Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why can't I make "OpenSSL with Ruby" and "Command line OpenSSL" interoperable?

Tags:

ruby

openssl

base64

encryption

While trying to setup an interoperable encryption system, I met a weird situation during a light "proof-of-concept".

I wrote the following code in Ruby to:

  • create an encrypted file from a dummy text file on my file system
  • decrypt the encrypted file
  • compare with the original file and check if they are the same

Here is the code:

require 'openssl'
require 'base64'

# Read the dummy file
data = File.read("test.txt")

# Create an encrypter
cipher = OpenSSL::Cipher::AES.new(256, :CBC)
cipher.encrypt
key = "somethingreallyreallycomplicated"
cipher.key = key

# Encrypt and save to a file
encrypted = cipher.update(data) + cipher.final
open "encrypted.txt", "w" do |io| io.write Base64.encode64(encrypted) end

# Create a decrypter
decipher = OpenSSL::Cipher::AES.new(256, :CBC)
decipher.decrypt
decipher.key = key

# Decrypt and save to a file
encrypted_data = Base64.decode64(File.read("encrypted.txt"))
plain = decipher.update(encrypted_data) + decipher.final
open "decrypted.txt", "w" do |io| io.write plain end

# Compare original message and decrypted message
puts data == plain #=> true

Everything works fine, this script outputs "true"

Then I tried to use the openssl command-line to decrypt my file with the following command:

openssl aes-256-cbc -d -a -in encrypted.txt -k somethingreallyreallycomplicated

But I got: bad magic number

How come?

like image 831
Dirty Henry Avatar asked Jan 30 '13 10:01

Dirty Henry

1 Answers

You need to use the -K (upper case) and -iv options on the command line to specify key and IV explicitly as a string of hex digits. If you use -k (lower case), OpenSSL will derive key and IV from the password using a key derivation function. When OpenSSL derives a key, it will also use a "salted" ciphertext format which is incompatible with the plain blockwise CBC you are expecting.

Note that in your Ruby code, you are using the first 256 bits (32 bytes) of an ASCII string directly as a key, which is almost certainly not what you want for a real world application where security is an issue. You should use a (randomly generated) binary key, or derive a key from a password using a key derivation function such as PBKDF2, bcrypt or scrypt.

like image 168
Daniel Roethlisberger Avatar answered Nov 15 '22 04:11

Daniel Roethlisberger
Sign in to Comment

Related questions

Monkey patching built-in ruby classes in limited scopes
Idiomatic Analog to Ruby's `Object#tap` for Unix command Pipelines?
Which shell ruby uses as its subshell?
More natural way of Proc calling in Ruby 1.9
Ruby on Rails: Accept nested attributes for parent rather than child records?
rvm install ruby-1.9.3-p286: Error running 'make -j 9' (OSX: Mountain Lion)
Rails send_file don't play mp4
Making ruby program run on all processors
How to use rspec to test screen scraping?
Retrieving nested records in Sequel
Import SASS file from database instead of filesystem
Create a new Ruby CSV object with headers in a single csv.new() line
How to write a redirect that uses relative_url_root if defined?
Regexp search through a very large file
Why isn't this Ruby hash what I thought it would be?
Can Ruby's YAML module be used to embed comments?
Delayed Job with i18n on rails 3
Mock file input as file path on Rspec
Rails + XMPP bot in background
How to parse numbers from different locale formats?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!