Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Error - AES-256 CBC encrypting using EVP routines and decrypting using command line

310 views
Skip to first unread message

~ Kunal Sharma ~

unread,
May 25, 2010, 8:30:02 AM5/25/10
to
Friends,

I'm trying to verify that my encryption and decryption routines work ok. One way I do it is to encrypt the data and save it to a file. The I feed the encrypted file to my decryption routine and write the decrypted data to another file. I compare the original data and the contents of the decrypted file and they are same. So the routines work fine in tandem.

Another method I want to use it to encrypt the data and save it to a file. Then I feed the encrypted file to Openssl command line to decrypt.

I get my encrypted data in the file rgconf_encrypted. Then I run the following command:
openssl enc -d -aes-256-cbc -in rgconf_encrypted
I enter the decryption password "As different as chalk and cheese" which I used to encrypt the data. But I get the error "bad magic number".

Am I missing something here ? I need to be able to use a simple phrase as my encryption password so I can decrypt it on command line as well. Please provide any pointers on what could be wrong here.

Below is the code for my encryption routine.

Thanks,
Kunal

++++++++++++++++++++++++++++++++++++++++++
int encrypt(void)
{
EVP_CIPHER_CTX ctx;
unsigned char ibuf[1024],obuf[1024];
int rfd, wfd,ilen,olen,tlen;

unsigned char key32[] = "As different as chalk and cheese";
unsigned char iv[] = "As dark as pitch";
EVP_CIPHER_CTX_init(&ctx);
if(!EVP_CipherInit_ex(&ctx, EVP_aes_256_cbc(),NULL,key32, iv,AES_ENCRYPT) ) {
console_printf("Couldnt initialize cipher\n");
return 1;
}
/* read the original contents that are stored in file /etc/rgconf */
if((rfd = open("/etc/rgconf",O_RDONLY) ) == -1) {
console_printf("Couldnt open input file\n");
return 1;
}

/* open a file /et.rgconf_encrypted to store encrypted data */
if((wfd = creat("/etc/rgconf_encrypted",0644) ) == -1) {
console_printf("Couldn't open output file for writing\n");
return 1;
}
while((ilen = read(rfd,ibuf,1024) ) > 0) {
if(EVP_CipherUpdate(&ctx,obuf,&olen,ibuf,ilen)){
write(wfd,obuf,olen);
}
else {
console_printf("Encryption error\n");
return 1;
}
}
if(!EVP_CipherFinal_ex(&ctx,obuf+olen,&tlen)) {
console_printf("Trouble with padding the last block\n");
return 1;
}

write(wfd,obuf+olen,tlen);
EVP_CIPHER_CTX_cleanup(&ctx);
close(rfd);
close(wfd);
console_printf("AES 256 CBC encryption complete\n");
return 0;
}
++++++++++++++++++++++++++++++++++++++++++




~ Kunal Sharma ~

unread,
May 25, 2010, 10:01:41 AM5/25/10
to
Thanks Francesco, Anand for the tip.

I guess I need to supply the iv in hex format. Is it as simple as replacing each ascii character of iv string with the equivalent hex value or something else ?

I use the passphrase "As different as chalk and cheese" and iv "As dark as pitch". What would my iv be in the format Openssl expects it to be ?

Thanks again,
Kunal


On Tue, May 25, 2010 at 6:32 PM, Anand Patel <anand....@gmail.com> wrote:
You need to use same iv and key for decryption. 
I believe the command is
openssl enc -d -aes-256-cbc -K <key used to encrypt> -iv <iv used to encrypt> -in rgconf_encrypted -out rgconf_decrypted. 

-Anand

Dave Thompson

unread,
May 25, 2010, 9:21:53 PM5/25/10
to
> From: owner-ope...@openssl.org On Behalf Of ~ Kunal Sharma ~
> Sent: Tuesday, 25 May, 2010 10:02

> I guess I need to supply the iv in hex format. Is it as simple as
replacing
> each ascii character of iv string with the equivalent hex value or
something else ?

> I use the passphrase "As different as chalk and cheese" ...



> On Tue, May 25, 2010 at 6:32 PM, Anand Patel
<anand....@gmail.com> wrote:

> You need to use same iv and key for decryption.
> I believe the command is
> openssl enc -d -aes-256-cbc -K <key used to encrypt> -iv <iv

used to encrypt> ...

Both -K key and -iv iv must be hex; yes, character by character,
using whatever charset was used for your program. There are (still)
some machines that use EBCDIC, but you would be aware if you were
on one, so yes you were almost certainly in the ASCII subset common
to any likely charset (8859, Unicode, or Windows).

PS- You used that string directly as the key. Usually, including openssl,
something called a passphrase or password is not used directly as a key
but instead is run through a 'Key Derivation Function' such as PKCS5,
basically an iterated hash sometimes with other bits thrown in.
To avoid confusion I suggest you call the key a key.

I noticed you got exactly the right lengths (32 and 16 bytes).
I hope you are making any users aware they cannot just choose strings
they like (and can remember), and such limitation is OK with them.
Usually it isn't, which is part of the reason a KDF is used.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

~ Kunal Sharma ~

unread,
May 26, 2010, 4:54:18 AM5/26/10
to
Thanks guys. It worked for me !!

- Kunal
0 new messages