#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2014
    Posts
    5
    Rep Power
    0

    AES CBC with openssl


    Hi,

    I'm trying to encrypt the data in the database, first tested on the website aes(dot)online-domain-tools(dot)com
    data text
    123456789012345678901234567890abcdefghijklmnopqr
    data HEX
    3132333435363738393031323334353637383930313233343536373839306162636465666768696a6b6c6d6e6f707172
    key
    3ce1a2d4876fd8d2b88fae7d7d16b203
    iv
    0e1bde0c6edd8854df6f83e117a2f67b
    result
    C7A138607044AE40131979737DFA58B3F32E84B830FDD74012EAEFAAF4DB2E1C4896AF3B2433FA96C43EF73EFCB1FBB0ABCA5533F74287FE5258A80037276670
    then try to decipher with openssl and plain data is different
    $ echo -n 'C7A138607044AE40131979737DFA58B3F32E84B830FDD74012EAEFAAF4DB2E1C4896AF3B2433FA96C43EF73EFCB1FBB0ABCA5533F74287FE5258A80037276670' | xxd -p -r | openssl enc -aes-128-cbc -d -nosalt -nopad -K 3ce1a2d4876fd8d2b88fae7d7d16b203 -iv 0e1bde0c6edd8854df6f83e117a2f67b | xxd -p | tr -d "\n" && echo

    139d59d4e776258c8ca074f0ce43d5668975817c776cff5633dbdc82efd41be1f6e92a7e5c73a69afb8001cca398aed128cf0557aebea6be7d1304d76b8422fb
    the above data encryption
    $ echo -n '139d59d4e776258c8ca074f0ce43d5668975817c776cff5633dbdc82efd41be1f6e92a7e5c73a69afb8001cca398aed128cf0557aebea6be7d1304d76b8422fb' | xxd -p -r | openssl enc -aes-128-cbc -nosalt -nopad -K 3ce1a2d4876fd8d2b88fae7d7d16b203 -iv 0e1bde0c6edd8854df6f83e117a2f67b | xxd -p | tr -d "\n" && echo

    c7a138607044ae40131979737dfa58b3f32e84b830fdd74012eaefaaf4db2e1c4896af3b2433fa96c43ef73efcb1fbb0abca5533f74287fe5258a80037276670
    the same result like on the website, but plain data is different


    What am I doing wrong that it does not work the same as the algorithm on the website?
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    the website expects a raw key, not an encoded one. See the explanations below the form.

    Note, however, that you're restricted to certain ASCII characters (no idea why that is), so you can't reuse your example key. You need to come up with a new one.

    And contrary to your OpenSSL command, the site does use padding.
    Last edited by Jacques1; February 1st, 2014 at 03:53 PM.
    The 6 worst sins of security
    How to (properly) access a MySQL database with PHP

    Why can’t I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2014
    Posts
    5
    Rep Power
    0
    Originally Posted by Jacques1
    the website expects a raw key, not an encoded one. See the explanations below the form.
    You mean this explanation?
    Security note: Data are transmitted over the network in an unencrypted form! Please do not enter any sensitive information into the form above as we cannot guarantee you that your data won't be compromised.
    English is not my native language, but if I understand correctly, that is only a security note.


    Originally Posted by Jacques1
    Note, however, that you're restricted to certain ASCII characters (no idea what that is), so you can't reuse your example key. You need to come up with a new one.
    I did not understand this, the data is in hex.
    Why can't I use my example key again?

    Originally Posted by Jacques1
    And contrary to your OpenSSL command, the site does use padding.
    That's right, because when I tried
    $ openssl
    without
    -nopad
    then "openssl" ended with an error while decrypting

    Demo application on this site crypto(dot)hurlant(dot)com/demo/
    encrypts the data in the same way as my "openssl" command.
    Why does the AES algorithm on the site from my first post work differently? Is this a modification of the AES algorithm?

    However, my goal is to use the "openssl" (or another program) to encrypt the data in the same way as the algorithm contained on the website, which I gave in the first post.

    Does anyone have an idea how to do it?
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    You don't understand. This online-domain-tools website and OpenSSL both use the exact same algorithm, but they expect your input parameters in different formats.

    The website expects the key as 16 unencoded bytes. In addition to that, you're only allowed to use ASCII characters. So, for example, this would be a valid key:

    Code:
    notexactlysecret
    Your example plaintext was:

    Code:
    123456789012345678901234567890abcdefghijklmnopqr
    And the IV:
    Code:
    0e1bde0c6edd8854df6f83e117a2f67b
    The result is

    Code:
    7232686037e02e53722765b08809086892dad293f50a4c1492803f8a352639123dab035a3f2b47f3f5ddd3d995389d6d7f9d55d09980a3339f25922869c1d834
    Now the same thing in OpenSSL.

    Note that this time, the key is expected in hexadecimal encoding:

    Code:
    6e6f7465786163746c79736563726574
    So the full command is

    bash Code:
    echo -n 123456789012345678901234567890abcdefghijklmnopqr \
    |  openssl enc -aes-128-cbc -K 6e6f7465786163746c79736563726574 -iv 0e1bde0c6edd8854df6f83e117a2f67b\
    | xxd -p\
    | tr -d "\n" && echo

    You now get the exact same result:

    Code:
    7232686037e02e53722765b08809086892dad293f50a4c1492803f8a352639123dab035a3f2b47f3f5ddd3d995389d6d7f9d55d09980a3339f25922869c1d834
  8. #5
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2014
    Posts
    5
    Rep Power
    0
    Thank you for the further explanation, except for the missing "-nopad" in syntax "openssl" everything works as it should.

    But... I have a "BlackBox"; as input I give it:
    - key(HEX)
    - iv(HEX)
    - plain_data(HEX)

    as output, I get:

    - encrypted_data(HEX)

    The encrypted_data output from the "BlackBox" is the same as the output data from the online-domain-tools website when I give it my example key, iv and plain_data.
    The encrypted output data from the "BlackBox" can be decrypted using the online-domain-tools website.

    My problem is how to decrypt data from the "BlackBox" without the online-domain-tools website.
  10. #6
  11. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    bash Code:
    echo -n 7232686037e02e53722765b08809086892dad293f50a4c1492803f8a352639123dab035a3f2b47f3f5ddd3d995389d6d\
    | xxd -p -r\
    | openssl enc -nopad -aes-128-cbc -d -K 6e6f7465786163746c79736563726574 -iv 0e1bde0c6edd8854df6f83e117a2f67b
  12. #7
  13. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2014
    Posts
    5
    Rep Power
    0
    Yeah!
    Now I understand, you are absolutely right.
    So in my case, to do what I wanted to achieve: my "BlackBox" works in the same way as the application on the website, which means the "BlackBox" interprets the key as plain text - ASCII characters (I thought it was HEX, my mistake). So to get the same effect using "openssl" I have to give the program plain-text ASCII characters, but in "openssl"

    man enc(1)
    -K key - the actual key to use: this must be represented as a string comprised only of hex digits
    So, first I need to convert my key to HEX:
    ASCII characters
    3ce1a2d4876fd8d2b88fae7d7d16b203
    HEX representation
    3363653161326434383736666438643262383866616537643764313662323033
    Now key is 256bit
    option cipher is "aes-256-cbc"

    and

    $ echo -n 'C7A138607044AE40131979737DFA58B3F32E84B830FDD74012EAEFAAF4DB2E1C4896AF3B2433FA96C43EF73EFCB1FBB0ABCA5533F74287FE5258A80037276670' | xxd -p -r | openssl enc -aes-256-cbc -d -nosalt -nopad -K 3363653161326434383736666438643262383866616537643764313662323033 -iv 0e1bde0c6edd8854df6f83e117a2f67b && echo
    voilà
    123456789012345678901234567890abcdefghijklmnopqr
    edit
    =========================================
    funny, but now on website is option to change input key format
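
The key-format mismatch worked out in posts #4 to #7, as an added example that is not part of the thread: the same 32-character key string is read once as raw ASCII (32 key bytes, AES-256) and once as hex (16 key bytes, AES-128), and a ciphertext made under one reading does not decrypt under the other. The function names are hypothetical; the script assumes `openssl`, `od` and `tr` are on the PATH and reuses the key, IV and plaintext quoted in the posts.

```shell
#!/bin/sh
# Added example, not from the thread. Values are the ones quoted in the posts.
KEY_STR='3ce1a2d4876fd8d2b88fae7d7d16b203'   # key string from post #1
IV_HEX='0e1bde0c6edd8854df6f83e117a2f67b'    # IV from post #1
PLAIN='123456789012345678901234567890abcdefghijklmnopqr'

# Hex-encode stdin (od/tr instead of xxd, which is not always installed).
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# Reading 1: the string is raw ASCII, one key byte per character.
# openssl -K still wants hex, so encode the characters themselves.
key_as_ascii() { printf '%s' "$1" | to_hex; }

# Reading 2: the string is already the hex form that -K expects.
key_as_hex() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# Choose the AES variant from the hex key length (2 hex digits per byte).
cipher_for() {
  case ${#1} in
    32) echo aes-128-cbc ;;
    48) echo aes-192-cbc ;;
    64) echo aes-256-cbc ;;
    *)  echo "unsupported key length: ${#1} hex digits" >&2; return 1 ;;
  esac
}

# encrypt_hex <hexkey> [extra openssl flags] -> ciphertext of $PLAIN in hex
encrypt_hex() {
  k=$1; shift
  printf '%s' "$PLAIN" |
    openssl enc "-$(cipher_for "$k")" -K "$k" -iv "$IV_HEX" "$@" | to_hex
}

# roundtrip <hexkey> -> plaintext recovered with the same key reading
roundtrip() {
  printf '%s' "$PLAIN" |
    openssl enc "-$(cipher_for "$1")" -K "$1" -iv "$IV_HEX" |
    openssl enc -d "-$(cipher_for "$1")" -K "$1" -iv "$IV_HEX"
}

# Encrypt under the ASCII reading, decrypt under the hex reading.
# -nopad makes openssl emit the garbage instead of failing on bad padding.
cross_decrypt_hex() {
  a=$(key_as_ascii "$KEY_STR"); h=$(key_as_hex "$KEY_STR")
  printf '%s' "$PLAIN" |
    openssl enc "-$(cipher_for "$a")" -K "$a" -iv "$IV_HEX" |
    openssl enc -d -nopad "-$(cipher_for "$h")" -K "$h" -iv "$IV_HEX" | to_hex
}

echo "ascii reading: $(cipher_for "$(key_as_ascii "$KEY_STR")")"
echo "hex reading:   $(cipher_for "$(key_as_hex "$KEY_STR")")"
```

With default padding the 48-byte plaintext encrypts to 64 bytes; with `-nopad` it stays at 48 bytes and equals the first three blocks of the padded ciphertext, which is why the decrypt command in post #6 works on the truncated hex string.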
  14. #8
  15. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Yes. But I have no idea why you're putting so much effort into reproducing the result from the website. That's just some stupid little test site. It's not relevant for anything.

    If you wanna make sure that your OpenSSL works correctly and you're using it the right way, there are plenty of official test vectors for AES. Use those.
  16. #9
  17. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2014
    Posts
    5
    Rep Power
    0
    So that interested me, data protection, cryptography, etc. I started to analyze simple applications that further protect data by encrypting variables, data blocks, etc. With the help of reverse engineering applications, I check what level of security is maintained.
    Something has to be safe, it is really safe when we examine some application data. I learn this ... because it's interesting ...
    I'm not a programmer, just getting started, however, analyzed the program, a part of it was the "BlackBox" about which I knew almost nothing, after analysis and reverse engineering, I know what it does, and how to decrypt the data, because the key was permanently saved in the application code and IV as part of the chain encrypted data transmitted over the network.
