[prev in list] [next in list] [prev in thread] [next in thread] 

List:       webappsec
Subject:    Re: What problem have this Rijndael(.NET&PHP) code?
From:       "Jamie Riden" <jamesr () europe ! com>
Date:       2006-12-15 19:42:04
Message-ID: 17b0fcab0612151142y59d54453oe98c5ee745921232 () mail ! gmail ! com
[Download RAW message or body]

On 15/12/06, ±è¿µÀÏ <zero12a@naver.com> wrote:
> Dear, web security Professionals.
>
> I have a AES problem.
>
> I want to send confidential data.
>
> STEP is bottom...
>
>
>
> * STEP
> 1. Encrypt confidential-data by C#.NET.
>
> 2. Send encrypted data on HTTP(80) protocol.
>
> 2. Decrypt encyrpted data by PHP &amp; mcrypt(2.4.x)

I got PHP's mcrypt talking to the Botan library in C++ and I think one
of the issues was the padding scheme - not the actual mechanics of the
encryption itself. Unfortunately, I don't have access to the source
code any more, and I don't  know the .NET implementation.

The Botan doc states : "In the case of the ECB and CBC modes, a
padding method can also be specified. If it is not supplied, ECB
defaults to not padding, and CBC defaults to using PKCS #5/#7
compatible padding. The padding methods currently available are
"NoPadding", "PKCS7", "OneAndZeros", and "CTS". CTS padding is
currently only available for CBC mode, but the others can also be used
in ECB mode."

I seem to remember that I had to use 'NoPadding' to interoperate with
PHP - the PHP docs are kind of vague on this. Google suggests you may
need "RijndaelCipher.Padding = PaddingMode.None;" in your .NET stuff.

(You know that ECB mode isn't a great one to use unless you don't have
any patterns in your plaintext? CBC is probably best for encrypting
data etc.)

Hope this helps a bit.

cheers,
 Jamie
-- 
Jamie Riden, CISSP / jamesr@europe.com / jamie.riden@gmail.com
NZ Honeynet project - http://www.nz-honeynet.org/

[prev in list] [next in list] [prev in thread] [next in thread]