[WEB SECURITY] Re: What problem have this Rijndael(.NET&PHP) code?

Jamie Riden jamesr at europe.com
Fri Dec 15 14:42:04 EST 2006

On 15/12/06, 김영일 <zero12a at naver.com> wrote:
> Dear, web security Professionals.
> I have a AES problem.
> I want to send confidential data.
> STEP is bottom...
> * STEP
> 1. Encrypt confidential-data by C#.NET.
> 2. Send encrypted data on HTTP(80) protocol.
> 2. Decrypt encyrpted data by PHP & mcrypt(2.4.x)

I got PHP's mcrypt talking to the Botan library in C++ and I think one
of the issues was the padding scheme - not the actual mechanics of the
encryption itself. Unfortunately, I don't have access to the source
code any more, and I don't  know the .NET implementation.

The Botan doc states : "In the case of the ECB and CBC modes, a
padding method can also be specified. If it is not supplied, ECB
defaults to not padding, and CBC defaults to using PKCS #5/#7
compatible padding. The padding methods currently available are
"NoPadding", "PKCS7", "OneAndZeros", and "CTS". CTS padding is
currently only available for CBC mode, but the others can also be used
in ECB mode."

I seem to remember that I had to use 'NoPadding' to interoperate with
PHP - the PHP docs are kind of vague on this. Google suggests you may
need "RijndaelCipher.Padding = PaddingMode.None;" in your .NET stuff.

(You know that ECB mode isn't a great one to use unless you don't have
any patterns in your plaintext? CBC is probably best for encrypting
data etc.)

Hope this helps a bit.

Jamie Riden, CISSP / jamesr at europe.com / jamie.riden at gmail.com
NZ Honeynet project - http://www.nz-honeynet.org/

More information about the websecurity mailing list