php - 将 Crypto++ AES 加密移植到 PHP 的 mcrypt 时密钥大小不正确

Question

早些时候我设法将一些 C++ CryptoPP Rijndael_128 CBC 代码移植到 MCrypt PHP，但现在我遇到了 CFB 模式的问题。C++ 和 PHP 结果不匹配（好吧，第一个字节匹配，但这可能是巧合，其他一切都不匹配）。通过一些诊断，看起来 PHP 的 mcrypt 没有正确设置密钥长度？

这是 C++（为简单起见，删除了诊断和杂项）：

CFB_Mode<AES>::Encryption encryptor(g_encrypt_key, AES::DEFAULT_KEYLENGTH, g_encrypt_iv);

StringSource ss( sInput.c_str(), true, 
        new StreamTransformationFilter( encryptor, 
            new HexEncoder( new StringSink( sEncryptedOut ) )
        ));

这是PHP：

$cipher = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CFB, '')
mcrypt_generic_init($cipher, $g_encrypt_key, $g_encrypt_iv);

$sEncryptedOutput = mcrypt_generic( $cipher, $sInput);
mcrypt_generic_deinit($cipher);
mcrypt_module_close($cipher);

g_encrypt_key并且g_encrypt_iv都是 16 字节长，并且字节匹配 C++ 和 PHP 版本。对于 PHP 版本，它是由字节构造的二进制字符串（是的，我已经检查过它们是相同的）。

我添加了对 PHP 版本的调用来检查$cipher的块大小、密钥大小等。块大小和 iv 大小都是 16；支持的密钥大小报告为 16、24 和 32 - 都符合预期。

我认为问题出在哪里，密钥大小被报告为 32 字节。查看 mcrypt 文档，设置密钥大小的唯一方法是提供所需大小的密钥。但我传递了一个 16 字节的密钥！那么为什么它报告存在一个 32 字节的密钥呢？如果 CFB 模式必须使用 32 字节的密钥，那么 CryptoPP 为什么会接受它呢？解决办法是什么？我可以强制 PHP 使用已提供的 16 字节密钥吗？还是我缺少一个参数，它在 CryptoPP 中的默认设置与在 MCrypt 中的设置不同？

I am using the CFB mode because I want to minimize the length of the resulting encrypted data. The few bytes that padding would introduce, do matter in this application.

I need to be able to encrypt/decrypt in C++ but only encrypt in PHP. AES is arguably overkill for my application - the minimum I need is "a good scrambling of the bytes" so that the function of individual bytes in the data are not obvious.

Answer 1

It's been awhile, but I had some similar problems with mcrypt and openSSL using CFB a couple years ago. In the end, I discovered mcrypt used a different default feedback chain size than openssl in CFB mode. That is to say, I believe an openSSL AES128 in CFB used a block size and feedback size of 128 bits, while mcrypt used a block size of 128bits and a feedback size of 8 bits. I have no way to confirm this, it was just speculation at the time based on reading some old forum posts. Regardless of the truth of that theory, I was not the only person or first to have this particular issue.

The solution for me was to use nOFB as yourself. According to the PHP mcrypt library reference MCRYPT_MODE_NOFB forces the feedback-chain to equal the algorithm's block size, in this case a 128bit block/feedback for AES128 (Rijndael), which matches with what the manpage for the mcrypt module states about nOFB. This is good as everything I found said nOFB feedback is synchronous to the block size. Thus, both mcrypt and OpenSSL in nOFB were now 128 bit key/iv/block/feedback sizes for AES128 and everything worked fine.

As far as PHP reporting 256bit keysizes (32 bytes), the function that returns the current cipher-algorithm key size actually returns the maximum key size, which isn't clearly stated in the documentation. I know this because my little class I use all the time now for various projects works perfectly fine with openSSL and any other AES libraries in CBC or nOFB . This wouldn't be the case if mcrypt was padding my 128bit(16 char) key with an additional 128bits of null string, or whatever, and wouldn't be technically correct anyhow.

Not really a good answer, but the best I got based on a very amateurish foray into cryptography several years ago.

Answer 2

Check out phpseclib:

http://phpseclib.sourceforge.net/

You can set the key size and block size to whatever you want.

eg. $aes->setKeyLength(128) or $aes->setKeyLength(256);

Answer 3

I had this problem - couple of points. By default the PHP Rijndael mode sets the feedback loop to 8bits - to be AES is needs to be the same length as the IV/Key.

You can do this by using the mode 'ncfb' instead of 'cfb' or MCRYPT_MODE_CFB.

Full details of writing aes_cfb_128 compatible PHP are at this Security Stackexchange question: aes cfb 128 decryption /encryption problem between Erlang and PHP. The short of it is (from Tom Leek):

... for both CFB and OFB (which are distinct from each other and cannot be used interchangeably), you have to worry about the "feedback length" which is not necessarily documented with high clarity in various crypto libraries. Both encryption and decryption must use the same feedback length to interoperate.