I am new to PHP and my first assignment. The secretword is encrypted using c# (TripleDES /
CBC). On comparison, I found that the IV, and the secretword bytes do match, but not the key.
This is the c# code that works fine...
string epws = secretWord;
byte[] rawdata = Convert.FromBase64CharArray(char[] aArr);
mCryptoService = new TripleDESCryptoServiceProvider();
string key = ASCIIEncoding.ASCII.GetString(rawdata);
key = key.Substring(0, 24);
mCryptoService.Key = ASCIIEncoding.ASCII.GetBytes(key);
byte[] ivB = new byte[8];
Buffer.BlockCopy(rawdata, 31, ivB, 0, 8);
mCryptoService.IV = ivB;
byte[] epwb = Convert.FromBase64String(epws);
ICryptoTransform cryptoTransform = mCryptoService.CreateDecryptor();
MemoryStream ms = new MemoryStream(epwb, 0, epwb.Length);
CryptoStream cs = new CryptoStream(ms, cryptoTransform, CryptoStreamMode.Read);
StreamReader sr = new StreamReader(cs);
return sr.ReadToEnd();
This is the PHP code that I need help...
<?php
// dkey is the rawdata passed in as string from database
$byteArray = unpack('C*', $dkey);
$mkey = implode(array_map('chr', $byteArray));
$mkey = base64_decode($mkey);
$iv = substr($mkey, 31, 8);
$mkey = substr($mkey, 0, 24);
// the encrypted secretword passed in as string from database
$epws = base64_decode($epws);
$ok= trim(mcrypt_decrypt(MCRYPT_3DES, $mkey, $epws, MCRYPT_MODE_CBC, $iv));
?>
These are the keys that are different. IF I substitute the c# key in php, it works fine.
From c#
key = (35, 63, 63,43, 63,49,20, 63, 63,97,21,24, 63,97, 63, 63,125,98,125,15,62,108,55,70)
From php
key = (35,229,239,43,244,49,20,141,144,97,21,24,200,97,196,216,125,98,125,15,62,108,55,70)
^ ^ ^ ^ ^ ^ ^ ^
Don't know what else to do.
A key consists of bytes, not characters. If you need a key displayed as string - usually you don't - then you should encode it to hexadecimals. If you want to use it later on, you can decode the hexadecimals to a byte array again.
ASCII only has values from 0 to 127, of which the bottom 32 characters as well as the value 127 isn't printable. So your C# code is in that sense worse than your PHP code, and it needs the biggest change.
Currently the C# code is simply replacing bytes outside the ASCII range (0-127) with question marks (3F hex, or 63 in decimals - check the print out of the key). You can simply replace each value of 128 or higher with the value 63.
Obviously that means that your key loses entropy, on average it will only be half as strong (true in your example, with 8 bytes replaced). If you are unlucky then all bytes are converted into question marks (about once in 65536) or anything in between, leaving you extremely vulnerable to attack.