What is the difference between AES-128 and AES-512 using PHP's mcrypt?

I am confused about the difference between AES-128 and AES-512 using PHP’s mcrypt. Is the difference just the length of the key (32 and 64 characters), or is the difference the algorithm used, such as MCRYPT_RIJNDAEL_128? If it is the latter, what should the algo be for AES-512?

That’s the same (at least for PHP). MCRYPT_RIJNDAEL means it’s AES and 128 is the key length.

There is no AES-512 (at most there could be Rijndael-512, but that’s not supported by mcrypt):

The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.

It’s admittedly confusing, but when we talk about Rijndael-128 or Rijndael-256, we’re referring to the block size, but when we’re talking about AES-128 or AES-256, we’re referring to the key size.

AES is defined as Rijndael with a 128-bit block size (that is, Rijndael-128). So, for example:

  • AES-192 would be the same as Rijndael with a 128-bit block size (Rijndael-128) and a 192-bit key size.
  • AES-256 would be the same as Rijndael with a 128-bit block size (Rijndael-128) and a 256-bit key size.

First of all, there is no AES-512. AES is specified with key lengths 128, 192 and 256. Next, please pay attention not to mix Rijndael with AES! AES is based on Rijndael, but the latter also provides choices for the block length. This block length is changeable in PHP using the constants MCRYPT_RIJNDAEL_128

Post edited by TechnoBear to remove fake signature
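
The key-size versus block-size distinction discussed in the replies above, as an added example that is not code from any poster in this thread. It uses PHP's openssl extension with GCM mode instead of mcrypt (a choice made here, not the thread's); the function names aes_cipher_for_key, aes_encrypt and aes_decrypt are hypothetical and the keys are constructed random samples.

```php
<?php
// Added example, not from the thread. Needs the openssl extension (PHP >= 7.1 for GCM).

// Pick the AES variant from the raw key length. AES defines only 128-, 192-
// and 256-bit keys; the block size is 128 bits for all three.
function aes_cipher_for_key(string $key): string
{
    $bits = strlen($key) * 8;   // strlen() counts bytes, not hex characters
    if (!in_array($bits, [128, 192, 256], true)) {
        throw new InvalidArgumentException("AES has no {$bits}-bit key size");
    }
    return "aes-{$bits}-gcm";
}

function aes_encrypt(string $plaintext, string $key): string
{
    $cipher = aes_cipher_for_key($key);
    $iv = random_bytes(openssl_cipher_iv_length($cipher));  // 12 bytes for GCM
    $tag = '';
    $ct = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;    // IV, 16-byte authentication tag, ciphertext
}

function aes_decrypt(string $blob, string $key): string
{
    $cipher = aes_cipher_for_key($key);
    $ivLen = openssl_cipher_iv_length($cipher);
    $pt = openssl_decrypt(substr($blob, $ivLen + 16), $cipher, $key,
        OPENSSL_RAW_DATA, substr($blob, 0, $ivLen), substr($blob, $ivLen, 16));
    if ($pt === false) {
        throw new RuntimeException('decryption failed: wrong key or modified data');
    }
    return $pt;
}

// Constructed sample keys given as 32, 64 and 128 hex characters.
foreach ([32, 64, 128] as $hexChars) {
    $key = hex2bin(bin2hex(random_bytes(intdiv($hexChars, 2))));  // hex -> raw bytes
    try {
        $blob = aes_encrypt('secret', $key);
        printf("%3d hex chars: %s, round trip %s\n", $hexChars,
            aes_cipher_for_key($key), aes_decrypt($blob, $key) === 'secret' ? 'ok' : 'FAILED');
    } catch (InvalidArgumentException $e) {
        printf("%3d hex chars: rejected (%s)\n", $hexChars, $e->getMessage());
    }
}
```

A key written as 64 hex characters decodes to 32 bytes, which is an AES-256 key; a 64-byte key is rejected because AES has no 512-bit variant.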

The most important thing is the key. If the site gets hacked and they can see the key in config.php, neither mcrypt nor openssl is useful. So a formula should be applied to the key before using it, so hackers still need to log in to the admin area to use it, as that key is useless to decrypt outside the application. Can you suggest a good formula to be applied to the key before usage?

I was thinking of this, but please help with your suggestions:

$key = 'ksdfhdjsfhdfgsdgsdfg';
$salt = 'ashdkjsahkdh';
$new_key = pack('H*', hash_hmac("sha256", pack('H*', sha1($key)), $salt));

If a hacker can see your source code, then they can also see and run your formula.
