php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60705 rijndael iv problem
Submitted: 2012-01-10 23:08 UTC Modified: 2014-03-04 15:45 UTC
Votes:6
Avg. Score:4.0 ± 1.5
Reproduced:5 of 5 (100.0%)
Same Version:4 (80.0%)
Same OS:4 (80.0%)
From: erno dot kovacs at freemail dot hu Assigned:
Status: Not a bug Package: mcrypt related
PHP Version: 5.3.8 OS: linux/windows
Private report: No CVE-ID: None
 [2012-01-10 23:08 UTC] erno dot kovacs at freemail dot hu
Description:
------------
Cryptography basics: IV is always the same as the block size, which is 16 bytes (128 bits) in case of AES(Rijndael). However, when you use RIJNDAEL_192 or RIJNDAEL_256 with an IV of 16 bytes in CBC mode, you got a warning "mcrypt_generic_init() [function.mcrypt-generic-init]: Iv size incorrect; supplied length: 16, needed: 32". This is bullshit.

This way if you try to decrypt data encrypted by a 32 byte (256 bit) key with 16 byte (128 bit) IV with RIJNDAEL_256 in CBC mode, the decrypted data is WRONG. Even worse, if you modify the constant to RIJNDAEL_128, it decrypts the ciphertext correctly. This is a major failure.

Tested with PHP 5.3.4 Win32 and 5.3.8 Linux.


Test script:
---------------
http://pastebin.com/X1S7bUXV

Expected result:
----------------
decrypted : hello world

decrypted : *garbage*



Actual result:
--------------
Warning: mcrypt_generic_init() [function.mcrypt-generic-init]: Iv size incorrect; supplied length: 16, needed: 32 in ...
decrypted : ц2‘в АЭ/(ѕвy7YЃƒ0z=/оч|µ8„0Г£

decrypted : hello world

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-02-26 20:11 UTC] ab@php.net
After looking at the mcrypt implementation it turns out, that the way you're doing 
that in perl is non standard. The init vector SHOULD have the same size the block 
does. In your case 32 bytes. Looking at some other libs, for instance 
http://msdn.microsoft.com/en-
us/library/system.security.cryptography.symmetricalgorithm.iv.aspx
the stuff is handled the same way - vi size = block size.
 [2012-02-26 21:25 UTC] erno dot kovacs at freemail dot hu
you are absolutly wrong. the iv must have the same size as the ciphers block size.

http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
 [2012-02-26 21:27 UTC] erno dot kovacs at freemail dot hu
it seems you dont recognize the difference between the cipher block size and the input plaintext data...
 [2012-02-26 21:30 UTC] erno dot kovacs at freemail dot hu
AES blocksize is constant 16 bytes, so is the IV.
 [2012-10-02 10:01 UTC] miha dot vrhovnik at domenca dot com
I have the same problem as the reporter of this bug.
However the library used to decode the data is openssl 1.0.1c and I'd really doubt that they messed this up.
 [2012-10-02 12:28 UTC] miha dot vrhovnik at domenca dot com
Or maybe just the docs are foobar.
http://www.chilkatsoft.com/p/php_aes.txt
 [2014-03-04 15:35 UTC] narf at devilix dot net
This is not a bug, just something that is often confused.

AES does indeed have a fixed block size of 16 bytes and it is based on Rijndael. However, it is only based on Rijndael-128, allowing different key sizes. Rijndael-192 and Rijndael-256 have different block sizes and are NOT AES-compatible. 

If you want to use AES-192, AES-256 with MCrypt, you just have to use Rijndael-128 with a 24 or 32-byte key respectively.
 [2014-03-04 15:45 UTC] nikic@php.net
-Status: Open +Status: Not a bug
 [2014-03-04 15:45 UTC] nikic@php.net
As the last comments pointed, there's no bug here. AES-128, AES-192 and AES-256 are all handled by Rijndael-128.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 13 08:01:36 2024 UTC