Re: Encrypt with RijndaelManaged and decrypt with OpenSSL

From: Michel Gallant (neutron_at_istar.ca)
Date: 04/24/05

    Date: Sun, 24 Apr 2005 11:49:12 -0400
    
    

    Also, I forgot to add that yes this also produces the exact AES key (32 bytes)
    and IV (16 bytes) for your initial sample command:
        OpenSSL> enc -aes-256-cbc -in MyInputFile -out MyOutputFile

    In that case, you need to invoke the algorithm iteration 3 times to build
    up 48 bytes total. Here is sample output from the C# application (for
    hash iteration count of 1, and 3 algorithm passes):

    C:\.....\DeriveKeyM>DeriveKeyM test 3065AD204B46DD02 1 3

    Contatenated pswd || salt
    746573743065AD204B46DD02

    Computing hash 1 times over 3 algorithm iterations

    D_1
    5DC4CC9BCEFC482B7208C7A077519EB1

    D_2
    EE5C334761228D9F712387F331F73B9F

    D_3
    EDE37C9B8333573CFE4ABCAEBE6F05F2

    Contatenated key data:
    5DC4CC9BCEFC482B7208C7A077519EB1EE5C334761228D9F712387F331F73B9FEDE37C9B8333573CFE4ABCAEBE6F05F2

    AES Key is:
    5DC4CC9BCEFC482B7208C7A077519EB1EE5C334761228D9F712387F331F73B9F

    AES IV is:
    EDE37C9B8333573CFE4ABCAEBE6F05F2

    - Mitch

    "Michel Gallant" <neutron@istar.ca> wrote in message news:%23nJ%232RHSFHA.3336@TK2MSFTNGP10.phx.gbl...
    > OK I think I have figured out the problem! (or my lack of understanding).
    > I implemented the documented keygen algorithm described here in C#:
    >
    > http://www.openssl.org/docs/crypto/EVP_BytesToKey.html
    >
    > D_i = HASH^count(D_(i-1) || data || salt)
    >
    > And, for a given salt, this produces (for MD5) exactly the same key
    > as that generated in Java by PBEWithMD5AndDES, using a test count
    > of say 2048 (which I *thought* was the default count for PBKD hashing).
    >
    > The Java implementation only exposes the IV value, but that
    > is sufficient to show the agreement. Java follows the PKCS #5 v1.5
    > spec. which is exactly what the multi-hashing algorithm is!
    >
    > However, try as I might, using:
    > OpenSSL enc -des -p -in cleartxt.txt -out decenc.txt
    > I could NOT get the correct key and iv for the same salt. (Since MD5
    > is 16 bytes and DES key and iv are both 8 bytes, no "non standard extension"
    > is required in this case.)
    >
    > However, looking at the openssl enc.c source code and the call to EVP_BytesToKey(),
    > the count parameter is 1 !!
    >
    > Applying that to my C# implementation produces exactly the same
    > IV and Key values as output by openssl enc .....
    >
    > So, that is strange .. that openssl enc does not provide an option to
    > change the iteration count for PBKD keys! Or did I miss something?
    >
    > Anyway so that is how one reproduces the openssl enc .. key and iv
    > values for the (randomly generated) salt. Pick a single iteration count
    > for standard PKCS #5 v1.5 PBKD.
    >
    > If anyone wishes to see the C# implementation, i'll post it.
    >
    > - Mitch Gallant
    > MVP Security
    >
    >
    > "chlock" <taylor@innovaworks.net> wrote in message news:1114208337.806518.29820@z14g2000cwz.googlegroups.com...
    > > Yeah....I doubt you're as confused as I am.
    > >
    > > The answer from Sipura is that I can not pass the key to the device. I
    > > have to pass the password, and of course the salt must be prepended to
    > > the file.
    > >
    > > So. Anybody seen a port of the PKCS5_PBE_keyivgen() function done in
    > > C#? I found it in p5_crpt.c.
    > >
    > > So far I can't nail down what hash they use. And here's another
    > > question(s):
    > >
    > > A hash always returns the same number of bits. So why would iterating
    > > generate any extra bits for the IV? If I use SHA256 and hash 1000
    > > times, I'm still going to have 256 bits. Where do they come up with the
    > > extra bytes for the IV? And if they use MD5, how do they ever get 256
    > > bits out of it?
    > >
    > > Man, I have a lot to learn, I'm afraid.
    > >
    >
    >
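
The derivation discussed in this thread, D_i = HASH^count(D_(i-1) || data || salt), as an added Python example (not the C# DeriveKeyM program from the post): it chains digest blocks until key plus IV are covered, which is also how 16-byte MD5 output yields 48 bytes. The function names are illustrative, the sample file bytes are constructed, and the "Salted__" header layout is the one `openssl enc` writes when a password is used.

```python
import hashlib

def evp_bytes_to_key(password, salt, key_len, iv_len, count=1, hash_name="md5"):
    """Return (key, iv, blocks) per D_i = HASH^count(D_(i-1) || password || salt)."""
    blocks, prev = [], b""
    while sum(len(b) for b in blocks) < key_len + iv_len:
        # First hash covers the previous block, the password and the salt.
        d = hashlib.new(hash_name, prev + password + salt).digest()
        # The remaining count-1 rounds re-hash the digest only.
        for _ in range(count - 1):
            d = hashlib.new(hash_name, d).digest()
        blocks.append(d)
        prev = d
    material = b"".join(blocks)
    return material[:key_len], material[key_len:key_len + iv_len], blocks

def split_salted_header(data):
    """Split an `openssl enc` password-encrypted file into (salt, ciphertext)."""
    if len(data) < 16 or data[:8] != b"Salted__":
        raise ValueError("missing Salted__ header; file was not written with a salt")
    return data[8:16], data[16:]

if __name__ == "__main__":
    # Inputs taken from the post: password "test", salt 3065AD204B46DD02,
    # hash iteration count 1, AES-256-CBC (32-byte key + 16-byte IV).
    salt = bytes.fromhex("3065AD204B46DD02")
    # Constructed sample file: header + salt + one dummy ciphertext block.
    sample_file = b"Salted__" + salt + bytes(16)
    file_salt, body = split_salted_header(sample_file)
    key, iv, blocks = evp_bytes_to_key(b"test", file_salt, 32, 16, count=1)
    for i, d in enumerate(blocks, 1):
        print(f"D_{i} = {d.hex().upper()}")
    print("AES key =", key.hex().upper())
    print("AES IV  =", iv.hex().upper())
    # DES case from the quoted message: 8-byte key + 8-byte IV fit in one MD5 block.
    des_key, des_iv, des_blocks = evp_bytes_to_key(b"test", file_salt, 8, 8)
    print("DES key =", des_key.hex().upper(), "IV =", des_iv.hex().upper())
```

With count fixed at 1, each 16 bytes of key material costs a single MD5 computation, so the password itself carries all of the resistance to guessing.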

