Zip Component, Email Component, Encryption Component ActiveX Control for Zip Compression .NET Components for ASP.NET
ActiveX and .NET Components for Zip Compression, Encryption, Email, XML, S/MIME, HTML Email, Character Encoding, Digital Certificates, FTP, and more ASP Email ActiveX Component


Index of Chilkat Blog Posts

January 17, 2008

PHP 256-bit AES Encryption is Non-Standard

PHP is "broken" when it comes to 256-bit CBC AES encryption.

Check out these three blog posts:
http://www.chilkatsoft.com/p/p_459.asp
http://www.chilkatsoft.com/p/p_458.asp
http://www.chilkatsoft.com/p/p_457.asp

The posts above demonstrate how Chilkat matches PHP with ECB-128, CBC-128, and Chilkat matches the .NET Framework (C#) with CBC-256.

Before we get to 256-bit AES in PHP, a few notes about the intialization vector and padding for AES:

1) The IV is equal to the block size of the encryption algorithm, not the key length. The standard block size of AES is 16-bytes. It doesn’t matter if it’s 128-bit, 192-bit, or 256-bit encryption, the block size is always 16 bytes.

2) AES output is padded to a multiple of the block size (16-bytes).

It seems that PHP is using a non-standard 32-byte block size for 256-bit AES encryption. It requires a 32-byte IV, and the output is padded to a multiple of 32-bytes. Therefore, PHP 256-bit AES encryption is going to be incompatible with most other systems.

Chilkat’s recommendation is to use 128-bit AES encryption in PHP.


Privacy Statement. Copyright 2000-2011 Chilkat Software, Inc. All rights reserved.
Send feedback to support@chilkatsoft.com
Components for Microsoft Windows XP, 2000, 2003 Server, Vista, Windows 7, and Windows 95/98/NT4.