AES-128 success of decryption in PHP depends on the length of encrypted string?? (sent from iOS xcode)

Question

1. I followed : https://tharindufit.wordpress.com/2011/12/15/aes128-encryption-in-ios-and-decryption-in-php/ to develop client encryption in Xcode and server decryption in PHP.

2. i used the key : 0123456789abcdef, which is 16-bytes long as required for AES128.

3. But if the user of the app enters a password that is either too long or too short,

the server can't decrypt it.

Why is that?? What makes this happen?? Decryption fails if the encrypted string is either too long to too short.

My exact code is below. You can copy & paste the codes and it'll work.

Client-side in Xcode:

#import "ViewController.h"
#import "NSString+AESCrypt.h"

static NSString *const KEY = @"0123456789abcdef";

@interface ViewController (){
    NSString *rawPassword;
    NSMutableData *receivedData;
}

@end

@implementation ViewController

- (void)viewDidLoad {
    [super viewDidLoad];
} 
- (IBAction)send:(UIButton *)sender {
    rawPassword = @"passwordHere";
    [self sendRequest];
}

- (void) sendRequest {
    NSString *rawUserid = @"useridHere";

    // Encrypt with key
    NSString *encoded_usr = [rawUserid AES128EncryptWithKey: KEY];
    NSString *encoded_pwd = [rawPassword AES128EncryptWithKey: KEY];

    NSString *parameter = [NSString stringWithFormat:
              @"userid=%@&password=%@",encoded_usr, encoded_pwd];

    NSLog(@"sending:%@", parameter);
    NSData *parameterData = [parameter dataUsingEncoding:NSUTF8StringEncoding];

    NSURL *url = [NSURL URLWithString: @"http://mywebsite.com/server.php"];
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
    [request setHTTPBody:parameterData];

    [request setHTTPMethod:@"POST"];
    [request addValue: @"application/x-www-form-urlencoded; charset=utf-8"  forHTTPHeaderField:@"Content-Type"];
    NSURLConnection *connection = [[NSURLConnection alloc]initWithRequest:request delegate:self];


    if(connection){
        receivedData = [[NSMutableData alloc]init];
        NSLog(@"CONNECTING");
    } else {
        NSLog(@"NO CONNECTING");
    }
}

#pragma mark NSURLConnection delegates
-(void) connection:(NSURLConnection *)connection didReceiveResponse:(NSURLResponse *)response
{
    [receivedData setLength:0];
}
-(void) connection:(NSURLConnection *)connection didReceiveData:(NSData *)data
{
    [receivedData appendData:data];
}
-(void) connection:(NSURLConnection *)connection didFailWithError:(NSError *)error
{
    NSLog(@"CONNECTION FAILED");
    return;
 }
-(void) connectionDidFinishLoading:(NSURLConnection *)connection
 {
    NSString* newStr = [[NSString alloc] initWithData:receivedData encoding:NSUTF8StringEncoding];
    NSLog(@"connectionDidFinishLoading:%@", newStr);
 }
 @end

Server-side PHP:

<?php

$encoded_pwd = $_POST['password'];
$encoded_usr = $_POST['userid'];
$device      = $_POST['device'];

$decoded_pwd = decrypt_password( $encoded_pwd , "0123456789abcdef");
$decoded_usr = decrypt_password( $encoded_usr , "0123456789abcdef");

echo "decoded userid:".$decoded_usr."  decoded password:".$decoded_pwd;

function decrypt_password($pass,$key)
{
 $base64encoded_ciphertext = $pass;

 $res_non = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($base64encoded_ciphertext), MCRYPT_MODE_ECB);

 $decrypted = $res_non;
 $dec_s2 = strlen($decrypted);

 $padding = ord($decrypted[$dec_s2-1]);
 $decrypted = substr($decrypted, 0, -$padding);

 return  $decrypted;
}
?>

Answer 1

The problem is embedded in your question. A password is not a key. A key for AES needs to be 16, 24 or 32 bytes (for AES-128, AES-192 and AES-256 respectively). Furthermore, those bytes should be indistinguishable from random. This is not the case for passwords as passwords consist of specific characters.

To use a password as key you need to run a password based key derivation function or PBKDF. Well known ones are bcrypt and PBKDF2.

Alternatively you could have the user type in 32 hex characters and decode that to a 16 byte key. Note though that most persons won't be able to remember 32 hex digits.