Search code examples
phpmcryptrijndael

Figuring out the exact key created by PHP's mcrypt


A PHP application I'm maintaining uses Rijndael_256 with EBC_MODE encryption with mcrypt. Fun has it that the key isn't 256 bits long, but only 160. According to the mcrypt_encrypt documentation the key is padded with \0 to get the required size if it's too small.

The key with which the data will be encrypted. If it's smaller than the required keysize, it is padded with '\0'. It is better not to use ASCII strings for keys.

This seem to happen at around the start of line 1186 in mcrypt.c and modifying the key at line 1213.

So lets say we've got $key = 'abcdefghijkm'; which is too short, but PHP's implementation of mcrypt makes sure it's extended to 32 characters (or 256 bit) when using RIJNDAEL_256. What will the final key look like?

I'm asking this because another application is being built that uses the same encrypted data, but is in another language. Perl to be exact and I'm using Crypto::Rijndael. For the given example key, what is the exact key I would have to feed to Crypto::Rijndael (or any other for that matter) to be able to decrypt the data again?

Update

With Perl I can generate a key that's \0 padded doing pack('a32', 'my secret key'); (or Z32), length() will report 32 and the Crypt::Rijndael module accepts the key. Looking at the source of PHP's mcrypt this should be the key that's being generated (\0 padded), but it simply won't take it.

In theory in PHP pack('a32', 'my secret key'); should result in the same \0 padded key that PHP's mcrypt generates, but this isn't the case.

I'm very close to just encrypt everything again but with a new key. This is taking too much time.


Solution

  • The issue isn't the key's padding, it's that you're using two different block sizes. In PHP, using MCRYPT_RIJNDAEL_256 uses a block size of... 256 bits. However, in perl using Crypt::Rijndael, they note:

    blocksize
    The blocksize for Rijndael is 16 bytes (128 bits), although the algorithm actually supports any blocksize that is any multiple of our bytes. 128 bits, is however, the AES-specified block size, so this is all we support.

    So there's no key that will allow for conversion between those different algorithms. You can either switch to 128 bits in PHP:

    <?
    $key = "abcdefghijklmnopqrstuvwxyz";
    $data = "Meet me at 11 o'clock behind the monument.";
    $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_ECB, nil);
    echo bin2hex($crypttext) . "\n";
    // prints c613d1804f52f535cb4740242270b1bcbf85151ce4c874848fd1fc2add06e0cc2d26b6403feef4a8df18f7dd7f8ac67d
    ?>
    

    Which Perl can decrypt without a problem using Crypt::Rijndael:

    use Crypt::Rijndael;
    $key = "abcdefghijklmnopqrstuvwxyz\0\0\0\0\0\0";
    $crypttext = "c613d1804f52f535cb4740242270b1bcbf85151ce4c874848fd1fc2add06e0cc2d26b6403feef4a8df18f7dd7f8ac67d";
    $cipher = Crypt::Rijndael->new($key, Crypt::Rijndael::MODE_ECB());
    print $cipher->decrypt(pack('H*', $crypttext));
    # prints "Meet me at 11 o'clock behind the monument."
    

    Or you can switch to a different Perl module that supports more block sizes, e.g., Crypt::Rijndael_PP:

    # Same PHP code except using MCRYPT_RIJNDAEL_256
    # prints f38469ec9deaadbbf49bb25fd7fc8b76462ebfbcf149a667306c8d1c033232322ee5b83fa87d49e4e927437647dbf7193e6d734242d583157b492347a2b1514c
    

    Perl:

    use Crypt::Rijndael_PP ':all';
    $key = "abcdefghijklmnopqrstuvwxyz\0\0\0\0\0\0";
    $crypttext = "f38469ec9deaadbbf49bb25fd7fc8b76462ebfbcf149a667306c8d1c033232322ee5b83fa87d49e4e927437647dbf7193e6d734242d583157b492347a2b1514c";
    print rijndael_decrypt(unpack('H*', $key), MODE_ECB, pack('H*', $crypttext), 256, 256);
    # prints "Meet me at 11 o'clock behind the monument."