Encryptor | A password encryptor package for Linux | Encryption library

GCM is a stream cipher mode and therefore does not require padding. During encryption, an authentication tag is implicitly generated, which is used for authentication during decryption. Also, an IV/nonce of 12 bytes is recommended for GCM.

The posted Python code unnecessarily pads and doesn't take the authentication tag into account, unlike the JavaScript code, which may be the main reason for the different ciphertexts. Whether this is the only reason and whether the JavaScript code implements GCM correctly, is difficult to say, since the getMessageEncoding() method was not posted, so testing this was not possible.

Also, both codes apply a 16 bytes IV/nonce instead of the recommended 12 bytes IV/nonce.

Cryptography offers two possible implementations for GCM. One implementation uses the architecture of the non-authenticating modes like CBC. The posted Python code applies this design, but does not take authentication into account and therefore implements GCM incompletely. A correct example for this design can be found here.
Cryptography generally recommends the other approach for GCM (s. the Danger note), namely the AESGCM class, which performs implicit authentication so that this cannot be accidentally forgotten or incorrectly implemented.

The following implementation uses the AESGCM class (and also takes into account the optional additional authenticated data):

The referenced Python code uses P-384 (aka secp384r1) as elliptic curve. This is compatible with the WebCrypto API, which supports three curves P-256 (aka secp256r1), P-384 and P-521 (aka secp521r1), see EcKeyImportParams.

The following WebCrypto code generates a shared secret using ECDH and derives an AES key from the shared secret using HKDF. In detail the following happens:

• To allow comparison of the derived key with that of the referenced Python code, predefined EC keys are applied. The private key is imported as PKCS#8, the public key as X.509/SPKI. Note that due to a Firefox bug concerning the import of EC keys, the script below cannot be run in the Firefox browser.
• After the import the shared secret is created with ECDH using deriveBits() (and not deriveKey()).
• The shared secret is imported with importKey() and then the AES key is derived using HKDF, again with deriveBits().

The VB code derives the key from the passhprase with MD5. TripleDES (aka 3DES) with a 16 bytes key (2TDEA) is used as the algorithm. ECB is applied as the mode. A possible decryption with CryptoJS is:

The C and C# code differ only in the IV. In the C code, EVP_EncryptInit_ex() passes a NULL as 5th parameter, which results in a zero IV, i.e. an IV consisting only of 0x00 values. In contrast, the C# code uses a random IV created when Aes.Create() is called.

The C# code is therefore functionally identical to the C code if a zero vector is applied in the C# code. To do this, add below the line aesAlg.Key = key:

Encryption uses the recipient's public key so that only the recipient can decrypt the ciphertext with their private key. In contrast, signing uses the signer's private key, whereby verification is performed with the associated public key. In the given case a message is to be encrypted, so the recipient's public key is to be applied.

In the posted code, the import of the key with RSA.import_key() is missing, which causes the error. If the import is added, the encryption is successful:

In the tempEncrypt() method, I had to close the file then re-open using File.OpenRead() for it to decrypt properly. I guess test.txt was still empty even though I used file.Write() to write to the file. Here is the working method:

The posted C++ code is fine. It returns the posted ciphertext STpu...0lWJ on my machine and the ciphertext can be decrypted with the decrypt() method.

In contrast, although the posted C# code returns the posted ciphertext tIDl...RoEM=, the ciphertext cannot be decrypted using the Decrypt() method. This has two reasons:

• In the Encrypt() and in the Decrypt() method different keys are used. The key of the Decrypt() method matches the key applied in the C++ code. With regard to a comparison of the ciphertexts of both codes, the key in the Encrypt() method should be replaced.
• The ciphertext is Base64 encoded in the Encrypt() method, but not Base64 decoded in the Decrypt() method (but ASCII encoded instead). Here a Base64 decoding must be done in the Decrypt() method (note that an ASCII decoding in the Encrypt() method is not an alternative, since this would corrupt the ciphertext).

If these two bugs are fixed, the ciphertexts of C++ and C# code match except for the end. This last mismatch is caused by different paddings. In the C++ code PKCS7 padding is used, in the C# code Zero padding. If the padding in the C# code (in the Encrypt() and Decrypt() methods) is changed to PaddingMode.PKCS7, the ciphertexts match.

Other problems in the C# code are:

• In the Encrypt() method Encoding.Default is used, in the Decrypt() method Encoding.ASCII. Here a consistent encoding, e.g. Encoding.UTF8 should be applied.
• The specified 128-bit key size is not consistent with the 256-bit key used. This has no effect because the explicit key specification automatically corrects the key size (nevertheless, the key size should be specified correctly or completely omitted).

Also, it should be noted that a static IV is insecure (for testing purposes, of course, that's OK).

In the first code snippet, you've assigned values to the Key and IV properties of the symmetric algorithm object so you don't need to pass them again when you create the crypto transform. In this case, use the parameterless overload which uses the already assigned Key and IV to create the encryptor/decryptor.

You have two issues here:

Problem 1: You try to read the result before it is ready. You need to close the StreamWriter first: