1

I am attempting to follow the example in this question: Where is the salt on the OpenSSL AES encryption? but I'm having some trouble decrypting using the key and initialization vector.

When I encrypt as follows, using "abc" as the passphrase: 

$ echo -n Polaco | openssl enc -aes-256-cbc -a -p
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
salt=0EEC20170C1B2A76
key=33945888AB044FE34F69289E3186FEA7DB914BF2ED37C2DE123117FB494ACDD8
iv =0C4CAA4A27FE3BFB05399AF217D24357
U2FsdGVkX18O7CAXDBsqdsqiOcaoPpa2OcFAtk2jQGY=

I can decrypt the resulting text using the same passphrase: 

$ echo U2FsdGVkX18O7CAXDBsqdsqiOcaoPpa2OcFAtk2jQGY= |  openssl enc -d -a -aes-256-cbc -p
enter aes-256-cbc decryption password:
salt=0EEC20170C1B2A76
key=33945888AB044FE34F69289E3186FEA7DB914BF2ED37C2DE123117FB494ACDD8
iv =0C4CAA4A27FE3BFB05399AF217D24357
Polaco

But when I try to decrypt using the key and initialization vector instead of the passphrase, it fails: 

$ echo U2FsdGVkX18O7CAXDBsqdsqiOcaoPpa2OcFAtk2jQGY= |  openssl enc -d -a -aes-256-cbc -p -K 33945888AB044FE34F69289E3186FEA7DB914BF2ED37C2DE123117FB494ACDD8 -iv 0C4CAA4A27FE3BFB05399AF217D24357
salt=1250FC9CF97F0000
key=33945888AB044FE34F69289E3186FEA7DB914BF2ED37C2DE123117FB494ACDD8
iv =0C4CAA4A27FE3BFB05399AF217D24357
bad decrypt
4294956672:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:531:

Note that the salt extracted from the encrypted text is wrong.

I'm using an x86_64 machine, running Cygwin on Windows 10, if it matters. 

$ openssl version
OpenSSL 1.0.2n  7 Dec 2017

I feel like I must be missing something basic.

SOLVED by @mvy The problem was that a salt is randomly generated by default, but when you are specifying the key and iv for decryption, there should not be a salt. I need to suppress the salt using the -nosalt option. 

$ echo -n Polaco | openssl enc -aes-256-cbc -nosalt -p -out /tmp/pol1
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
key=900150983CD24FB0D6963F7D28E17F72EA0B31E1087A22BC5394A6636E6ED34B
iv =2EFFA65AF1C5EB20572E2F9896B90FEB

$ openssl enc -d -aes-256-cbc -nosalt -p -in /tmp/pol1 -K 900150983CD24FB0D6963F7D28E17F72EA0B31E1087A22BC5394A6636E6ED34B -iv 2EFFA65AF1C5EB20572E2F9896B90FEB
key=900150983CD24FB0D6963F7D28E17F72EA0B31E1087A22BC5394A6636E6ED34B
iv =2EFFA65AF1C5EB20572E2F9896B90FEB
Polaco
echawkes
  • 113
  • 1
  • 1
  • 4

1 Answers1

2

When using the password form of the command, the salt is output at the start of the data stream. When using -a you are encoding the salt into the base64 data.

The Key + IV method does not need salt, and openssl does not remove it from the decoded base64 string.

You should try again by encoding with -nosalt at the start of your encoding command.

Edit: as @forest said in the comments, do not use the password option with -nosalt, it is unsecure and the Key/IV method supposes the pair has been secured securely.

If you need to first use the password method, I suggest that you read about how the salted data is inserted at start of the data stream, and remove it. It might be incompatible with the base64 output.

M'vy
  • 13,053
  • 3
  • 48
  • 69
  • You have correctly diagnosed the problem. When I use -nosalt encryption and decryption using the key and iv work as expected. – echawkes Jun 26 '18 at 21:22
  • @echawkes Just a warning, if you do _not_ use `-iv` to specify the IV and use `-nosalt`, then the IV is derived deterministically from the key so two keys will automatically have the same IV. – forest Jun 26 '18 at 21:45
  • Or discard the stored salt e.g. `echo U2FsdGVkX18O7CAXDBsqdsqiOcaoPpa2OcFAtk2jQGY= | openssl base64 -d | (dd bs=16 count=1 &>/dev/null; openssl enc -d -aes-256-cbc -K ... -iv ...)` or use `head -c16 >/dev/null` on GNUish systems @forest: nope; for `-K key` if you omit `-iv` (and on recent versions if it's needed) it just fails; if you specify a _password_ then IV and key are both derived from the password plus salt if any, but not either one from the other – dave_thompson_085 Jun 27 '18 at 08:33
  • @dave_thompson_085 Good point. I meant if you use lowercase K. – forest Jun 28 '18 at 01:33
  • @mvy I don't need to use the passphrase method at all: that was just the example I was trying to reproduce. As far as securing the Key/IV pair, my understanding is that the key must be secured, but the IV does not need to be secret. – echawkes Jun 29 '18 at 21:37
  • The IV doesn't need to be secret, but it has to be random, since the password method is used to derived a Key and an IV, that's why you need a salt. – M'vy Jul 01 '18 at 00:24