Tags: delphi, cryptography, aes, lockbox-3

Lockbox3 EncryptString: same string gives different encrypted result


I try lockbox3 with Delphi XE10. I want to encrypt a user's input string and compare it with a value for verification. But every time, the same input string gives a different encrypted result. What is my fault, please?

Here is the sample code that gives this error:

<UNIT CODE START>
unit Unit21;

interface

uses
  Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
  Vcl.Controls, Vcl.Forms, Vcl.Dialogs, TPLB3.Codec, TPLB3.BaseNonVisualComponent, TPLB3.CryptographicLibrary,
  Vcl.StdCtrls;

type
  TForm21 = class(TForm)
    Button1: TButton;
    CryptographicLibrary1: TCryptographicLibrary;
    Codec1: TCodec;
    Label1: TLabel;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form21: TForm21;

implementation

{$R *.dfm}

procedure TForm21.Button1Click(Sender: TObject);
var s0,s1 : string;
begin
    codec1.Password := 'ou[asdl[kn';   // key material is derived from this password
    s0 := 'asdfghjkl';                 // fixed plain text
    codec1.EncryptString(s0,s1);       // s1 receives the encrypted result
    label1.caption := s1;              // differs on every click
end;

end.
<UNIT CODE END>

<FORM CODE START>

object Form21: TForm21
  Left = 0
  Top = 0
  Caption = 'Form21'
  ClientHeight = 299
  ClientWidth = 635
  Color = clBtnFace
  Font.Charset = DEFAULT_CHARSET
  Font.Color = clWindowText
  Font.Height = -11
  Font.Name = 'Tahoma'
  Font.Style = []
  OldCreateOrder = False
  PixelsPerInch = 96
  TextHeight = 13
  object Label1: TLabel
    Left = 168
    Top = 72
    Width = 31
    Height = 13
    Caption = 'Label1'
  end
  object Button1: TButton
    Left = 32
    Top = 72
    Width = 75
    Height = 25
    Caption = 'Button1'
    TabOrder = 0
    OnClick = Button1Click
  end
  object CryptographicLibrary1: TCryptographicLibrary
    Left = 192
    Top = 136
  end
  object Codec1: TCodec
    AsymetricKeySizeInBits = 512
    AdvancedOptions2 = []
    CryptoLibrary = CryptographicLibrary1
    Left = 200
    Top = 192
    StreamCipherId = 'native.StreamToBlock'
    BlockCipherId = 'native.AES-256'
    ChainId = 'native.CBC'
  end
end
<FORM CODE END>

Solution

  • At first glance, the problem seems to be that you are using the CBC (Cipher Block Chaining) mode of AES.

    It's actually not a problem, but the way CBC mode has been designed to work.

    Check out this Wikipedia article for more details on Block cipher mode of operation:

    In cryptography, a mode of operation is an algorithm that uses a block cipher to provide an information service such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation (encryption or decryption) of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

    ...

    In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.


    If you want to always receive the same cipher text for some plain text, you can switch to the basic ECB (Electronic Codebook) mode instead (e.g. change ChainId = 'native.CBC' to ChainId = 'native.ECB').

    But this is not recommended, as it makes your cipher text vulnerable to some attacks. A symmetric cipher should not be used to encrypt the same plain text with the same key more than once.

    That is why chaining modes of operation were introduced. They are used to "generate" a sequence of derived keys (based on the key you provided - which in your case is itself based on the password) that are used instead of the base key.

    Make sure to also read this question:


    If you are designing a real-world system (that will be used by other people than yourself), and you need to provide security to any part of it, invest some time in learning more about cryptography.

    A good start is to take a similar course on cryptography: Cryptography I (free)
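The mode-of-operation behaviour this answer describes, as an added Python example (not LockBox3 code and not the answer's own): a constructed 4-round Feistel toy block cipher stands in for AES-256 and a plain SHA-256 hash stands in for LockBox3's password-to-key derivation; both are assumptions made only so the script runs offline. It shows that ECB returns identical cipher text for identical input, that CBC with a fresh random IV returns different cipher text each time yet decrypts to the same plain text, the repeated-block leak that makes ECB "not recommended", and a verification check for the questioner's use case that decrypts the stored value instead of comparing cipher texts.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 16-byte blocks, the same block size as AES


def derive_key(password: str) -> bytes:
    # Assumption: a toy stand-in for LockBox3's password-to-key step, not its real scheme
    return hashlib.sha256(password.encode("utf-8")).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of the round index and one 8-byte half
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Constructed 4-round Feistel block cipher; it stands in for AES-256 and is NOT AES
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7 padding
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: every block is encrypted on its own, so the output is fully deterministic
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(pad(plaintext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv=None) -> bytes:
    # CBC: each plain-text block is XORed with the previous cipher-text block (the IV for
    # the first one). A fresh random IV is why the same input encrypts differently.
    prev = os.urandom(BLOCK) if iv is None else iv
    out = [prev]  # the IV travels with the cipher text as its first block
    for b in _blocks(pad(plaintext)):
        prev = toy_block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = _blocks(ciphertext)
    prev, out = blocks[0], []
    for c in blocks[1:]:
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def has_repeated_blocks(ciphertext: bytes) -> bool:
    # True if two cipher-text blocks are identical: the pattern leak ECB is known for
    blocks = _blocks(ciphertext)
    return len(set(blocks)) < len(blocks)


def verify_input(key: bytes, stored_cbc: bytes, user_input: bytes) -> bool:
    # Compare plain texts after decrypting the stored value, never CBC cipher texts
    return hmac.compare_digest(cbc_decrypt(key, stored_cbc), user_input)


def demo(password: str = "ou[asdl[kn", plaintext: bytes = b"asdfghjkl") -> dict:
    key = derive_key(password)
    c1, c2 = cbc_encrypt(key, plaintext), cbc_encrypt(key, plaintext)
    repeated = b"A" * 32  # constructed input with two identical plain-text blocks
    return {
        "ecb_deterministic": ecb_encrypt(key, plaintext) == ecb_encrypt(key, plaintext),
        "cbc_deterministic": c1 == c2,
        "cbc_round_trips": cbc_decrypt(key, c1) == plaintext == cbc_decrypt(key, c2),
        "ecb_leaks_repeats": has_repeated_blocks(ecb_encrypt(key, repeated)),
        "cbc_leaks_repeats": has_repeated_blocks(cbc_encrypt(key, repeated)),
        "verify_ok": verify_input(key, c1, plaintext),
        "verify_wrong": verify_input(key, c1, b"wrong"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints the seven checks; the two `cbc_*` results differ from the `ecb_*` ones precisely because of the IV, which is the behaviour the questioner observed in the label. For the verification use case, `verify_input` is the shape to aim for: keep CBC, decrypt the stored value, and compare the plain texts with a constant-time comparison.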