1
votes

Why can't the PHP decryption method decrypt data encrypted in Java?

When I encrypt and decrypt data using only Java or only in PHP, everything works fine.

I have a Java class to encrypt/decrypt data using the AES/ECB algorithm. The encryption key is always 2a925de8ca0248d7.

package com.example.test.helpers;
import android.util.Base64;
import java.nio.charset.StandardCharsets;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class Encryptor {

    /**
    * @param strToEncrypt - data to encrypt
    * @param secret - 16 bytes secret
    */
    public static String encrypt(String strToEncrypt, String secret) // secret is always 2a925de8ca0248d7
    {
        try {
            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS7Padding");
            // Explicit charset so the key bytes do not depend on the platform default
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "AES"));
            return Base64.encodeToString(cipher.doFinal(strToEncrypt.getBytes(StandardCharsets.UTF_8)), Base64.DEFAULT);
        }
        catch (Exception e)
        {
            System.out.println("Error while encrypting: " + e.toString());
        }
        return null;
    }

    /**
    * @param strToDecrypt - base64 encoded string to decrypt
    * @param secret - 16 bytes secret
    */
    public static String decrypt(String strToDecrypt, String secret) // secret is always 2a925de8ca0248d7
    {
        try {
            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS7Padding");
            // Explicit charset for the key bytes and the recovered plaintext, matching encrypt()
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "AES"));
            return new String(cipher.doFinal(Base64.decode(strToDecrypt, Base64.DEFAULT)), StandardCharsets.UTF_8);
        }
        catch (Exception e) {
            System.out.println("Error while decrypting: " + e.toString());
        }
        return null;
    }
}

The encrypted data is sent to the server, where I try to decrypt it with PHP's openssl_decrypt:

openssl_decrypt($receivedEncryptedBase64Data, 'AES-256-ECB', '2a925de8ca0248d7');

Unfortunately openssl_decrypt returns an empty string.

1
Where is the 256-bit key for Java? - kelalaka
You're using a 128-bit key but specifying AES-256... Also your code is super insecure. ECB mode, no authentication... It could be trivial to retrieve the plaintext from the ciphertext. It also looks like you're going to use this for transport security, which is a terrible idea. Use TLS instead, don't try and do it yourself. - Luke Joshua Park
ECB is just for now; ultimately there will be CBC mode. I'm not going to use this for transport security, I just want to send an encoded token from the Android app to the PHP server, where I want to decode it and check the token's correctness (ultimately I'm going to use TLS for transport security). - zsDev
Try openssl_decrypt(base64_decode($data), "METHOD", $password, OPENSSL_NO_PADDING); - SilvioQ
You say you're not going to use it for transport security and then immediately describe yourself using it for transport security... Remember, with your current code, anyone who can download your Android app can decrypt the traffic between the app and your server, even that of other people. Also remember that because you don't have any authentication, anyone (literally anyone, even without the app) can change the encrypted data and you won't know. Don't rely on this for any sort of security at all. - Luke Joshua Park

1 Answer

1
votes

OK, now I see. I should use AES-128-ECB in PHP instead of AES-256-ECB, or extend the secret key to 256 bytes.
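
The key-length mismatch discussed above, as an added PHP example that is not from the original question or answer. The function name decryptToken and the sample plaintext are assumptions made for illustration; the key is the one quoted in the question, and openssl_encrypt with aes-128-ecb stands in for the Java side.

```php
<?php
// Key quoted in the question: 16 ASCII bytes, i.e. a 128-bit AES key.
const KEY = '2a925de8ca0248d7';

/**
 * Hypothetical helper: decrypt Base64 AES/ECB/PKCS#7 ciphertext, deriving the
 * OpenSSL cipher name from the real key length instead of hard-coding it.
 */
function decryptToken(string $b64, string $key): string
{
    $bits = strlen($key) * 8;
    if (!in_array($bits, [128, 192, 256], true)) {
        throw new InvalidArgumentException("Unsupported AES key length: $bits bits");
    }
    // Options = 0: input is Base64 and OpenSSL strips the PKCS#7 padding.
    $plain = openssl_decrypt($b64, "aes-$bits-ecb", $key, 0);
    if ($plain === false) {
        // openssl_decrypt signals failure with false, which prints as an empty string.
        throw new RuntimeException('Decryption failed: ' . openssl_error_string());
    }
    return $plain;
}

// Constructed sample token, encrypted the same way the Java class does it.
$token = openssl_encrypt('constructed-sample-token', 'aes-128-ecb', KEY, 0);

// Matching cipher and key length: the plaintext comes back.
var_dump(decryptToken($token, KEY));

// The call from the question: with 'aes-256-ecb', PHP silently pads the
// 16-byte key with NUL bytes to 32 bytes, so a different key is used.
var_dump(openssl_decrypt($token, 'aes-256-ecb', KEY, 0));

// Showing the silent padding: data encrypted under the NUL-padded 32-byte key
// decrypts with the short key when AES-256 is requested.
$padded = str_pad(KEY, 32, "\0");
$c256   = openssl_encrypt('constructed-sample-token', 'aes-256-ecb', $padded, 0);
var_dump(openssl_decrypt($c256, 'aes-256-ecb', KEY, 0) === 'constructed-sample-token');
```

Checking the return value against false, as decryptToken does, turns the "empty string" symptom from the question into an explicit error.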