Programmin' Prim8

By popular demand, here is a working example of encrypting/decrypting between PHP and DotNet. This uses ECB, which is not ideal (a string crypted will always generate the same crypt text), but makes the example a bit simpler.

PHP and DotNet Encryption

Note, you need the mcrypt library:
"These functions work using mcrypt. To use it, download libmcrypt-x.x.tar.gz from http://mcrypt.sourceforge.net/ and follow the included installation instructions. Windows users will find all the needed compiled mcrypt binaries at http://ftp.emini.dk/pub/php/win32/mcrypt/."

1. Run encrypt.php and it will encrypt 'This should be readable in DotNet!' into a local file called crypt_text.bin.


2. Run the DotNet app and decrypt the file (enter your path), you should get the same thing.


3. Type any text you like into the large text box and click 'encrypt'.


4. Run decrypt.php (make sure the crypt_text.bin you just generated is in the php directory) and it should produce the text you just entered.

Note, the important bits are how you handle the text encoding. I am storing the crypted text in base64 to make it easier to handle as a string, rather than binary data. In the DotNet code, any string that needs to match a string from PHP is getting converted to ASCII (DotNet uses UTF-8 encoding by default). Finally, the padding in DotNet is using PaddingMode.Zero. This does result in some garbage characters when you decrypt in php, but they are easily discarded with trim().

This has come up several times, so here is the lowdown. You may be confused why your 2 identical strings generate different key bytes in PHP and .Net. The answer lies in the encoding. In both platforms, a string is a collection of characters.

• PHP characters are ASCII encoded, with a length of 7 bits.


• .Net characters are UTF-16, 1 or more sets of 16-bit words.

If you want your strings to generate the same bytecode, you need to do some encoding. In this example, I want to make a 24 byte key that is the md5 of some plain text.

Example:

PHP:


.Net

The scenario: you've got some data you'd like to keep private, so you've encrypted it on your web server using PHP's handy mcrypt functions using (for example) TripleDES. You go to decrypt the data on client side using DotNet System.Security.Cryptography, but no dice, you just get the helpful error 'Bad Data.'.

The problem is in the padding. If you examine an 8 character string encrypted with DotNet, you get a 16 character ciphertext. DotNet apparently defaults to PKCS7 padding, which is not compatible with mcrypt and mcrypt pads with spaces. So as long as you trim your in/output, and set your:



and you should be ready to go. This method is probably preferable to reverse-engineering PKCS7 from the DotNet cipher and implementing it in PHP wrappers before noticing the .Padding property.