Encrypt text in PHP and decrypt in Python

Question

I am using following code snippet to encrypt a text in PHP7:

$plaintext = "message to be encrypted";
$cipher = "aes-256-cbc";
$ivlen = openssl_cipher_iv_length($cipher);
$iv = "0123456789012345";
$key = "akshayakshayaksh";
$ciphertext = openssl_encrypt($plaintext, $cipher, $key, $options=0, $iv);
print $ciphertext;

Output: cUXDhOEGz19QEo9XDvMzXkGFmg/YQUnXEqKVpfYtUGo=

Now, when I try to decrypt this in Python3 it gives error:

from Crypto.Cipher import AES
obj2 = AES.new('akshayakshayaksh', AES.MODE_CBC, '0123456789012345')
ciphertext = "cUXDhOEGz19QEo9XDvMzXkGFmg/YQUnXEqKVpfYtUGo="
obj2.decrypt(ciphertext)

Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/anaconda3/lib/python3.6/site-packages/Crypto/Cipher/blockalgo.py", line 295, in decrypt return self._cipher.decrypt(ciphertext) ValueError: Input strings must be a multiple of 16 in length

I get that AES is a block cipher algorithm. However, how should I fix my PHP code so that it generates "padded" cipher, any clues?

Answer 1

The main issue here is that you're using different key-size. PHP's openssl_encrypt determines the key size from the encryption algorithm string ("aes-256-cbc" in this case) so it expects a 256 bit key. If the key is shorter it is padded with zero bytes, so the actual key used by openssl_encrypt is:

"akshayakshayaksh\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"

Pycryptodome determines the key size from the actual size of the key, so your Python code uses AES-128-CBC. Also, as mentioned in the coments by kelalaka, the ciphertext is base64 encoded (openssl_encrypt base64-encodes the ciphertext by default - we can get raw bytes if we use OPENSSL_RAW_DATA in $options). Pycryptodome doesn't decode the ciphertext, so we must use b64decode().

key = b'akshayakshayaksh\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0'
obj2 = AES.new(key, AES.MODE_CBC, b'0123456789012345')
ciphertext = b"cUXDhOEGz19QEo9XDvMzXkGFmg/YQUnXEqKVpfYtUGo="
print(obj2.decrypt(b64decode(ciphertext)))
#b'message to be encrypted\t\t\t\t\t\t\t\t\t'

The extra \t characters at the end is the padding - CBC requires padding. Pycryptodome doesn't remove padding automatically but it provides padding functions in Crypto.Util.Padding.

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from base64 import b64decode

key = b'akshayakshayaksh\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0'
obj2 = AES.new(key, AES.MODE_CBC, b'0123456789012345')
ciphertext = b"cUXDhOEGz19QEo9XDvMzXkGFmg/YQUnXEqKVpfYtUGo="
plaintext = obj2.decrypt(b64decode(ciphertext))
plaintext = unpad(plaintext, AES.block_size)

---

Although PHP's openssl accepts arbitrary sized keys, it's best to use key size specified in the algorithm string, to prevent confusion at the very least. Also the key bytes should be as random as possible.

As noted by Maarten Bodewes in the comments this key uses a limited range of bytes and so it's very weak. Furthermore it is created by repeating a word and that makes it vulnerable to dictionary attacks (which are much faster than bruteforce attacks).

In PHP we can get cryptographically secure random bytes with random_bytes(),

$key = random_bytes(32);  

and in Python with os.urandom()

key = os.urandom(32)

(You can use the same functions to create the IV; you shouldn't use a static IV, the IV must be unpredictable)

You could also derive a key from your password with a KDF. In this case it is important to use a random salt and a high enough number of iterations. PHP provies a PBKDF2 algorithm with the hash_pbkdf2 function, and Python with hashlib.pbkdf2_hmac.