Application of AES Encryption Algorithm

Common Symmetric Encryption Algorithm

Recently, I’ve been working on integrating third-party advertising bidding services. Most advertising platforms with bidding capabilities encrypt their bid prices using the AES algorithm.

When integrating with third parties, challenges arise due to varying encryption modes and the lack of SDKs (some only provide Java client code examples). Here are some practical approaches:

  • Use third-party validation tools like https://tool.lmeee.com/jiami/aes for cross-verification
  • Analyze Java code to identify critical encryption parameters:
    • Encryption Mode (ECB, CBC, CFB, OFB)
    • Padding Method (pkcs5padding, pkcs7padding, zeropadding)
    • Key Length (128-bit/8-char key, 192-bit/12-char key, 256-bit/16-char key)
    • IV (Initialization Vector - some require random values, others use fixed values)
    • Base64UrlSafe Encoding requirement for ciphertext

Practical Observations:

  1. ECB Dominance: Many platforms use ECB mode for simplicity despite security risks, as it requires only a key (no IV).
  2. CFB Implementation: Zhimeng (知盟) uses CFB with random keys but doesn’t validate IV parameters.
  3. CBC with Fixed IV: RuanGaoyun (软告云) employs CBC mode but reuses the key as IV for simplicity.

Pro Tip: Always verify if platforms require URL-safe Base64 encoding for encrypted payloads. This subtle requirement is a common integration pitfall.
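The parameters listed above (mode, padding, key length, IV, Base64 variant) can be captured as one profile per platform and checked with a local round trip. The following Node.js code is an added example, not code from the original post or from any platform's SDK; the profile shape, function names, key, IV and price are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical profile shape: { mode: 'ecb'|'cbc'|'cfb'|'ofb', iv, padding: 'pkcs7'|'zero', urlSafe }.
// The key is a Buffer; its length (16, 24 or 32 bytes) selects AES-128, -192 or -256.
function makeCipher(create, p, key) {
  const c = create(`aes-${key.length * 8}-${p.mode}`, key, p.mode === 'ecb' ? null : p.iv);
  if (p.padding === 'zero') c.setAutoPadding(false); // zero padding is applied by hand
  return c;
}

function encryptPrice(p, key, price) {
  let data = Buffer.from(price, 'utf8');
  if (p.padding === 'zero' && data.length % 16 !== 0) {
    data = Buffer.concat([data, Buffer.alloc(16 - (data.length % 16))]);
  }
  const c = makeCipher(crypto.createCipheriv, p, key);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return ct.toString(p.urlSafe ? 'base64url' : 'base64'); // base64url omits '=' padding
}

function decryptPrice(p, key, token) {
  // Check the alphabet explicitly: Buffer.from(..., 'base64') accepts both variants.
  const alphabet = p.urlSafe ? /^[A-Za-z0-9_-]+=*$/ : /^[A-Za-z0-9+\/]+=*$/;
  if (!alphabet.test(token)) throw new Error('unexpected Base64 alphabet');
  const c = makeCipher(crypto.createDecipheriv, p, key);
  // With PKCS#7, final() throws on bad padding, the usual result of a wrong key or mode.
  const pt = Buffer.concat([c.update(Buffer.from(token, 'base64')), c.final()]);
  const end = p.padding === 'zero' ? pt.indexOf(0) : -1; // cut at the first zero byte
  return (end === -1 ? pt : pt.subarray(0, end)).toString('utf8');
}

// Constructed sample data: a 16-byte key and the three setups described above.
const key = Buffer.from('0123456789abcdef');
const profiles = {
  ecb: { mode: 'ecb', padding: 'pkcs7', urlSafe: true },
  cfb: { mode: 'cfb', iv: Buffer.alloc(16, 7), padding: 'zero', urlSafe: false },
  cbcKeyAsIv: { mode: 'cbc', iv: key, padding: 'pkcs7', urlSafe: true },
};
for (const [name, p] of Object.entries(profiles)) {
  const token = encryptPrice(p, key, '1250');
  console.log(name, token, decryptPrice(p, key, token));
}
```

A token produced by a platform's Java sample can be passed to `decryptPrice` with the matching profile to confirm which parameters that platform uses.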