What I was wondering was... how standardized are the implementations of ciphers (specifically AES).... for example, if I encrypt some data using aespipe or gpg (using --symmetric), will I be able to decrypt the data in PHP using the mcrypt library... or do different libraries use different implementations of the ciphers?

    I am aware that for programs that encrypt files or even entire disks, they create their own file formats and encode extra info into the files, but this is for simple 'data streams'...

    Thx

  2. #2
    secure webapps for all Aleksejs's Avatar
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    AES is very highly standartized, so there sould not be any problems. You have to bear in mind though, what kind of Block cipher operation mode is used (plainly encrypting each block is ECB mode). The thing that might differ from one implementation to other is how input is expected to be encoded and output is encoded for transmission (base64, hex, no-encoding at all etc)

  3. #3
    SitePoint Evangelist mrwooster's Avatar
    Join Date
    Jan 2006
    Posts
    518
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks Aleksejs, I think that I will mainly be using CBC mode... it seems a bit more secure, and the encoded data will be base64 encoded. Thanks for the help, am going to run some tests to see if I can get multiple scripts to encode / decode the same data.

    Thx

  4. #4
    secure webapps for all Aleksejs's Avatar
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I wonder how everything went. Especially, since you use CBC mode, how is IV transmitted?

  5. #5
    SitePoint Evangelist mrwooster's Avatar
    Join Date
    Jan 2006
    Posts
    518
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hey Aleksejs. From my tests this seems to be one of those things that works in theory but not in practice.

    I am having a lot of trouble getting different implementations to produce exactly identical results.... and CBC is a non starter.

    As far as EBC goes, it seems like most of the differences occur in the handling of keys. Different implementations handle the padding of keys in different ways and many apply different hashing functions to the keys too.

  6. #6
    secure webapps for all Aleksejs's Avatar
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes I totally agree - implementing it is really major PITA. CBC does not clearly specify, how other party gets the IV.
    Is it plainly prepended? Or is it ECB encrypted before prepending?
    Anyhow - here is my experiments with CBC (using just PHP mcrypt library). I tried to demonstrate stateless session cookies and for that needed to encrypt cookie value (functions checktoken and maketoken - comments in Latvian, sorry):
    http://paste.php.lv/7692?lang=php


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •