Mike Cook wrote:
> Mike Cook wrote:
>> Michael Graff wrote:
>>> Don't worry, you know what an IV is and why using 0 is bad, so I won't
>>> 'yell' at you :)
>>>
>>> You are probably running into padding issues. Since AES is a block
>>> cypher, each block must be exactly the correct length I suspect.
>>>
>>> How are you calling the decrypt code? You're just feeding data into
>>> the encryption system and after you are all done with the data,
>>> calling final? That should work, but I do not have any way to write
>>> code in Flash to test this. If you could have Flash encrypt
>>> something, perhaps 101 bytes or so long (odd to ensure padding
>>> occurs), and send the plaintext, the key, and the encrypted string
>>> (uuencode, hex dump, whatever) I can experiment.
>>>
>>> --Michael
>>
>> Hi,
>>
>> Thanks... Definitely appears to be padding issues. We are using Bouncy
>> Castle CTS AES encrypt. The openSSL appears to be using CBC. I'm no
>> expert... In looking at the RFC, it appears there is a difference
>> between how CBC and CBC/CTS handles padding. There is a reference in
>> the rfc to swapping within the last partial block as part of the
>> process... not sure how/whether this is implemented.
>>
>> Below is the output from my irb session. The clear text is supposed to
>> be:
>> AAAAAAAABBBBBBBBAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDCCCCCCCCDDDDDDDDAAAAAAAABBBBBBBBAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDCCCCCCCCDDDDDDDDXXXYYY
>>
>> key: 4b1114cc73fed8b5428c3dee60d7773a
>>
>>
>> Please notice that the first part of the message is decrypted
>> correctly.... the partial at the end is not.
>>
>>
>>
>>
>> irb(main):821:0> a= OpenSSL::Cipher::Cipher.new('aes-256-cbc')
>> => #<OpenSSL::Cipher::Cipher:0xb79b9378>
>>
>> irb(main):822:0> a.key=d
>> => "4b1114cc73fed8b5428c3dee60d7773a"
>>
>> irb(main):823:0>
>> a.iv='00000000000000000000000000000000'.unpack('a2'*32).map{|x|
>> x.hex}.pack('c'*32)=>
>> "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
>>
>> irb(main):824:0>
>> data='TmI9HrNrsMBxSfwApvSaQrLIDsLboNhIW/FawPjNUB0x/G0ZDf+gfk4JaTc/tGxDg1s4mrIRFOoBJemK+txUF0+aPw8bxIgzxmB3gq18aJRoSo5PWqbzS8FCCHrb3leKf4UUNFaIAaVVY1a5ymZ/HMPhwAKbii8x9Uk/S0MxaDofHTluc1E='.unpack('m')[0]
>> =>
>> "Nb=\036\263k\260\300qI\374\000\246\364\232B\262\310\016\302\333\240\330H[\361Z\300\370\315P\0351\374m\031\r\377\240~N\ti7?\264lC\203[8\232\262\021\024\352\001%\351\212\372\334T\027O\232?\017\e\304\2103\306`w\202\255|h\224hJ\216OZ\246\363K\301B\bz\333\336W\212\177\205\0244V\210\001\245UcV\271\312f\177\034\303\341\300\002\233\212/1\365I?KC1h:\037\0359nsQ"
>>
>> irb(main):825:0> s=a.update(data)
>> =>
>> "AAAAAAAABBBBBBBBAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDCCCCCCCCDDDDDDDDAAAAAAAABBBBBBBBAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD8\300u\003|\200\243jf\bkf\005\251\327\242"
>>
>> irb(main):826:0> s<<a.final
>> OpenSSL::Cipher::CipherError: wrong final block length
>> from (irb):826:in `final'
>> from (irb):826
>> from :0
>> irb(main):827:0>
>
> As a follow on, I was just reading an interesting article on Wikipedia.
>
> Here's a snippet from it:
>
> CBC ciphertext stealing decryption using a standard CBC interface
>
> 1. Dn = Decrypt (K, Cn−1). Decrypt the second to the last ciphertext
> block.
> 2. Cn = Cn || Tail (Dn, B−M). Pad the ciphertext to the nearest
> multiple of the block size using the last B−M bits of block cipher
> decryption of the second-to-last ciphertext block.
> 3. Swap the last two ciphertext blocks.
> 4. Decrypt the ciphertext using the standard CBC mode.
> 5. Truncate the plaintext to the length of the original ciphertext.
>
>
> Looks like the above is the mechanism to translate the last couple of
> blocks of ciphertext to a form understandable by the CBC interface.
>
> I think I understand points 1, 3, 4, and 5. I'm having a tougher time
> with number 2, but I get the basic idea.
>
> Let's say the the message is 134 bytes long. Then, I'd do 134 % 16 and
> I get 6. If my block size is 128 bits (16 bytes*8 bits), then I'd
> subtract 48 bits (6 bytes * 8 bits). That means 80 bits would be used
> as a repeated pattern to pad the end of the message to make it evenly
> divisible by 16. So, I'd add in one iteration (10 bytes) in this case,
> to bring the message to 144 bytes (evenly divisible by the block size -
> 16).
>
> Anyway, that's what I'm going to try. Please wish me luck ;-)
>
> Mike
Well... not what I was hoping for... Below is the Ruby code I wrote to
try to implement what I thought Wikipedia was getting at...
When I try to decipher the next to last block, the result comes back
nil. Therefore, there is nothing to pad to the end of the cipher
string.
The good news is, a colleague of mine pointed me to some c code. I was
experimenting with it last night and I was able to decipher characters
at the end of the string. That implementation called for the Xor of the
final blocks. It's not in a script yet... was working in IRB. Will
post that solution once I've completed it today.
But would really appreciate any comments on whether the Wikipedia
reference is correct, and if so, what the heck is wrong with the way I
tried to implement it.
Thanks!
Mike
require 'openssl'
require 'digest'
#set the cipher text and unpack
ct='TmI9HrNrsMBxSfwApvSaQrLIDsLboNhIW/FawPjNUB0x/G0ZDf+gfk4JaTc/tGxDg1s4mrIRFOoBJemK+txUF0+aPw8bxIgzxmB3gq18aJRoSo5PWqbzS8FCCHrb3leKf4UUNFaIAaVVY1a5ymZ/HMPhwAKbii8x9Uk/S0MxaDofHTluc1E='.unpack('m')[0]
aes=nil
#set the cipher
aes = OpenSSL::Cipher::Cipher.new('aes-256-cbc')
#set it to decrypt mode
aes.decrypt
#set the decryption key
aes.key='4b1114cc73fed8b5428c3dee60d7773a'
#set up the IV
aes.iv='00000000000000000000000000000000'.unpack('a2'*32).map{|x|
x.hex}.pack('c'*32)
#mod the string to find the partial block length
partialBlockLength = ct.length % 16
#this is the index of the cbc decrypted output:
endOfOutput = ct.slice(0..ct.length-16-partialBlockLength).length
#grab the next to last block
section = ct.slice(ct.length-partialBlockLength-16..ct.length -
partialBlockLength-1)
#decipher the next to last block
decihperedLastCompleteBlock = aes.update(section)
#pad the end of the cipher with the last blockSize-partialBlockLength
ct<<decihperedLastCompleteBlock.slice(decihperedLastCompleteBlock.length-(16-partialBlockLength)..decihperedLastCompleteBlock.length-1)
#swap the last two blocks
src=ct.slice(0..endOfOutput) + ct.slice(ct.length-16..ct.length-1) +
ct.slice(ct.length-32..ct.length-17)
aes=nil
#set the cipher
aes = OpenSSL::Cipher::Cipher.new('aes-256-cbc')
#set it to decrypt mode
aes.decrypt
#create the digest
d=Digest::MD5.hexdigest('7R]c\'1z<q\\O%eybO:michael_cook_611')
#set the decryption key
aes.key=d
#set up the IV
aes.iv='00000000000000000000000000000000'.unpack('a2'*32).map{|x|
x.hex}.pack('c'*32)
output = aes.update src
--
Posted via http://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
