Bug in internal Kodular encryption module

Found a bug in internal Kodular AES256 encryption module

I have made a test app. In the companion as in the apk, AES 256 fails both times.

AES128 is functioning.

encryption_test.aia (3.8 KB)

1 Like

Thanks for reporting it :+1:
I’ll change how we generate AES 256 so I can check if it’s a problem of how we do now


The behavior of the AES128-key is not in line with expectations.

  • When I use a key not exactly 16 characters long, the AES128 encryption result is ‘empty’.
  • When I use a key exactly 16 characters long, the AES128 encryption works.

It seems to me that 16 hexadecimal characters (=128 bits) are expected, But when I change one of the originally choosen characters (1234567890123456) in a random character (change the 6 in a %), the encryption still works. As long as the key length stays 16 characters long, it is excepted. That is not a normal situation, because I do not know the strength of the encryption key.

How about the AES256 key, because I expect the length to be 32 hex characters (=256 bits) and which characters are excepted for the key?

I believe that is correct and the algorithm requires 128 bits


The module requires 16 characters, but not 16 hexadecimal characters, so the key is not guaranteed to be 128 bits.
The key (hexadecimal) 123456789ABCDEF is accepted but also 123456789% BCDEF and the last one is not hexadecimal. This way the module requires 16 characters.

dear friend, plataform of kodular has been update a couple days ago and aren’t same result’s. Look

encrypt aes128 result are diferent to before last days. I stay very interesting in understand new algorit or modifications to compatibili with myself other devices

@cs_omar We had issues-report on AES 128/256 encryption / decryption and as result put in updates for it. Are you having issue decrypting to get back the original text? Is this for both 128 and 256? While waiting for your response, we’ll check into it.

Update: Here is a quick test that I just ran (using latest companion):

1 Like

Thanks for response. Look, before that update, my devices and my app were comunicate without problem. Encrypt responded of app was same of my devices and onlinetool aes128 encryptation. Now (after kodulaar platform was updated ), encode aes128 get another response, like algoritm was modify. look this is encriptation in my devices
i confirm with online tool image
but in app not same response
image .

Encrypt decrypt working fine, but internal algorithm has changed. my first impression is a special process internal for key.
Please we need modify or know why aes128 module does not match anymore.

We might be using a different algorithm than the online tool. I’ll check into it.

UPDATE: My further investigation shows, that these online tools are using AES Cipher NOT AES/CBC/PKCS5PADDING, even though they say that they are actually using AES/CBC/PKCS5PADDING

Before the update of kodular, it worked and they matched all results.

Some special treatment internal to key before use to encrypt?.

Anyway, for the blocks encrypt decrypt it work fine. But, i have to equal change in my external devices. Thit is tha situation.

Or some other padding method https://www.cryptosys.net/pki/manpki/pki_paddingschemes.html
because me too use PKCS5PADDING, and was comatible. but no more.

Update: I found it. Now blocks are using optional IV in encryptation process.

1 Like

Internal algorithm is changed by them from AES ECB to AES CBC. Now it’s working for 128 bit. It’s not working for 256 bit

What is optional IV set inside?

Does anybody know the IV (=initialization vector) in the meanwhile? :slightly_smiling_face: