New BaH.Crypto Release

BlitzMax Forums/Brucey's Modules/New BaH.Crypto Release

Brucey

(Posted 2009) [#1]

Version 1.03 adds AES encryption, and built-in stream support for message digests.

Windows users will probably need a copy of OpenSSL.

Some more information is available here and can be downloaded from here.

DavidDC

(Posted 2009) [#2]

Thanks for adding this Brucey!

Just a note to those using this mod for AES. You can test your output against a standardized list to make sure you are using the mod correctly. AES Known Answer Test (KAT) Vectors can be found on a link on this page.

Two examples for AES192 are:

	KEY = 000000000000000000000000000000000000000000000000
	IV = 00000000000000000000000000000000
	PLAINTEXT = 80000000000000000000000000000000
	CIPHERTEXT = 6cd02513e8d4dc986b4afe087a60bd0c


	COUNT = 127
	KEY = 000000000000000000000000000000000000000000000000
	IV = 00000000000000000000000000000000
	PLAINTEXT = ffffffffffffffffffffffffffffffff
	CIPHERTEXT = b13db4da1f718bc6904797c82bcf2d32

Also, just a heads up that according to this post, there apparently exists a decent attack for AES-256.

Windows users will probably need a copy of OpenSSL.

If you happen to be using a PostgreSQL db (and aren't we all?), then the .dll's you need will already be onboard. :-)

Finally, if you are feeling lazy and just want to AES some strings, the following code passes the tests above, *seems* to work and doesn't appear to leak (at least on my XP tests).

Disclaimer: I don't claim to understand AES - I've just fuddled my way through with this. If you use it, make sure you test it thoroughly!

SuperStrict

Import bah.Crypto
Import BRL.Retro

Rem
	bbdoc:   TAES
	about:   192 bit AES encryption/decryption
End Rem	
Type TAES Extends TBase

	' ----------------------------------------------------------------
	Rem
		bbdoc:   Null on error
			   _s_iv must be length 16, _s_key must be length 24
			   if _b_hex then assumes input string is a database textfield friendly hex string, eg "FFF0E1A08C02"
	End Rem	
	Function Decrypt192:String(_s_cipher_text:String, _s_key:String = "L97gspw1@jem!nm20eirqwK?", _s_iv:String = "k92jw73V9ik&uejy", _b_hex:Int = False)

		TStack.In("TAES.Decrypt192")
				
		Local s_plain_text:String
	
		'	If passed a (database text field friendly) hex string, convert it to a proper string
		If _b_hex Then _s_cipher_text = FromHex(_s_cipher_text)
		
		'	Safety checks		
		If Not _s_cipher_text
		
			TLog.Info("TAES.Decrypt192: Nothing to dencrypt")
			
		Else If Not _s_key
					
			TLog.Critical("TAES.Decrypt192: Missing key")

		Else If Not _s_iv
					
			TLog.Critical("TAES.Decrypt192: Missing iv")

			'	Valid key length
		Else	If _s_key.length <> 24 
		
			TLog.Critical("TAES.Decrypt192: INVALID key length, should be 24. Is actually:"+_s_key.length)
		
		Else	If _s_iv.length <> 16
			
			TLog.Critical("TAES.Decrypt192: INVALID iv length, should be 16. Is actually:"+_s_iv.length)

		'	Args OK, let's decrypt
		Else
						
			Local ctx:EVP_CIPHER_CTX = New EVP_CIPHER_CTX.Create()
			
			If ctx

				Local out_buffer:Byte[] = StringToByteArray(_s_cipher_text)
				Local out_length:Int = out_buffer.length
				Local temp_length:Int
				
				' Key and IV
				Local key:Byte[] 	= StringToByteArray(_s_key)
				Local iv:Byte[] 	= StringToByteArray(_s_iv)
					
				' +++++++++++++++++++++++++++++++++++++++
				' decrypt
				' +++++++++++++++++++++++++++++++++++++++
				Local in_buffer:Byte[] = out_buffer[..out_length]
				
				ctx.DecryptInit(EVP_CIPHER.aes_192_cbc(), Null, key, iv)
				
				'	Does not work throws an error
				'	If you have an exact multiple of 16 bits on plain text, you can use this
				'If Not (_s_cipher_text.length Mod 16) Then ctx.SetPadding(False)
									
				If Not ctx.DecryptUpdate(out_buffer, out_length, in_buffer, in_buffer.length) Then
				
					TLog.Critical("TAES.Decrypt192: ctx.DecryptUpdate FAILED out_length:"+out_length)
						
				Else If Not ctx.DecryptFinal(Varptr(out_buffer)[out_length], temp_length) Then
					
					TLog.Critical("TAES.Decrypt192: ctx.DecryptFINAL FAILED")
				Else
				
					out_length :+ temp_length
					s_plain_text = String.FromBytes(out_buffer, out_length)
				
				EndIf
				
				ctx.Cleanup()
			
			EndIf ' if ctx
					
		EndIf

		Return s_plain_text
		
	End Function
	
	' ----------------------------------------------------------------
	Rem
		bbdoc:   returns 192 bit AES encrypted equivalent of plain text, Null on error
			   _s_iv must be length 16, _s_key must be length 24
			   if _b_hex then output string is a database textfield friendly hex string, eg "FFF0E1A08C02"
	End Rem	
	Function Encrypt192:String(_s_plain_text:String, _s_key:String = "L97gspw1@jem!nm20eirqwK?", _s_iv:String = "k92jw73V9ik&uejy", _b_hex:Int = False)

		TStack.In("TAES.Encrypt192")
				
		Local s_encrypted:String
		
		'	Safety checks		
		If Not _s_plain_text
		
			TLog.Info("TAES.Encrypt192: Nothing to encrypt")
			
		Else If Not _s_key
					
			TLog.Critical("TAES.Encrypt192: Missing key")

		Else If Not _s_iv
					
			TLog.Critical("TAES.Encrypt192: Missing iv")

			'	Valid key length
		Else	If _s_key.length <> 24 
		
			TLog.Critical("TAES.Encrypt192: INVALID key length, should be 24. Is actually:"+_s_key.length)
		
		Else	If _s_iv.length <> 16
			
			TLog.Critical("TAES.Encrypt192: INVALID iv length, should be 16. Is actually:"+_s_iv.length)

		'	Args OK, let's encrypt
		Else
				'	Ensure we have plenty of room for the result
				Local out_buffer:Byte[1024 + _s_plain_text.length]
				Local out_length:Int
				Local temp_length:Int
					
				' Key and IV (initialization vector)
				Local key:Byte[] 	= StringToByteArray(_s_key)
				Local iv:Byte[] 	= StringToByteArray(_s_iv)
										
				' +++++++++++++++++++++++++++++++++++++++
				' encrypt
				' +++++++++++++++++++++++++++++++++++++++
				
				'	Create the cipher context
				Local ctx:EVP_CIPHER_CTX = New EVP_CIPHER_CTX.Create()
				
				'	Safety 
				If ctx
								
					'	Initialise the cipher context, flagging we want 192 bit AES with cipher block chaining
					ctx.EncryptInit(EVP_CIPHER.aes_192_cbc(), Null, key, iv)
					
					'	Commented out as I don't know how to decrypt an unpadded cipher string
					'	If you have an exact multiple of 16 bits on plain text, you can use this
					'If Not (_s_plain_text.length Mod 16) Then ctx.SetPadding(False)
					
					'	Run the initial encrypt pass
					If Not ctx.EncryptUpdate(out_buffer, out_length, _s_plain_text, _s_plain_text.length) Then
					
						TLog.Critical("TAES.Encrypt192: ctx.EncryptUpdate FAILED.")
					
					' 	Finalise encryption. 	
					Else	If Not ctx.EncryptFinal(Varptr(out_buffer)[out_length], temp_length) Then
	
						TLog.Critical("TAES.Encrypt192: ctx.EncryptFinal FAILED. out_length:" +out_length)
		
					'	Encryption OK
					Else
					
						'	Take into account finalised additions
						out_length :+ temp_length
					
						'	What we have been trying to achieve: the encrypted string
						s_encrypted = String.FromBytes(out_buffer, out_length)
						
						If _b_hex Then s_encrypted = ToHex(s_encrypted)
						
					End If
					
					'	Release our cipher context					
					ctx.Cleanup()
					
				EndIf
								
		EndIf
			
		
		TStack.Out("TAES.Encrypt")
		
		Return s_encrypted
		
	End Function
	
	' ----------------------------------------------------------------
	Rem
		bbdoc:   Expects a string of hex values eg "FE0061EE1C" - undoes "ToHex"
	End Rem
	Function FromHex:String(_s_cipher_text:String)
	
		Local s_result:String
		
		TStack.In("TAES.FromHex")
	
		If _s_cipher_text
					
			'	Must be even number of chars as each hex value is 2 chars long eg EE, A0, 02, 18
			If Not (_s_cipher_text.length & 1)
											
				For Local loop:Int = 0 Until _s_cipher_text.length Step 2
					
					'	Convert from hex to a character 
					'	$49 -> "I"				
					s_result :+ Chr(Int("$"+_s_cipher_text[loop..loop+2]))
									
				Next
								
			EndIf
		
		EndIf
		
		TStack.Out("TAES.FromHex")
		
		Return s_result
	
	End Function

	' ----------------------------------------------------------------
	Rem
		bbdoc:   Takes any string and returns the hex-string equivalent
				e.g. "babble" -> "626162626C65"
	End Rem
	Function ToHex:String(_s_cipher_text:String)
	
		Local s_result:String
		
		TStack.In("TAES.ToHex")

		If _s_cipher_text
	
			Local result:Byte[] = StringToByteArray(_s_cipher_text)
						
			For Local loop:Int = 0 Until result.length
			
				Local s_hex:String = Hex(Int(result[loop]))
				
				'	The result is in the final two chars
				s_hex = s_hex[s_hex.length-2..]
		
				s_result = s_result + s_hex
			Next
		
		EndIf
		
		TStack.Out("TAES.ToHex")
		
		'Print "HEX:" +s_result
		
		Return s_result
	
	End Function
End Type

' Stubs
Type TStack
	Function In(_s_text:String) 
		'DebugLog "In: " +_s_text
	End Function
	Function Out(_s_text:String)	
		'DebugLog "Out: " +_s_text 
	End Function
End Type
Type TLog
	Function Critical(_s_text:String) DebugLog "Crit: " +_s_text; End Function
	Function Info(_s_text:String) DebugLog "Info: " +_s_text; End Function
End Type
Type TBase End Type

Don't forget to pass your own iv (initialisation vector) and pass!

Example:

SuperStrict
Import "AES.bmx" ' ie the file containing the TAES type

Local s_hex_text:String = "80000000000000000000000000000000"
Local s_key:String = TAES.FromHex("000000000000000000000000000000000000000000000000")
Local s_iv:String = TAES.FromHex("00000000000000000000000000000000")
Local s_plain_text:String = TAES.FromHex(s_hex_text)
Local s_cipher_text:String

'	We compare against this standard
Local s_standard:String = "6cd02513e8d4dc986b4afe087a60bd0c".ToUpper()

Print "HEX input plain text: " +s_hex_text

' Encrypt to hex string
s_cipher_text = TAES.Encrypt192(s_plain_text,s_key,s_iv,True)
Print "Encrypted:" +s_cipher_text
Print "Standard :" +s_standard

' Decrypt From Hex String
Print "Decrypted:" +TAES.ToHex(TAES.Decrypt192(s_cipher_text,s_key,s_iv, True))

' ** TEST against standard

'	The result is twice the expected length because padding is ON. ctx.SetPadding(False) to remove this, but then you need to have input an exact multiple of 16 bits
'	Also, I can't seem to decrypt an unpadded cipher string. Ideas welcome!
If s_cipher_text[..s_cipher_text.length/2] = s_standard
	Print "AES 192 is VALID!"
Else
	Print "AES 192 is *NOT* VALID!"
EndIf

' Final simple test
Print  TAES.Decrypt192(TAES.Encrypt192("The result is twice the expected length because padding is ON. ctx.SetPadding(False) to remove this, but then you need to have input an exact multiple of 16 bits"))

GW	(Posted 2009) [#3]

I use this one: http://www.blitzbasic.com/codearcs/codearcs.php?code=2292
From what i've read, its not as susceptible to attack as aes and some others.