Problems with DES3 method in PHP openssl library

Question

I have a web service where I send encrypted data in format "TripleDES, ECB mode, key size 192 and padding Zeros". The Provider show me the example of raw value and expected result:

raw string = IA000001 encrypted string (to send to web service) = aVR5J/0Lph0=;

In PHP, openssl_encrypt() function work fine for this string, but raise a data not multiple of block length SSL error.

I did a script to show all the problem (with comments):

<?php

$key = '1234567890123456ABCDEFGH';
$expected_result = 'aVR5J/0Lph0=';

function test_results($expected_value, $return_value) {
    echo openssl_error_string() . "\n";
    $compare = var_export($return_value == $expected_value, 1);
    echo "'$return_value' == '$expected_value' => {$compare}\n" ;
}

echo "Function value == Expected Value => same strings?\n";

// This works with $data == 'IA000001'
$data = 'IA000001';
$resultado_function = @openssl_encrypt($data, 'DES3', $key, OPENSSL_ZERO_PADDING);
test_results($expected_result, $resultado_function); // true

// but if I change string value (i.e. $data == 'IA000001T')
// openssl function fail:
//  error:0607F08A:digital envelope routines:EVP_EncryptFinal_ex:data not multiple of block length
$data = 'IA000001T';
$resultado_function = @openssl_encrypt($data, 'DES3', $key, OPENSSL_ZERO_PADDING);

// if change options to OPENSSL_RAW_DATA, errors gone, but strings aren't equals
$data = 'IA000001';
$resultado_function = @openssl_encrypt($data, 'DES3', $key, OPENSSL_RAW_DATA);
test_results($expected_result, $resultado_function); // false

// results are encoded in base64? not equal, but almost equal
$resultado_function = @openssl_encrypt($data, 'DES3', $key, OPENSSL_RAW_DATA);
$decoded_result = base64_encode($resultado_function);
test_results($expected_result, $decoded_result); // false but...

// Compare the firsts 11 chars:
// aVR5J/0Lph0=
// aVR5J/0Lph05HiLWyHnDqg==
//          ^-- Until this char, the strings are equal.

What am I doing wrong? Block size? not encoded key or data?

Note: I have not control over web service implementation.

John Conde · Accepted Answer · 2020-04-25T23:14:49.500

I am not an encryption guru but had to solve a similar problem when switching from mcrypt to openssl recently. I believe your data needs to be of a length that is divisible by eight (i.e. blocks of 8 characters). That string is nine characters long and not 8 or sixteen so you get this error.

You can overcome this by padding it with null characters to get to the desired length (i.e. a multiple of 8).

I wrapped the encryption code into a function to better encapsulate the logic:

$key = '1234567890123456ABCDEFGH';
$expected_result = 'aVR5J/0Lph0=';

function test_results($expected_value, $return_value) {
    echo openssl_error_string() . "\n";
    $compare = var_export($return_value == $expected_value, 1);
    echo "'$return_value' == '$expected_value' => {$compare}\n" ;
}

function encrypt($text, $key) {
    $block_size = 8;
    if (strlen($text) % $block_size) {
        $text = str_pad($text, strlen($text) + $block_size - strlen($text) % $block_size, "\0");
    }
    return base64_encode(@openssl_encrypt($text, 'DES3', $key, OPENSSL_RAW_DATA | OPENSSL_NO_PADDING));
}

foreach (['IA000001', 'IA000001T'] as $data) {
    $resultado_function = encrypt($data, $key);
    test_results($expected_result, $resultado_function);
}

Output:

'aVR5J/0Lph0=' == 'aVR5J/0Lph0=' => true

'aVR5J/0Lph21RT9SWL7RSg==' == 'aVR5J/0Lph0=' => false

Problems with DES3 method in PHP openssl library

1 Answers1