1

I have an API URL with specific access token which was encrypted with C#(Below Code) and I want to Decrypt it using PHP post request by passing access token to parameters. Can anyone help me out to solve this problem.

Thanks in Advance!!

C# Code for Encryption:

private String AES_encrypt(String Input)
   {
   var aes = new RijndaelManaged();
   aes.KeySize = 256;
   aes.BlockSize = 256;
   aes.Padding = PaddingMode.PKCS7;
   aes.Key =Convert.FromBase64String("QdZx1B0ZIcLK7DPNRK09wc/rjP4WnxtE");
   aes.IV = Convert.FromBase64String("hBSE4tn6e/5c3YVKFZ54Iisi4MiDyCO0HJO+WZBeXoY=");
   var encrypt = aes.CreateEncryptor(aes.Key, aes.IV);
   byte[] xBuff = null;
   using (var ms = new MemoryStream())
   {
   using (var cs = new CryptoStream(ms, encrypt, CryptoStreamMode.Write))
   {
     byte[] xXml = Encoding.UTF8.GetBytes(Input);
     cs.Write(xXml, 0, xXml.Length);
   }
     xBuff = ms.ToArray();
   }
     String Output = Convert.ToBase64String(xBuff);
     return Output;
   }

So far I tried to decrypt it with the below code

function strippadding($string)
    {
        $slast = ord(substr($string, -1));
        $slastc = chr($slast);
        $pcheck = substr($string, -$slast);
        if(preg_match("/$slastc{".$slast."}/", $string)){
        $string = substr($string, 0, strlen($string)-$slast);
            return $string;
        } else {
            return false;
        }
   }
function decrypt($string)
    {
        $key = base64_decode("DZR");
        $iv = base64_decode("Shravan");
        $string = base64_decode($string);
        return strippadding(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_CBC, $iv));
    }

Fill out the items below:

Use this key and iv that are below.

key = QdZx1B0ZIcLK7DPNRK09wc/rjP4WnxtE

iv= hBSE4tn6e/5c3YVKFZ54Iisi4MiDyCO0HJO+WZBeXoY=

Run some text through your AES_encrypt() function and whatever comes out paste on the next line.

encrypted text = put your encrypted text here.

Joseph_J
  • 3,654
  • 2
  • 13
  • 22
Sravan Vadla
  • 29
  • 7
  • What have you tried so far? – Joseph_J Jan 16 '19 at 05:36
  • I see that you are new, just letting you know that you should not post code blocks in the comments. Edit your question and place the code blocks in your post. – Joseph_J Jan 16 '19 at 05:42
  • Is the key and IV that you are using shared between api and client? – Joseph_J Jan 16 '19 at 05:48
  • So you are sending the key and the iv in the url?? – Joseph_J Jan 16 '19 at 05:51
  • So you are sending an encrypted message with the key used to encrypt it? – Joseph_J Jan 16 '19 at 05:54
  • Usually keys are not sent with the data.. They are usually know by both parties before hand. – Joseph_J Jan 16 '19 at 05:55
  • Can you make a sample of your encrypted text using a key and iv that you can share and post it in your question please. Thanks – Joseph_J Jan 16 '19 at 06:01
  • Can you please post an output from your encryption function using the key and iv that you posted in your question. – Joseph_J Jan 16 '19 at 06:44
  • I mean can you encrypt something using the function with the key and iv that you posted in your question then after you encrypt it post the encrypted text in you question. – Joseph_J Jan 16 '19 at 06:51
  • Look at the bottom of the your question.. I added some stuff. Fill in the values of those. I want to see your encrypted text after it has been encrypted, the key that you used to encrypt it and the iv used. – Joseph_J Jan 16 '19 at 06:59
  • You have to do reverse the encoding to decrypt it with same IV and KEY then you will be able to decrypt it. – Rahul Dhamecha Jan 16 '19 at 07:13
  • Where is the encypted text? And that key and iv are no where close to the correct sizes. – Joseph_J Jan 16 '19 at 07:48

2 Answers2

0
$xXml = openssl_decrypt(
   $Output, #openssl_decrypt works with base64 encoded data
   'AES-256-CBC',
   base64_decode("QdZx1B0ZIcLK7DPNRK09wc/rjP4WnxtE"), #key
   OPENSSL_RAW_DATA,
   base64_decode("hBSE4tn6e/5c3YVKFZ54Iisi4MiDyCO0HJO+WZBeXoY=") #IV
);

Now $xXml is the binary form of the input string in UTF-8 encoded.

And make sure openssl is included in your PHP build.

shingo
  • 18,436
  • 5
  • 23
  • 42
  • I don't think this will work. The OP is using a block size of 256 bits. AES is standardized to to a block size of 128 bits. The "256" in the `AES-256-CBC` refers to the key size. This is somewhat confusing because the mcrypt notation `MCRYPT_RIJNDAEL_256` does actually refer to the block size. – Joseph_J Jan 16 '19 at 07:39
0

You have not provided me with any encrypted text to be able to test this with.

Here is what I think you need to do:

In your C# code you need to change the block size to 128 bits:

aes.BlockSize = 128;

In your C# code your IV needs to be 128 bits or 16 bytes long. It needs to equal your selected block size.

So for now this needs to be your IV:

IV = HWeR102dxMjRHZlxTqL2aA==

Your key is set for 256 bits: So here is a 256 bit key:

Key = aZUEBKSsYRKA6CGQbwFwvIS8rUnW7YA2hVMNHnnf844=

C# has functions that will automatically generate a cryptographically strong string for you of a certain length. I suggest you find these functions and learn how to use them so you can generate your own keys and IVs.

Now for the PHP portion.

You should use the OpenSSL library instead of the Mcrypt library. Mcrypt is deprecated and is no longer supported. So here is an OpenSSL solution.

Since the block size is now 128 bits and the key size is 256 bits it will now be compatible with the openssl library's AES-256-CBC function.

$key = 'aZUEBKSsYRKA6CGQbwFwvIS8rUnW7YA2hVMNHnnf844='; //256 bit key.  
$iv = 'HWeR102dxMjRHZlxTqL2aA=='; //128 bit IV length.  The same as the block size that is set in the C#.

function decrypt($string, $key, $iv){

  $cipherText = base64_decode($string);  //We are going to use raw data.
  return openssl_decrypt($cipherText, 'AES-256-CBC', base64_decode($key), OPENSSL_RAW_DATA, base64_decode($iv));
  //Note that I did not specify no padding in the function.  By default it is PKCS#7 which is what is set in the C# code.
}

The best I can tell this should work for you. This assumption is predicated on the fact that your AES_encrypt() is working correctly and that you have OpenSSL on your machine. Which you probably do.

Hope it helps!

Joseph_J
  • 3,654
  • 2
  • 13
  • 22
  • Thanks for your answer but it is not working for me. – Sravan Vadla Jan 16 '19 at 09:46
  • Are these access tokens stored on a database somewhere or are they being generated before they are being sent in the url? – Joseph_J Jan 16 '19 at 09:53
  • I did not get any errors & access token was not stored in the database they are generated – Sravan Vadla Jan 16 '19 at 09:59
  • Can you please post your most current code in your question? – Joseph_J Jan 16 '19 at 10:00
  • I'll tell whole scenario see.. C# Developer created encrypted code from their end and passed their data using access token. The Challenge is from my end I want to access that token and want to Decrypt the data whichever sent by C# Developer........................ And one more thing is they gave one more option that they created both Encryption and Decryption and binded it to one API. Now how I should call that API and make it to Decrypt. – Sravan Vadla Jan 16 '19 at 10:01
  • I would suggest that you post all your applicable PHP code and the name of the API you are using. I would follow the instructions on how to call the API. Once your PHP script can get the encoded information then I can help you with this question. If you can't figure out how to use the API then post another question relating to that issue. ~Cheers – Joseph_J Jan 16 '19 at 10:48
  • Whatever the Code I have that was posted top. The thing is I want to access the token using the POST METHOD with FIDDLER from Decrypt API link. – Sravan Vadla Jan 16 '19 at 11:05