Re: [openssl-users] openssl des-ede3-cbc does not match with Java one
Exactly, that's my point, I have to integrate with a third party API, so I can't do anything else but to send the ciphered text as expected.

Anyway, thanks for your explanation on this issue, I'll take it into account and try to contact third party support team.

Thanks.

2015-11-25 11:23 GMT+01:00 Viktor Dukhovni:

> On Wed, Nov 25, 2015 at 11:14:48AM +0100, David García wrote:
>
> > Viktor, you pointed me to the right way. I was missing the -nopad flag in
> > the openssl command.
>
> Not using padding is fragile and can lead to subtle data corruption.
> Perhaps not padding is safe and correct in your case, but I am
> skeptical and you should be too. If you're constrained to interoperate
> with existing code that is not padding, that code is questionable,
> but you may have no choice but to follow suit. If you're free to
> choose formats, you should probably pad.
>
> --
> Viktor.

--
David
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] openssl des-ede3-cbc does not match with Java one
On Wed, Nov 25, 2015 at 09:18:15AM +0100, David García wrote:

> H6cr2yN8oWV6AUY/JlknQw==

Decrypting in ECB mode you get:

    $ echo H6cr2yN8oWV6AUY/JlknQw== |
        openssl base64 -d |
        openssl enc -d -des-ede3 -K 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -nopad |
        hexdump -ve '/1 "%02x"'; echo
    3030353836332fa02cdc247ba662

> but is not exactly the same result I get for the same input in my Java and
> PHP examples. In those ones I get:
>
> H6cr2yN8oWUVY3a6/Vaaow==

Decrypting in ECB mode you get:

    $ echo H6cr2yN8oWUVY3a6/Vaaow== |
        openssl base64 -d |
        openssl enc -d -des-ede3 -K 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -nopad |
        hexdump -ve '/1 "%02x"'; echo
    3030353836332fa72bdb237ca165

The initial 8-byte blocks are identical, but the trailing blocks differ subtly. The hexdump of the OpenSSL ciphertext is:

    $ echo H6cr2yN8oWV6AUY/JlknQw== |
        openssl base64 -d |
        hexdump -ve '/1 "%02x"'; echo
    1fa72bdb237ca1657a01463f26592743

If you XOR the common first block of ciphertext into each of the second decrypted blocks you get:

    $ perl -le '
        for ( (0x2fa02cdc247ba662, 0x2fa72bdb237ca165) ) {
            printf "%016x\n", ($_ ^ 0x1fa72bdb237ca165)
        }'
    3007070707070707
    3000

What you see is the effect of PKCS#5 padding in the case of OpenSSL, and zero-padding (which is not reversible and not suitable for encrypting ciphertext that is not a multiple of 8 bytes in length) in Java. You've failed to configure the correct padding mode.

--
Viktor.
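Added example, not part of the original thread: the CBC relation P2 = D(C2) XOR C1 that the message above applies with perl, redone in Python on the hex values quoted there, followed by a round trip on a constructed sample showing why zero padding cannot be reversed while PKCS#5 can. The function names are illustrative; no 3DES operation is performed, the ECB-decrypted blocks are taken as given.

```python
BLOCK = 8  # DES/3DES block size in bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pkcs5_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK        # 1..8: aligned input gains a full block
    return data + bytes([n]) * n

def pkcs5_unpad(padded: bytes) -> bytes:
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#5 padding")
    return padded[:-n]

def zero_pad(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % BLOCK)

def zero_unpad(padded: bytes) -> bytes:
    # Padding and genuine trailing zero bytes are indistinguishable here.
    return padded.rstrip(b"\x00")

def classify_tail(block: bytes) -> str:
    """Name the padding scheme visible in the last plaintext block."""
    n = block[-1]
    if 1 <= n <= BLOCK and block[-n:] == bytes([n]) * n:
        return f"pkcs5({n})"
    if n == 0:
        return f"zero({len(block) - len(block.rstrip(bytes(1)))})"
    return "unpadded-or-unknown"

# Hex values quoted in the message above.
C1 = bytes.fromhex("1fa72bdb237ca165")          # first ciphertext block (shared)
D2_OPENSSL = bytes.fromhex("2fa02cdc247ba662")  # ECB-decrypted block 2, OpenSSL
D2_JAVA = bytes.fromhex("2fa72bdb237ca165")     # ECB-decrypted block 2, Java/PHP

def recover_tails():
    # CBC decryption of block 2: P2 = D(C2) XOR C1
    return xor(D2_OPENSSL, C1), xor(D2_JAVA, C1)

if __name__ == "__main__":
    for name, tail in zip(("openssl", "java/php"), recover_tails()):
        print(f"{name:8} {tail.hex()} {classify_tail(tail)}")
    sample = b"\x01\x02\x00"             # constructed: data ending in a zero byte
    print("pkcs5 round trip ok:", pkcs5_unpad(pkcs5_pad(sample)) == sample)
    print("zero  round trip ok:", zero_unpad(zero_pad(sample)) == sample)
```

The zero-padding round trip loses the final byte of the constructed sample, which is the data corruption risk a receiver takes on when it strips trailing zeros.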
Re: [openssl-users] openssl des-ede3-cbc does not match with Java one
Viktor, you pointed me to the right way. I was missing the -nopad flag in the openssl command. I don't need to do the padding through the cipher algorithm because I do the 0 padding manually before executing the ciphering.

Now it matches. This is the command I am using (for this manual example I am providing an already multiple of 8 string, so I have removed the first char of the input string for testing):

    echo -n 05863330 | openssl enc -e -des-ede3-cbc -K 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv -nopad | openssl enc -base64

Thanks Viktor.

2015-11-25 10:39 GMT+01:00 Viktor Dukhovni:

> On Wed, Nov 25, 2015 at 09:18:15AM +0100, David García wrote:
>
> > H6cr2yN8oWV6AUY/JlknQw==
>
> Decrypting in ECB mode you get:
>
>     $ echo H6cr2yN8oWV6AUY/JlknQw== |
>         openssl base64 -d |
>         openssl enc -d -des-ede3 -K 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -nopad |
>         hexdump -ve '/1 "%02x"'; echo
>     3030353836332fa02cdc247ba662
>
> > but is not exactly the same result I get for the same input in my Java and
> > PHP examples. In those ones I get:
> >
> > H6cr2yN8oWUVY3a6/Vaaow==
>
> Decrypting in ECB mode you get:
>
>     $ echo H6cr2yN8oWUVY3a6/Vaaow== |
>         openssl base64 -d |
>         openssl enc -d -des-ede3 -K 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -nopad |
>         hexdump -ve '/1 "%02x"'; echo
>     3030353836332fa72bdb237ca165
>
> The initial 8-byte blocks are identical, but the trailing blocks
> differ subtly. The hexdump of the OpenSSL ciphertext is:
>
>     $ echo H6cr2yN8oWV6AUY/JlknQw== |
>         openssl base64 -d |
>         hexdump -ve '/1 "%02x"'; echo
>     1fa72bdb237ca1657a01463f26592743
>
> If you XOR the common first block of ciphertext into each of the
> second decrypted blocks you get:
>
>     $ perl -le '
>         for ( (0x2fa02cdc247ba662, 0x2fa72bdb237ca165) ) {
>             printf "%016x\n", ($_ ^ 0x1fa72bdb237ca165)
>         }'
>     3007070707070707
>     3000
>
> What you see is the effect of PKCS#5 padding in the case of OpenSSL,
> and zero-padding (which is not reversible and not suitable for
> encrypting ciphertext that is not a multiple of 8 bytes in length)
> in Java. You've failed to configure the correct padding mode.
>
> --
> Viktor.

--
David
Re: [openssl-users] openssl des-ede3-cbc does not match with Java one
On Wed, Nov 25, 2015 at 11:14:48AM +0100, David García wrote:

> Viktor, you pointed me to the right way. I was missing the -nopad flag in
> the openssl command.

Not using padding is fragile and can lead to subtle data corruption. Perhaps not padding is safe and correct in your case, but I am skeptical and you should be too. If you're constrained to interoperate with existing code that is not padding, that code is questionable, but you may have no choice but to follow suit. If you're free to choose formats, you should probably pad.

--
Viktor.
Re: [openssl-users] openssl des-ede3-cbc does not match with Java one
Thanks, you are right. I did a test with echo -n 005863330 and echo 005863330 and the last one adds the new line character. I also checked that openssl is not adding this new line character.

Now with this command:

    echo -n 005863330 | openssl enc -e -des-ede3-cbc -K 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv -nosalt | openssl enc -base64

I get:

    H6cr2yN8oWV6AUY/JlknQw==

but is not exactly the same result I get for the same input in my Java and PHP examples. In those ones I get:

    H6cr2yN8oWUVY3a6/Vaaow==

In the Java and PHP examples the input data is hardcoded in text:

    text "005863330"
    key "b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b"

Regards.

2015-11-24 18:19 GMT+01:00 Jay Foster:

> It is very likely that your text file also contains a newline at the end,
> so getting the same result as with the echo command would be expected. If
> it is indeed the newline that is making the difference, you could try using
> the echo command with the '-n' option to suppress it.
>
> Jay
>
> On 11/24/2015 9:12 AM, David García wrote:
>
> Sorry, still not getting the same result, now with the command:
>
> echo 005863330 | openssl enc -e -des-ede3-cbc -K
> 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv -nosalt |
> openssl enc -base64
>
> I get:
>
> H6cr2yN8oWXn2RxiDqnXLg==
>
> but I should get:
>
> H6cr2yN8oWUVY3a6/Vaaow==
>
> BTW I get the same result if the text in the echo is between '' or is read
> from a text file.
>
> 2015-11-24 18:07 GMT+01:00 David García:
>
>> You are right Viktor, that was my problem.
>>
>> Thank you very much for your help Viktor and Michael.
>>
>> 2015-11-24 18:00 GMT+01:00 Viktor Dukhovni <openssl-us...@dukhovni.org>:
>>
>>> On Tue, Nov 24, 2015 at 05:55:42PM +0100, David García wrote:
>>>
>>> > openssl enc -e -des-ede3-cbc -in myfile.txt -k
>>> > 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv -nosalt |
>>> > openssl enc -base64
>>>
>>> Please read Michael's message carefully. Note the comment about
>>> "-k" vs. "-K" (upper-case).
>>>
>>> --
>>> Viktor.
>>
>> --
>> David
>
> --
> David

--
David
Re: [openssl-users] openssl des-ede3-cbc does not match with Java one
It is very likely that your text file also contains a newline at the end, so getting the same result as with the echo command would be expected. If it is indeed the newline that is making the difference, you could try using the echo command with the '-n' option to suppress it.

Jay

On 11/24/2015 9:12 AM, David García wrote:

> Sorry, still not getting the same result, now with the command:
>
> echo 005863330 | openssl enc -e -des-ede3-cbc -K 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv -nosalt | openssl enc -base64
>
> I get:
>
> H6cr2yN8oWXn2RxiDqnXLg==
>
> but I should get:
>
> H6cr2yN8oWUVY3a6/Vaaow==
>
> BTW I get the same result if the text in the echo is between '' or is read from a text file.
>
> 2015-11-24 18:07 GMT+01:00 David García:
>
> > You are right Viktor, that was my problem.
> >
> > Thank you very much for your help Viktor and Michael.
> >
> > 2015-11-24 18:00 GMT+01:00 Viktor Dukhovni:
> >
> > > On Tue, Nov 24, 2015 at 05:55:42PM +0100, David García wrote:
> > >
> > > > openssl enc -e -des-ede3-cbc -in myfile.txt -k
> > > > 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv -nosalt |
> > > > openssl enc -base64
> > >
> > > Please read Michael's message carefully. Note the comment about
> > > "-k" vs. "-K" (upper-case).
> > >
> > > --
> > > Viktor.
> >
> > --
> > David
>
> --
> David
Re: [openssl-users] openssl des-ede3-cbc does not match with Java one
You are right Viktor, that was my problem.

Thank you very much for your help Viktor and Michael.

2015-11-24 18:00 GMT+01:00 Viktor Dukhovni:

> On Tue, Nov 24, 2015 at 05:55:42PM +0100, David García wrote:
>
> > openssl enc -e -des-ede3-cbc -in myfile.txt -k
> > 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv -nosalt |
> > openssl enc -base64
>
> Please read Michael's message carefully. Note the comment about
> "-k" vs. "-K" (upper-case).
>
> --
> Viktor.

--
David
Re: [openssl-users] openssl des-ede3-cbc does not match with Java one
Sorry, still not getting the same result, now with the command:

    echo 005863330 | openssl enc -e -des-ede3-cbc -K 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv -nosalt | openssl enc -base64

I get:

    H6cr2yN8oWXn2RxiDqnXLg==

but I should get:

    H6cr2yN8oWUVY3a6/Vaaow==

BTW I get the same result if the text in the echo is between '' or is read from a text file.

2015-11-24 18:07 GMT+01:00 David García:

> You are right Viktor, that was my problem.
>
> Thank you very much for your help Viktor and Michael.
>
> 2015-11-24 18:00 GMT+01:00 Viktor Dukhovni:
>
>> On Tue, Nov 24, 2015 at 05:55:42PM +0100, David García wrote:
>>
>> > openssl enc -e -des-ede3-cbc -in myfile.txt -k
>> > 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv -nosalt |
>> > openssl enc -base64
>>
>> Please read Michael's message carefully. Note the comment about
>> "-k" vs. "-K" (upper-case).
>>
>> --
>> Viktor.
>
> --
> David

--
David
Re: [openssl-users] openssl des-ede3-cbc does not match with Java one
On Tue, Nov 24, 2015 at 05:55:42PM +0100, David García wrote:

> openssl enc -e -des-ede3-cbc -in myfile.txt -k
> 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv -nosalt |
> openssl enc -base64

Please read Michael's message carefully. Note the comment about "-k" vs. "-K" (upper-case).

--
Viktor.
Re: [openssl-users] openssl des-ede3-cbc does not match with Java one
On Tue, Nov 24, 2015 at 06:12:59PM +0100, David García wrote:

> Sorry, still not getting the same result, now with the command:
>
> echo 005863330 | openssl enc -e -des-ede3-cbc -K
> 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv -nosalt |
> openssl enc -base64

Please also read his comment about newlines (aka LF characters) appended by "echo", or read from a file containing a line of text. (Hint: instead of "echo 005863330" try "printf 005863330").

--
Viktor.
Re: [openssl-users] openssl des-ede3-cbc does not match with Java one
I am sorry, I pasted an invalid key I was playing with to check some other things. Next, the real key and now reading the value from a file instead from echo (BTW I am using a linux terminal):

    openssl enc -e -des-ede3-cbc -in myfile.txt -k 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv -nosalt | openssl enc -base64

myfile.txt (edited with vim) contains the string:

    005863330

The value I get is:

    SYqzNH5u8ExzyakWO3Cj/A==

meanwhile the one I am getting from Java and PHP examples is:

    H6cr2yN8oWUVY3a6/Vaaow==

Regards.

2015-11-24 16:28 GMT+01:00 Michael Wojcik:

> > echo 'text_to_cypher' | openssl enc -e -des-ede3-cbc -k
> > 'b2aec78eb50e04f2a60b9efa20b82c903e3cad4f3bd2027g' -iv -nosalt |
> > openssl enc -base64
>
> That echo command will append a LF (x'0a') byte (if this is a conventional
> UNIX or Linux system, or Cygwin, etc, and you're running under one of the
> standard shells). Do you have that byte in the value of your "cleartext"
> variable in the Java code? You failed to supply that. (Also, the
> single-quote characters are unnecessary, unless you're running a very odd
> shell.)
>
> The value of the -k argument you're passing to "openssl enc" ends with
> "g", which is not a hexadecimal digit; the rest of the value appears to be
> hexadecimal. But it's not clear why you're using -k anyway. Perhaps you
> mean to use -K (uppercase K, with an actual hexadecimal argument)?
>
> --
> Michael Wojcik
> Technology Specialist, Micro Focus

--
David
[openssl-users] openssl des-ede3-cbc does not match with Java one
Hi,

I am trying to use openssl command line tool for des-ede3-cbc encryption, but it does not match with the one I have in Java (and that I know that works ok).

I try to generate a des-ede3-cbc encryption with an IV = 0,0,0,0,0,0,0,0. Then I launch following command:

    echo 'text_to_cypher' | openssl enc -e -des-ede3-cbc -k 'b2aec78eb50e04f2a60b9efa20b82c903e3cad4f3bd2027g' -iv -nosalt | openssl enc -base64

But I don't get the same result as the one I get in Java using Cipher:

    private final byte [] IV = {0, 0, 0, 0, 0, 0, 0, 0};
    ...
    DESedeKeySpec desKeySpec = new DESedeKeySpec(toByteArray(hexKey));
    SecretKey desKey = new SecretKeySpec(desKeySpec.getKey(), "DESede");
    Cipher desCipher = Cipher.getInstance("DESede/CBC/NoPadding");
    desCipher.init(Cipher.ENCRYPT_MODE, desKey, new IvParameterSpec(IV));
    //text 0 padding to get it multiple of 8
    byte[] ciphertext = desCipher.doFinal(cleartext);
    new String(Base64.encodeBase64(ciphertext), "UTF-8");

Could anyone point me to what I am doing wrong in this command line call?

Thanks in advance.

--
David
Re: [openssl-users] openssl des-ede3-cbc does not match with Java one
> echo 'text_to_cypher' | openssl enc -e -des-ede3-cbc -k
> 'b2aec78eb50e04f2a60b9efa20b82c903e3cad4f3bd2027g' -iv -nosalt |
> openssl enc -base64

That echo command will append a LF (x'0a') byte (if this is a conventional UNIX or Linux system, or Cygwin, etc, and you're running under one of the standard shells). Do you have that byte in the value of your "cleartext" variable in the Java code? You failed to supply that. (Also, the single-quote characters are unnecessary, unless you're running a very odd shell.)

The value of the -k argument you're passing to "openssl enc" ends with "g", which is not a hexadecimal digit; the rest of the value appears to be hexadecimal. But it's not clear why you're using -k anyway. Perhaps you mean to use -K (uppercase K, with an actual hexadecimal argument)?

--
Michael Wojcik
Technology Specialist, Micro Focus