Encrypting in PHP (mcrypt), Decrypting in Ruby (OpenSSL::Cipher)

Question

I'm working on a cross language project wrapping a ruby/Sinatra API in PHP to be consumed by another team. None of the information exposed by the API is sensitive, but we would prefer it not be easily accessible to a casual observer guessing the URL.

    private function generateSliceIDToken($key){
    $currentEpoch = time();
    $ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
    $iv = mcrypt_create_iv($ivSize, MCRYPT_RAND);
    $encryptedBytes = mcrypt_encrypt(
        MCRYPT_RIJNDAEL_128,
        $key,
        $currentEpoch.**Passcode**,
        MCRYPT_MODE_CBC, $iv
    );
    $ivAndEncryptedBytes = $iv . $encryptedBytes;

    return urlencode(urlencode(base64_encode($ivAndEncryptedBytes)));

The code above Encrypts a password and time stamp using mcrypt's RIJNDAEL implementation and encodes it to send off to the ruby API

if identifier.validate_token Base64.decode64(URI.unescape( URI.unescape(params[:token])))

Sinatra grabs it and decodes it

def validate_token(token)
  cipher = OpenSSL::Cipher::AES.new(128, 'CBC')
  cipher.decrypt
  cipher.key = **key**
  cipher.iv = token[0,16]

  plain = cipher.update(token[16..-1]) + cipher.final
  return plain[10,8] == **Passcode**
end

and passes it along to be decrypted

The problem is, the decryption fails with a 'Bad Decrypt' Error

I was lead to believe Mcrypt's RIJNDAEL and Cipher's AES were compatible, but is this assumption incorrect? Any help I can get one this would be most helpful.

Answer 1

I was lead to believe Mcrypt's RIJNDAEL and Cipher's AES were compatible, but is this assumption incorrect?

You need to slightly tweak data being encoded to make it AES compatible. Data must be right padded, with character and amount depending of its current width:

$encode = $currentEpoch.'**Passcode**';
$len = strlen($encode);
$pad = 16 - ($len % 16);
$encode .= str_repeat(chr($pad), $pad);

Also remember to have $key exactly 16 characters long. If it is shorter, ruby throws CipherError, while php pads key with null bytes. If it is longer, ruby uses only first 16 character but php pads it again, and uses last 16 characters.