I'm trying to use Google's crypto-js package to AES encode data for submission to a payment portal (Sagepay using AES-128-CBC-PKCS5). The specifications of the software exactly match Sage's requirements EXCEPT they specify AES-128 encryption. The submissions are being rejected by Sage as gobbledygook however it's not clear why. The only thing I can think is that Sage provide a passphrase rather than a Hex string and it says in Google's documentation that use of a passphrase causes the software to default to AES-256 - does anyone know any way to force it to use AES-128 even with a passphrase? Also, crypto-js doesn't support PKCS5 however I've read elsewhere that PKCS7 is compatible, which is the crypto-js default.