pycryprodome AES CBC mismatch after decryption in Python

Question

my goal is to have a very simple AES 128 CBC scheme which encrypts a plaintext and then decrypts it based on a given key in Python. I'm using pycryptodome framework and I couldnt find any documentation with an example of the AES CBC scheme.

Following is my code. The decrypted data is not same as the data before encryption. Will be fantastic if someone can help me identify what is going wrong here.

key = b'Sixteen byte key'
data = 'Jeevan B Manoj'.encode("UTF-8")
data = pad(data,16)
cipher = AES.new(key, AES.MODE_CBC)
print("data before encryption")
print(data)
ciphertext = cipher.encrypt(data)
cipher = AES.new(key, AES.MODE_CBC)
plaintext = cipher.decrypt(ciphertext)
print(plaintext)

You'll have to use an IV. When not passing an IV to `AES.new` it creates a random IV. — t.m.adam, Apr 11 '18 at 13:53

score 3 · Answer 1 · edited May 22 '18 at 04:17

As t.m.adam noted, the CBC mode of operation requires an initialization vector (IV) to work. Because the IV is commonly forgotten (also that it has to be unique and unpredictable, e.g. random), Pycryptodome creates a random one when a cipher object is initialized.

The IV must be unique for each encryption and is required for decryption. Common practice (source?) is to put the IV at the start of the ciphertext (the IV does not to need to be secret).

To make your example work:

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad

# Do not use raw passwords as keys,
# use a derivation functions to generate keys from them
key = b'Sixteen byte key'  
data = 'Jeevan B Manoj'.encode("UTF-8")
data = pad(data, AES.block_size)
encryptor = AES.new(key, AES.MODE_CBC)
iv = encryptor.IV
decryptor = AES.new(key, AES.MODE_CBC, IV=iv)

ciphertext = encryptor.encrypt(data)
plaintext = decryptor.decrypt(ciphertext)

assert plaintext == data

Important note: The ciphertext and IV must be authenticated for security (so data cannot be tampered with). For that, Pycryptodome offers AEAD modes like EAX and GCM as pointed out by Hans-Peter Jansen on GitHub. For many of them padding is not required.

score 0 · Answer 2 · answered Apr 12 '18 at 04:16

If you use MODE_ECB instead of MODE_CBC it works. I also didn't know what padding routine you are using so I used this one. I have several other examples here: https://github.com/SolarDon/pycryptodome/tree/master/Examples

from Crypto.Cipher import AES
 # Padding for the input string --not related to encryption itself.
BLOCK_SIZE = 16  # Bytes
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * chr(BLOCK_SIZE - len(s) % BLOCK_SIZE)
unpad = lambda s: s[:-ord(s[len(s) - 1:])]

key = b'Sixteen byte key'
data = 'Jeevan B Manoj'.encode("UTF-8")
data = pad(data)
cipher = AES.new(key, AES.MODE_ECB) # AES.MODE_CBC
print("data before encryption")
print(data)
ciphertext = cipher.encrypt(data)
cipher = AES.new(key, AES.MODE_ECB) # MODE_CBC
plaintext = cipher.decrypt(ciphertext)
print(unpad(plaintext))

https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption — Ilmari Karonen, Apr 12 '18 at 04:21

pycryprodome AES CBC mismatch after decryption in Python

2 Answers2