RE: Command-line file encryption
Hello,

> So what you are saying is that if I encrypt a file with a password
> according to my interpretation of PKCS#5/PBKDF2, then it might not
> decrypt properly (with the same password) using the command-line
> openssl function?

Yes, this function internally looks like PBKDF2 and has a similar use, but has some differences.
Under some circumstances this may be compatible with PBKDF1 - but I didn't check this.
You may check this with the attached example.
(The CIPHER parameter is used only for getting the key/IV size.)

Best regards,
--
Marek Marcola [EMAIL PROTECTED]

#include <stdio.h>
#include <string.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>

/* Print len bytes of buf as hex, eight values per line. */
int print_hex(unsigned char *buf, int len)
{
    int i;
    int n;

    for (i = 0, n = 0; i < len; i++) {
        if (n > 7) {
            printf("\n");
            n = 0;
        }
        printf("0x%02x, ", buf[i]);
        n++;
    }
    printf("\n");
    return (0);
}

int main()
{
    char *pass = "password";
    /* EVP_BytesToKey() always reads 8 salt bytes (PKCS5_SALT_LEN),
     * so the salt is kept in an 8-byte, zero-padded buffer. */
    char salt[8] = "1234";
    int ic = 1;
    unsigned char buf[1024];

    /* PBKDF2 (HMAC-SHA1): 32 bytes of key + 16 bytes of IV */
    ic = 1;
    PKCS5_PBKDF2_HMAC_SHA1(pass, strlen(pass),
                           (unsigned char *) salt, strlen(salt),
                           ic, 32 + 16, buf);
    printf("PKCS5_PBKDF2_HMAC_SHA1(\"%s\", \"%s\", %d)=\n", pass, salt, ic);
    print_hex(buf, 32 + 16);

    /* EVP_BytesToKey (SHA1): key goes to buf, IV to buf+32 */
    ic = 1;
    EVP_BytesToKey(EVP_aes_256_cbc(), EVP_sha1(),
                   (unsigned char *) salt,
                   (unsigned char *) pass, strlen(pass),
                   ic, buf, buf + 32);
    printf("EVP_BytesToKey(\"%s\", \"%s\", %d)=\n", pass, salt, ic);
    print_hex(buf, 32 + 16);
    return (0);
}
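Added example (not code from the thread or from OpenSSL): a Python re-implementation of the EVP_BytesToKey() derivation discussed above, compared with PBKDF2, plus a parser for the `Salted__` header that `openssl enc -salt` writes. It shows that only the salt is stored in the file and that the IV is re-derived from password and salt. Function names and sample bytes are constructed for illustration; the digest `enc` actually uses depends on the OpenSSL version and the `-md` option.

```python
import hashlib

MAGIC = b"Salted__"  # 8-byte marker `openssl enc -salt` writes before the salt


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="sha1", count=1):
    """Re-implementation of the EVP_BytesToKey() derivation.

    D_1 = H^count(password || salt), D_i = H^count(D_(i-1) || password || salt);
    the blocks are concatenated, then split into key and IV.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        for _ in range(count - 1):  # extra rounds re-hash the digest only
            block = hashlib.new(digest, block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def parse_salted_header(blob):
    """Split an `openssl enc -salt` file into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("no Salted__ header: file was not written with -salt")
    return blob[8:16], blob[16:]


def compare_kdfs(password, salt, key_len=32, iv_len=16, count=1):
    """Return both 48-byte outputs, like the C program in the message above."""
    key, iv = evp_bytes_to_key(password, salt, key_len, iv_len, "sha1", count)
    pbkdf2 = hashlib.pbkdf2_hmac("sha1", password, salt, count, key_len + iv_len)
    return key + iv, pbkdf2


if __name__ == "__main__":
    # Constructed sample: header + 8-byte salt + 16 dummy ciphertext bytes.
    sample = MAGIC + b"12345678" + bytes(16)
    salt, ciphertext = parse_salted_header(sample)
    key, iv = evp_bytes_to_key(b"password", salt, 32, 16)
    print("salt:", salt.hex())
    print("key :", key.hex())
    print("iv  :", iv.hex())  # derived from password and salt, not stored
    bytes_to_key, pbkdf2 = compare_kdfs(b"password", salt)
    print("same output as PBKDF2?", bytes_to_key == pbkdf2)
```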
RE: Command-line file encryption
Hello,

> Ok, it looks like these values are computed from the password...
> Is the algorithm for computing the key and IV from the password published?

PBKDF2 from PKCS#5 realized by EVP_BytesToKey() in OpenSSL.
I don't remember exactly but there was some incompatibility with this standard ...

Best regards,
--
Marek Marcola [EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                               [EMAIL PROTECTED]
RE: Command-line file encryption
Thanks for the reply.

So what you are saying is that if I encrypt a file with a password according to my interpretation of PKCS#5/PBKDF2, then it might not decrypt properly (with the same password) using the command-line openssl function?

R.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Wednesday, August 23, 2006 11:53 PM
To: openssl-users@openssl.org
Subject: RE: Command-line file encryption

Hello,

> Ok, it looks like these values are computed from the password...
> Is the algorithm for computing the key and IV from the password published?

PBKDF2 from PKCS#5 realized by EVP_BytesToKey() in OpenSSL.
I don't remember exactly but there was some incompatibility with this standard ...

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
RE: Command-line file encryption
Ok, it looks like these values are computed from the password...

Is the algorithm for computing the key and IV from the password published?

R.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Turner
Sent: Wednesday, August 23, 2006 1:40 PM
To: openssl-users@openssl.org
Subject: Command-line file encryption

Using the following command...

openssl enc -aes-256-cbc -salt -in <plain text file> -out <encrypted file>

I can create an AES-encrypted file. Subsequently I can use the -d option to decrypt the same file if I use the same key (when prompted) that I used to encrypt the file.

I think the same initialization vector (IV) has to be used to decrypt the file as well. Is the decryption code mentioned above able to find the original IV used to encrypt the file somewhere in the encrypted file itself? How does it know this?

Thanks!
Randy