About AES-256-CBC and keys

Hi TMS Crypto people. We are suscribers using your whole TMS pack.

We have this littel question: we have to make a development with these specifications. Below is our attempt.

-API-key encryption:

* The AES-256-CBC algorithm must be used.
* A specific key provided by us that you will use as a 
password encryption.
* You also need a value called IV (Initialization Vector), 
which must be generated randomly for each request.

- Data to send in the request headers:

* x-api-key: The result of encrypting the api-key.
* x-iv: The Initialization Vector used for encryption, 
converted to hexadecimal format.

All requests will ask you to send those two fields in the 
headers, the api-key of the client has to travel encrypted, 
we are going to decrypt it to be able to use it

The key you have to use to encrypt it is this 
“p@55w0rdu1tr@s3cr3t0”

The x-api-key is 
“317301cc6cbbc-87e144ce-9ed2-a397192j9900”

Ok: What we did

var
 aes: TAESEncryption;
 cipher: string;

begin
 aes:= TAESEncryption.Create;
 aes.AType:= atCBC;
 aes.KeyLength:= kl256;
 aes.Unicode := yesUni;

 aes.Key:= ‘p@55w0rdu1tr@s3cr3t0’;  //here the key…

 aes.OutputFormat:=hexa;
 aes.PaddingMode:= TpaddingMode.PKCS7;
 aes.IVMode:= TIVMode.rand;  //test says so

 cipher:= aes.Encrypt(‘317301cc6cbbc-87e144ce-9ed2-a397192j9900’);
 aes.Free;
end;

The problem is this error message

class ECryptoPack with message ‘Keylength incorrect, must be 32’.

The client gave us that key, but it is not 32 characters long.

We don’t know about the subject, what can we do?

Regards
Pablo Romero
Flexxus SA

Hi, the password has indeed 20 bytes only, which raises the exception.
You then have 3 solutions:

  • hash the password with SHA256 and use the result as the key
  • derive a key with PBKDF2 (or Argon2) and the password
  • pad the password with 12 extra bytes

In all cases, the specification is incomplete and you need to check with your customer.

1 Like