
symmetric AES encryption with php produces different result than openssl cmd


I need to make a simple very basic encryption with AES 128 ECB mode.

The idea is to generate a cryptogram, code it in base64 and then decipher that text from a web service in php to process its content. Later we will increase the robustness of the encryption with a 256 key and CBC mode.

The problem is that the encrypted text generated from the openssl tool (installed by default in Mac OS X) generates a completely different result than the one generated by the openssl_encrypt function in PHP 7.

echo -n 'Sergio Sánchez' | openssl12n enc -aes-128-ecb  -a

Result

U2FsdGVkX1+wrLjaCTSM9T3WMV1YcD9Cwzj0mKBoa7M=

No Salt

echo -n 'Sergio Sánchez' | openssl12n enc -aes-128-ecb -nosalt -a

Result

stpJKCaUQ/Q1GLzDvqaYRg==

PHP 7

echo base64_encode(openssl_encrypt('Sergio Sánchez', 'AES-128-ECB', 'password', OPENSSL_RAW_DATA));

Result

dum7MBJOzIi9jvMTvEYnug==

How can I generate a compatible cryptogram between both tools?


Solution

  • Here is an example of Command Line OpenSSL and web based encryption with the same encrypted example:

    Changing the test data and key in order to reduce length issues:
    key: 'testkey1testkey1' hex: 746573746b657931746573746b657931
    data: '54657374446174615465737444617461' hex: 746573746b657931746573746b657931

    Test OpenSSL encryption:
    echo -n 'TestDataTestData' | openssl enc -aes-128-ecb -a -K 746573746b657931746573746b657931
    Output: 'AdLbg3zhQ2/hei0QxAdvnVZaYCTUjgmjheMmWi8Js5A='
    hex: 01D2DB837CE1436FE17A2D10C4076F9D565A6024D48E09A385E3265A2F09B390
    The first 16 bytes are the encrypted data, the last 16 bytes are padding, see note.

    Test web based encryption (yes it is ECB mode):
    http://extranet.cryptomathic.com/aescalc?key=746573746b657931746573746b657931&iv=00000000000000000000000000000000&input=54657374446174615465737444617461&mode=ecb&action=Encrypt&output=
    output: 01D2DB837CE1436FE17A2D10C4076F9D

    Comparing the two outputs (dropping the padding):
    AESCalc : 01D2DB837CE1436FE17A2D10C4076F9D
    OpenSSL: 01D2DB837CE1436FE17A2D10C4076F9D

    From here you can make changes as necessary one by one.

    Helpful links:
    OpenSSL enc man page
    AES Calculator
    Base64 to hex decoder
    Text to Hex Converter
    PKCS#7 padding

    Note 1: PKCS#7 padding always adds padding, so when used with data that is a multiple of the block size a full block of padding is (must be) added. If padding were not added, even in this case, it would not be possible in all cases to determine that no padding was added.

    Note 2: AESCalc with padding explicitly added:
    http://extranet.cryptomathic.com/aescalc?key=746573746B657931746573746B657931&iv=00000000000000000000000000000000&input=5465737444617461546573744461746110101010101010101010101010101010&mode=ecb&action=Encrypt&output=01D2DB837CE1436FE17A2D10C4076F9D
    Output: 01D2DB837CE1436FE17A2D10C4076F9D565A6024D48E09A385E3265A2F09B390
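The PHP side of the same comparison, as an added example that is not part of the answer above: it builds the hex key to pass to `openssl enc -K` the way `openssl_encrypt` treats a raw key string, then encrypts and decrypts the answer's test vector. It assumes PHP 7 or later with the openssl extension; the helper names `cliKeyHex`, `encryptLikeCli` and `decryptFromCli` are hypothetical.

```php
<?php
// Added example, not from the original post. Helper names are hypothetical.

const CIPHER = 'AES-128-ECB';   // ECB takes no IV, so none is passed
const KEY_BYTES = 16;

// Hex key for `openssl enc -K`. openssl_encrypt() silently NUL-pads a short
// key and truncates a long one, so the CLI key must be built the same way.
function cliKeyHex(string $key): string
{
    return bin2hex(str_pad(substr($key, 0, KEY_BYTES), KEY_BYTES, "\0"));
}

// Same bytes as: echo -n "$plain" | openssl enc -aes-128-ecb -a -K <hex>
function encryptLikeCli(string $plain, string $key): string
{
    $raw = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA);
    if ($raw === false) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return base64_encode($raw);
}

// Decrypts base64 text produced by the CLI command above.
function decryptFromCli(string $b64, string $key): string
{
    // `openssl enc -a` wraps long output and ends it with a newline.
    $raw = base64_decode(preg_replace('/\s+/', '', $b64), true);
    if ($raw === false || strlen($raw) === 0 || strlen($raw) % 16 !== 0) {
        throw new InvalidArgumentException('not base64 of whole AES blocks');
    }
    $plain = openssl_decrypt($raw, CIPHER, $key, OPENSSL_RAW_DATA);
    if ($plain === false) {
        throw new RuntimeException('decrypt failed (wrong key or bad padding)');
    }
    return $plain;   // PKCS#7 padding has already been removed
}

// Test vector from the answer above.
$key = 'testkey1testkey1';
$b64 = encryptLikeCli('TestDataTestData', $key);
echo cliKeyHex($key), PHP_EOL;
echo $b64, PHP_EOL;
// Two 16-byte blocks: the encrypted data, then the encrypted padding block.
echo implode(' ', str_split(bin2hex(base64_decode($b64)), 32)), PHP_EOL;
echo decryptFromCli($b64, $key), PHP_EOL;

// The question's key is only 8 bytes; this is the hex to give -K for it.
echo cliKeyHex('password'), PHP_EOL;
```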