OpenSSL Symmetric Key Encryption Methods (AES, ARIA, Blowfish, Camellia, ChaCha20, Cast, DES, ...)
In this case we will create cipher text from OpenSSL 3.x using a key derived from a password, and a salt value (defined in hex). Details of ARIA are [here][Decrypt].
Plaintext: Hello, Ciphertext: U2FsdGVkX18kH6hnY7hTQfCHt5uPKTY2riacbC3zhvw= Mode: aes-128-cbc Password: qwerty
Plaintext: Hello, Ciphertext: U2FsdGVkX18kH6hnY7hTQZ+x9aQ/9b8/DHe9E5n6lxA= Mode: aes-256-cbc Password: qwerty
Outline
For example, for "Hello" with 256-bit AES CBC, a passphrase of "qwerty" and a salt value of "241fa86763b85341":
% echo -n "hello" | openssl enc -aes-128-cbc -pass pass:"qwerty" -e -base64 -S 241fa86763b85341
U2FsdGVkX18kH6hnY7hTQfCHt5uPKTY2riacbC3zhvw=
The value "U2FsdGVkX18" is the Base64 form of the word "Salted__", and indicates that the next part is the salt value. We can now decrypt the ciphertext with:
% echo "U2FsdGVkX18kH6hnY7hTQfCHt5uPKTY2riacbC3zhvw=" | openssl enc -aes-128-cbc -base64 -d -pass pass:"qwerty"
hello
OpenSSL Version 1.x and Version 3.x
OpenSSL is a strange program: it was stuck at Version 1 for decades and then, all of a sudden, jumped to Version 3. One little annoyance in Version 3 is that they changed the way they do symmetric key encryption. With Version 1.x, we can encrypt in Linux or Windows with [here]:
Linux command:
echo -n "Hello" | openssl enc -aes-128-cbc -pass pass:"qwerty" -e -base64 -S 241fa86763b85341
Windows command:
echo | set /p = "Hello" | openssl enc -aes-128-cbc -pass pass:"qwerty" -e -base64 -S 241fa86763b85341
OpenSSL 1.1.1f 31 Mar 2020
Message: Hello
Mode: aes-128-cbc
Password: qwerty
Salt: 241fa86763b85341
========
U2FsdGVkX18kH6hnY7hTQfdhmyrMIw+cu61C/B89/Ek=
We can see the cipher is:
U2FsdGVkX18kH6hnY7hTQfdhmyrMIw+cu61C/B89/Ek=
If we convert this to binary we see:
The cipher thus starts with “Salted__”. In hex, we see the salt value:
53616C7465645F5F 241FA86763B85341 F7619B2ACC230F9CBBAD42FC1F3DFC49
But in OpenSSL 3.x, we get [here]:
Linux command:
echo -n "Hello" | openssl enc -aes-128-cbc -pass pass:"qwerty" -e -base64 -S 241fa86763b85341
Windows command:
echo | set /p = "Hello" | openssl enc -aes-128-cbc -pass pass:"qwerty" -e -base64 -S 241fa86763b85341
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
Message: Hello
Mode: aes-128-cbc
Password: qwerty
Salt: 241fa86763b85341
========
92GbKswjD5y7rUL8Hz38SQ==
This time there is no “Salted__” string:
As we can see, the cipher is exactly the same:
F7619B2ACC230F9CBBAD42FC1F3DFC49
But the salt value is missing. So, if you want to transmit this cipher, you will have to manually add your salt value to it. If you just send the cipher, there is very little chance the recipient will be able to decrypt it, as they need the salt value, too. Thus, the OpenSSL 3 output does not contain the salt value, and it needs to be added to the cipher.
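The difference between the two outputs, and the manual step of adding the salt back, can be checked in a few lines of Python. This is an added example, not code from the original page: the function names are hypothetical, and the Base64 strings and salt are the values shown above.

```python
import base64

MAGIC = b"Salted__"      # 8-byte marker that `openssl enc` puts before the salt
SALT_LEN = 8             # salt length in bytes
BLOCK = 16               # AES block size; CBC output is a multiple of this

# Values copied from the page (aes-128-cbc, password "qwerty")
V1_B64 = "U2FsdGVkX18kH6hnY7hTQfdhmyrMIw+cu61C/B89/Ek="  # OpenSSL 1.1.1f
V3_B64 = "92GbKswjD5y7rUL8Hz38SQ=="                        # OpenSSL 3.0.0
SALT_HEX = "241fa86763b85341"


def parse_enc_blob(b64_text):
    """Return (salt or None, ciphertext) for Base64 `openssl enc` output."""
    # OpenSSL wraps Base64 lines and appends a newline, so drop whitespace first.
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    salt = None
    if raw.startswith(MAGIC):
        if len(raw) < len(MAGIC) + SALT_LEN:
            raise ValueError("truncated Salted__ header")
        salt, raw = raw[len(MAGIC):len(MAGIC) + SALT_LEN], raw[len(MAGIC) + SALT_LEN:]
    if not raw or len(raw) % BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return salt, raw


def add_salt_header(b64_text, salt_hex):
    """Prepend 'Salted__' + salt to a headerless blob so the salt travels with it."""
    salt, body = parse_enc_blob(b64_text)
    if salt is not None:
        raise ValueError("blob already carries a Salted__ header")
    new_salt = bytes.fromhex(salt_hex)
    if len(new_salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 bytes (16 hex digits)")
    return base64.b64encode(MAGIC + new_salt + body).decode("ascii")


if __name__ == "__main__":
    for name, blob in (("1.x", V1_B64), ("3.x", V3_B64)):
        salt, body = parse_enc_blob(blob)
        print(name, "salt:", salt.hex() if salt else "absent", "| ciphertext:", body.hex())
    # Re-attaching the salt to the 3.x output reproduces the 1.x output exactly.
    print(add_salt_header(V3_B64, SALT_HEX) == V1_B64)
```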