Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-25 Thread David García
Exactly, that's my point, I have to integrate with a third party API, so I
can't do anything else but to send the ciphered text as expected.

Anyway, thanks for your explanation on this issue, I'll take it into
account and try to contact third party support team.


Thanks.

2015-11-25 11:23 GMT+01:00 Viktor Dukhovni :

> On Wed, Nov 25, 2015 at 11:14:48AM +0100, David García wrote:
>
> > Viktor, you pointed me to the right way. I was missing the -nopad flag in
> > the openssl command.
>
> Not using padding is fragile and can lead to subtle data corruption.
> Perhaps not padding is safe and correct in your case, but I am
> skeptical and you should be too.  If you're constrained to interoperate
> with existing code that is not padding, that code is questionable,
> but you may have no choice but to follow suit.  If you're free to
> choose formats, you should probably pad.
>
> --
> Viktor.
> ___
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>



-- 
David
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-25 Thread Viktor Dukhovni
On Wed, Nov 25, 2015 at 09:18:15AM +0100, David García wrote:

> H6cr2yN8oWV6AUY/JlknQw==

Decrypting in ECB mode you get:

$ echo H6cr2yN8oWV6AUY/JlknQw== |
openssl base64 -d |
openssl enc -d -des-ede3 \
-K 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -nopad |
hexdump -ve '/1 "%02x"'; echo
3030353836332fa02cdc247ba662

> but is not exactly the same result I get for the same input in my Java and
> PHP examples. In those ones I get:
> 
> H6cr2yN8oWUVY3a6/Vaaow==

Decrypting in ECB mode you get:

$ echo H6cr2yN8oWUVY3a6/Vaaow== |
openssl base64 -d |
openssl enc -d -des-ede3 \
-K 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -nopad |
hexdump -ve '/1 "%02x"'; echo
3030353836332fa72bdb237ca165

The initial 8-byte blocks are identical, but the trailing blocks
differ subtly.  The hexdump of the OpenSSL ciphertext is:

$ echo H6cr2yN8oWV6AUY/JlknQw== |
openssl base64 -d |
hexdump -ve '/1 "%02x"'; echo
1fa72bdb237ca1657a01463f26592743

If you XOR the common first block of ciphertext into each of the
second decrypted blocks you get:

$ perl -le '
for ( (0x2fa02cdc247ba662, 0x2fa72bdb237ca165) ) {
printf "%016x\n", ($_ ^ 0x1fa72bdb237ca165)
}'
3007070707070707
3000

What you see is the effect of PKCS#5 padding in the case of OpenSSL,
and zero-padding (which is not reversible and not suitable for
encrypting ciphertext that is not a multiple of 8 bytes in length)
in Java.  You've failed to configure the correct padding mode.

-- 
Viktor.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
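
The analysis in the message above, carried through as an added Python example (not part of the original thread): it XORs each ECB-decrypted final block with the previous ciphertext block, using the hex values quoted in the message, and names the padding that results. The function names and the `zero_pad` behaviour (pad only when the length is not a multiple of 8) are assumptions made for illustration.

```python
BLOCK = 8  # DES/3DES block size in bytes

def cbc_unchain(ecb_block: bytes, prev_cipher: bytes) -> bytes:
    """CBC plaintext block = ECB-decrypted block XOR previous ciphertext block."""
    return bytes(a ^ b for a, b in zip(ecb_block, prev_cipher))

def pkcs5_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # always 1..8, so padding is never empty
    return data + bytes([n]) * n

def pkcs5_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or len(data) % BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#5 padding")
    return data[:-n]

def zero_pad(data: bytes) -> bytes:
    # Assumption: pad with 0x00 only when the length is not a multiple of 8.
    return data + b"\x00" * (-len(data) % BLOCK)

def zero_unpad(data: bytes) -> bytes:
    # Cannot tell padding from trailing 0x00 bytes that belonged to the message.
    return data.rstrip(b"\x00")

def classify_padding(last_block: bytes) -> str:
    """Name the padding scheme a final plaintext block is consistent with."""
    n = last_block[-1]
    if 1 <= n <= BLOCK and last_block[-n:] == bytes([n]) * n:
        return "pkcs5(%d)" % n
    if n == 0:
        return "zero(%d)" % (len(last_block) - len(last_block.rstrip(b"\x00")))
    return "unpadded"

# Hex values quoted in the message above.
PREV_CIPHER = bytes.fromhex("1fa72bdb237ca165")   # common first ciphertext block
OPENSSL_ECB = bytes.fromhex("2fa02cdc247ba662")   # second block, OpenSSL ciphertext
JAVA_ECB = bytes.fromhex("2fa72bdb237ca165")      # second block, Java/PHP ciphertext

def analyse() -> dict:
    return {name: classify_padding(cbc_unchain(blk, PREV_CIPHER))
            for name, blk in (("openssl", OPENSSL_ECB), ("java", JAVA_ECB))}

if __name__ == "__main__":
    print(analyse())
    msg = b"\x01\x00"                      # constructed message ending in 0x00
    # PKCS#5 round-trips the message; zero padding silently drops its last byte.
    print(pkcs5_unpad(pkcs5_pad(msg)) == msg, zero_unpad(zero_pad(msg)) == msg)
```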


Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-25 Thread David García
Viktor, you pointed me to the right way. I was missing the -nopad flag in
the openssl command.

I don't need to do the padding through the cipher algorithm because I do
the 0 padding manually before executing the ciphering.

Now it matches. This is the command I am using (for this manual example I
am providing an already multiple of 8 string, so I have removed the first
char of the input string for testing):

echo -n 05863330 | openssl enc -e -des-ede3-cbc -K
'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv  -nopad |
openssl enc -base64


Thanks Viktor.

2015-11-25 10:39 GMT+01:00 Viktor Dukhovni :

> On Wed, Nov 25, 2015 at 09:18:15AM +0100, David García wrote:
>
> > H6cr2yN8oWV6AUY/JlknQw==
>
> Decrypting in ECB mode you get:
>
> $ echo H6cr2yN8oWV6AUY/JlknQw== |
> openssl base64 -d |
> openssl enc -d -des-ede3 -K
> 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -nopad |
> hexdump -ve '/1 "%02x"'; echo
> 3030353836332fa02cdc247ba662
>
> > but is not exactly the same result I get for the same input in my Java and
> > PHP examples. In those ones I get:
> >
> > H6cr2yN8oWUVY3a6/Vaaow==
>
> Decrypting in ECB mode you get:
>
> $ echo H6cr2yN8oWUVY3a6/Vaaow== |
> openssl base64 -d |
> openssl enc -d -des-ede3 -K
> 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -nopad |
> hexdump -ve '/1 "%02x"'; echo
> 3030353836332fa72bdb237ca165
>
> The initial 8-byte blocks are identical, but the trailing blocks
> differ subtly.  The hexdump of the OpenSSL ciphertext is:
>
> $ echo H6cr2yN8oWV6AUY/JlknQw== |
> openssl base64 -d |
> hexdump -ve '/1 "%02x"'; echo
> 1fa72bdb237ca1657a01463f26592743
>
> If you XOR the common first block of ciphertext into each of the
> second decrypted blocks you get:
>
> $ perl -le '
> for ( (0x2fa02cdc247ba662, 0x2fa72bdb237ca165) ) {
> printf "%016x\n", ($_ ^ 0x1fa72bdb237ca165)
> }'
> 3007070707070707
> 3000
>
> What you see is the effect of PKCS#5 padding in the case of OpenSSL,
> and zero-padding (which is not reversible and not suitable for
> encrypting ciphertext that is not a multiple of 8 bytes in length)
> in Java.  You've failed to configure the correct padding mode.
>
> --
> Viktor.
>



-- 
David


Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-25 Thread Viktor Dukhovni
On Wed, Nov 25, 2015 at 11:14:48AM +0100, David García wrote:

> Viktor, you pointed me to the right way. I was missing the -nopad flag in
> the openssl command.

Not using padding is fragile and can lead to subtle data corruption.
Perhaps not padding is safe and correct in your case, but I am
skeptical and you should be too.  If you're constrained to interoperate
with existing code that is not padding, that code is questionable,
but you may have no choice but to follow suit.  If you're free to
choose formats, you should probably pad.

-- 
Viktor.


Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-25 Thread David García
Thanks, you are right. I did a test with

echo -n 005863330

and

echo 005863330

and the last one adds the new line character.

I also checked that openssl is not adding this new line character. Now with
this command:

echo -n 005863330 | openssl enc -e -des-ede3-cbc -K
'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv  -nosalt |
openssl enc -base64

I get:

H6cr2yN8oWV6AUY/JlknQw==

but is not exactly the same result I get for the same input in my Java and
PHP examples. In those ones I get:

H6cr2yN8oWUVY3a6/Vaaow==


In the Java and PHP examples the input data is hardcoded in text:

text "005863330"
key "b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b"


Regards.

2015-11-24 18:19 GMT+01:00 Jay Foster :

> It is very likely that your text file also contains a newline at the end,
> so getting the same result as with the echo command would be expected.  If
> it is indeed the newline that is making the difference, you could try using
> the echo command with the '-n' option to suppress it.
>
> Jay
>
>
> On 11/24/2015 9:12 AM, David García wrote:
>
> Sorry, still not getting the same result, now with the command:
>
> echo 005863330 | openssl enc -e -des-ede3-cbc -K
> 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv  -nosalt |
> openssl enc -base64
>
> I get:
>
> H6cr2yN8oWXn2RxiDqnXLg==
>
> but I should get:
>
> H6cr2yN8oWUVY3a6/Vaaow==
>
>
> BTW I get the same result if the text in the echo is between '' or is read
> from a text file.
>
> 2015-11-24 18:07 GMT+01:00 David García :
>
>> You are right Viktor, that was my problem.
>>
>> Thank you very much for your help Viktor and Michael.
>>
>> 2015-11-24 18:00 GMT+01:00 Viktor Dukhovni < 
>> openssl-us...@dukhovni.org>:
>>
>>> On Tue, Nov 24, 2015 at 05:55:42PM +0100, David García wrote:
>>>
>>> > openssl enc -e -des-ede3-cbc -in myfile.txt -k
>>> > 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv  -nosalt |
>>> > openssl enc -base64
>>>
>>> Please read Michael's message carefully.  Note the comment about
>>> "-k" vs. "-K" (upper-case).
>>>
>>> --
>>> Viktor.
>>>
>>
>>
>>
>> --
>> David
>>
>
>
>
> --
> David
>
>
>
>
>
>
>


-- 
David


Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-24 Thread Jay Foster
It is very likely that your text file also contains a newline at the 
end, so getting the same result as with the echo command would be 
expected.  If it is indeed the newline that is making the difference, 
you could try using the echo command with the '-n' option to suppress it.


Jay

On 11/24/2015 9:12 AM, David García wrote:

Sorry, still not getting the same result, now with the command:

echo 005863330 | openssl enc -e -des-ede3-cbc -K 
'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv  
-nosalt | openssl enc -base64


I get:

H6cr2yN8oWXn2RxiDqnXLg==

but I should get:

H6cr2yN8oWUVY3a6/Vaaow==


BTW I get the same result if the text in the echo is between '' or is 
read from a text file.


2015-11-24 18:07 GMT+01:00 David García:


You are right Viktor, that was my problem.

Thank you very much for your help Viktor and Michael.

2015-11-24 18:00 GMT+01:00 Viktor Dukhovni:

On Tue, Nov 24, 2015 at 05:55:42PM +0100, David García wrote:

> openssl enc -e -des-ede3-cbc -in myfile.txt -k
> 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv  -nosalt |
> openssl enc -base64

Please read Michael's message carefully. Note the comment about
"-k" vs. "-K" (upper-case).

--
Viktor.




-- 
David





--
David






Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-24 Thread David García
You are right Viktor, that was my problem.

Thank you very much for your help Viktor and Michael.

2015-11-24 18:00 GMT+01:00 Viktor Dukhovni :

> On Tue, Nov 24, 2015 at 05:55:42PM +0100, David García wrote:
>
> > openssl enc -e -des-ede3-cbc -in myfile.txt -k
> > 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv  -nosalt |
> > openssl enc -base64
>
> Please read Michael's message carefully.  Note the comment about
> "-k" vs. "-K" (upper-case).
>
> --
> Viktor.
>



-- 
David


Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-24 Thread David García
Sorry, still not getting the same result, now with the command:

echo 005863330 | openssl enc -e -des-ede3-cbc -K
'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv  -nosalt |
openssl enc -base64

I get:

H6cr2yN8oWXn2RxiDqnXLg==

but I should get:

H6cr2yN8oWUVY3a6/Vaaow==


BTW I get the same result if the text in the echo is between '' or is read
from a text file.

2015-11-24 18:07 GMT+01:00 David García :

> You are right Viktor, that was my problem.
>
> Thank you very much for your help Viktor and Michael.
>
> 2015-11-24 18:00 GMT+01:00 Viktor Dukhovni :
>
>> On Tue, Nov 24, 2015 at 05:55:42PM +0100, David García wrote:
>>
>> > openssl enc -e -des-ede3-cbc -in myfile.txt -k
>> > 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv  -nosalt |
>> > openssl enc -base64
>>
>> Please read Michael's message carefully.  Note the comment about
>> "-k" vs. "-K" (upper-case).
>>
>> --
>> Viktor.
>>
>
>
>
> --
> David
>



-- 
David


Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-24 Thread Viktor Dukhovni
On Tue, Nov 24, 2015 at 05:55:42PM +0100, David García wrote:

> openssl enc -e -des-ede3-cbc -in myfile.txt -k
> 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv  -nosalt |
> openssl enc -base64

Please read Michael's message carefully.  Note the comment about
"-k" vs. "-K" (upper-case).

-- 
Viktor.


Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-24 Thread Viktor Dukhovni
On Tue, Nov 24, 2015 at 06:12:59PM +0100, David García wrote:

> Sorry, still not getting the same result, now with the command:
> 
> echo 005863330 | openssl enc -e -des-ede3-cbc -K
> 'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv  -nosalt |
> openssl enc -base64

Please also read his comment about newlines (aka LF characters)
appended by "echo", or read from a file containing a line of text.

(Hint: instead of "echo 005863330" try "printf 005863330").

-- 
Viktor.


Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-24 Thread David García
I am sorry, I pasted an invalid key I was playing with to check some other
things. Next, the real key and now reading the value from a file instead of
from echo (BTW I am using a linux terminal):

openssl enc -e -des-ede3-cbc -in myfile.txt -k
'b2aec78eb50e05f2a60b9efa20b82c903e6cad4f3bd2027b' -iv  -nosalt |
openssl enc -base64

myfile.txt (edited with vim) contains the string:

005863330

The value I get is:

SYqzNH5u8ExzyakWO3Cj/A==

meanwhile the one I am getting from Java and PHP examples is:

H6cr2yN8oWUVY3a6/Vaaow==


Regards.

2015-11-24 16:28 GMT+01:00 Michael Wojcik :

>
> > echo 'text_to_cypher' | openssl enc -e -des-ede3-cbc -k
> 'b2aec78eb50e04f2a60b9efa20b82c903e3cad4f3bd2027g' -iv  -nosalt |
> openssl enc -base64
>
> That echo command will append a LF (x'0a') byte (if this is a conventional
> UNIX or Linux system, or Cygwin, etc, and you're running under one of the
> standard shells). Do you have that byte in the value of your "cleartext"
> variable in the Java code? You failed to supply that. (Also, the
> single-quote characters are unnecessary, unless you're running a very odd
> shell.)
>
> The value of the -k argument you're passing to "openssl enc" ends with
> "g", which is not a hexadecimal digit; the rest of the value appears to be
> hexadecimal. But it's not clear why you're using -k anyway. Perhaps you
> mean to use -K (uppercase K, with an actual hexadecimal argument)?
>
>
> --
> Michael Wojcik
> Technology Specialist, Micro Focus
>
>



-- 
David


[openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-24 Thread David García
Hi,

I am trying to use openssl command line tool for des-ede3-cbc encryption,
but it does not match with the one I have in Java (and that I know that
works ok). I try to generate a des-ede3-cbc encryption with an IV =
0,0,0,0,0,0,0,0. Then I launch following command:


echo 'text_to_cypher' | openssl enc -e -des-ede3-cbc -k
'b2aec78eb50e04f2a60b9efa20b82c903e3cad4f3bd2027g' -iv  -nosalt |
openssl enc -base64


But I don't get the same result as the one I get in Java using Cipher:

private final byte [] IV = {0, 0, 0, 0, 0, 0, 0, 0};
.
DESedeKeySpec desKeySpec = new DESedeKeySpec(toByteArray(hexKey));
SecretKey desKey = new SecretKeySpec(desKeySpec.getKey(), "DESede");
Cipher desCipher = Cipher.getInstance("DESede/CBC/NoPadding");
desCipher.init(Cipher.ENCRYPT_MODE, desKey, new IvParameterSpec(IV));

//text 0 padding to get it multiple of 8

byte[] ciphertext = desCipher.doFinal(cleartext);
new String(Base64.encodeBase64(ciphertext), "UTF-8");



Could anyone point me to what I am doing wrong in this command line call?

Thanks in advance.
-- 
David


Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-24 Thread Michael Wojcik

> echo 'text_to_cypher' | openssl enc -e -des-ede3-cbc -k 
> 'b2aec78eb50e04f2a60b9efa20b82c903e3cad4f3bd2027g' -iv  -nosalt | 
> openssl enc -base64

That echo command will append a LF (x'0a') byte (if this is a conventional UNIX 
or Linux system, or Cygwin, etc, and you're running under one of the standard 
shells). Do you have that byte in the value of your "cleartext" variable in the 
Java code? You failed to supply that. (Also, the single-quote characters are 
unnecessary, unless you're running a very odd shell.)

The value of the -k argument you're passing to "openssl enc" ends with "g", 
which is not a hexadecimal digit; the rest of the value appears to be 
hexadecimal. But it's not clear why you're using -k anyway. Perhaps you mean to 
use -K (uppercase K, with an actual hexadecimal argument)?


-- 
Michael Wojcik
Technology Specialist, Micro Focus
