OpenSSL string decryption issue
I'll try to make this as succinct as possible.

I want to be able to encrypt & decrypt simple strings using OpenSSL, which I have done before.

HOWEVER, the following conditions must be met:

  • Simple passphrase use (no keys)
  • No input/output files
  • No prompt for passphrase (specify via command-line options for either direction)

I'm 50% there. I can successfully perform ENCRYPTION via:

echo 'someTextIWantToEncrypt' | openssl enc -e -aes-256-cbc -nosalt -pass pass:mySecretPass

The output result is:

(??b}n??v???>??G??.?B??~?

OK, great. Now I want to DECRYPT that string. So I do:

echo -n '(??b}n??v???>??G??.?B??~?' | openssl enc -d -aes-256-cbc -pass pass:mySecretPass

or even as an alternative:

openssl enc -d -aes-256-cbc -pass pass:mySecretPass <<< '(??b}n??v???>??G??.?B??~?'

But I get this response:

bad magic number

Though I don't want to use input/output files, that method DOES work 100%:

# encrypt to file
echo -n 'someTextIWantToEncrypt' | openssl enc -e -nosalt -out test.txt -aes-256-cbc -pass pass:mySecretPass 

# decrypt from file
openssl enc -d -nosalt -in test.txt -aes-256-cbc -pass pass:mySecretPass

# result of decryption (is successful):
someTextIWantToEncrypt

So ... how can I achieve the above decryption process without using input/output files whatsoever? I feel I am close, but missing some small detail.

Thanks in advance.

Egarton answered 14/6, 2013 at 21:41 Comment(0)

The problem is that encryption uses the entire ASCII character set, including unprintable characters. If you want to be able to cut and paste the encrypted data, you need to convert it to only printable characters. You can do this with the -base64 (or -a) option:

echo 'someTextIWantToEncrypt' | \
  openssl enc -base64 -e -aes-256-cbc -nosalt -pass pass:mySecretPass

KPkBkGJ9bs4YHvh24xz7m9jTlYWm1LcIFcWR0DwY4PU=

Then decrypt it the same way:

echo "KPkBkGJ9bs4YHvh24xz7m9jTlYWm1LcIFcWR0DwY4PU=" | \
  openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:mySecretPass

WARNING: If you're using openssl, I can only assume the confidentiality of the data, and therefore the password, is important to you. If that's the case, you should never supply a password on the command line, because it can be exposed to anyone with the privilege to run ps.

A better solution is to store the password in an environment variable and have openssl read it from there:

export passwd="mySecretPass"
echo "KPkBkGJ9bs4YHvh24xz7m9jTlYWm1LcIFcWR0DwY4PU=" | \
  openssl enc -base64 -d -aes-256-cbc -nosalt -pass env:passwd
Hofstetter answered 15/6, 2013 at 1:57 Comment(6)
You are correct, and I have figured this out -- you are correct as well as the individual who helped me. Props go to both of you. Since I am so new to this site, it wouldn't let me answer my own question for another few hours. In any case, THANK YOU! Egarton
And as an aside, you're also correct about the "better" solution. All I can say is that this is a working Proof-Of-Concept, and to complement your remark, the end goal IS to do a more secure "storing" of such information and not expose it on the command line. Kudos to you Adam Liss. Egarton
In that case, I'd respectfully suggest you solicit a review by a security professional. You see a lot of plausible--but utterly vulnerable--implementations during 15+ years in the business. Hofstetter
Wholeheartedly agreed - in addition, if this POC ever matures to a feasible state, it will be community driven ultimately. Egarton
On short strings like this you should use a salt. Otherwise the encrypted output of the same input, using the same key, will always be the same, allowing an attacker to substitute strings or just identify when known strings are occurring. Whitton
How could this be implemented in C++? Financier

Decrypt

#!/bin/bash
clear 
# encrypt to file
echo "enter choice "
echo "1-dakr"
echo "2-gakr"
read choice 
case $choice in
1 )
echo "text?"
read text
echo "pass?"
read pass

echo -n '$text' | openssl enc -e -nosalt -out test.txt -aes-256-cbc -pass pass:$pass 
;;
2 ) 
# decrypt from file
echo "pass?"
read pass
echo "path?"
read path
openssl enc -d -nosalt -in $path -aes-256-cbc -pass pass:$pass
;;
* )
echo "shcd"
;;
esac

Output of Decrypt is $text. How to fix it?

Message answered 7/4, 2018 at 17:42 Comment(4)
Could you please explain exactly what the issue is? How to fix what? What are you expecting the program to do? Kinross
I want to encrypt a string and save it in a text file. The program does this well, but when I choose decrypt and select the file path (where the encrypted text is saved), the output is $text instead of the decrypted string. Message
Could you add this to your question? This way others can understand exactly what the problem is. Kinross
Use double quotes instead of single quotes: echo -n "$text" | openssl ... or without quotes entirely: echo $text | openssl ... Droop

I know this is old, but someone else just showed me this question. I have a TCL script that achieves this easily, and can just be modified to work with whatever shell you're using, it contains these lines:

if {[catch {set lines [exec echo -n $tte | openssl enc -$cipher -a -pbkdf2 -iter $iterations -pass pass:$fkey]} msg]} {
     tk_messageBox -message $msg
     return
}

Where $tte = text to encrypt, $cipher and $iterations are self explanatory, and $fkey is the password passed to openssl. Just add a -d switch to decrypt.

Afton answered 21/2, 2022 at 15:42 Comment(0)
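The accepted answer, Whitton's comment about salting, and the -pbkdf2 switch in the TCL answer all turn on what `openssl enc` does with the bytes before the ciphertext and with the passphrase. The following is an added example written for this page, not code from any of the answers: it uses only the Python standard library to reproduce the "Salted__" header check that produced the question's "bad magic number" (the accepted answer's base64 line decodes to 32 raw bytes beginning with 0x28, the "(" the question's raw output starts with, and no header), the legacy EVP_BytesToKey derivation behind `-pass pass:` with and without a salt, and the PBKDF2 derivation behind `-pbkdf2 -iter`. The helper names (`split_salted`, `describe`, `build_salted`) and the zero-filled placeholder ciphertext are my own; the default digest for the legacy derivation is md5 as in OpenSSL releases of 2013, and newer builds use sha256.

```python
# Added example (not from the original answers): what `openssl enc` does with a
# passphrase, and why the question's decrypt attempt reports "bad magic number".
# Pure standard library; run with no arguments. Helper names are my own.
import base64
import hashlib
import os

MAGIC = b"Salted__"        # 8-byte header openssl enc writes unless -nosalt is given
KEY_LEN, IV_LEN = 32, 16   # aes-256-cbc: 256-bit key, 128-bit IV

# Ciphertext from the accepted answer above: produced with -nosalt, so no header.
NOSALT_B64 = "KPkBkGJ9bs4YHvh24xz7m9jTlYWm1LcIFcWR0DwY4PU="


def nosalt_blob() -> bytes:
    """The raw bytes behind the answer's base64 line (32 bytes, two AES blocks)."""
    return base64.b64decode(NOSALT_B64)


def split_salted(blob: bytes):
    """Return (salt, body) from a salted blob, or raise the way openssl does.

    Decrypting without -nosalt makes openssl look for this header first, which
    is exactly the check the question's command tripped over.
    """
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("bad magic number")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, md: str = "md5"):
    """Legacy EVP_BytesToKey derivation behind `-pass pass:` without -pbkdf2.

    One hash per output block and no iteration count, so it is cheap to brute
    force. OpenSSL before 1.1.0 (the 2013 answers) used md5; later releases
    default to sha256, so pass md="sha256" to match a modern build.
    """
    derived, prev = b"", b""
    while len(derived) < KEY_LEN + IV_LEN:
        prev = hashlib.new(md, prev + password + salt).digest()
        derived += prev
    return derived[:KEY_LEN], derived[KEY_LEN:KEY_LEN + IV_LEN]


def pbkdf2_key(password: bytes, salt: bytes, iterations: int = 10000):
    """Derivation behind `-pbkdf2 [-iter N]`: key and IV come out of one
    PBKDF2-HMAC-SHA256 call of length key+iv; 10000 is openssl's default count."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                                  dklen=KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:]


def build_salted(salt: bytes, body: bytes) -> bytes:
    """Lay out bytes the way `openssl enc -salt` writes them (constructed input)."""
    if len(salt) != 8:
        raise ValueError("openssl salt is exactly 8 bytes")
    return MAGIC + salt + body


def describe(blob: bytes, password: bytes, pbkdf2: bool = False) -> dict:
    """What a decryptor would do with `blob`: header check, then key/IV derivation."""
    try:
        salt, body = split_salted(blob)
    except ValueError as exc:
        return {"salted": False, "error": str(exc)}
    key, iv = (pbkdf2_key if pbkdf2 else evp_bytes_to_key)(password, salt)
    return {"salted": True, "salt": salt.hex(), "key": key.hex(),
            "iv": iv.hex(), "body_len": len(body)}


if __name__ == "__main__":
    pw = b"mySecretPass"

    # 1. The question's failure: a -nosalt ciphertext has no "Salted__" header.
    print("nosalt blob, decrypted without -nosalt ->", describe(nosalt_blob(), pw))

    # 2. Without a salt the key *and* the IV depend on the passphrase alone, so
    #    equal plaintexts give byte-identical ciphertexts (Whitton's point).
    k1, iv1 = evp_bytes_to_key(pw, b"")
    k2, iv2 = evp_bytes_to_key(pw, b"")
    print("nosalt derivation repeatable:", (k1, iv1) == (k2, iv2))

    # 3. With -salt every run gets a fresh 8-byte salt and therefore fresh key/IV.
    body = b"\0" * 32                       # constructed placeholder for ciphertext
    for _ in range(2):
        blob = build_salted(os.urandom(8), body)
        print("salted run ->", describe(blob, pw, pbkdf2=True))
```

Running it shows the three cases in order: the answer's own ciphertext rejected with "bad magic number" (the same message the question got, because the decrypt command omitted -nosalt), the no-salt derivation returning the same key and IV every time, and two salted blobs yielding different keys for the same passphrase. The hex keys it prints are derivation outputs for the constructed inputs only; no AES is performed here, so the placeholder body is never decrypted.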

© 2022 - 2024 — McMap. All rights reserved.