How to Do Aes Decryption Using Openssl

How to use OpenSSL to encrypt/decrypt files?

Security Warning: AES-256-CBC does not provide authenticated encryption and is vulnerable to padding oracle attacks. You should use something like age instead.

Encrypt:

openssl aes-256-cbc -a -salt -pbkdf2 -in secrets.txt -out secrets.txt.enc

Decrypt:

openssl aes-256-cbc -d -a -pbkdf2 -in secrets.txt.enc -out secrets.txt.new

More details on the various flags

AES-256 encryption/decryption

Convert Key and IV to HEX.

echo g+rR+egh2MCHFnYe0XJM7g== | openssl enc -d -a -aes-256-cbc -nosalt -out deco.dec -p -K 3342314332444441413837324632384134434443423333323433393435363942  -iv 30303030303030303030303030303030

OpenSSL expects the Key and IV in HEX. When you provide Key as 3B1C2DDAA872F28A4CDCB3324394569B , it is padded with addtional zeros to make it

"3B1C2DDAA872F28A4CDCB3324394569B00000000000000000000000000000000".

Similarly IV is converted to

"00000000000000000000000000000000".

Hence OpenSSL ends up using wrong key and IV and decryption fails even though you provided the correct ones.

Note : Pass flag "-p" and openSSL will show what Key and IV are used.

How to encrypt a file so that OpenSSL can decrypt it without providing the IV manually

In order to decrypt an AES encrypted file you need both key and IV. IV is not a secret and is usually store at the encrypted file.

OpenSSL uses a key derivation function to generate these two using the provided password and a random salt. then after encryption it stores the salt at the header of the file with Salted__ prefix, so at the decryption it could use it along with the password to produce the same key and IV.

package main

import (
    "crypto/aes"
    "crypto/cipher"
    "crypto/rand"
    "crypto/sha256"
    "io"
    "os"
    "golang.org/x/crypto/pbkdf2"
)

func main() {

    keySize := 32;
    // its only for demonstration purpose
    password := []byte("TESTPASSWORD1234TESTPASSWORD1234");
    bReader, err := os.Open("doc.docx")
    defer bReader.Close();
    if err != nil {
        panic(err)
    }

    salt := make([]byte, 8)
    if _, err := io.ReadFull(rand.Reader, salt[:]); err != nil {
        panic(err)
    }

    computed := pbkdf2.Key(password, salt, 10000, keySize + aes.BlockSize , sha256.New)
    key := computed[:keySize]
    iv := computed[keySize:]

    block, err := aes.NewCipher(key)                                    
    if err != nil {
        panic(err)
    }
    stream := cipher.NewOFB(block, iv)

    bWriter, err := os.Create("doc-encrypted.docx")
    if err != nil {
        panic(err)
    }
    defer bWriter.Close()

    prefix := []byte("Salted__");
    header := append(prefix[:], salt...);
  bWriter.Write(header)
    sWriter := &cipher.StreamWriter{S: stream, W: bWriter}
    if _, err := io.Copy(sWriter, bReader); err != nil {
        panic(err)
    }

}

and you can decrypt it with openssl enc -in doc-encrypted.docx -out doc-decrypted.docx -d -aes-256-ofb -pbkdf2 -pass pass:TESTPASSWORD1234TESTPASSWORD1234

How to do AES decryption using OpenSSL

There's no size given because the block sizes for AES are fixed based on the key size; you've found the ECB mode implementation, which isn't suitable for direct use (except as a teaching tool).

ECB, CBC, CFB128, etc, are all short names for the modes of operation that are in common use. They have different properties, but if you never touch ECB mode, you should be alright.

I suggest staying further away from the low-level code; use the EVP_* interfaces instead, if you can, and you can move some of these decisions into a text configuration file, so your users could easily select between the different ciphers, block sizes, and modes of operation if there should ever be a good reason to change away from the defaults.

My sympathies, OpenSSL documentation feels worse than it is, and it isn't that great. You may find Network Security with OpenSSL a useful book. I wish I had found it sooner the last time I needed to use OpenSSL. (Don't let the silly title fool you -- it should have been titled just "OpenSSL". Oh well.)

Edit I forgot to mention the initialization vectors. They are used to make sure that if you encrypt the same data using the same key, the ciphertext won't be identical. You need the IV to decrypt the data, but you don't need to keep the IV secret. You should either generate one randomly for each session (and send it along with an RSA or El Gamal or DH-encrypted session key) or generate it identically on both endpoints, or store it locally with the file, something like that.

Openssl aes-256-cbc encryption from command prompt and decryption in PHP (and vice versa)

The OpenSSL statement generates a random 8 bytes salt during encryption, which is used together with the password to derive a 32 bytes key and a 16 bytes IV with the OpenSSL function EVP_BytesToKey().

With key and IV the encryption is performed with AES-256 in CBC mode. The result consists of the concatenation of the ASCII encoding of Salted__, followed by the salt and the actual ciphertext, all Base64 encoded.

The decryption in PHP/OpenSSL must be implemented as follows:

  • Determination of salt and actual ciphertext.
  • Using salt, password and EVP_BytesToKey() to get key and IV.
  • Using key and IV to perform decryption with AES-256 in CBC mode.

One possible implementation is:

<?php
function EVP_BytesToKey($salt, $password) {
    $bytes = '';
    $last = '';
    while(strlen($bytes) < 48) {
        $last = hash('md5', $last . $password . $salt, true);
        $bytes.= $last;
    }
    return $bytes;
} 
    
$saltCiphertext = base64_decode('U2FsdGVkX18ruQUgA9LEOOvdOUQXv/o8z6ZNO820MKzSIbMjFcyfNo1efQwAOINxMY9+UxZjxaT+JEWmlUyYQw==');
$salt = substr($saltCiphertext, 8, 8);
$ciphertext = substr($saltCiphertext, 16);
$keyIv = EVP_BytesToKey($salt, 'sw8/M!CLl:=cmgtHts?v/Wb7C$Vk9Sy-{go.*+E;[GAg~KQi*rI!1#z;x/KT');
$key = substr($keyIv, 0, 32);
$iv = substr($keyIv, 32);
echo openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv); // {un:est@test.com,upass:klkKJS*dfd!j@d76w}
?>

In earlier versions OpenSSL used MD5 as digest in EVP_BytesToKey() by default, from version V1.1.0 SHA256. In the posted example, decryption with MD5 is successful, so obviously MD5 was used in encryption.

Note that key derivation with EVP_BytesToKey() is deemed insecure nowadays.


Related Topics

Purpose of Explicit Default Constructors

Stringify Template Arguments

What Optimization Does Move Semantics Provide If We Already Have Rvo

The Std::Transform-Like Function That Returns Transformed Container

Virtual Inheritance: Error: No Unique Final Overrider

How to Build Openssl with Mingw in Windows

What Are _Mm_Prefetch() Locality Hints

What's a Good and Stable C++ Tree Implementation

How to Wrap Around a Range

How to Use Capturestackbacktrace to Capture the Exception Stack, Not the Calling Stack

Calling C++ from Objective-C

C++ Remove_If on a Vector of Objects

How to Use Unicode in C++

How to Build Libcxx and Libcxxabi by Clang on Centos 7

What Is Void* and to What Variables/Objects It Can Point To

Propagate Constness to Data Pointed by Member Variables

Advice on Mocking System Calls

Possible to Add an Imported Library to Target_Link_Libraries That Takes Care of Include Directories Too


Leave a reply



Submit