I am trying to decrypt a video file using openssl. But 16 byte aes key has a line feed (LF) character in it.
x
yÏï:YÛI?þbl
Because of the LF, when I copy the key to the terminal, it sends only "x" not the whole key.
How can I type this key on terminal?
openssl aes-128-cbc -d -in input.ts -out output.ts -pass [aes_key]
Try parameter -K
from openssl help:
-K/-iv key/iv in hex is the next argument
So something like this should work
openssl aes-128-cbc -d -in input.ts -out output.ts -K 00EF45....
where 00EF45.... will be your aes key in hexadecimal format.
Related
The thing is, i want to encrypt some information on my disk.
The method i choose to encrypt my text is:
read pwd
key=${pwd}
iv=${pwd}
encrypt_info = $(echo ${text} | openssl enc -e -A -aes-256-cbc -a -K ${key} -iv ${iv} -nosalt)
But I do not want to enter my password every time I encrypt my information. So i put my "pubkey" somewhere public. The "pubkey" is generated in this way:
read password
pubkey=$(echo ${password} | openssl enc -e -A -aes-256-cbc -a -K ${password} -iv ${password} -nosalt)
I only enter my password every time i want to decrypt my text. Steps to decrypt:
Enter password
Calculate "pubkey" in the way above
If the pubkeys match, the password is the correct one.
Use the correct password to decrypt my information.
You see my steps. My question is, if some one get my "pubkey" and know that the "pubkey" is generated by the way above, can he/she crash my password?
openssl enc -e -A -aes-256-cbc -a -K ${password} -iv ${password} -nosalt)
With aes-256 the key needs to have 32 bytes and iv needs to have 16 bytes, so properly you cannot use the same value (it works for aes-128 though).
You are using the password as a key (-K parameter), so let's use a proper denotation key, which in this case should be 32 bytes hex encoded.
if some one get my "pubkey" and know that the "pubkey" is generated by the way above, can he/she crash my password?
no, that shouldn't be possible
If the pubkeys match, the password is the correct one.
Use the correct password to decrypt my information.
I don't really understand the reason behind the step. You can just try to decrypt the file and if the key is not current, the decryption fails on invalid padding.
Or - do you want to validate the key once when provided by the user? In that case you could validate a hash of the password
echo 'some password' | openssl dgst -sha256
Usually storing a simple hash of a user password is not secure enough, but assuming you provide a random 256 bit key, it should be ok.
iv=${pwd}
This seems to be a vulnerability, the cbc mode needs a random IV to be secure. Reusing the IV for multiple encryptions is not secure.
Maybe just let the openssl generate a random salt (and derive the key and IV from the salt and password) would solve the problem.
echo -n 'some text' | openssl enc -e -A -aes-128-cbc -k 'password' -a
I have generated a public/private keypair with OpenSSL. I want to use the private key now to sign my message using OpenSSL, and I was thinking to stay in a bash environment. I am required to use SHA-RSA1.
So far, I was suggested the following code but I am not happy with it:
openssl.exe dgst -sha1 -sign C:\...\path\to\key\privatekey.pem -binary C:\...\path\to\message\message.txt
I don't want to have my message be stored in a file (message.txt) to generate a signature and in any case, I would need to use openssl base64 afterwards to get the base64 representation.
Is there a more proper way to achieve what I want (and a one liner would be great)?
Use openssl itself to encode base64
echo "$msg" | openssl dgst ... -binary | openssl enc -base64
I am trying to decrypt a file (part444.txt) with message:
y2EdLtmNQsZkvwwf8jf3fM6c1thfzF0sQfblayGIBik=
This is base64 encoded encrypted text under 128 bit AES in CBC mode. It is not padded. The IV is the first 16 bytes of the encrypted text and the key is h4ckth1sk3yp4d16.
I know that people received the bad magic number error from problems with Base64 but now I get the "error reading input file" and not sure where to go from here.
I have tried:
openssl enc -base64 -d part444.txt | openssl aes-128-cbc -d -k h4ckth1sk3yp4d16
Why am I encountering the errors "bad magic number" and "error reading input file"?
This is sort of a pain to do with openssl, because openssl's encryption makes assumptions about padding and deriving a salted key from the entered password that you have to deliberately turn off.
It's much easier to do in python with say PyCrypto, where these assumptions aren't made.
>>> import base64
>>> data = base64.b64decode('y2EdLtmNQsZkvwwf8jf3fM6c1thfzF0sQfblayGIBik=')
>>> from Crypto.Cipher import AES
>>> aes_crypter = AES.new('h4ckth1sk3yp4d16', AES.MODE_CBC, data[:16])
>>> aes_crypter.decrypt(data[16:]) # this gives the encrypted secret.
It is possible to do this with openssl, but you have to read the base64 encoded data -- take out the first 16 bytes and remember it as your $IV (after encoding it back to hex that openssl expects), start reading all the bytes after the first 16 and remember it as the $CIPHERTEXT (and say re-encode in base64). Similar for the $KEY, you have to convert it from ASCII to bytes in hex. Assuming you stored these in variables, then the following would work:
IV=`base64 -d part444.txt | xxd -p -l 16`
CIPHERTEXT=`base64 -d part444.txt | cut -b 17- | base64`
KEY=`echo -n h4ckth1sk3yp4d16 |xxd -p`
echo $CIPHERTEXT | openssl aes-128-cbc -d -a -nopad -K $KEY -iv $IV && echo ""
Note base64 -d decodes base64 to binary (using base64 from GNU coreutils; on BSD replace with base64 -D), base64 b64 encodes binary data, cut -b 17- reads from the 17th byte of data to the end of the file, and xxd -p converts binary to hex.
I am trying to get a base64 encoded sha1 hash in a windows batch file.
The first thing I tried was with perl:
perl -M"Digest::SHA1 qw(sha1_base64)" -e "open(F,shift) or die; binmode F; print sha1_base64(<F>), qq(=\n)" "test.mxf"
This works great, but only for small files. With big files it says "Out of memory".
Then I downloaded an openssl version for windows and tried this:
"C:\openssl.exe" dgst -sha1 -binary -out "hash_sha1.txt" "C:\test.mxf"
set /p hash_sha1=<"hash_sha1.txt"
del "hash_sha1.txt"
echo !hash_sha1!
echo -n '!hash_sha1!' | "C:\openssl.exe" enc -base64
But the output of the openssl method is different from the Perl output and I know that the Perl method produces the correct output. What do I have to change?
There's no -n parameter of echo so -n AND single quotes are part of the output.
The intermediate files and variables aren't needed, use piping.
The entire code:
openssl dgst -sha1 -binary "C:\test.mxf" | openssl enc -base64
If you create a Digest::SHA1 object, you can use the add method to calculate the hash incrementally
There is also no need to explicitly open files passed as command-line parameters. They are opened automatically using the built-in file handle ARGV, and can be read with the empoty diamond operator <>
perl -Mopen=IN,:raw -MDigest::SHA1 -e"$d=Digest::SHA1->new; $d->add($_) while <>; print $d->b64digest, qq{=\n}" 5GB.bin
This command line was quite happy to generate the SHA1 hash of a 5GB file, but if you are unlucky enough to have a very big file that contains no linefeeds then you will have to set a read block size with something like
local $/ = \(1024*1024)
I'm trying to encrypt some form data with OpenSSL on Windows and I'm having a hard time figuring out what's the correct syntax. With the following command, OpenSSL returns a PKCS7 message, but still gives me a & was unexpected at this time message.
(openssl smime -sign -signer client-public.pem -inkey client-private.pem -outform der -nodetach -binary^
formkey1=formvalue1^
formkey2=formvalue2^
formkey3=formvalue3^
^
^
) | openssl smime -encrypt -des3 -binary -outform pem server-public.pem
I feel like my pipeline is causing some problem in there but I have no idea what I should do to have a clean, error-free result.
There is no need to split it into multiple lines.
So you should first test if it works on a single line.
Then you could use the multiline caret, but don't forget to add a space in the next line, else it will paste the complete text together without any delimiters.
And the caret just before the closing parenthesis, will fail, as a multiline caret escapes the first character of the next line, so your closing parenthesis will not close anything.
This should work
(openssl smime -sign -signer client-public.pem -inkey client-private.pem -outform der -nodetach -binary^
formkey1=formvalue1^
formkey2=formvalue2^
formkey3=formvalue3^
^
^
) | openssl smime -encrypt -des3 -binary -outform pem server-public.pem