Encryption between Python & PHP

[Geoff Caplan]

Hi folks,

I am looking for a practical way of sending encrypted strings back and
forth between a Python HTTP client on Windoze and an Apache/PHP server
on Linux. I am looking for a simple, lightweight symmetrical solution
using, say, blowfish: SSL would be a last resort as I suspect it will
cause fairly major installation issues on the client.

Encryption in PHP uses a wrapper around the mcrypt C library.

There is a wrapper for mcrypt in Python, but I am having trouble
getting it installed on Windows: I have contacted the author for help.

Meanwhile, I do have SSLcrypto installed: this is a very neat and fast
library. Is there any way for SSLcrypto on Python to talk to mcrypt on
PHP? My first attempts have been unsuccessful.

I have little crypto knowledge, and at first I though that something
like blowfish was a standard and different libraries should be
compatible. Now I suspect that internal implementation varies between
libraries and you have to encrypt/decrypt with the same library. Can
anyone enlighten me?

 

[Dan Sommers]

I have little crypto knowledge, and at first I though that something
like blowfish was a standard and different libraries should be
compatible. Now I suspect that internal implementation varies between
libraries and you have to encrypt/decrypt with the same library. Can
anyone enlighten me?

I can't help much with your other questions, but I do know about this
one. By definition, blowfish is blowfish is blowfish. Any (properly
implemented) blowfish library will be compatible with another; if you
encode something with one library, you will be able to decode it with
the other. It is up to you to use the same key and to make sense of the
information once you decrypt it.

That said, yes, it is possible that the internal implementation details
may vary slightly between libraries, but not in ways that the user will
notice. Think of this like calculators: although calculators use
different hardware and different display devices, they all (should) give
the same answer to the same multiplication problem (keeping the
multiplications in question simple enough so as not to cause some sort
of underflow or overflow error or loss of precision; thankfully,
blowfish implementations do not suffer even this limitation).

HTH,
Dan

 

[Geoff Caplan]

Dan,

DS> I can't help much with your other questions, but I do know about this
DS> one. By definition, blowfish is blowfish is blowfish. Any (properly
DS> implemented) blowfish library will be compatible with another; if you
DS> encode something with one library, you will be able to decode it with
DS> the other.

Thanks for that. Looks like I should persist and track down the
problem. Perhaps something to do with the keys? When I try to
decrypt I am getting binary garbage out instead of an ascii string.

Any pointers about where to start looking would be welcome!

 

[Dan Sommers]

Dan,

Not just me, thank goodness. The entire Python community. ;-)

DS> I can't help much with your other questions, but I do know about this
DS> one. By definition, blowfish is blowfish is blowfish. Any (properly
DS> implemented) blowfish library will be compatible with another; if you
DS> encode something with one library, you will be able to decode it with
DS> the other.

Thanks for that. Looks like I should persist and track down the
problem. Perhaps something to do with the keys? When I try to
decrypt I am getting binary garbage out instead of an ascii string.

Any pointers about where to start looking would be welcome!

I guess the usual pointers apply: Create the absolute smallest program
that fails. Ask the vendors/authors of the library and/or programming
language you're using. Post/Email the code, the input, the actual
output, what you expected to be the output, and why you expected that
output.

I'm pretty sure that counterpane (blowfish' creator, IIRC) has test
vectors, too. If you can encrypt *or* decrypt them, but not both, that
points at one part of your application or another as well.

Regards,
Dan

 

[Bryan Olson]

> Looks like I should persist and track down the
> problem. Perhaps something to do with the keys? When I try to
> decrypt I am getting binary garbage out instead of an ascii string.
>
> Any pointers about where to start looking would be welcome!

First check the obvious: do you have exactly the same
key/IV/ciphertext.

If that's not it, the most popular bug in Blowfish
implementations is an endian dependency. It causes
implementations to be self-consistent, but ciphertext is not
portable between big-endian and little-endian machines. Bruce
Schneier's original implementation had the bug, and many others
followed.