This question already has answers here:
Why does RSA encrypted text give me different results for the same text
(2 answers)
Closed 5 years ago.
I generate private/public keys, and a small text file,
openssl genrsa -out priv.pem
openssl rsa -out pub.pem -in priv.pem -pubout
echo "A" > plain.txt
When you encrypt the text file with the public key twice, as so,
openssl rsautl -encrypt -pubin -inkey pub.pem -in plain.txt -out cipher.txt
you will see that the two cipher.txt differ. This is what I do not understand.
When you encrypt the text file with the public key twice ... you will see that the two cipher.txt differ. This is what I do not understand.
This is called probabilistic encryption (versus deterministic encryption). Its that way by design so that the same message encrypted twice does not produce the same cipher text. Its due to the masking function and padding functions used by RSA.
If encryption produced the same cipher text, then your adversary could gain information. For example, if your adversary sees a message he does not understand but observers your army attacks his army the next morning, he might guess that the message was "Attack at dawn". If he sees that same encrypted message again, he's probably going to be ready for an attack at dawn the next day.
The folks on the crypto stack exchange might be able to help you further if you want the details of MGFs, OAEP and the like. Also, Dr. Steve Bellovin has a very approachable introduction to cryptography at An Introduction to Cryptography.
Related
I have a salt that while decoded is not in an openSSL readable format. The salt is in the DES3 encryption standard and looks something like this Salted__}..O.G....^..GZ LbvbJ5eYm...R...,#.M.U...
I know that this flag is formatted incorrectly since whenever I execute openssl des3 -d -salt -in file.des3 -out file.txt -k <password> it returns bad decrypt. I was wondering how the flag is supposed to be formatted and if outside the dots there are any other characters that dont belong
Thank you
Someone's here for picoCTF... eheheh
In the openssl encryption format, for that cipher, the first 8 bytes are the ascii codes for the string "Salted__" and the next 8 bytes represent the salt...
So if we have the following "Salted__12345678", as the first 16 bytes from the file, the Salt is "12345678"...
But, when trying to decrypt a file using the OpenSSL tool, the tool already knows how to get the salt, and knows the value of the salt, so there's no need for you to get that value, unless you want to use another tool.
(Just a small side-note)
If you're indeed doing the picoCTF, you should use the Webshell for the decryption, because of the version of OpenSSL. For some people it worked...
Hope it answered your question.
I got a 15KB encrypted file (containing a long base64 string) , and a rsa private key file. I have to decrypt this file using the private key, but I am receiving an error while trying to do so with openssl.
This is the command I tried:
openssl rsautl -decrypt -inkey ./id_rsa -in encrypted_file.enc -out output.bin
The error I'm receiving is as follows:
RSA operation error 140360486789312:error:0406506C:rsa
routines:rsa_ossl_private_decrypt:data greater than mod
len:../crypto/rsa/rsa_ossl.c:391:
I would appreciate to get help how to do it right.
Thanks in advance.
RSA is not designed to encrypt (large) data, use symmetric encryption such as AES to encrypt data.
If you really need asymmetric encryption, that is separate encryption and decryption keys, use hybrid encryption. Hybrid encryption creates a Ranson symmetric key, encrypts the data with symmetric encryption, encrypts that symmetric key with asymmetric encryption and packaged the two together.
The size of the data that can be encrypted is less than the key size minus padding. To RSA encrypt a 15KB file would require an RSA key > 17,000 bits and that is currently unreasonable. Also asymmetric encryption (RSA) is orders of magnitude slower than symmetric encryption (AES).
But one question: do you really need asymmetric encryption, would symmetric encryption suffice for your needs?
I am trying to encrypt a text file with opensslusing aes-128-cbc encryption and I was wondering if there was a way I could encrypt it only using the key and not the iv?
Everytime I try to run:
openssl enc -aes-128-cbc -e -in dummy_file.txt -out dummy.aes-128-cbc.bin -K 00112233445566778889aabbccddeeff
I get the error saying iv undefined and the encrypted file it generates is empty and it is not even a binary file.
No, that's not possible, CBC requires an IV. You can however set the IV to all zeros. As the IV is XOR'ed with the first block of plaintext before encryption, this comes down to having no IV at all: you would directly encrypt the first block of plaintext with the block cipher.
Note that creating multiple ciphertext with the same key and IV will not result in a secure cipher. For CBC it is required to have a random (or at least unpredictable) IV. Otherwise an attacker can at least see which plaintext start with identical blocks of data.
The IV always consists of 16 bytes for AES, which comes down to 32 hexadecimal zeros, of course for the -iv command line parameter of openssl.
When I want to encrypt large files, I have found the following command:
openssl smime -encrypt -binary -aes-256-cbc \
-in large_file.img -out large_file.img.dat \
-outform DER \
public-rsa2048.pem
The private/public keys have been created like this:
openssl req -x509 -nodes -newkey rsa:2048 \
-keyout private-rsa2048.pem -out public-rsa2048.pem
So I am using aes-256-cbs as well as an rsa-key.
Which one is now responsible for the encrpytion?
Which one does impact the performance and how?
If I increase/lower the public key (rsa512 vs rsa4096), does this impact the performance?
If I choose a different aes algorithm, does this impact the performance as well?
Could someone bring some light into this matter please?
Are there any other methods to encrypt large files?
Using the openssl smime command to encrypt data encrypts it in such a way that it can be received and decrypted by a recipient using email. This means that it uses certificates representing various entities (sender, recipient) and containing keys uniquely associated with those entities to both sign, encrypt, decrypt, and verify signatures on the contained data.
As Artjom pointed out in their comment, a hybrid cryptosystem is used. This means a combination of symmetric and asymmetric encryption algorithms are used, as each has benefits and drawbacks. Symmetric encryption (such as AES) is extremely fast in comparison to asymmetric encryption (such as RSA). However, AES/CBC provides only confidentiality, not integrity, authentication, or non-repudiation. Asymmetric encryption can provide integrity, authentication, and non-repudiation. Asymmetric encryption also has fairly low limits for the amount of data it can encrypt (for example, an RSA-4096 bit key can encrypt at most 446 bytes at once). By combining both methods, we can exercise each for their strengths and mitigate the weaknesses of the other.
In this case, let our message be M. An AES/CBC key Kaes of length 256 bits is generated and used to encrypt the raw data such that the cipher text C is C = E(Kaes, M). The recipient's public key Krpub is then used to encrypt Kaes as C' = E(Krpub, Kaes). The cost of encrypting this small amount of data is relatively low, even though we are using an expensive operation.
Note prior to encrypting the ephemeral session key, it is likely signed using the sender's private key Kspriv unless digital signing is disabled. I am not 100% certain with S/MIME, but this is how PGP works, as when sending to multiple recipients, it would be much more expensive to encrypt the session key with n recipient's public keys and then sign each encrypted key with the sender's private key O(2n) vs. O(n+1) (not really Big-O notation, but effective for communicating the point). The signature of the session key is the same regardless of recipient because it depends only on the sender's private key.
Now all that is left is to concatenate the encrypted session key C' and the cipher text C and transmit them to the recipient. In a real S/MIME message, the identifying information about the sender's public key is transmitted as well in order to facilitate signature verification. The recipient parses the complete encrypted message, decrypts the session key using the recipient's private key Krpriv and then uses the session key Kaes to decrypt the cipher text C.
However, it seems like all of this may be overkill for your situation. If you do not need to integrate with an email communication system and are simply trying to encrypt large files for storage, openssl also offers a simple enc command. You can use it as follows:
Password-based encryption:
$ openssl enc -aes-256-cbc -in large_plain_file.dmg -out large_encrypted_file.enc -k thisIsABadPassword
-k allows you to enter a password on the command line from which the key will be derived. OpenSSL uses a deterministic key derivation function (KDF) (effectively key, iv = MD5(password||salt)). You can run this command with -p on the end to get the key, salt, and IV printed to the console. The IV is deterministically derived from the password and salt. A KDF like PBKDF2 is recommended but the library function in OpenSSL does not expose it to the command-line tool for some reason.
Warning you can run this and specify -nosalt to skip the salt generation, but this is not recommended as it makes an already extremely weak KDF even weaker.
Keyed encryption:
$ openssl enc -aes-256-cbc -in large_plain_file.dmg -out large_encrypted_file.enc K 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 -IV 0123456789ABCDEFFEDCBA9876543210
Running with the actual key and IV provided. The key is 32 bytes (256 bits) and the IV is 16 bytes (the size of one AES block).
To decrypt the data, run the command with the -d flag:
$openssl enc -aes-256-cbc -d -in large_encrypted_file.dmg -out large_decrypted_file.enc
This is going to be simpler for you (no certificates/key pairs needed) and faster (no RSA encryption).
Something to keep in mind for all of this is that the password/key will be kept in terminal history if you provide it in the command invocation. Running without -k or -K will prompt the password to be entered in a secure prompt. Or use -pass to read from an environment variable, file, or file descriptor.
Update to address original questions explicitly:
The AES key is responsible for encrypting the data. The RSA key is used to encrypt the AES key.
Both impact the performance. The AES key is encrypting much more data, but is much faster than RSA encryption.
Yes, changing the size of the RSA key impacts performance, (higher key sizes are slower), but for a large file this is unlikely to be the limiting factor on performance.
Yes, changing the AES mode of operation may have a substantial impact on performance. AES/CBC, AES/OFB, and AES/CFB are similar in that they are serial operations (depending on the result of one block operation to proceed to the next), but AES/CTR operates as a stream cipher and can be parallelized to provide both encryption and decryption.
See answer above.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
Is there a way to tell if a file has been encrypted already if I know the Algorithm was AES?
I would have been the one to encrypt it, so information to decrypt or encrypt is not a problem. However, if you try to decrypt a file that has not been encrypted you'll lose all the data. If you encrypt it twice, you get a double encryption. You can reverse a double encryption but you need to know that it is encrypted twice.
Is there a way to determine programatically?
I'm doing this in Java.
there is no way to tell if anything has been encrypted with AES, it doesnt leave a signature, thats part of the point. although you can infer that its probably been encrypted with AES or some other 128bit block cipher by testing if the length of the data in bytes is a multiple of 16, suggesting a 128bit block cipher with padding on the last block
It depends on the unencrypted file format. If your unencrypted file has a specific file header, you can search for that header. If you find it, the file is unencrypted. If you don't find it the file could be encrypted.
If your unencrypted file does not have a specific file header ... then tough luck.
If you're open to using an external program, you can use openssl to attempt to decrypt the data. As long as you provide a non-blank password on unencrypted data it will return with a "bad magic number" error. Not sure yet exactly how openssl is generating that message (if I could you could do that in your code), but it's a start.
$ openssl enc -d -aes-256-cbc -in /Applications/Wireshark.app/Contents/MacOS/Wireshark
enter aes-256-cbc decryption password:
bad magic number
Another method would be to check the first 8 characters of the file are "Salted__" and the following 8 characters are the salt (provided the encryption was salted which the openssl binary does by default but can be disabled).
0000000: 5361 6c74 6564 5f5f 70d6 3655 ae12 58de Salted__p.6U..X.