I'm trying to make an encrypted pass-file, but receive an error:
bad decrypt
3872:error:0607F08A:digital envelope routines:EVP_EncryptFinal_ex:data not multiple of block length:.\crypto\evp\evp_enc.c:414:
Please provide a solution for the present error.
Here is the command for making the file:
openssl enc -des-ede-cbc -K 16161616161616161515151515151515 -iv 000000000000000 -in C:\OpenSSL\bin\ssl\key\pass.txt -out C:\OpenSSL\bin\ssl\key\pass.enc -nopad
pass.txt contains just one line with pass
Thanks
It's working for me if I leave out the "-nopad" argument:
openssl enc -des-ede-cbc -K 16161616161616161515151515151515 -iv 000000000000000 -in C:\OpenSSL\bin\ssl\key\pass.txt -out C:\OpenSSL\bin\ssl\key\pass.enc
Me and my colleagues are trying to exchange encrypted config files. Person A is able to decrypt a file encrypted-dev.enc encrypted by person B. But I can't decrypt it, and person B can't decrypt a file I send her. The error is
bad decrypt
4672347584:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:610:
From reading around (for example this answer), this error refers to the algorithm openssl uses for the message digest. To fix it, people always tell you to specify the algorithm with an argument like -md md5. But our command already includes that argument.
Person A is on openssl 1.1.1f.
Person B is on openssl 1.1.1i.
I am on openssl 1.1.1j.
To encrypt, we're using this command:
export CONFIG_KEY='[ key ]'
openssl enc -md sha1 -aes-256-cbc -pbkdf2 -pass env:CONFIG_KEY -out ./tests/e2e/config/encrypted-dev.enc -in ./tests/e2e/config/config-dev.json
To decrypt, we're doing this:
export CONFIG_KEY='[ key ]'
openssl enc -md sha1 -aes-256-cbc -pbkdf2 -d -pass env:CONFIG_KEY -in ./tests/e2e/config/encrypted-dev.enc -out ./tests/e2e/config/config-dev.json
Has anybody else run into this situation?
To investigate your issue, add the -p flag to dump the key and IV; they must be identical when ciphering and deciphering. Add -nosalt to disable salting the password (with a random value) to make the password-to-key computation constant.
$ openssl enc -p -nosalt -md sha1 -aes-256-cbc -pbkdf2 -pass env:CONFIG_KEY -out ./tests/e2e/config/encrypted-dev.enc -in ./tests/e2e/config/config-dev.json
key=27D3CEEB44142947B9ADFA4E6D7F6EB731EB6828A6CD4C49257079470599A443
iv =35E21E3684C06DB2F182D69D99BD6E9C
In your case, you will get two different values; that's your problem.
The parameter name CONFIG_KEY is not accurate, because you are setting a password, not a key; CONFIG_PASSW would be more suitable.
If your goal was to use a key (not a password), you can use this syntax:
$ openssl enc -e -aes-256-cbc -nosalt -K AC7CBA91D9523EA2A9166341EC66D9DDCB14D3F6BCE33ADB59B16BE8F40AE607 -iv 208DE031141C4ACA18EA7B71B2EAA935 -in test.txt -out test.enc
$ openssl enc -d -aes-256-cbc -nosalt -K AC7CBA91D9523EA2A9166341EC66D9DDCB14D3F6BCE33ADB59B16BE8F40AE607 -iv 208DE031141C4ACA18EA7B71B2EAA935 -in test.enc
Hello world !!!
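To compare what each machine derives without re-encrypting, the key and IV that -p prints can be recomputed from the salt stored in the file header. This is an added example, not code from the posts above; the function names, the password "example-password" and the sample bytes are constructed for illustration, and it assumes a raw (not base64) aes-256-cbc file written with -pbkdf2 and the default iteration count.

```python
import hashlib

MAGIC = b"Salted__"          # 8-byte marker `openssl enc` writes before the salt
KEY_LEN, IV_LEN = 32, 16     # aes-256-cbc: 256-bit key, 128-bit IV
DEFAULT_ITER = 10000         # `openssl enc -pbkdf2` default when -iter is not given


def read_salt(blob: bytes) -> bytes:
    """Return the 8-byte salt from a raw (not base64) `openssl enc` file."""
    if len(blob) < 16 or not blob.startswith(MAGIC):
        # openssl reports a missing marker as "bad magic number".
        raise ValueError("no Salted__ header: unsalted, base64, or not openssl enc output")
    return blob[8:16]


def derive_key_iv(password: str, salt: bytes, md: str = "sha1",
                  iterations: int = DEFAULT_ITER):
    """Recompute the key and IV that `openssl enc -pbkdf2 -md <md>` derives."""
    # One PBKDF2 output is split: first the key, then the IV.
    material = hashlib.pbkdf2_hmac(md, password.encode(), salt,
                                   iterations, KEY_LEN + IV_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def same_parameters(password, blob, md_a, md_b,
                    iter_a=DEFAULT_ITER, iter_b=DEFAULT_ITER):
    """True when two parties' settings yield the same key and IV for this file."""
    salt = read_salt(blob)
    return (derive_key_iv(password, salt, md_a, iter_a)
            == derive_key_iv(password, salt, md_b, iter_b))


if __name__ == "__main__":
    # Constructed sample: header, salt, and 16 placeholder ciphertext bytes.
    sample = MAGIC + bytes.fromhex("0102030405060708") + bytes(16)
    key, iv = derive_key_iv("example-password", read_salt(sample))
    print("salt=" + read_salt(sample).hex().upper())
    print("key=" + key.hex().upper())
    print("iv =" + iv.hex().upper())
    print("sha1 vs sha256 agree:",
          same_parameters("example-password", sample, "sha1", "sha256"))
```

If the values printed here match `openssl enc -d -p` on one machine but not on another, the difference is in the password, digest or iteration count that machine actually passes, not in the file.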
Given this command:
openssl enc -aes-128-ecb -nosalt -base64 -pass pass:aaaca -in flag.txt -out flag.txt.enc -md sha256
What's the format to decrypt openssl file? My openssl ubuntu version is 1.0.2g.
I'm asking because I tried using openssl enc -d -aes-128-ecb -pass pass:aaaca -in flag.txt.enc -out pass.txt but it says bad magic number with aaaca as password, and when I tried openssl enc -d -aes-128-ecb -nosalt -base64 -md sha256 -in flag.txt.enc -out pass.txt -pass pass:aaaaa (with different password), it says bad decrypt. At this point, I'm not sure anymore. Thanks!
Edit: If you're wondering why I am purposely inputting the wrong password, it's because I'm trying to test out brute forcing a password for one of my assignments. Help appreciated ><
and when I tried openssl enc -d -aes-128-ecb -nosalt -base64 -md sha256 -in flag.txt.enc -out pass.txt -pass pass:aaaaa (with different password), it says bad decrypt.
Yes, of course, because the openssl command line will perform PKCS#7 compatible padding and unpadding by default. So if you decrypt with a wrong key then there is about a 255/256 chance of getting "bad decrypt" because the unpadding fails. If you're "lucky" the incorrect plaintext will contain a valid padding and you'll just get a wrong / randomized plaintext in the output.
So if you get into that situation then you'll have to check if the plaintext message does fit what you expect. If you have nothing to compare the possibly bad plaintext against, well, then you're in trouble as you may find multiple solutions to your problem.
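The padding rule behind both the "data not multiple of block length" error with -nopad and the "bad decrypt" message can be checked directly. This is an added example, not code from the posts above; the function names and sample inputs are constructed, and uniformly random bytes stand in for the last block produced by a wrong key.

```python
import random

BLOCK = 16  # AES block size in bytes; DES and 3DES use 8


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Pad to a whole number of blocks; always adds 1..block bytes."""
    n = block - len(data) % block
    return data + bytes([n]) * n


def pkcs7_valid(plain: bytes, block: int = BLOCK) -> bool:
    """The unpadding check: last byte n is in 1..block and is repeated n times."""
    if not plain or len(plain) % block:
        return False
    n = plain[-1]
    return 1 <= n <= block and plain.endswith(bytes([n]) * n)


def false_accept_probability(block: int = BLOCK) -> float:
    """Exact chance that a uniformly random final block has valid padding."""
    # The last byte selects n, so the cases n = 1..block are mutually exclusive.
    return sum(256.0 ** -n for n in range(1, block + 1))


def simulate(trials: int, seed: int = 1, block: int = BLOCK) -> int:
    """Count random final blocks (stand-in for wrong-key output) that pass."""
    rng = random.Random(seed)
    return sum(
        pkcs7_valid(bytes(rng.getrandbits(8) for _ in range(block)), block)
        for _ in range(trials)
    )


if __name__ == "__main__":
    # Constructed input: a 9-byte line is not a multiple of the 8-byte DES block,
    # so -nopad rejects it while default padding extends it to 16 bytes.
    line = b"password\n"
    print(len(line) % 8, len(pkcs7_pad(line, 8)))
    print(false_accept_probability())
    print(simulate(100_000), "of 100000 random blocks had valid padding")
```

A block that passes this check only has well-formed padding; it says nothing about whether the key was right, which is why the output still has to be compared against what the plaintext is expected to look like.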
The ciphertext is encrypted by Javascript using the AES algorithm in hexadecimal format. I first coded it in Base64 and then decrypted it using OpenSSL.
But it failed, I don't know where it is wrong.
And I am using a Windows compiled version of OpenSSL.
http://gnuwin32.sourceforge.net/packages/openssl.htm
The command is as follows:
openssl enc -aes-128-cbc -a -A -in Cipherbase64.txt -out PlainText.txt -K 31323334353637383930303030303030 -iv 31323334353637383930303030303030 -d
result:
bad decrypt
6396:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:./crypto/evp/evp_enc.c:461:
Ciphertext (HEX)
4cb4eb49df960e82c14e158ac418ca918736e4fbb730f532fc37d226e0e8b0e3ce0571ce4c146a6a9e037b9b79d8077568326d7fe2a3f9a91d266cfeb8bfac5668f526bc4d5ee1a21cbe85c8efab8cd1fe29b4a2b412468c6d97b7a3bfd2f69c50691e181fde43710bc61ffff2c6e7cbab59de70b97d993707c16e4a909273cc873d9156dda0ad03214e29048ac39532b8ec11c071174219fefa85e0d489468036154d19d2b683b20b07589abb9f4d863fcd17598d43a8b82d37236ceee7588d08a22f4c9662bba7f4cf6595f28b0e7b7e62f9be2d42f1b11f5c06aca7ed7568d8922d9155c229a8d57b251695c2bd645cb44539e4278b4431ac60a318fbd22afe18b204f9730f86a07c43355ce89f9646be5810e0c6bd2043066d359efe73c8e0ac7f581e048ed1809ad2720ea96f528d0acc7fd622b86d3073e8b1ac0b5d70f4e92b045e8cdf1fb6c999332ba2c279ebab2262589082a8214187a8904671a2c4eec8828335dc7f49fe438fb4e34c762e9f7febe30672a9ced8b0a2b66373d3a3b9efbe46e63f4d8b2723ebe85736f5
Thanks to Topaco for your help. Because of my negligence, I mistook CTR for CBC, causing confusion.
You can try the following:
openssl enc -aes-128-cbc -a -A -in Cipherbase64.txt -out PlainText.txt -K 31323334353637383930303030303030 -iv 31323334353637383930303030303030 -d
After the -K and -iv options, the input must be a hexadecimal string, i.e. instead of 1234567890000000 you have to use 31323334353637383930303030303030. The -A option says that the Base64-encoded ciphertext is contained in one single line, here. So there is no need to use line breaks.
Update:
It turned out that the JavaScript-code actually applied to generate the posted ciphertext uses CTR-mode for encryption (instead of CBC-mode). Therefore, the OpenSSL-statement which can be used to decrypt the posted ciphertext is:
openssl enc -aes-128-ctr -a -A -in Cipherbase64.txt -out PlainText.txt -K 31323334353637383930303030303030 -iv 31323334353637383930303030303030 -d
The decrypted text is:
{"sign":"13adab9285fe86206b73e029ff0d290fc0e31237","timestamp":1570608017,"logid":"MTU3MDYwODA2MjAzMjAuMTMzMjE0Nzc2OTIxNTgxNDY=","uk":3012946979,"shareid":547370362,"fid_list":"[\"482622974717034\"]","input":"aaxb","vcode":"33324238656332346361663334656637323237633636373637643239666664336662393132313032313738303030303030303030303030303031353730363038303530B0D6C0036A1909217D2CDCD5B76B46FB"}
which can be easily verified here.
I wanted to know how I can go about encrypting particular values in a properties file using openssl or gpg.
Most of the examples I have seen, such as the ones below, seem to encrypt the entire file. But I just wanted to use it to encrypt stored passwords.
To Encrypt
openssl enc -aes-256-cbc -in un_encrypted.data -out encrypted.data
To Decrypt
openssl enc -d -aes-256-cbc -in encrypted.data -out un_encrypted.data
You can easily use openssl to encrypt any string you want:
$ echo 12345678901 | openssl enc -e -base64 -aes-256-cbc -k MySecretPassword
U2FsdGVkX18z9p14y9XRhDdRBRoeJfIkdLQXQmGfKag=
In your case you could use a bash script like this:
# Base64 output can contain "/", so sed uses "|" as its delimiter; -f2- keeps values that contain "=".
encrypted=$(grep "the.name.of.my.property" myFile.properties | cut -d'=' -f2- | openssl enc -e -base64 -aes-256-cbc -k MySecretPassword)
sed "/the.name.of.my.property=/ s|=.*|=$encrypted|" myFile.properties > newFile.properties
This will produce a new file named newFile.properties with the encrypted field.
Using openssl-1.0.1g command line for simple file encryption/decryption, when I issue the commands
openssl enc -aes-256-cbc -k secret -in file.txt -out file.ssl
openssl enc -d -aes-256-cbc -k secret -in file.ssl
The contents of file.txt go to stdout as expected. However, when I issue the commands
openssl enc -aes-256-gcm -k secret -in file.txt -out file.ssl
openssl enc -d -aes-256-gcm -k secret -in file.ssl
The contents of file.txt go to stdout but the string "bad decrypt" goes to stderr.
Am I missing something or is there a bug in the openssl gcm implementation?
I have tried substituting "-pass pass:secret" for "-k secret" and get the same results.