TripleDES Encryption between PHP vs C#/.NET - c#

I have legacy server uses TripleDES encryption in .NET/C#.
Need to decrypt text by using PHP.
I wrote PHP code but it's not able to decrypt message generated form C#.
C# Code
using System;
using System.Data;
using System.IO;
using System.Security.Cryptography;
using System.Text;
namespace testns
{
class Program
{
static void Main(string[] args)
{
string key = "123456789012345678901234";
string iv = "12345678";
string text = "this is just test string";
string e = Program.EncryptTripleDES(text, key, iv);
Console.WriteLine(e);
string d = Program.DecryptTripleDES(e, key, iv);
Console.WriteLine(d);
// Return
// QDIRAeQ/O1hhjN4XqgcETG7IChnybCqZ
// this is just test string
}
private static string EncryptTripleDES(string neqs, string nafKeyCode, string nafIvCode)
{
byte[] rgbKey = Encoding.UTF8.GetBytes(nafKeyCode);
byte[] rgbIV = Encoding.UTF8.GetBytes(nafIvCode);
string sEncrypted = string.Empty;
if (!String.IsNullOrEmpty(neqs))
{
TripleDESCryptoServiceProvider cryptoProvider = new TripleDESCryptoServiceProvider();
cryptoProvider.Mode = CipherMode.CBC;
cryptoProvider.Padding = PaddingMode.None;
byte[] buffer = Encoding.UTF8.GetBytes(neqs);
MemoryStream ms = new MemoryStream();
CryptoStream cs = new CryptoStream(ms, cryptoProvider.CreateEncryptor(rgbKey, rgbIV), CryptoStreamMode.Write);
cs.Write(buffer, 0, buffer.Length);
cs.FlushFinalBlock();
sEncrypted = Convert.ToBase64String(ms.ToArray());
}
return sEncrypted;
}
private static string DecryptTripleDES(string neqs, string nafKeyCode, string nafIvCode)
{
byte[] rgbKey = Encoding.UTF8.GetBytes(nafKeyCode);
byte[] rgbIV = Encoding.UTF8.GetBytes(nafIvCode);
string decryptedText = string.Empty;
if (!String.IsNullOrEmpty(neqs))
{
TripleDESCryptoServiceProvider cryptoProvider = new TripleDESCryptoServiceProvider();
cryptoProvider.Mode = CipherMode.CBC;
cryptoProvider.Padding = PaddingMode.None;
byte[] buffer = Convert.FromBase64String(neqs);
MemoryStream ms = new MemoryStream(buffer);
CryptoStream cs = new CryptoStream(ms, cryptoProvider.CreateDecryptor(rgbKey, rgbIV), CryptoStreamMode.Read);
StreamReader sr = new StreamReader(cs);
decryptedText = sr.ReadToEnd();
//(new Logs()).LogException(decryptedText);
}
return decryptedText;
}
}
}
PHP Code
$key = '123456789012345678901234';
$iv = '12345678';
$text = 'this is just test string';
$e = openssl_encrypt($text, 'des-ede3-cbc', $key, 0, $iv);
echo $e . "<br /><br />";
$d = openssl_decrypt($e, 'des-ede3-cbc', $key, 0, $iv);
echo $d . "<br /><br />";
// Return
// QDIRAeQ/O1hhjN4XqgcETG7IChnybCqZqN3DpVbYFwk=
// this is just test string
Got from PHP
QDIRAeQ/O1hhjN4XqgcETG7IChnybCqZqN3DpVbYFwk=
Got from C#
QDIRAeQ/O1hhjN4XqgcETG7IChnybCqZ
As you an see it's almost the same for PHP has extra qN3DpVbYFwk= characters.
What I am doing wrong? It is something to do with padding?
Thanks


It looks like the problem is that you have turned padding off (PaddingMode.None) in your C# code and Padding is turned on (by default) in your PHP code.
The OpenSSL library methods openssl_encrypt and openssl_decrypt have padding turned on by default when you pass 0 as the options parameter. The default padding is PKCS#7.
So to solve your issue you will either need to add PaddingMode.PKCS7 to your C# code (which I personally recommend):
cryptoProvider.Padding = PaddingMode.PKCS7;
Or you turn off the padding in PHP using OPENSSL_ZERO_PADDING. Remember that in PHP you will need to add the flag OPENSSL_ZERO_PADDING to both openssl_encrypt and openssl_decrypt.
example:
$e = openssl_encrypt($text, 'des-ede3-cbc', $key, OPENSSL_ZERO_PADDING, $iv);
Important
Remember the padding options must be set on both encrypt and decrypt modes.

Related

AES encryption/decryption between php and c#

I'm trying to make encryption and decryption between php and c# using AES-128-ECB
I found a way to encrypt in php and decrypt in c#.
the problem now i'm trying to do the opposite I'm facing problem trying to understand how c# working with Cryptography
the code I used I found it on this question
PHP and C# AES256 encryption -> decryption
I'm using the same code it's easy to do it on php for decryption but my problem with c#
I found this docs cryptography using rijadealManaged I coudn't understand it
c# code :
public String Decryptions(String text, String key)
{
//decode cipher text from base64
byte[] cipher = Convert.FromBase64String(text);
//get key bytes
byte[] btkey = Encoding.ASCII.GetBytes(key);
//init AES 128
RijndaelManaged aes128 = new RijndaelManaged();
aes128.Mode = CipherMode.ECB;
aes128.Padding = PaddingMode.PKCS7;
//decrypt
ICryptoTransform decryptor = aes128.CreateDecryptor(btkey, null);
MemoryStream ms = new MemoryStream(cipher);
CryptoStream cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read);
byte[] plain = new byte[cipher.Length];
int decryptcount = cs.Read(plain, 0, plain.Length);
ms.Close();
cs.Close();
//return plaintext in String
return Encoding.UTF8.GetString(plain, 0, decryptcount);
}
php code :
function encryption($json) {
$encrypted= '';
$plaintext = $json;
$cipher = 'AES-128-ECB';
$key = '1234567891123456';
$encrypted = openssl_encrypt($plaintext, $cipher, $key, 0);
return $encrypted;
echo $encrypted;
}
UPDATE :
tried this code from answers :
public string Encryption(string text,string key,string privatekey)
{
byte[] inputtextbyteArray = System.Text.Encoding.UTF8.GetBytes(text);
using RijndaelManaged aes128 = new RijndaelManaged { Mode = CipherMode.ECB, Padding = PaddingMode.PKCS7 };
using var memstr = new MemoryStream();
using var crystr = new CryptoStream(memstr, aes128.CreateDecryptor(Encoding.UTF8.GetBytes(key), Encoding.UTF8.GetBytes(privatekey)), CryptoStreamMode.Write);
crystr.Write(inputtextbyteArray, 0, inputtextbyteArray.Length);
return Convert.ToBase64String(memstr.ToArray());
}
public string Decryption(string base64, string key, string privatekey)
{
try
{
byte[] inputtextbyteArray = Convert.FromBase64String(base64.Replace(" ", "+"));
using RijndaelManaged aes128 = new RijndaelManaged { Mode = CipherMode.ECB, Padding = PaddingMode.PKCS7 };
using var memstr = new MemoryStream();
using var crystr = new CryptoStream(memstr, aes128.CreateDecryptor(Encoding.UTF8.GetBytes(key), Encoding.UTF8.GetBytes(privatekey)), CryptoStreamMode.Write);
crystr.Write(inputtextbyteArray, 0, inputtextbyteArray.Length);
return Encoding.UTF8.GetString(memstr.ToArray());
}
catch (Exception ex)
{
throw new Exception("LOL NO HACKING!");
}
}
I understand how code work but the Errors I'm getting confusing :

public string Encryption(string text,string key,string privatekey)
{
byte[] inputtextbyteArray = System.Text.Encoding.UTF8.GetBytes(text);
using RijndaelManaged aes128 = new RijndaelManaged { Mode = CipherMode.ECB, Padding = PaddingMode.PKCS7 };
using var memstr = new MemoryStream();
using var crystr = new CryptoStream(memstr, aes128.CreateDecryptor(Encoding.UTF8.GetBytes(key), Encoding.UTF8.GetBytes(privatekey)), CryptoStreamMode.Write);
crystr.Write(inputtextbyteArray, 0, inputtextbyteArray.Length);
return Convert.ToBase64String(memstr.ToArray());
}
public string Decryption(string base64, string key, string privatekey)
{
try
{
byte[] inputtextbyteArray = Convert.FromBase64String(base64.Replace(" ", "+"));
using RijndaelManaged aes128 = new RijndaelManaged { Mode = CipherMode.ECB, Padding = PaddingMode.PKCS7 };
using var memstr = new MemoryStream();
using var crystr = new CryptoStream(memstr, aes128.CreateDecryptor(Encoding.UTF8.GetBytes(key), Encoding.UTF8.GetBytes(privatekey)), CryptoStreamMode.Write);
crystr.Write(inputtextbyteArray, 0, inputtextbyteArray.Length);
return Encoding.UTF8.GetString(memstr.ToArray());
}
catch (Exception ex)
{
throw new Exception("LOL NO HACKING!");
}
}
I didn't test it
remeber by use "using" you dont need to use ms.Close();
And aes128.CreateDecryptor(btkey, null); why you use null
just make a private key
and btw i just choice "key" in my code but easy to call it chiper

How do I decrypt in php something aes encrypted with c#

A partner is using c# to encrypt 12 digit numbers to a database, I need to decode these values on a unix server ideally using php 5.6 but php 7.2, perl 5.16 or python 3.6 are all available.
I've started with example 2 of the php openssl-encrypt manual which gets me something which will encode/decode test strings successfully, but cannot decode the c# encoded data.
I've also tried the suggestions at https://odan.github.io/2017/08/10/aes-256-encryption-and-decryption-in-php-and-csharp.html without success, presumably because the partner isn't using CBC.
Substituting $key = substr(hash('sha256', $secret, true), 0, 32); for the secret in the function calls didn't help.
I've tried all the ciphers supported by openssl-encrypt without success.
The partner has provided their c# code (which appears to be a more or less direct lift from Microsoft sample code):
public static string EncryptString(string key, string plainText)
{
byte[] iv = new byte[16];
byte[] array;
using (Aes aes = Aes.Create())
{
aes.Key = Encoding.UTF8.GetBytes(key);
aes.IV = iv;
ICryptoTransform encryptor = aes.CreateEncryptor(aes.Key, aes.IV);
using (MemoryStream memoryStream = new MemoryStream())
{
using (CryptoStream cryptoStream = new CryptoStream((Stream)memoryStream, encryptor, CryptoStreamMode.Write))
{
using (StreamWriter streamWriter = new StreamWriter((Stream)cryptoStream))
{
streamWriter.Write(plainText);
}
array = memoryStream.ToArray();
}
}
}
return Convert.ToBase64String(array);
}
public static string DecryptString(string key, string cipherText)
{
byte[] iv = new byte[16];
byte[] buffer = Convert.FromBase64String(cipherText);
using (Aes aes = Aes.Create())
{
aes.Key = Encoding.UTF8.GetBytes(key);
aes.IV = iv;
ICryptoTransform decryptor = aes.CreateDecryptor(aes.Key, aes.IV);
using (MemoryStream memoryStream = new MemoryStream(buffer))
{
using (CryptoStream cryptoStream = new CryptoStream((Stream)memoryStream, decryptor, CryptoStreamMode.Read))
{
using (StreamReader streamReader = new StreamReader((Stream)cryptoStream))
{
return streamReader.ReadToEnd();
}
}
}
}
}
I have the following functions at present:
function encrypt2($data, $secret, $cipher, $iv)
{
$ivlen = openssl_cipher_iv_length($cipher);
$ciphertext_raw = openssl_encrypt($data, $cipher, $secret, $options=OPENSSL_RAW_DATA, $iv);
$hmac = hash_hmac('sha256', $ciphertext_raw, $secret, $as_binary=true);
return base64_encode($ciphertext_raw);
}
function decrypt2($data, $secret, $cipher, $iv)
{
$c = base64_decode($data);
$ivlen = openssl_cipher_iv_length($cipher);
$original_plaintext = openssl_decrypt($c, $cipher, $secret, $options=OPENSSL_RAW_DATA, $iv);
return ($original_plaintext ? $original_plaintext : 'openssl_decrypt failed');
}
I can't share partner data because I only have real data but here is an example call to the php functions above the second of which produces results resembling the real data:
$data = '123456789012';
$secret = "qwertyuiop12345";
$cipher = "AES-256-ECB";
$iv = "";
$encrypted2 = encrypt2($data, $secret, $cipher, $iv);
$decrypted2 = decrypt2($encrypted2, $secret, $cipher, $iv);
echo "$data > $encrypted2 > $decrypted2\n";
Gives:
123456789012 > NDdefqxcYZvtjAcvPrQ00A== > 123456789012
What changes do I need to make to my php to match the c# code?
Alternatively a solution using perl or python would work.
Update with sample data:
xyz#gmail.com encrypted with b14ca5898a4e4133bbce2ea2315a1916 gives c4Eej4S8G3mclVQJb+qkfQ==
That's exactly what my code generates.
The live key I've been given is 16 characters long but the example above uses a 32 character string, is something being done to double the length of the original before use?

Convert PHP Encryption algorithm to C#

I am trying to use a SSO solution in C#, where the documentation is only available in PHP.
I have this PHP Code:
function encrypt ($message)
{
$initialVector = "1234567890123456";
$key = md5($this->apiPassword);
$crypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $message, MCRYPT_MODE_CFB, $initialVector);
return base64_encode($initialVector) .":" . base64_encode($crypt);
}
The C# Code I tried is the following:
private string encrypt(string message)
{
RijndaelManaged aes128 = new RijndaelManaged();
aes128.BlockSize = 128;
aes128.KeySize = 128;
aes128.Mode = CipherMode.CFB;
aes128.Padding = PaddingMode.None;
aes128.IV = Encoding.ASCII.GetBytes("1234567890123456");
aes128.Key = Encoding.ASCII.GetBytes(getMd5(key));
byte[] plainTextBytes = Encoding.ASCII.GetBytes(json);
ICryptoTransform encryptor = aes128.CreateEncryptor();
MemoryStream ms = new MemoryStream();
CryptoStream cs = new CryptoStream(ms, encryptor, CryptoStreamMode.Write);
cs.Write(plainTextBytes, 0, plainTextBytes.Length);
// convert our encrypted data from a memory stream into a byte array.
byte[] cypherTextBytes = ms.ToArray();
// close memory stream
ms.Close();
return Convert.ToBase64String(aes128.IV) + ":" + Convert.ToBase64String(cypherTextBytes);
}
key and message are identical. The IV part is returned correctly, only the encrypted parts are not equal. The md5 method is also working correctly.
Edit: Changing the Padding also doesn't change anything.

Rijndael Encryption/Decryption C# vs PHP

I'm trying to encrypt data on client side(C#) then transmit it to the server through POST and decode it at the server side(PHP).
For this test purpose I'm also attaching to the POST all values were used on the client side to match it for the server
Values are:
Plain Text
Pass Phrase
IV
Generated By Client Encrypted Text
These parameters im re-using at the server side, it is mean i'm using the same plain text, the same pass phrase and the same IV
however results doesn't match
Encrypted text at the client side doesn't match to the encrypted text from server side where both of them were generated from the same input parameters
Here is Console output where you can clearly see what is going on:
https://dl.dropboxusercontent.com/u/15715229/ConsoleOutput.JPG
As You see server generate different hash with use of same "in" parameters...
What am I doing wrong?
here is my code:
C# Code:
static void Main(string[] args)
{
string url = "http://localhost/temp.php";
WebClient web = new WebClient();
string plainText = "This is sentence I want to encrypt";
string passPhrase = "MyPassPhrase";
string IV = DateTime.Now.ToLongTimeString() + "InVector";
Console.WriteLine("");
Console.WriteLine("----- Start Client -----");
Console.WriteLine("Plain text = " + plainText);
Console.WriteLine("PassPhrase = " + passPhrase);
Console.WriteLine("IV = " + IV);
string encryptedText = Encrypt(plainText, passPhrase, IV);
Console.WriteLine("Encrypted Text = " + encryptedText);
string decryptedText = Decrypt(encryptedText, passPhrase, IV);
Console.WriteLine("Decrypted Text = " + decryptedText);
Console.WriteLine("----- End Client -----");
Console.WriteLine("");
NameValueCollection postData = new NameValueCollection();
postData.Add("plainText", plainText);
postData.Add("encryptedText", encryptedText);
postData.Add("passPhrase", passPhrase);
postData.Add("IV", IV);
string webData = Encoding.UTF8.GetString(web.UploadValues(url, "POST", postData));
Console.WriteLine("----- Start Server Respond -----");
Console.WriteLine(webData);
Console.WriteLine("----- End Server Respond -----");
}
public static string Encrypt(string plainText, string passPhrase, string IV)
{
byte[] initVectorBytes = Encoding.UTF8.GetBytes(IV);
byte[] plainTextBytes = Encoding.UTF8.GetBytes(plainText);
byte[] keyBytes = Encoding.UTF8.GetBytes(passPhrase);
RijndaelManaged symmetricKey = new RijndaelManaged();
symmetricKey.Mode = CipherMode.CBC;
ICryptoTransform encryptor = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes);
MemoryStream memoryStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write);
cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);
cryptoStream.FlushFinalBlock();
byte[] cipherTextBytes = memoryStream.ToArray();
memoryStream.Close();
cryptoStream.Close();
return Convert.ToBase64String(cipherTextBytes);
}
public static string Decrypt(string cipherText, string passPhrase, string IV)
{
byte[] initVectorBytes = Encoding.UTF8.GetBytes(IV);
byte[] cipherTextBytes = Convert.FromBase64String(cipherText);
byte[] keyBytes = Encoding.UTF8.GetBytes(passPhrase);
RijndaelManaged symmetricKey = new RijndaelManaged();
symmetricKey.Mode = CipherMode.CBC;
ICryptoTransform decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes);
MemoryStream memoryStream = new MemoryStream(cipherTextBytes);
CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read);
byte[] plainTextBytes = new byte[cipherTextBytes.Length];
int decryptedByteCount = cryptoStream.Read(plainTextBytes, 0, plainTextBytes.Length);
memoryStream.Close();
cryptoStream.Close();
return Encoding.UTF8.GetString(plainTextBytes, 0, decryptedByteCount);
}
My PHP Code:
<?php
if(isset($_POST['plainText']))
{
$plainText = $_POST['plainText'];
$clientEncryptedText = $_POST['encryptedText'];
$passPhrase = $_POST['passPhrase'];
$iv = $_POST['IV'];
echo "Plain text = ".$plainText."\n";
echo "PassPhrase = ".$passPhrase."\n";
echo "IV = ".$iv."\n";
$encryptedText = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $passPhrase, $plainText, MCRYPT_MODE_CBC, $iv ));
echo "Server Encrypted Text = ".$encryptedText."\n";
echo "Client Encrypted Text = ".$clientEncryptedText."\n";
$decryptedText = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $passPhrase, base64_decode($encryptedText), MCRYPT_MODE_CBC, $iv );
echo "Server Decrypted Text = ".$decryptedText."\n";
$decryptedText = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $passPhrase, base64_decode($clientEncryptedText), MCRYPT_MODE_CBC, $iv );
echo "Decrypted text from Client = ".$decryptedText."\n";
}
else
{
echo "POST is not set";
}
Can you please tell me what am i doing wrong and where? at the client (C#) or at the server (PHP)?
Regards
Vadims Briksins

Your Passphrase is not a key of the appropriate length. Same goes for the IV. Thus, some kind of padding, truncation or hashing will happen. PHP and C# likely do it differently. Also, you don't specify if AES-128 or AES-256 is to be used in C# - thus, you are likely using AES-256 in C#, while decrypting with AES-128. Also C# could, theoretically, also use different block sizes (it likely doesn't). Padding could also differ, which could cause issues later down the road.
Make sure your IV matches the block size used (should be 128 bit = 16 byte) and the passphrase/key matches whatever key size you chose.
If you will be using real passphrases in practice, you need to use something like PBKDF2 to derive keys from them.
You also may want to add integrity checking (e.g. using HMAC with a separate key).
Also, don't implement crypto yourself if you don't have to. Check if SSL/TLS could fix the problem for you, and then use it if possible. You can use hardcoded selfsigned certificates if you want to and it matches your requirements, but using an existing crypto protocol is usually a better idea than building your own.

finally got it sorted. Whole day was fighting with it and now would love to share the code with you.
Code is 100% working - Tested and Verified!
Content of C# CryptoMaster.cs file (Client Side):
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
namespace EncryptionClient
{
class CryptoMaster
{
private string encryptedText;
public void StartEncryption()
{
Console.WriteLine("");
Console.WriteLine("----- Client Start -----");
string plainText = "Hello, this is a message we need to encrypt";
Console.WriteLine("Plain Text = " + plainText);
string passPhrase ="Pass Phrase Can be any length";
string saltValue = DateTime.Now.ToLongTimeString(); //slat should be 8 bite len, in my case im using Time HH:MM:SS as it is dynamic value
string hashAlgorithm = "SHA1";
int passwordIterations = 1;
string initVector = "InitVector Should be 32 bite len";
int keySize = 256;
encryptedText = Encrypt(plainText, passPhrase, saltValue, hashAlgorithm, passwordIterations, initVector, keySize);
Console.WriteLine("Encrypted Text = " + encryptedText);
string decryptedText = Decrypt(encryptedText, passPhrase, saltValue, hashAlgorithm, passwordIterations, initVector, keySize);
Console.WriteLine("Decripted Text = " + decryptedText);
Console.WriteLine("----- Client End -----");
SendDataToWebServer(plainText, passPhrase, saltValue, hashAlgorithm, passwordIterations, initVector, keySize);
}
private void SendDataToWebServer(string plainText, string passPhrase, string saltValue, string hashAlgorithm, int passwordIterations, string initVector, int keySize)
{
NameValueCollection POST = new NameValueCollection();
//NOTE: I'm Including all this data to POST only for TESTING PURPOSE
//and to avoid manual entering of the same data at server side.
//In real live example you have to keep sensative data hidden
POST.Add("plainText", plainText);
POST.Add("passPhrase", passPhrase);
POST.Add("saltValue", saltValue);
POST.Add("hashAlgorithm", hashAlgorithm);
POST.Add("passwordIterations", passwordIterations+"");
POST.Add("initVector", initVector);
POST.Add("keySize", keySize+"");
POST.Add("encryptedText", encryptedText);
WebClient web = new WebClient();
string URL = "http://localhost/Encryptor.php";
Console.WriteLine("");
string serverRespond = Encoding.UTF8.GetString(web.UploadValues(URL, "POST", POST));
Console.WriteLine("----- Server Start -----");
Console.WriteLine(serverRespond);
Console.WriteLine("----- Server End -----");
}
public string Encrypt(string plainText, string passPhrase, string saltValue, string hashAlgorithm, int passwordIterations, string initVector, int keySize)
{
byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);
byte[] plainTextBytes = Encoding.UTF8.GetBytes(plainText);
Rfc2898DeriveBytes password = new Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations);
byte[] keyBytes = password.GetBytes(keySize / 8);
RijndaelManaged symmetricKey = new RijndaelManaged();
symmetricKey.BlockSize = 256;
symmetricKey.KeySize = 256;
symmetricKey.Padding = PaddingMode.Zeros;
symmetricKey.Mode = CipherMode.CBC;
ICryptoTransform encryptor = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes);
MemoryStream memoryStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write);
cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);
cryptoStream.FlushFinalBlock();
byte[] cipherTextBytes = memoryStream.ToArray();
memoryStream.Close();
cryptoStream.Close();
string cipherText = Convert.ToBase64String(cipherTextBytes);
return cipherText;
}
public static string Decrypt(string cipherText, string passPhrase, string saltValue, string hashAlgorithm, int passwordIterations, string initVector, int keySize)
{
byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);
byte[] cipherTextBytes = Convert.FromBase64String(cipherText);
Rfc2898DeriveBytes password = new Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations);
byte[] keyBytes = password.GetBytes(keySize / 8);
RijndaelManaged symmetricKey = new RijndaelManaged();
symmetricKey.BlockSize = 256;
symmetricKey.KeySize = 256;
symmetricKey.Padding = PaddingMode.Zeros;
symmetricKey.Mode = CipherMode.CBC;
ICryptoTransform decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes);
MemoryStream memoryStream = new MemoryStream(cipherTextBytes);
CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read);
byte[] plainTextBytes = new byte[cipherTextBytes.Length];
int decryptedByteCount = cryptoStream.Read(plainTextBytes, 0, plainTextBytes.Length);
memoryStream.Close();
cryptoStream.Close();
string plainText = Encoding.UTF8.GetString(plainTextBytes, 0, decryptedByteCount);
return plainText;
}
}
}
Content of PHP Encryptor.PHP file (Server Side):
<?php
error_reporting(0);
if (isset($_POST['plainText'])) {
$plainText = $_POST['plainText'];
$passPhrase = $_POST['passPhrase'];
$saltValue = $_POST['saltValue'];
$hashAlgorithm = $_POST['hashAlgorithm'];
$passwordIterations = $_POST['passwordIterations'];
$initVector = $_POST['initVector'];
$keySize = $_POST['keySize'];
$clientEncryptedText = $_POST['encryptedText'];
$key = getKey($passPhrase,$saltValue, $passwordIterations, $keySize, $hashAlgorithm);
echo "Plain Text = ".$plainText."\n";
echo "Client Encrypted Text = ".$clientEncryptedText."\n";
$encryptedText = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $plainText, MCRYPT_MODE_CBC, $initVector));
echo "Server Encrypted Text = ".$encryptedText."\n";
$decryptedText = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($encryptedText), MCRYPT_MODE_CBC, $initVector), "\0");
echo "Server Decrypted Text = ".$decryptedText."\n";
$decryptedText = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($clientEncryptedText), MCRYPT_MODE_CBC, $initVector), "\0");
echo "Client Decrypted Text = ".$decryptedText;
}
function getKey( $passPhrase, $saltValue, $passwordIterations, $keySize, $hashAlgorithm ) {
$hl = strlen(hash($hashAlgorithm, null, true));
$kb = ceil($keySize / $hl);
$dk = '';
for ( $block = 1; $block <= $kb; $block ++ ) {
$ib = $b = hash_hmac($hashAlgorithm, $saltValue . pack('N', $block), $passPhrase, true);
for ( $i = 1; $i < $passwordIterations; $i ++ )
$ib ^= ($b = hash_hmac($hashAlgorithm, $b, $passPhrase, true));
$dk .= $ib;
}
return substr($dk, 0, $keySize);
}
?>
Console Output can be viewed by this link

How can I get CSharp / .NET to "play nice" with PHP-encrypted strings?

(preface: I'm a newbie with encryption and security, figured this would be a fun way to learn)
I'm building a program in C# that communicates with a server written in PHP using standard HTTP protocol. I want both programs to be able to send and receive encrypted data. However, there appear to be inconsistencies regarding how the encryption is being handled, despite them both using the same kind of functions.
Both programs use Rjindael 128 bit in CBC mode.
For demonstration / testing, I made two functions that are virtually identical, each taking the same string, encrypting it, and spitting out the result as a base64 string.
The PHP function:
public static function EncryptionTest () {
echo 'Testing Encryption to base64 string...<br/>';
$originalString = 'This is the original String! How cool is that?';
$key = "abcdefghijklmnopqrstuvwxyz012345";
$iv = "1234567890123456";
$encrypted = mcrypt_encrypt (MCRYPT_RIJNDAEL_128, $key, $originalString, MCRYPT_MODE_CBC, $iv);
echo base64_encode ($encrypted);
}
And it's C# counterpart:
public static void EncryptionTest ()
{
System.Console.WriteLine ("Testing Encryption to base64 string...");
string originalString = "This is the original String! How cool is that?";
byte [] encryptedData;
byte [] key = System.Text.ASCIIEncoding.UTF8.GetBytes ("abcdefghijklmnopqrstuvwxyz012345");
byte [] iv = System.Text.ASCIIEncoding.UTF8.GetBytes ("1234567890123456");
RijndaelManaged cryptor = new RijndaelManaged ();
cryptor.Key = key;
cryptor.IV = iv;
cryptor.BlockSize = 128;
cryptor.Mode = CipherMode.CBC;
ICryptoTransform encryptor = cryptor.CreateEncryptor (cryptor.Key, cryptor.IV);
using (MemoryStream msEncrypt = new MemoryStream ())
{
using (CryptoStream csEncrypt = new CryptoStream (msEncrypt, encryptor, CryptoStreamMode.Write))
{
using (StreamWriter swEncrypt = new StreamWriter (csEncrypt) )
{
swEncrypt.Write (originalString);
}
encryptedData = msEncrypt.ToArray ();
}
}
System.Console.WriteLine (System.Convert.ToBase64String (encryptedData) );
}
Now, here is the PHP result:
Testing Encryption to base64 string...
yzwIdowhLj+cMOFPMuHSA80pWQ6R8yfFQlEsLx5kIzUOJdFykLjsaKfK4VfaBGRv
And the C# result:
Testing Encryption to base64 string...
yzwIdowhLj+cMOFPMuHSA80pWQ6R8yfFQlEsLx5kIzUg74mGEQf9iW+OQ68m6cpp
As you can see, the two results are clearly encrypted (good), are the same number of characters (good), but are different (could be bad).
I wrote decryption tests which take these strings and process them. Here is the PHP function:
public static function DecryptionTest () {
$phpBase64 = 'yzwIdowhLj+cMOFPMuHSA80pWQ6R8yfFQlEsLx5kIzUOJdFykLjsaKfK4VfaBGRv';
$csBase64 = 'yzwIdowhLj+cMOFPMuHSA80pWQ6R8yfFQlEsLx5kIzUg74mGEQf9iW+OQ68m6cpp';
$key = "abcdefghijklmnopqrstuvwxyz012345";
$iv = "1234567890123456";
$phpEncrypted = base64_decode ($phpBase64);
$phpDecrypted = mcrypt_decrypt (MCRYPT_RIJNDAEL_128, $key, $phpEncrypted, MCRYPT_MODE_CBC, $iv);
$csEncrypted = base64_decode ($csBase64);
$csDecrypted = mcrypt_decrypt (MCRYPT_RIJNDAEL_128, $key, $csEncrypted, MCRYPT_MODE_CBC, $iv);
echo 'Decrypted PHP string: "' . $phpDecrypted . '"<br/>' .
'Decrypted CS string: "' . $csDecrypted . '"';
}
And the C# version:
public static void DecryptionTest ()
{
System.Console.WriteLine ("Testing Decryption for PHP and CS generated base64 strings!");
string phpBase64 = "yzwIdowhLj+cMOFPMuHSA80pWQ6R8yfFQlEsLx5kIzUOJdFykLjsaKfK4VfaBGRv";
string csBase64 = "yzwIdowhLj+cMOFPMuHSA80pWQ6R8yfFQlEsLx5kIzUg74mGEQf9iW+OQ68m6cpp";
byte [] phpEncrypted = System.Convert.FromBase64String (phpBase64);
byte [] csEncrypted = System.Convert.FromBase64String (csBase64);
string phpDecrypted;
string csDecrypted;
byte [] encryptedData;
byte [] key = System.Text.ASCIIEncoding.UTF8.GetBytes ("abcdefghijklmnopqrstuvwxyz012345");
byte [] iv = System.Text.ASCIIEncoding.UTF8.GetBytes ("1234567890123456");
RijndaelManaged cryptor = new RijndaelManaged ();
cryptor.Key = key;
cryptor.IV = iv;
cryptor.BlockSize = 128;
cryptor.Mode = CipherMode.CBC;
ICryptoTransform decryptor = cryptor.CreateDecryptor (cryptor.Key, cryptor.IV);
using (MemoryStream msDecrypt = new MemoryStream (csEncrypted))
{
using (CryptoStream csDecrypt = new CryptoStream (msDecrypt, decryptor, CryptoStreamMode.Read))
{
using (StreamReader swDecrypt = new StreamReader (csDecrypt) )
{
csDecrypted = swDecrypt.ReadToEnd ();
}
}
}
System.Console.WriteLine ("Decrypted CS string: \"" + csDecrypted + "\"");
using (MemoryStream msDecrypt = new MemoryStream (phpEncrypted))
{
using (CryptoStream csDecrypt = new CryptoStream (msDecrypt, decryptor, CryptoStreamMode.Read))
{
using (StreamReader swDecrypt = new StreamReader (csDecrypt) )
{
phpDecrypted = swDecrypt.ReadToEnd ();
}
}
}
System.Console.WriteLine ("Decrypted PHP string: \"" + phpDecrypted + "\"");
}
The PHP results:
Decrypted PHP string: "This is the original String! How cool is that?"
Decrypted CS string: "This is the original String! How cool is that?"
And the C# results:
Decrypted CS string: "This is the original String! How cool is that?"
CryptographicException: Bad PKCS7 padding. Invalid length 0.
at Mono.Security.Cryptography.SymmetricTransform.ThrowBadPaddingException (PaddingMode padding, Int32 length, Int32 position) [0x0005c] in > /Applications/buildAgent/work/84669f285f6a667f/mcs/class/corlib/Mono.Security.Cryptography/SymmetricTransform.cs:363
So, basically, the PHP code can successfully decrypt both base64 strings, but the C# code can only decrypt base64 strings that were created by its own decryptor.
A lot of this is code I found on the internet and modified to suit my needs. Like I said, I'm a newbie with cryptography, but I've gotten decently far here. I could theorize and test all day, but it's starting to eat into my schedule so I'm looking for insights from others as to why it isn't working. Thank you!

You need to use the PHPSecLib because the PHP implementation is not compatible with C++/C#. It has a different padding size (not a crypto expert here but this is what I found after days of testing). So use the native implementations in the phpseclib and it will work.
Bumped into this issue a while ago myself. But with C++ / CryptoAPI and PHP.

Categories

Resources