Re: Hitting seg fault in AES_wrap_key() when Key is 512 bits in length
Thanks Dave for your great support... you rock... after changing KEYBITS, it worked... my ignorance that i mistook it for Key and set it to 512... Please find my response below... Firstly Jeff, 256 is valid KEK and max one. Key can be of 'n' blocks each block being 64 bits in size and 'n' should ne min of 2 blocks On Fri, Apr 6, 2012 at 5:16 AM, Dave Thompson dthomp...@prinpay.com wrote: From: owner-openssl-us...@openssl.org On Behalf Of pkumarn Sent: Wednesday, 04 April, 2012 05:41 I need to wrap 512bit key with 256 bit KEK key. When i do this, i am hitting seg fault in AES_wrap_key(). When i do gdb, it points to memcpy(). snip #define KEY512 0 #if KEY512 #define KEYLEN 64 #define KEYBITS 512 #else #define KEYLEN 32 #define KEYBITS 256 #endif #if (!KEY512) static const unsigned char kek[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f }; #else static const unsigned char kek[] = { 0xbc, 0x54, 0xd8, 0xa0, 0x6e, 0xab, 0x3b, 0x4c, 0x06, 0xf5, 0xbe, 0x01, 0xc5, 0x77, 0x28, 0x3d, 0x92, 0xda, 0xfb, 0xe8, 0x3f, 0xe0, 0x59, 0x57, 0xff, 0xbe, 0xfa, 0x5b, 0xe0, 0xd4, 0xfb, 0xb7 }; #endif #if (!KEY512) static const unsigned char key[] = snip: 32 bytes #else static const unsigned char key[] = snip: 64 bytes #endif Suggestion: for hardcoded data like this which is supposed to be an exact size, it's usually best to verify it is the correct size before using it, because it's easy for humans to mis-count and/or mistakenly change it. In real use of course your key data should not be hardcoded (because then it provides no actual security benefit) so this issue doesn't arise; instead you should allocate the correct size (by declaration or malloc/etc) and get correct size data by some other means (e.g. RAND_bytes). I will add this checks in my code... int ret, i; unsigned char *otmp, *dtmp; AES_KEY actx, dctx; printf(\n keylen = %d; kebits= %d, KEYLEN, KEYBITS); Get out of the habit of outputting 'partial' lines (not terminated by \n) in C. Sometimes it works and sometimes it doesn't. It appears in this case on your system it didn't. The standard requires complete lines to work (up to possibly a reasonable documented length limit) and if they don't (and you didn't screw up something else) you can complain to your implementor; incomplete lines are formally undefined behavior which means the implementation can do anything it likes and needn't even document it, although in practice implementors try to do something reasonably sane if possible. Above printf() is just for my reference ( i knew it was wrong). I had added them as a checkpoint. if (AES_set_encrypt_key(kek, KEYBITS, actx)) printf(\n Error seeting AES key ); This is the actual error. The KEK is an AES key and can't ever be 512 bits. Your declarations above actually define kek as 32 bytes = 256 bits for either setting of KEY512, which is valid, so use 256 as kek length. Alternatively choose a KEK which is another valid AES size and use that size. Got that. i added another macro and it worked... otmp = (unsigned char *) malloc(sizeof(char) * (KEYLEN+8)); dtmp = (unsigned char *) malloc(sizeof(char) * KEYLEN); Don't cast malloc in C, and in real code check for failure. Or for a small known size like this don't malloc at all. Yes i need to add checks. Many of them advice me to cast malloc. What would go wrong if i followed the above approach? ret = AES_wrap_key(actx, default_iv, otmp, key, KEYLEN); Because AES_set_encrypt_key failed (but you ignored the failure) this screws up; it does so differently on different systems, and the only system I have where it segfaults (Windows) I can't currently debug for 1.0.0. In any case it doesn't work as desired. In my earlier code, ret was 72 which was right as i was wrapping 64 bytes + 8 bytes of IV. Is my understanding right? printf(\n AES wrap ; ret = %d, ret); if (ret 0) printf(\n AES wrap key failed); printf(\n Wrapped key : ); for (i = 0; i (KEYLEN + 8); i++) printf( %02x, otmp[i]); if (AES_set_decrypt_key(kek, KEYBITS, dctx)) printf(\n Error setting decrypt key ); Same here. ret = AES_unwrap_key(dctx, default_iv, dtmp, otmp, ret); printf(\n AES unwrap ; ret = %d, ret); if (ret == 0) printf(\n AES unwrapping failed ); printf(\n Original key : ); for (i = 0; i KEYLEN ; i++) printf( %02x, dtmp[i]); printf(\n); free(otmp); free(dtmp); } With set_{en,de}crypt_key fixed it works for me.
Re: Hitting seg fault in AES_wrap_key() when Key is 512 bits in length
Dave, I had a suggestion for AES_unwrap() function. As of now, if IV doesn't match it return 0. It would be good to change this to some other error value which can be eye catchy. Normally the fist thing which comes to mind when we see return 0 is things are fine... my 2cents On Fri, Apr 6, 2012 at 1:41 PM, Prashanth kumar N prashanth.kuma...@gmail.com wrote: Thanks Dave for your great support... you rock... after changing KEYBITS, it worked... my ignorance that i mistook it for Key and set it to 512... Please find my response below... Firstly Jeff, 256 is valid KEK and max one. Key can be of 'n' blocks each block being 64 bits in size and 'n' should ne min of 2 blocks On Fri, Apr 6, 2012 at 5:16 AM, Dave Thompson dthomp...@prinpay.comwrote: From: owner-openssl-us...@openssl.org On Behalf Of pkumarn Sent: Wednesday, 04 April, 2012 05:41 I need to wrap 512bit key with 256 bit KEK key. When i do this, i am hitting seg fault in AES_wrap_key(). When i do gdb, it points to memcpy(). snip #define KEY512 0 #if KEY512 #define KEYLEN 64 #define KEYBITS 512 #else #define KEYLEN 32 #define KEYBITS 256 #endif #if (!KEY512) static const unsigned char kek[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f }; #else static const unsigned char kek[] = { 0xbc, 0x54, 0xd8, 0xa0, 0x6e, 0xab, 0x3b, 0x4c, 0x06, 0xf5, 0xbe, 0x01, 0xc5, 0x77, 0x28, 0x3d, 0x92, 0xda, 0xfb, 0xe8, 0x3f, 0xe0, 0x59, 0x57, 0xff, 0xbe, 0xfa, 0x5b, 0xe0, 0xd4, 0xfb, 0xb7 }; #endif #if (!KEY512) static const unsigned char key[] = snip: 32 bytes #else static const unsigned char key[] = snip: 64 bytes #endif Suggestion: for hardcoded data like this which is supposed to be an exact size, it's usually best to verify it is the correct size before using it, because it's easy for humans to mis-count and/or mistakenly change it. In real use of course your key data should not be hardcoded (because then it provides no actual security benefit) so this issue doesn't arise; instead you should allocate the correct size (by declaration or malloc/etc) and get correct size data by some other means (e.g. RAND_bytes). I will add this checks in my code... int ret, i; unsigned char *otmp, *dtmp; AES_KEY actx, dctx; printf(\n keylen = %d; kebits= %d, KEYLEN, KEYBITS); Get out of the habit of outputting 'partial' lines (not terminated by \n) in C. Sometimes it works and sometimes it doesn't. It appears in this case on your system it didn't. The standard requires complete lines to work (up to possibly a reasonable documented length limit) and if they don't (and you didn't screw up something else) you can complain to your implementor; incomplete lines are formally undefined behavior which means the implementation can do anything it likes and needn't even document it, although in practice implementors try to do something reasonably sane if possible. Above printf() is just for my reference ( i knew it was wrong). I had added them as a checkpoint. if (AES_set_encrypt_key(kek, KEYBITS, actx)) printf(\n Error seeting AES key ); This is the actual error. The KEK is an AES key and can't ever be 512 bits. Your declarations above actually define kek as 32 bytes = 256 bits for either setting of KEY512, which is valid, so use 256 as kek length. Alternatively choose a KEK which is another valid AES size and use that size. Got that. i added another macro and it worked... otmp = (unsigned char *) malloc(sizeof(char) * (KEYLEN+8)); dtmp = (unsigned char *) malloc(sizeof(char) * KEYLEN); Don't cast malloc in C, and in real code check for failure. Or for a small known size like this don't malloc at all. Yes i need to add checks. Many of them advice me to cast malloc. What would go wrong if i followed the above approach? ret = AES_wrap_key(actx, default_iv, otmp, key, KEYLEN); Because AES_set_encrypt_key failed (but you ignored the failure) this screws up; it does so differently on different systems, and the only system I have where it segfaults (Windows) I can't currently debug for 1.0.0. In any case it doesn't work as desired. In my earlier code, ret was 72 which was right as i was wrapping 64 bytes + 8 bytes of IV. Is my understanding right? printf(\n AES wrap ; ret = %d, ret); if (ret 0) printf(\n AES wrap key failed); printf(\n Wrapped key : ); for (i = 0; i (KEYLEN + 8); i++) printf( %02x, otmp[i]); if (AES_set_decrypt_key(kek, KEYBITS, dctx)) printf(\n Error setting decrypt key ); Same here. ret = AES_unwrap_key(dctx, default_iv
Re: Random number generator
You can use the below API's RAND_bytes() RAND_pseudo_bytes() On Thu, Apr 5, 2012 at 12:33 AM, Jeremy Farrell jeremy.farr...@oracle.comwrote: http://lmgtfy.com/?q=openssl+random+number From: Alex Chen [mailto:alex_c...@filemaker.com] There is a 'rand' command in the openssl command line tool to generate 'pseudo' random number generator. But I cannot find the API from either the 'ssl' or 'crypto' man pages. Can someone point me to the API page if it is available? Is this RNG implementation different in the regular distribution and the FIPS Object module? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to do encryption using AES in Openssl
Stephen, Does it mean we can't use AES without IV ? As per XTS support in Openssl, i find the following function but don't see any implementation for the same AES_xts_encrypt(). I found the below link form which what i understand is new file called e_aes_xts.c should be present... am i missing something? lpermalink.gmane.org/gmane.comp.encryption.openssl.devel/18755 On Thu, Mar 29, 2012 at 4:07 PM, Dr. Stephen Henson st...@openssl.orgwrote: On Thu, Mar 29, 2012, Prashanth kumar N wrote: Thanks Marek. I will try the attached code in the attached files. In many of the examples i have come across, i see IV is always being. Is it not possible to use this API by setting IV to NULL? (As i understand for CBC IV is a must) . In AES_Encrypt(), we don't use IV. Does this mean this does stream ciphering (byte by byte)? The IV should be random and must be set to the same value on encrypt and decrypt. The information isn't security sensitive and can be sent in plain text. If you use AES_encrypt you're effectively using ECB mode. Does any one know if Openssl supports AES-XTS? Reason is we are exploring to see if we can employ this. When i Googled, i did see some change request log which said AES-XTS has been added to Openssl in v1.1.0 which i am not able to find for download... Any idea on this? XTS mode is very new and only supported in OpenSSL 1.0.1 and later. You use EVP_CIPHER functions EVP_aes_128_xts() and EVP_aes_256_xts(). Note that the key length is double that for nomal AES. You can get the key length of any cipher (provided you use EVP) using EVP_CIPHER_key_length(). Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to do encryption using AES in Openssl
Bit confusing... are you saying that i need to add NULL termination at the end of encrypted data? Isn't this wrong? I assume i shouldn't be NULL terminating the input string which needs to be encrypted. On Thu, Mar 29, 2012 at 7:10 PM, Ken Goldman kgold...@us.ibm.com wrote: On 3/29/2012 1:40 AM, Prashanth kumar N wrote: Thanks Ken for pointing out the mistake... after changing to AES_Decrypt(), it worked but i still see issue when i print the decrypted output as it has extra non-ascii characters in it. That's what happens in C if you try to printf an array that's not NUL terminated. The printf just keeps going, right past the end of the buffer, until it either hits a \0 or segfaults. You encrypted 16 bytes, not nul terminated, decrypted to the same 16 bytes, then pretended that it was nul terminated and tried to printf. Below is the input unsigned char text[]=test12345678abc2; After decryption, i get the following string: Decrypted o/p: test12345678abc2Ȳu�z�B��� ��A��S�� Few questions... 1. If we use AES, will decrypted files have same number of bytes as encrypted file? (I assume it should be same) It depends on the mode and padding scheme. Some (CTR, OFB) don't pad, some (CFC) do pad. If you're just playing, fine. But if this is a real product you're designing, you shouldn't be asking this question. It's time to hire a crypto expert. Otherwise, your product will be insecure. My requirement is mainly to support AES XTS but the reason for asking the above question was to understand if their is addition of extra bytes to encrypted data as it might consume more space when written to a drive... does my question make sense? __**__**__ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to do encryption using AES in Openssl
Thanks Marek. If i select CBC mode encryption and i have data which is not aligned to block, i assume padding will be taken by the API's itself. -Prashanth On Thu, Mar 29, 2012 at 7:50 PM, marek.marc...@malkom.pl wrote: Hello, If your data to encrypt is not exactly 16 bytes (AES block length), you should add block padding before encryption and remove padding after decryption. In your case you have string virident (8bytes), you should add 16-8=8 bytes of padding before encryption (fill last 8 bytes with value 8). After decryption remove last 8 bytes (filed with value 8). For printf() you may fill this last 8 bytes to 0. Best regards, -- Marek Marcola marek.marc...@malkom.pl owner-openssl-us...@openssl.org wrote on 03/29/2012 04:02:17 PM: Prashanth kumar N prashanth.kuma...@gmail.com Sent by: owner-openssl-us...@openssl.org 03/29/2012 04:03 PM Please respond to openssl-users@openssl.org To openssl-users@openssl.org cc Subject Re: How to do encryption using AES in Openssl Bit confusing... are you saying that i need to add NULL termination at the end of encrypted data? Isn't this wrong? I assume i shouldn't be NULL terminating the input string which needs to be encrypted. On Thu, Mar 29, 2012 at 7:10 PM, Ken Goldman kgold...@us.ibm.com wrote: On 3/29/2012 1:40 AM, Prashanth kumar N wrote: Thanks Ken for pointing out the mistake... after changing to AES_Decrypt(), it worked but i still see issue when i print the decrypted output as it has extra non-ascii characters in it. That's what happens in C if you try to printf an array that's not NUL terminated. The printf just keeps going, right past the end of the buffer, until it either hits a \0 or segfaults. You encrypted 16 bytes, not nul terminated, decrypted to the same 16 bytes, then pretended that it was nul terminated and tried to printf. Below is the input unsigned char text[]=test12345678abc2; After decryption, i get the following string: Decrypted o/p: test12345678abc2Ȳu�z�B��� ��A��S�� Few questions... 1. If we use AES, will decrypted files have same number of bytes as encrypted file? (I assume it should be same) It depends on the mode and padding scheme. Some (CTR, OFB) don't pad, some (CFC) do pad. If you're just playing, fine. But if this is a real product you're designing, you shouldn't be asking this question. It's time to hire a crypto expert. Otherwise, your product will be insecure. My requirement is mainly to support AES XTS but the reason for asking the above question was to understand if their is addition of extra bytes to encrypted data as it might consume more space when written to a drive... does my question make sense? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to do encryption using AES in Openssl
Here is the modified program #include stdio.h 2 #include openssl/aes.h 3 4 static const unsigned char key[] = { 5 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 6 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 7 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 8 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f 9 }; 10 11 void main() 12 { 13 unsigned char text[]=test12345678abcf; 14 unsigned char out[16]; 15 unsigned char decout[16]; 16 int i; 17 18 AES_KEY ectx; 19 AES_KEY dectx; 20 21 AES_set_encrypt_key(key, 256, ectx); 22 AES_encrypt(text, out, ectx); 23 24 printf(encryp data = %s\n, out); 25 26 AES_set_encrypt_key(key, 256, dectx); 27 AES_decrypt(out, decout, dectx); 28 printf( Decrypted o/p: %s \n, decout); 29 30 for (i = 0;i 16; i++) 31 printf( %02x, decout[i]); 32 } 33 As i read min AES block size is 128 bits which can go up to 256 bits in multiples of 32-bits. Is this correct? I do know encrypted data is binary but when i pass the same data to AES_decrypt() fucntion and print using %s, i get non-readable characters. * *What i notice is when i change the input plain text, i do see o/p vaires. On Tue, Mar 27, 2012 at 11:24 PM, Ken Goldman kgold...@us.ibm.com wrote: On 3/27/2012 1:33 PM, pkumarn wrote: I am trying to write a sample program to do AES encryption using Openssl. I tried going through Openssl documentation( it's a pain), could not figure out much. I went through the code and found the API's using which i wrote a small program as below (please omit the line numbers). I don't see any encryption happening... am i missing something? Define I don't see any encryption happening. PS: I don't get any errors upon compilation. 1 #includestdio.h 2 #includeopenssl/aes.h 3 4 static const unsigned char key[] = { 5 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 6 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 7 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 8 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f 9 }; It's strange to define a 256 bit key and use 128 bits. 10 11 void main() 12 { 13 unsigned char text[]=virident; The input must be equal to the AES block size. 14 unsigned char out[10]; The output must be equal to the AES block size. 15 unsigned char decout[10]; Same here. 16 17 AES_KEY wctx; 18 19 AES_set_encrypt_key(key, 128,wctx); 20 AES_encrypt(text, out,wctx); This is a raw encrypt, which assumes input and output are one AES block. 21 22 printf(encryp data = %s\n, out); The encrypted data is binary, not a printable C string. 23 24 AES_decrypt(out, decout,wctx); 25 printf( Decrypted o/p: %s \n, decout); 26 27 28 } Please help me to figure this out... __**__**__ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to do encryption using AES in Openssl
I tried to use EVP but let if of go due to bad documentation... On Wed, Mar 28, 2012 at 2:49 AM, Jakob Bohm jb-open...@wisemo.com wrote: On 3/27/2012 10:42 PM, Jeffrey Walton wrote: On Tue, Mar 27, 2012 at 4:26 PM, Ken Goldmankgold...@us.ibm.com wrote: On 3/27/2012 3:51 PM, Jakob Bohm wrote: On 3/27/2012 9:37 PM, Dr. Stephen Henson wrote: You should really be using EVP instead of the low level routines. They are well documented with examples. Where, precisely? I didn't find it either when I was looking a few years ago, so I settled on the obvious low level APIs too. In fact, neither the low level or the EVP APIs are documented. I don't see any AES documentation at all. Digest (search for openssl evp digest example): http://www.openssl.org/docs/**crypto/EVP_DigestInit.htmlhttp://www.openssl.org/docs/crypto/EVP_DigestInit.html At least this one is outdated, it recommends SHA1, does not mention any of the larger algorithms and still shows the old SSL MD5+SHA1 288 bit length as the maximum MD size. openssl/evp.h has later definitions but no documentation in it. This document also gives two good reason not to use this interface when retrofitting existing code: 1. The state structure (EVP_MD_CTX) requires an extra call to free internal memory, which may not fit into existing code that doesn't have such a requirement of its own. 2. The EVP_DigestInit_ex() function is documented as loading a specific implementation if NULL is passed, thus almost certainly ensuring that said specific implementation will be linked into programs that don't use it at all. It is also unclear how referencing a specific engine avoids loading the entire feature set of that engine when only a subset is needed. Such granularity issues basic questions one should always consider in any library design. Encrypt (search for openssl evp encrypt example): http://www.openssl.org/docs/**crypto/EVP_EncryptInit.htmlhttp://www.openssl.org/docs/crypto/EVP_EncryptInit.html Sign (search for openssl evp sign example): http://www.openssl.org/docs/**crypto/EVP_SignInit.htmlhttp://www.openssl.org/docs/crypto/EVP_SignInit.html Verify (search for openssl evp verify example): http://www.openssl.org/docs/**crypto/EVP_VerifyInit.htmlhttp://www.openssl.org/docs/crypto/EVP_VerifyInit.html (I have not checked out those yet). Explicitly adding the word EVP to those searches was non-obvious because as a programmer I tend not to consider parts of identifiers as separate search words (except when doing a raw grep). And besides, how should a newcomer to OpenSSL guess that something called EVP is of any significance? -- Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10 call: +4531131610 This message is only for its intended recipient, delete if misaddressed. WiseMo - Remote Service Management for PCs, Phones and Embedded __**__**__ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL Wiki (was: How to do encryption using AES in Openssl)
Jeff.. this is good idea... so are you going to start one? -Prashanth On Wed, Mar 28, 2012 at 6:15 AM, Jeffrey Walton noloa...@gmail.com wrote: On Tue, Mar 27, 2012 at 4:26 PM, Ken Goldman kgold...@us.ibm.com wrote: On 3/27/2012 3:51 PM, Jakob Bohm wrote: On 3/27/2012 9:37 PM, Dr. Stephen Henson wrote: You should really be using EVP instead of the low level routines. They are well documented with examples. Where, precisely? I didn't find it either when I was looking a few years ago, so I settled on the obvious low level APIs too. In fact, neither the low level or the EVP APIs are documented. I don't see any AES documentation at all. Perhaps its time to bring up a wiki style documentation (again). Under wiki, users who get get frustrated enough about lack of/dated documentation can spend some time copy/pasting code in between pre tags. It would also relieve the docmaster from updating the current documentation. He or she could approve wiki account requests instead. Wiki style documentation has worked well for other similar libraries, such as OWASP ESAPI and Crypto++. Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to do encryption using AES in Openssl
I agree with this as it has made many life's easy ... On Wed, Mar 28, 2012 at 12:48 PM, nudge nudge...@fastmail.fm wrote: As an independent follower of this list, I'd just like say that even if the documentation has its critics, the support provided here is incredibly good ! On Wed, Mar 28, 2012, at 12:32 PM, Prashanth kumar N wrote: I tried to use EVP but let if of go due to bad documentation... On Wed, Mar 28, 2012 at 2:49 AM, Jakob Bohm jb-open...@wisemo.com wrote: On 3/27/2012 10:42 PM, Jeffrey Walton wrote: On Tue, Mar 27, 2012 at 4:26 PM, Ken Goldmankgold...@us.ibm.com wrote: On 3/27/2012 3:51 PM, Jakob Bohm wrote: On 3/27/2012 9:37 PM, Dr. Stephen Henson wrote: You should really be using EVP instead of the low level routines. They are well documented with examples. Where, precisely? I didn't find it either when I was looking a few years ago, so I settled on the obvious low level APIs too. In fact, neither the low level or the EVP APIs are documented. I don't see any AES documentation at all. Digest (search for openssl evp digest example): http://www.openssl.org/docs/**crypto/EVP_DigestInit.html http://www.openssl.org/docs/crypto/EVP_DigestInit.html At least this one is outdated, it recommends SHA1, does not mention any of the larger algorithms and still shows the old SSL MD5+SHA1 288 bit length as the maximum MD size. openssl/evp.h has later definitions but no documentation in it. This document also gives two good reason not to use this interface when retrofitting existing code: 1. The state structure (EVP_MD_CTX) requires an extra call to free internal memory, which may not fit into existing code that doesn't have such a requirement of its own. 2. The EVP_DigestInit_ex() function is documented as loading a specific implementation if NULL is passed, thus almost certainly ensuring that said specific implementation will be linked into programs that don't use it at all. It is also unclear how referencing a specific engine avoids loading the entire feature set of that engine when only a subset is needed. Such granularity issues basic questions one should always consider in any library design. Encrypt (search for openssl evp encrypt example): http://www.openssl.org/docs/**crypto/EVP_EncryptInit.html http://www.openssl.org/docs/crypto/EVP_EncryptInit.html Sign (search for openssl evp sign example): http://www.openssl.org/docs/**crypto/EVP_SignInit.html http://www.openssl.org/docs/crypto/EVP_SignInit.html Verify (search for openssl evp verify example): http://www.openssl.org/docs/**crypto/EVP_VerifyInit.html http://www.openssl.org/docs/crypto/EVP_VerifyInit.html (I have not checked out those yet). Explicitly adding the word EVP to those searches was non-obvious because as a programmer I tend not to consider parts of identifiers as separate search words (except when doing a raw grep). And besides, how should a newcomer to OpenSSL guess that something called EVP is of any significance? -- Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10call: +4531131610 This message is only for its intended recipient, delete if misaddressed. WiseMo - Remote Service Management for PCs, Phones and Embedded __**__**__ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to do encryption using AES in Openssl
Thanks Ken for pointing out the mistake... after changing to AES_Decrypt(), it worked but i still see issue when i print the decrypted output as it has extra non-ascii characters in it. Below is the input unsigned char text[]=test12345678abc2; After decryption, i get the following string: Decrypted o/p: test12345678abc2Ȳu�z�B�����A��S�� Few questions... 1. If we use AES, will decrypted files have same number of bytes as encrypted file? (I assume it should be same) 2. When i did Google and found few examples on AES using CBC mode, many of them add extra buffer while decrypting ie., sample eg: unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; 10 unsigned char iv[] = {1,2,3,4,5,6,7,8}; 11 unsigned char outbuf[1024]; 12 unsigned char decrebuf[1024]; 13 int outlen,outlen2, tmplen; 14 unsigned char text[]=test12345678abc2; 15 char outfile[]= encfile; if(!EVP_EncryptUpdate(ctx, outbuf, outlen, intext, strlen(intext))) 26 { 27 /* Error */ 28printf(\n Error:EVP_EncryptUpdate ); 29return 0; 30} 31 32if(!EVP_EncryptFinal_ex(ctx, outbuf + outlen, tmplen)) 33 { 34 /* Error */ 35 printf(\n Error: EVP_EncryptFinal_ex); 36 return 0; 37 } EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv); 45 46 if(!EVP_DecryptUpdate(ctx, decrebuf, outlen2, outbuf, outlen)) 47 { 48 printf(\n Error : EVP_DecryptUpdate); 49 return 0; 50 } EVP_DecryptFinal_ex(ctx, decrebuf + outlen2, tmplen ) Here i see even thought decrebuf is 1024, we still offset it by outlen and pass the address to Decrytpion function? 3. Why is it like we have to choose 1024 as array size... when i know my encryption text is only 16bytes. Any reasons? -Prashanth On Wed, Mar 28, 2012 at 7:29 PM, Ken Goldman kgold...@us.ibm.com wrote: On 3/28/2012 3:01 AM, Prashanth kumar N wrote: Here is the modified program [snip] 18 AES_KEY ectx; 19 AES_KEY dectx; 20 21 AES_set_encrypt_key(key, 256, ectx); 22 AES_encrypt(text, out, ectx); 23 24 printf(encryp data = %s\n, out); 25 26 AES_set_encrypt_key(key, 256, dectx); AES_set_decrypt_key() 27 AES_decrypt(out, decout, dectx); __**__**__ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to do encryption using AES in Openssl
Thanks Marek. I will try the attached code in the attached files. In many of the examples i have come across, i see IV is always being. Is it not possible to use this API by setting IV to NULL? (As i understand for CBC IV is a must) . In AES_Encrypt(), we don't use IV. Does this mean this does stream ciphering (byte by byte)? Does any one know if Openssl supports AES-XTS? Reason is we are exploring to see if we can employ this. When i Googled, i did see some change request log which said AES-XTS has been added to Openssl in v1.1.0 which i am not able to find for download... Any idea on this? -Prashanth On Wed, Mar 28, 2012 at 8:26 PM, marek.marc...@malkom.pl wrote: Hello, If you want to use low-level AES functions to encrypt more then 16 bytes you should use AES in CBC mode. You can implement this mode using AES_encrypt () or better use AES_cbc_encrypt(). Using AES_encrypt() block-by-block is called ECB mode. Look at: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation Example of using AES_cbc_encrypt() attached (pay attension of block padding). Best regards, -- Marek Marcola marek.marc...@malkom.pl owner-openssl-us...@openssl.org wrote on 03/28/2012 09:01:25 AM: Prashanth kumar N prashanth.kuma...@gmail.com Sent by: owner-openssl-us...@openssl.org 03/28/2012 09:03 AM Please respond to openssl-users@openssl.org To openssl-users@openssl.org cc Subject Re: How to do encryption using AES in Openssl Here is the modified program #include stdio.h 2 #include openssl/aes.h 3 4 static const unsigned char key[] = { 5 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 6 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 7 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 8 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f 9 }; 10 11 void main() 12 { 13 unsigned char text[]=test12345678abcf; 14 unsigned char out[16]; 15 unsigned char decout[16]; 16 int i; 17 18 AES_KEY ectx; 19 AES_KEY dectx; 20 21 AES_set_encrypt_key(key, 256, ectx); 22 AES_encrypt(text, out, ectx); 23 24 printf(encryp data = %s\n, out); 25 26 AES_set_encrypt_key(key, 256, dectx); 27 AES_decrypt(out, decout, dectx); 28 printf( Decrypted o/p: %s \n, decout); 29 30 for (i = 0;i 16; i++) 31 printf( %02x, decout[i]); 32 } 33 As i read min AES block size is 128 bits which can go up to 256 bits in multiples of 32- bits. Is this correct? I do know encrypted data is binary but when i pass the same data to AES_decrypt() fucntion and print using %s, i get non-readable characters. What i notice is when i change the input plain text, i do see o/p vaires. On Tue, Mar 27, 2012 at 11:24 PM, Ken Goldman kgold...@us.ibm.com wrote: On 3/27/2012 1:33 PM, pkumarn wrote: I am trying to write a sample program to do AES encryption using Openssl. I tried going through Openssl documentation( it's a pain), could not figure out much. I went through the code and found the API's using which i wrote a small program as below (please omit the line numbers). I don't see any encryption happening... am i missing something? Define I don't see any encryption happening. PS: I don't get any errors upon compilation. 1 #includestdio.h 2 #includeopenssl/aes.h 3 4 static const unsigned char key[] = { 5 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 6 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 7 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 8 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f 9 }; It's strange to define a 256 bit key and use 128 bits. 10 11 void main() 12 { 13 unsigned char text[]=virident; The input must be equal to the AES block size. 14 unsigned char out[10]; The output must be equal to the AES block size. 15 unsigned char decout[10]; Same here. 16 17 AES_KEY wctx; 18 19 AES_set_encrypt_key(key, 128,wctx); 20 AES_encrypt(text, out,wctx); This is a raw encrypt, which assumes input and output are one AES block. 21 22 printf(encryp data = %s\n, out); The encrypted data is binary, not a printable C string. 23 24 AES_decrypt(out, decout,wctx); 25 printf( Decrypted o/p: %s \n, decout); 26 27 28 } Please help me to figure this out... __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to use AES_wrap_key() in openssl
Hi Dave, I was going through the RFC of AES and it does say we get the IV upon unwrapping . Check the below link http://www.ietf.org/rfc/rfc3394.txt -Prashanth On Fri, Mar 23, 2012 at 9:24 AM, Dave Thompson dthomp...@prinpay.comwrote: From: owner-openssl-us...@openssl.org On Behalf Of pkumarn Sent: Wednesday, 21 March, 2012 02:02 One more thanks from side for replying to this query.,.. my comments inline... Aside: Usenet convention is response lines, including 'inline' ones, have no prefix, and (all) quoted lines do, usually (as I have) a greater-than sign. That is unambiguous and easier to see at a glance than your embedded marks. So are you saying that their is no way to extract IV and check back if the decrypted key matches the encrypted key? I feel this would give space for more vulnerabilities as one needs to make sure before using the decryted key it is the right key. Or is it like AES_unwrap() will fail on decryption? Not clear on this part... Yes, there is no way to extract the IV from AES_unwrap_key, and it will return 0 if you don't give the correct IV. As with other IV-based modes, the decryptor MUST provide the same IV the encryptor used. In most uses the encryptor chooses the IV randomly, and therefore the IV must be transmitted or stored along with the ciphertext. But for key wrapping like this, assuming your data keys are random as they should be, you don't really need nonce IVs, and you could have both wrap and unwrap use the default in those routines (8 x A6) or some other fixed value. Dave Thompson-5 wrote: From: owner-openssl-us...@openssl.org On Behalf Of pkumarn Sent: Monday, 19 March, 2012 09:17 I have a requirement of wrapping a 512-bit DEK witk 256 bit KEK. I picked up openssl API and figured out that it provides AES_wrap_key() to do the job. I OpenSSL's AES_{wrap,unwrap}_key does *a* key wrapping, but not the only possible one. You need to make sure the unwrap matches it (easy if you do the unwrap yourself). wrote a small program (snippet below) to get the job done but when i check out the values in dek, i see all values as zero. Not sure what i am missing? See below. Also is their anyway i can extract the IV when i do the reverse of above logic using AES_unwrap_key()? No, as with other chain modes you must transmit the IV used at encrypt to decrypt -- unless you always make it the same which should be okay here, since the wrappee (data) keys should be unique so duplicate IV (+key) doesn't risk identifying repeats as it would for more generic data. Although internally it is used differently; instead of chaining forward in both encrypt and decrypt, this decrypt (unwrap) chains backward and then verifies the IV; if it extracted the IV instead it would probably be vulnerable to some tampering attacks. : In my case, i would be storing the wrapped key and not the original key. So when user tries to decrypt the wrapped key, he would get the original key but how do i make sure that is the right key. So the suggestion is to see if i can get the same IV i have used to encrypt which indirectly proves that the key decrypted is the right one. Even if you could recover the IV instead of supplying it, as this wrap algorithm *could* do (unlike normal CBC etc.), it doesn't prove the unwrapped=decrypted key is correct. CBC modes are often vulnerable to blockwise attacks (although I haven't worked out this one specifically). In general most encryption schemes don't attempt to provide integrity protection and shouldn't be relied on for that; even the common practice of checking PKCS#5 padding (for varying data in a block mode) is weak and many cryptosystems that relied on 'if it decrypts sensibly it must be correct' have been broken precisely that way. This is even more true where the encrypted data is a key which is just bits. If you want a check on the key unwrap (and usually people do, because of the impact if it is wrong), do a check. One common technique is for the wrapper to (separately) use the original key to encrypt a known block, such as all 0 or KEY CHECK VALUE, and transmit/store that value along with the wrapped key, or a portion of it like the first 4 bytes or so. The unwrapper uses the recovered key to do the same encryption and compares. More generic methods are to add an MDC (a hash) to the original key before wrapping, or a MAC (such as a keyed hash) after; but for the latter you now need to share (and manage) the MAC key as well as the wrap=encryption key. In the last few years special modes have been developed which do provide both encryption and integrity (or authentication). TLSv1.2 defines some ciphersuites using Galois Counter Mode (GCM) which are apparently implemented in brand-new 1.0.1. #define KEY_LEN 32 u8 dek[KEY_LEN + 8]; static const