AesBridge is a modern, secure and cross-language AES encryption library that supports CBC, GCM, and Legacy CBC modes. The goal is to ensure secure, interoperable encryption across multiple platforms and programming languages.
It is the spiritual successor of the AES Everywhere project, with updated cryptography standards and cleaner APIs.
- 🛡️ AES-256 encryption - Industry-standard 256-bit encryption
- 🔐 Multiple modes - GCM and CBC with HMAC
- 🔄 Legacy CBC - For backward compatibility with projects using AES Everywhere.
- 🌍 Cross-language compatibility - Unified implementation across languages
- ✨ Secure defaults - Modern modes use secure key derivation and cryptographic best practices
- ⭐ Authenticated encryption - GCM and CBC+HMAC modes provide integrity checking and tamper protection
- ✅ Tested interoperability - Verified compatibility between all implementations
- C++: AesBridge CPP
- C# (.NET): AesBridge .NET
- GO: AesBridge GO
- Java: AesBridge Java
- JavaScript: AesBridge JS
- PHP: AesBridge PHP
- Python: AesBridge Python
- Ruby: AesBridge Ruby
The following table compares the different encryption modes available in AesBridge, including their cryptographic primitives, key derivation, and output formats.
| Mode | Cipher | Hash Algo | KDF | Iterations | Output Structure | Authentication |
|---|---|---|---|---|---|---|
| GCM | AES-256-GCM | SHA256 | PBKDF2 | 100,000 | salt(16) + nonce(12) + ciphertext + tag(16) | GCM Tag (16 bytes) |
| CBC | AES-256-CBC | SHA256 | PBKDF2 | 100,000 | salt(16) + iv(16) + ciphertext + hmac(32) | HMAC-SHA256 (32 bytes) |
| Legacy CBC (deprecated) | AES-256-CBC | MD5 | Iterative MD5 | N/A | 'Salted__' + salt(8) + ciphertext | None |
- Mode: The encryption mode used.
- Cipher: The underlying AES variant.
- Hash Algo: The hash function used in key derivation or authentication.
- KDF: Key Derivation Function.
- Iterations: Number of iterations for key derivation (N/A for legacy mode as it uses a custom iterative MD5 approach).
- Output Structure: The binary format of the encrypted data (before optional base64 encoding). Note that in legacy mode, the IV is derived and not explicitly stored in the output.
- Authentication: Mechanism for integrity and authenticity checking. Legacy mode lacks authentication, making it vulnerable to tampering.
This comparison highlights the security improvements in modern modes (GCM and CBC) over the legacy mode, which is provided for compatibility purposes only. It is recommended to use GCM or CBC for new applications.
-
AES-256-GCM: A modern mode providing both encryption and built-in authentication via a tag for integrity checks. It supports associated data (non-encrypted but authenticated metadata) and offers high performance through parallelization. Best for new projects requiring maximum security and efficiency.
-
AES-256-CBC with HMAC: A proven mode for block encryption, enhanced with HMAC for authentication and integrity. It uses a secure Encrypt-then-MAC approach to verify data authenticity. Suitable for applications needing reliable encryption with explicit integrity verification.
-
Legacy CBC (backward compatibility): Do not use for encrypting new data. Replicates the behavior of older libraries like AES Everywhere for decrypting legacy data. It lacks built-in authentication, making it not secure; use only for compatibility, not new encryption.
Each implementation provides equivalent core methods with consistent behavior across languages. Method naming follows each language's conventions while maintaining functional parity.
| Base name | Mode | Format | Description |
|---|---|---|---|
encrypt_gcm() |
GCM | Base64 | Encrypt with GCM, return Base64-encoded |
decrypt_gcm() |
GCM | Base64 | Decrypt GCM Base64-encoded data |
encrypt_gcm_bin() |
GCM | Binary | Encrypt with GCM, return binary |
decrypt_gcm_bin() |
GCM | Binary | Decrypt GCM binary data |
encrypt_cbc() |
CBC | Base64 | Encrypt with CBC, return Base64-encoded |
decrypt_cbc() |
CBC | Base64 | Decrypt CBC Base64-encoded data |
encrypt_cbc_bin() |
CBC | Binary | Encrypt with CBC, return binary |
decrypt_cbc_bin() |
CBC | Binary | Decrypt CBC binary data |
encrypt_legacy() |
Legacy CBC | Base64 | Do not use for encrypting new data. Encrypt with AES Everywhere legacy format, return Base64-encoded. |
decrypt_legacy() |
Legacy CBC | Base64 | Decrypt with AES Everywhere legacy format, decrypts Base64-encoded data |
Base name in the table shows the core functionality in snake_case format, but actual implementations follow language-specific conventions, for example:
- C#:
AesBridge.Gcm.EncryptBin() - Go:
aesbridge.EncryptGCMBin() - Java:
AesBridge.GCM.encryptBin() - JavaScript:
encryptGcmBin() - PHP:
AesBridge\Gcm::encryptBin() - Python:
encrypt_gcm_bin() - Ruby:
AesBridge.encrypt_gcm_bin()
Each implementation contains its own README with exact syntax and usage examples.
This library provides full compatibility with the legacy AES Everywhere formats, including insecure cryptographic constructions. These are provided only to allow decryption of historical data.
We strongly discourage their use for any new encryption.
- 🔒 Use GCM or CBC with HMAC-SHA256 for new encryption
- 🔑 Always use a strong passphrase; weak passwords reduce encryption security
⚠️ Never use Legacy CBC mode unless decrypting old AES Everywhere data
All AesBridge implementations guarantee:
- Identical cryptographic behavior across all implementations
- Same parameter order (data, passphrase)
- Identical output formats (binary structure or Base64 encoding)
- Matching API structure (following language conventions)
- Interoperable encrypted data - encrypt in one language, decrypt in another
Each language repository includes comprehensive automated CI tests that verify:
- Correct encryption/decryption for all supported modes (GCM, CBC, Legacy CBC)
- Proper handling of both string and binary data inputs
- Consistent output formats across all implementations
To ensure perfect interoperability, all implementations share:
- Identical test data (plaintexts and passphrases)
- Pre-generated encrypted samples for all modes:
The main repository includes automated CI tests that verify interoperability across all implementations by Round-Trip Encryption/Decryption:
- Encrypts test data in each language
- Decrypts it in every other supported language
- Validates that the output matches the original input
This rigorous testing ensures bit-for-bit compatibility across all supported platforms.
AesBridge provides consistent, secure, and interoperable encryption across many languages, removing the need to reimplement crypto logic per platform. While libsodium/OpenSSL are great tools, they often differ in output formats, parameter ordering, and defaults. AesBridge solves that pain point.