hudac hudac - 2 months ago 28
Linux Question

Encryption/decryption doesn't work well between two different openssl versions

I've downloaded and compiled

openssl-1.1.0
.

I can encrypt and decrypt using the same exe of
openssl
(as is here)

me@ubuntu:~/openssl-1.1.0$ LD_LIBRARY_PATH=. ./apps/openssl aes-256-cbc -a -salt -in file.txt -out file.txt.enc
enter aes-256-cbc encryption password: 123
Verifying - enter aes-256-cbc encryption password:
me@ubuntu:~/openssl-1.1.0$ LD_LIBRARY_PATH=. apps/openssl aes-256-cbc -a -d -in file.txt.enc -out file.txt.dec
enter aes-256-cbc decryption password: 123


This
openssl
uses:
libcrypto.so.1.1, libssl.so.1.1


When I try to decrypt with the
openssl
installed on my ubuntu, which uses:
/lib/x86_64-linux-gnu/libssl.so.1.0.0, /lib/x86_64-linux-gnu/libcrypto.so.1.0.0


I get an error:

me@ubuntu:~/openssl-1.1.0$ openssl aes-256-cbc -a -d -in file.txt.enc -out file.txt.dec2
enter aes-256-cbc decryption password: 123
bad decrypt
140456117421728:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:


What may cause this?
Thanks

Answer

The default digest was changed from MD5 to SHA256 in Openssl 1.1

Try using -md md5

cgs@ubuntu:~$ echo "it-works!" > file.txt
cgs@ubuntu:~$ LD_LIBRARY_PATH=~/openssl-1.1.0/ openssl-1.1.0/apps/openssl aes-256-cbc -a -salt -in ~/file.txt -out ~/file.txt.enc -md md5
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
cgs@ubuntu:~$ LD_LIBRARY_PATH=~/openssl-1.0.1f/ openssl-1.0.1f/apps/openssl aes-256-cbc -a -in ~/file.txt.enc -d
enter aes-256-cbc decryption password:
it-works!

The ugly details:

The entered password is not used as is by aes (or other encryption) but the command implicitly derives a key from it. The key derivation uses message digest that was changed in openssl 1.1 Use SHA256 not MD5 as default digest.

In case you want to keep it simple password, and not start messing with the keying martial (-K,-iv) just force the same digest with -md