There are 2 projects: a web project written in Python (Flask) and a desktop application, written in Delphi XE 5, for people who do not have network access. The Delphi application, in turn, can upload the results of working with the program to a file in JSON format. The file must be encrypted with AES for subsequent transfer to the web application, where it is decrypted and loaded into the database.

Question number 1: There are various online data encryption services; I will not even give links, there are a million of them. I am very surprised that each of them gives me a different result (the encrypted text looks different), although the same text and password are given to all of them. Why? (A 256-bit key is used everywhere, and the same encryption method.)

Question number 2: I turned to online services because I cannot decrypt in Python a file that was encrypted in Delphi, and vice versa, although each side can decrypt what it encrypted itself.

Share your assumptions...

  • It depends on what you use for encryption in Delphi. In my observation, the most correct thing to use, and the one that fits easily with implementations in Java, Objective-C and RoR, is the standard Windows API. DCPCrypt (the easiest to use) did not want to interoperate, alas. - kami
  • @kami DCPCrypt because it is clumsy and crooked; the implementation of almost half of the methods in it is far from the standard. - Vladimir Martyanov
  • Do these mean anything to you: the initialization vector (IV: why each file should have its own, and why the same text can look different when encrypted), the CFB and CTR modes? Show how you encrypt / decrypt (code similar to this). Besides the encryption options, there may be an error when reading the data from disk or when transmitting it over a network. Try to encrypt a small string with the specified key and add it to the question (as base64, say). - jfs
  • Also, as far as I know, when generating a key from a password a hash function is used, which can also be different for different services. - Alekcvp

1 answer

Different encryption results from different services arise for an obvious reason: differences in implementations. There is an encryption standard (PDF document), but in implementing it, some parts of the algorithm can be omitted or done in one's own way. Here is an article on Habr about an implementation of AES-128 in Python as an example. If you read the article, in its conclusion the author says directly that there is a nuance with encrypting the "tail" of the block if it is less than 16 bytes, and describes how he handled it. Another author implementing the same algorithm may well act differently and process the "tail" some other way, and in the end we get what seems to be two implementations of the same algorithm that will not work together. And this is just one example of such differences, and the likely cause of the problem you describe.

On the other hand, I am somewhat confused by the fact that you yourself say that there is

desktop application for people who do not have access to the network.

So why are you trying to work with online services if the desktop client does not have network access anyway?

In your situation, it seems to me, the solution would be to use the same implementation for both the web application and the desktop.

How exactly to do this is a different question. The first thing that comes to mind is an implementation via a DLL that is used in both places (if it is technically possible to hook the DLL up to your web application and call the encryption functions from it).

Or take a ready-made implementation of the encryption algorithm in one of the languages you named (for instance the same Python example linked above) and meticulously, methodically port it to the other language (Delphi). Even then, it seems to me, there is no guarantee of full compatibility just like that, for example because of differences in the implementation of types or in how memory is handled.

A third option could be to use another, more "friendly" algorithm, or your own encryption mechanism that only you know about. Or, in general, a different way of working with the data ([irony on] transferring the data in a password-protected 7z archive [irony off]).

  • Even the same implementation can return different results for the same text and key due to different initialization vectors and modes. - jfs
  • And what is bad about "transferring the data in a password-protected 7z archive", and why do you not recommend it? Why the irony? - Vlad Chapl
  • @VladChapl, it's not that bad; it's rather that this is the "old grandfather's method" that was relevant in the 90s-2000s and is now simply morally obsolete. Especially considering that there are now a lot of standards, algorithms and methods for secure data transmission. Let the gurus throw slippers at me, but cracking a password-protected 7z archive with a complex, long password does not seem like such a simple task to me. It is easier to intercept the password used for packing / unpacking. But that is another question. - BlackWitcher
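An added example (not from the question or the answer) of what the two sides actually have to agree on for a file to round-trip: the IV and chaining mode from jfs's comment, the password-to-key derivation from Alekcvp's comment, and the padding of the final short block that the answer calls the "tail". It uses PKCS#7 padding, PBKDF2-HMAC-SHA256 with an explicit salt and iteration count, CBC chaining, and a container that carries the salt and IV alongside the ciphertext; to stay standard-library only, an XOR stand-in (an assumption, labelled in the code) sits where the AES block function would go, so the framing, padding and key derivation are exactly what the Delphi side must reproduce byte for byte once real AES is plugged in.

```python
import hashlib, os

BLOCK = 16  # AES block size in bytes

def pkcs7_pad(data: bytes) -> bytes:
    # Always appends 1..16 bytes: a plaintext that already fills the last block
    # gets a whole extra block of 0x10. Both sides must use the same rule.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def derive_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # PBKDF2-HMAC-SHA256 -> 32-byte AES-256 key; hash, salt, iterations and encoding must match on both sides.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)

def xor_block(key: bytes, block: bytes) -> bytes:
    # Assumed stand-in for the AES block function (NOT a cipher) so this runs stdlib-only.
    return bytes(a ^ b for a, b in zip(block, key[:BLOCK]))

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes, block_fn=xor_block) -> bytes:
    out, prev = bytearray(), iv  # CBC: each block is XORed with the previous output
    for i in range(0, len(padded), BLOCK):
        prev = block_fn(key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out += prev
    return bytes(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes, inv_block_fn=xor_block) -> bytes:
    out, prev = bytearray(), iv  # inv_block_fn: inverse of the block cipher
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(inv_block_fn(key, blk), prev))
        prev = blk
    return bytes(out)

def encrypt_file(password: str, plaintext: bytes) -> bytes:
    # Container: salt (16) || IV (16) || ciphertext. A fresh salt and IV per file
    # is why the same text and password never give the same output twice.
    salt, iv = os.urandom(16), os.urandom(16)
    return salt + iv + cbc_encrypt(derive_key(password, salt), iv, pkcs7_pad(plaintext))

def decrypt_file(password: str, blob: bytes) -> bytes:
    salt, iv, ct = blob[:16], blob[16:32], blob[32:]
    return pkcs7_unpad(cbc_decrypt(derive_key(password, salt), iv, ct))
```

Two calls of `encrypt_file` with the same password and JSON give different bytes yet both decrypt, which is the behaviour the question observed across services; a mismatch in any of the four agreed parameters shows up as a `bad padding` error on the other side.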