Openssl Command Line for Triple DES HMAC like C# MACTripleDES

Question

Can anyone explain how to make a TDES MAC in OpenSSL command line?

I am trying to duplicate some functionality of a working C# program in C for the OpenSSL API, and am having trouble duplicating the .Net MACTripleDES.ComputeHash function in openssl. Here is an example with bogus data and key:

        using (MACTripleDES hmac = new MACTripleDES(Utilities.HexStringToByteArray("112233445566778899aabbccddeeff00")))
        {
            // Compute the hash of the input file.
            byte[] hashValue = hmac.ComputeHash(Utilities.HexStringToByteArray("001000000000000000000000000000008000000000000000"));
            string signature = Utilities.ByteArrayToHexString(hashValue);
            PrintToFeedback("Bogus Signature = " + signature);
        }

The result is "Bogus Signature = A056D11063084B3E" My new C program has to provide the same hash of that data in order to interoperate with its wider environment. But the way to do this in openSSL eludes me. This shows that the openssl data starts out the same as the C# data:

cmd>od -tx1 bsigin
0000000 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000020 80 00 00 00 00 00 00 00

stringified, 001000000000000000000000000000008000000000000000 MATCHes the c# string.

cmd>openssl dgst -md5 -mac hmac -macopt hexkey:112233445566778899aabbccddeeff00 bsigin
HMAC-MD5(bsigin)= 7071d693451da3f2608531ee43c1bb8a

That data is too long, and my expected data is not a substring. Same for -sha1 etc. I tried encrypting and making the digest separately, no good. MS does not say what kind of hash it does, and I can't find documentation of how to set up a MAC with TDES in openssl.

So I'm hoping someone here knows enough about both platforms to give me a decent hint.

Turns out MS does show its work: https://github.com/microsoft/referencesource/tree/master/mscorlib/system/security/cryptography — Larry Martin, Apr 16 '20 at 20:22
If I encrypt with -des-ede-cbc I get a 32 byte result. Bytes 16..23 hold the desired "signature", i.e. match MS ComputeHash. But many articles here say that's bad, I should not roll my own crypto code. This one made the case in big letters: https://stackoverflow.com/questions/25932550/what-happens-behind-computehash-of-mactripledes-c-sharp-function — Larry Martin, Apr 17 '20 at 11:45

score 0 · Answer 1 · answered Apr 20 '20 at 11:31

Command line answer:

cmd>openssl enc -des-ede-cbc -K 112233445566778899aabbccddeeff00 -iv 0000000000000000 -in bsigin -out bsigout
cmd>od -tx1 bsigout
0000000 7c de 93 c6 5f b4 03 21 aa c0 89 b8 ae f3 da 5d
0000020 a0 56 d1 10 63 08 4b 3e 4c 03 41 d6 dd 9e e4 32
        ^^^^^^^^^^^^^^^^^^^^^^^

That is, the command line form returns 32 bytes, and bytes 16..23 contain the hmac.

API answer:

    DES_key_schedule SchKey1,SchKey2;
    DES_cblock iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
    DES_set_key((C_Block *)Key1, &SchKey1);
    DES_set_key((C_Block *)Key2, &SchKey2);
    DES_ede3_cbc_encrypt( (unsigned char*)input_data, (unsigned char*)cipher, inputLength, &SchKey1, &SchKey2, &SchKey1, &iv, DES_ENCRYPT);

Where Key1 is the Lkey or left 8 bytes of the 16 byte TDES key, and Key2 is the Rkey or right 8 bytes of the 16 byte TDES key. This call only populates 24 bytes of cipher, as opposed to the 32 byte return of the command line version. You still take bytes 16..23. Hopefully the supporting declarations are intuitive.

Openssl Command Line for Triple DES HMAC like C# MACTripleDES

1 Answers1