
I'm trying to encrypt data with the OpenSSL library in Ruby using a passphrase. The Ruby code looks like this:

```ruby
require('openssl')
require('base64')

cipher = OpenSSL::Cipher.new('AES-256-CBC')
cipher.encrypt
cipher.iv = iv = cipher.random_iv

pwd = 'topsecret'
salt = OpenSSL::Random.random_bytes 8
iter = 10000
key_len = cipher.key_len
digest = OpenSSL::Digest::SHA256.new

key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
cipher.key = key

puts "salt=#{salt.unpack('H*')[0]}"
puts "key=#{key.unpack('H*')[0]}"
puts "iv=#{iv.unpack('H*')[0]}"

encrypted = cipher.update 'my data to encrypt'
encrypted << cipher.final

puts "encrypted=#{Base64.strict_encode64(encrypted)}"

# it returns:
# salt=1332e5603cbc018a
# key=11a168cf01556a5ee3e22e049f0e65d3adcd75f39e32c7d19aec32a0ccb40d93
# iv=35a08f2d3e719abbee78a0f4fe47c938
# encrypted=E3Ag6cRL2R+xytgw01i6tKSFpV7s7bKoiiWvPA1FYxM=
```

Unfortunately, when I try to decrypt this, I get the error `bad magic number`:

```
$ echo "E3Ag6cRL2R+xytgw01i6tKSFpV7s7bKoiiWvPA1FYxM=" | openssl enc -aes-256-cbc -base64 -d -p -pass pass:topsecret
bad magic number
```

However, when I try this in the terminal by running the `openssl enc` command, it works:

```
$ echo 'my data' | openssl enc -aes-256-cbc -base64 -p -pass pass:topsecret
salt=8135837A305553F2
key=8B4373ABD786BAC107F4112640E95E920C77C017FCEC18E1BD919CED42F0298E
iv =910637CE50FADF27D944B7A8DD239E6D
U2FsdGVkX1+BNYN6MFVT8oWa5P/oxZFwzMk1DRCSSGg=

$ echo "U2FsdGVkX1+BNYN6MFVT8oWa5P/oxZFwzMk1DRCSSGg=" | openssl enc -aes-256-cbc -d -p -base64 -pass pass:topsecret
salt=8135837A305553F2
key=8B4373ABD786BAC107F4112640E95E920C77C017FCEC18E1BD919CED42F0298E
iv =910637CE50FADF27D944B7A8DD239E6D
my data
```

I think I tried every possible combination of generating the key/IV from the passphrase, but I get an error every time. Is anyone able to spot where the problem is with this approach? I've spent an entire day on this.

mightymatth
  • @kelalaka Excuse me, I pasted the wrong line of code when I was trying things out. It still doesn't work with `-base64`. Thanks for pointing this out. – mightymatth Dec 24 '18 at 18:52
  • Next problem, [PBKDF2](https://www.openssl.org/docs/manmaster/man1/openssl-enc.html): you use -md, but in your code you generate from PBKDF2. You must use the same parameters, too. – kelalaka Dec 24 '18 at 19:03
  • @kelalaka Another silly wrong attempt. Thanks. Still doesn't work. – mightymatth Dec 24 '18 at 19:16
  • Are you sure you are using the same parameters? You should post them, too. – kelalaka Dec 24 '18 at 19:17
  • @kelalaka Which parameters exactly? I think that you can reproduce it just by copy-pasting it into a terminal. I run it on macOS, ruby 2.4.1, system openssl (libressl) 2.7.7. – mightymatth Dec 24 '18 at 19:21
  • The keygen part must be matched. libressl doesn't support PBKDF2, as far as I can see. Change the Ruby part to match. – kelalaka Dec 24 '18 at 19:41
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/185742/discussion-between-niflheim-and-kelalaka). – mightymatth Dec 24 '18 at 22:15
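
For reference, when `openssl enc` is given a password it reads and writes the 8-byte magic `Salted__`, then the 8-byte salt, then the ciphertext, and by default takes key and IV from a single-iteration EVP_BytesToKey derivation; `bad magic number` means that header is absent. The Ruby below is an added example, not part of the original question or comments, that writes and reads that layout. The helper names and the `digest_name` parameter are assumptions, and the digest has to match the `-md` setting of the CLI build in use.

```ruby
require 'openssl'
require 'base64'

MAGIC = 'Salted__'.b # 8-byte header that precedes the salt

# Split a base64 blob into [salt, ciphertext]. Returns nil when the header is
# missing, which is the case the CLI reports as "bad magic number".
def parse_enc_blob(b64)
  raw = Base64.decode64(b64)
  return nil unless raw.bytesize >= 16 && raw.byteslice(0, 8) == MAGIC
  [raw.byteslice(8, 8), raw.byteslice(16..-1)]
end

# EVP_BytesToKey, one iteration: D1 = H(pass||salt), Dn = H(Dn-1||pass||salt),
# concatenated until there are enough bytes for the key followed by the IV.
def bytes_to_key(pass, salt, key_len, iv_len, digest_name)
  out = ''.b
  block = ''.b
  while out.bytesize < key_len + iv_len
    block = OpenSSL::Digest.new(digest_name).digest(block + pass.b + salt)
    out << block
  end
  [out.byteslice(0, key_len), out.byteslice(key_len, iv_len)]
end

def enc_cipher(mode, pass, salt, digest_name)
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key, cipher.iv = bytes_to_key(pass, salt, cipher.key_len, cipher.iv_len, digest_name)
  cipher
end

# Output is a single base64 line; the CLI wraps long output at 64 characters
# and needs -A to read an unwrapped line longer than that.
def enc_encrypt(plaintext, pass, digest_name, salt = OpenSSL::Random.random_bytes(8))
  cipher = enc_cipher(:encrypt, pass, salt, digest_name)
  Base64.strict_encode64(MAGIC + salt + cipher.update(plaintext) + cipher.final)
end

def enc_decrypt(b64, pass, digest_name)
  parsed = parse_enc_blob(b64)
  raise ArgumentError, 'bad magic number' if parsed.nil?
  cipher = enc_cipher(:decrypt, pass, parsed[0], digest_name)
  cipher.update(parsed[1]) + cipher.final
end

if __FILE__ == $PROGRAM_NAME
  blob = enc_encrypt('my data to encrypt', 'topsecret', 'SHA256') # constructed sample
  puts blob, enc_decrypt(blob, 'topsecret', 'SHA256')
end
```

The single-iteration derivation is reproduced here only because it is what the CLI does by default; where the CLI build supports `-pbkdf2`, both sides can use PBKDF2 with identical salt, iteration count and digest instead.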
