I’m attempting to write a C# method that will spit out the same encrypted string (Base64) as the openssl binary does, but am having a heck of a time getting things to match up.
Lots of terminal-output and C# to follow… 😛
We’re going to use the very exciting example of encrypting the string “a” with the password “123”.
First is openssl when I provide my static salt and a password (this is how the command will be ideally run, and is what I want my C# output to match to):
dev@magoo ~# echo -n a | openssl enc -aes-128-cbc -S cc77e2a591358a1c -pass pass:123 -a -p
salt=CC77E2A591358A1C
key=7B2AD689138A44AD32297BBAAA5B0EEE
iv =EC4F0416B2E9A9B2FEEF2E66FF982159
U2FsdGVkX1/Md+KlkTWKHOtnt1ftHSKyWiz6GxkBVck=
Second is openssl when I provide my static salt, and the key and iv that are derived from that salt (C+P’d from the output of the first command) but no password (since even the docs say that would be a not-good idea):
dev@magoo ~# echo -n a | openssl enc -aes-128-cbc -S cc77e2a591358a1c -K 7b2ad689138a44ad32297bbaaa5b0eee -iv ec4f0416b2e9a9b2feef2e66ff982159 -a -p
salt=E85778B7FFFFFFFF
key=7B2AD689138A44AD32297BBAAA5B0EEE
iv =EC4F0416B2E9A9B2FEEF2E66FF982159
62e3V+0dIrJaLPobGQFVyQ==
This strikes me as odd. Adding the key and iv values from the “debug” output (-p param) in the first command to the same salt, I somehow get a different salt! (CC77E2A591358A1C vs E85778B7FFFFFFFF [the 4 bytes of 0xff here seem interesting maybe]).
Third is the output of my application:
dev@magoo ~# mono aestest.exe "a" "123"
==> INPUT : a
==> SECRET : 123
==> SALT : cc77e2a591358a1c
==> KEY : 7b2ad689138a44ad32297bbaaa5b0eee
==> IV : ec4f0416b2e9a9b2feef2e66ff982159
==> ENCRYPTED : 62e3V+0dIrJaLPobGQFVyQ==
So, the C# matches the output of the openssl command when I manually specified the key and IV myself (that then somehow generated a different salt), but that seems wrong somehow. In my mind the C# application’s output should match to the first set of OpenSSL’s output, shouldn’t it?
C# code:
public static string EncryptString(string plainText, string password)
{
byte[] salt = Encryption.GetStaticSalt();
byte[] key, iv;
Encryption.DeriveKeyAndIV(password, salt, out key, out iv);
var amAes = new AesManaged();
amAes.Mode = CipherMode.CBC;
amAes.KeySize = 128;
amAes.BlockSize = 128;
amAes.Key = key;
amAes.IV = iv;
var icTransformer = amAes.CreateEncryptor();
var msTemp = new MemoryStream();
var csEncrypt = new CryptoStream(msTemp, icTransformer, CryptoStreamMode.Write);
var sw = new StreamWriter(csEncrypt);
sw.Write(plainText);
sw.Close();
sw.Dispose();
csEncrypt.Clear();
csEncrypt.Dispose();
byte[] bResult = msTemp.ToArray();
string sResult = Convert.ToBase64String(bResult);
if (System.Diagnostics.Debugger.IsAttached)
{
string debugDetails = "";
debugDetails += "==> INPUT : " + plainText + Environment.NewLine;
debugDetails += "==> SECRET : " + password + Environment.NewLine;
debugDetails += "==> SALT : " + Encryption.ByteArrayToHexString(salt) + Environment.NewLine;
debugDetails += "==> KEY : " + Encryption.ByteArrayToHexString(amAes.Key) + " (" + amAes.KeySize.ToString() + ")" + Environment.NewLine;
debugDetails += "==> IV : " + Encryption.ByteArrayToHexString(amAes.IV) + Environment.NewLine;
debugDetails += "==> ENCRYPTED : " + sResult;
Console.WriteLine(debugDetails);
}
return sResult;
}
private static string ByteArrayToHexString(byte[] bytes)
{
StringBuilder sbHex = new StringBuilder();
foreach (byte b in bytes)
sbHex.AppendFormat("{0:x2}", b);
return sbHex.ToString();
}
public static byte[] GetStaticSalt()
{
// Just random bytes.
return new byte[]
{
0xcc,
0x77,
0xe2,
0xa5,
0x91,
0x35,
0x8a,
0x1c
};
}
// largely hijacked from http://stackoverflow.com/a/8011654/97423
public static void DeriveKeyAndIV(string password, byte[] bSalt, out byte[] bKey, out byte[] bIV)
{
int keyLen = 16;
int ivLen = 16;
byte[] bPassword = Encoding.UTF8.GetBytes(password);
using (var md5Gen = MD5.Create())
{
List<byte> lstHashes = new List<byte>(keyLen + ivLen);
byte[] currHash = new byte[0];
int preHashLength = bPassword.Length + bSalt.Length;
byte[] preHash = new byte[preHashLength];
Buffer.BlockCopy(bPassword, 0, preHash, 0, bPassword.Length);
Buffer.BlockCopy(bSalt, 0, preHash, bPassword.Length, bSalt.Length);
currHash = md5Gen.ComputeHash(preHash);
lstHashes.AddRange(currHash);
while (lstHashes.Count < (keyLen + ivLen))
{
preHashLength = currHash.Length + password.Length + bSalt.Length;
preHash = new byte[preHashLength];
Buffer.BlockCopy(currHash, 0, preHash, 0, currHash.Length);
Buffer.BlockCopy(bPassword, 0, preHash, currHash.Length, password.Length);
Buffer.BlockCopy(bSalt, 0, preHash, currHash.Length + password.Length, bSalt.Length);
currHash = md5Gen.ComputeHash(preHash);
lstHashes.AddRange(currHash);
}
bKey = new byte[keyLen];
bIV = new byte[ivLen];
lstHashes.CopyTo(0, bKey, 0, keyLen);
lstHashes.CopyTo(keyLen, bIV, 0, ivLen);
}
}
Am I missing something really obvious here, or is this something more subtle? I’ve looked around SO and have seen a lot about C#, OpenSSL and AES, but nothing about this specific issue… so, halp? 😉
If you specify a key and IV directly, then the salt does not even get into play. The salt is needed to convert the pass phrase into a key using a key derivation function (the proprietary
EVP_BytesToKeyin the case of OpenSSL). Hence you probably get inconsequential output for the salt.Now the first output of OpenSSL in 1) contains a header (check the ASCII values :), the salt and then the cipher text, this is the base 64 string in hexadecimals:
Your application 3) and the openssl command in 2) both output
so every little thing seems to be alright.