codeigniterencryptionaessymmetric-key

Which key length is possible in Codeigniter encryption?


I am using CI's own encryption and need confirmation about key length used by AES-256 with CBC. I am using both 32 Bytes and 64 Bytes, and all is working. How about using a 128 Bytes (1024 bits) key?


Solution

  • AES has a fixed block size of 128 bit and supports key sizes of 128, 192 and 256 bit. It does not support key sizes of 512 bit (64 byte). Rijndael, which AES is based on, supports block sizes of 128, 192 and 256 bit with the same key sizes as AES.

    If you're using system/libraries/Encrypt.php, then you're using Rijndael-256 (default; not AES, because the block size (256) is different) with a key size of 256 bit. Every "key" that you pass in will be hashed with MD5 which is actually only 128 bit in size, but it is Hex-encoded and therefore needlessly inflated to 256 bit without extra security. Needless to say, this is rather old and should never be used anymore.

    If you're using system/libraries/Encryption.php, then you're using AES-128 (here 128 actually means the key size) with authentication. The key that you pass in is used for both encryption and authentication. The encryption key is derived from the passed key through HKDF with HMAC-SHA512, so it will be effectively hashed and then clamped to 128 bit. You should still need to pass at least 16 byte keys in to have 128 bit security.

    Although the key is hashed in both cases to get the appropriate size (it's actually bigger, but the underlying drivers take only the first byte that they need), don't try to pass in passwords, because they have much less entropy than real randomly generated keys of at least 16 bytes.

    How about using a 128 Bytes (1024 bits) key?

    This wouldn't give you more security, because the actual encryption key that is derived from the key you pass in is actually only 256 bit long.