Ok, this is not really a web based question but I am interested in implementing it in some of my server code so here goes…
I have very limited knowledge about ciphers, but am aware of how AES works. What I was wondering was… how standardized are the implementations of ciphers (specifically AES)… for example, if I encrypt some data using aespipe or gpg (using --symmetric), will I be able to decrypt the data in PHP using the mcrypt library… or do different libraries use different implementations of the ciphers?
I am aware that for programs that encrypt files or even entire disks, they create their own file formats and encode extra info into the files, but this is for simple ‘data streams’…
Thx
AES is very highly standartized, so there sould not be any problems. You have to bear in mind though, what kind of [url=https://secure.wikimedia.org/wikipedia/en/wiki/Block_cipher_modes_of_operation]Block cipher operation mode is used (plainly encrypting each block is ECB mode). The thing that might differ from one implementation to other is how input is expected to be encoded and output is encoded for transmission (base64, hex, no-encoding at all etc)
Thanks Aleksejs, I think that I will mainly be using CBC mode… it seems a bit more secure, and the encoded data will be base64 encoded. Thanks for the help, am going to run some tests to see if I can get multiple scripts to encode / decode the same data.
Thx
I wonder how everything went. Especially, since you use CBC mode, how is IV transmitted?
Hey Aleksejs. From my tests this seems to be one of those things that works in theory but not in practice.
I am having a lot of trouble getting different implementations to produce exactly identical results… and CBC is a non starter.
As far as EBC goes, it seems like most of the differences occur in the handling of keys. Different implementations handle the padding of keys in different ways and many apply different hashing functions to the keys too.
Yes I totally agree - implementing it is really major PITA. CBC does not clearly specify, how other party gets the IV.
Is it plainly prepended? Or is it ECB encrypted before prepending?
Anyhow - here is my experiments with CBC (using just PHP mcrypt library). I tried to demonstrate stateless session cookies and for that needed to encrypt cookie value (functions checktoken and maketoken - comments in Latvian, sorry):
http://paste.php.lv/7692?lang=php