LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
User Name
Password
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Notices

Reply
 
LinkBack Search this Thread
Old 07-25-2012, 07:15 PM   #1
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,956
Blog Entries: 1

Rep: Reputation: 81
openssl: any simple examples no how to use openssl to do some decryption?


Hi!

I will have to do a little decryption to an application we are working on. I was wondering if there are simple examples of c development to do this.

I have created an encrypted file with openssl:

Code:
openssl aes-256-cbc -a -salt -in strace.kded4.txt.gz -out resultado.gz
Now I'd like to decode it with a c program I'll do for testing/learning about the openssl api.

Thanks in advance.
 
Old 07-26-2012, 01:02 AM   #2
A.Thyssen
Member
 
Registered: May 2006
Location: Brisbane, Australia
Posts: 118

Rep: Reputation: 32
My notes on openssl includes this...

http://www.ict.griffith.edu.au/antho.../openssl.hints

Also see my notes in
http://www.ict.griffith.edu.au/antho..._encrypt.hints

I have a C program the uses openssl to do file encryption.
I downloaded it from
http://tldp.org/LDP/LGNET/87/vinayak.html
It makes for good reading on just how to do it.


WARNING: the openssl password hashing function (user passphrase to cryptographic key) used for file encryption, is just a single pass hasshing function (PBKDF1.5, its very fast). This is appropriate for one time data stream use, but not for long term file encryption.

A fast hashing function basically makes a dictionary attack (just try every reasonable password) on an encrypted file quite feasible.


However the openssl library has the newer iteritive hash function included. this uses the hashing function hundreds (or thousands) of times, so that it takes about 1/2 a second to convert a user passphrase to cryptographic key. That makes a dictionary attack (with the salt) too long to be really useful.

Unfortunatally this function PKCS5_PBKDF2_HMAC_SHA1() is not available from the command line. But trival C programs can make it accessable to command line.
http://www.imagemagick.org/Usage/software/#pbkdf2

I created a perl equivelent to create my own encrypt file program with a well documented encryption technique (using standard encryption methods) whcih produces a openssl file encryption, but using this iterated hashing function for added security.
Download from...
http://www.ict.griffith.edu.au/antho...re/#encryption

The program is very readable with lots of comments. It works in a very similar way to "aespipe", though that uses the less secure, default openssl file encryption methods.

NOTE: the encryption used is the same, only a interactive hashing method is used, which also needs a file header to encrypted file.

I have in fact implemented the equivelent openssl file encryptin in a perl script like the above, just to verify exactly what is being done.

Last edited by A.Thyssen; 07-26-2012 at 01:18 AM.
 
1 members found this post helpful.
Old 07-26-2012, 09:03 AM   #3
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,956
Blog Entries: 1

Original Poster
Rep: Reputation: 81
Thanks.... I'll take a look at your stuff plus I found this:

http://www.ibm.com/developerworks/li...ssl/index.html
 
Old 07-26-2012, 09:07 AM   #4
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,956
Blog Entries: 1

Original Poster
Rep: Reputation: 81
ANd linked from that article:

http://www.linuxjournal.com/article/4822
http://www.linuxjournal.com/article/5487
 
Old 07-26-2012, 11:09 AM   #5
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,956
Blog Entries: 1

Original Poster
Rep: Reputation: 81
I decided to get it straight from the horse's mouth so downloaded openssl's code. I have reached this in the openssl code:

Code:
fp->func(argc,argv);
Roughly line 490-495 in apps/openssl.c... however I can't figure out where this is taking me (considering I'm making the call to openssl as I said in my first post). Where would I land when working with aes-256-cbc?

Thanks in advance.
 
Old 07-26-2012, 11:17 AM   #6
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,956
Blog Entries: 1

Original Poster
Rep: Reputation: 81
Just to provide more info... if I look in fp->name, I get aes-256-cbc which is fine. However I don't know where the FUNCTION structure is set up for aes (which would lead me to where func() is going, right?)
 
Old 07-26-2012, 11:26 AM   #7
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,956
Blog Entries: 1

Original Poster
Rep: Reputation: 81
Would it be easier to use mcrypt instead?
 
Old 07-26-2012, 07:57 PM   #8
A.Thyssen
Member
 
Registered: May 2006
Location: Brisbane, Australia
Posts: 118

Rep: Reputation: 32
Quote:
Originally Posted by eantoranz View Post
Would it be easier to use mcrypt instead?
mcrypt is good, with much of the configuration (encryption method to use) set via environment variables.

however when I looked at it I noted that...

1/ The passphrase can not be provided by a file descriptor.
For example you can not make use of a GUI password prompter (like "ssh-askpass")
Though perhaps a named pipe can be substituted.

2/ It also does not use the PBKDF2 iterative hashing of the passphrase to cryptographic key
(jsut like "openssh enc")

That second point was why I ended up creating the "encrypt.pl" script. It also does not read the passphrase from a file descriptor, but as it is interpreted perl, that can be easilly added as future options.

ASIDE: I have updated the "encrypt" script so that its ability to decrypt "openssl enc" files is performed using the Crypt::CBC perl module. This was done to avoid the need to call "openssl" command from the perl, and validate that the the actual AES data encryption used is the same. The script just uses the improved the passphrase hashing technique for added security.

I would prefer to see openssl enc improved with the same hashing technique. It has all the parts, just needs to be implemented on command line (with appropriate file magic change).

---

NOTE: You may also like to look at my "ks" script which saves encrypted files in hashed filenames in a "key store", (looks like a EncFS filesystem but actually isn't). It also stores a command (and other information) with the encrypted data, and normally uses that command to process the encrypted data.

That command can be a simple 'read-only display' program.

More commonly, it is encrypted file system mounting command, which uses the encrypted data,
(the master key and configuration data for that mount) to do the mount. This means the users
password unlockes the key-store. The Key store unlocks and mounts the larger ENCFS directory-level encrypted file system, (which may be kept 'in-the-cloud').

This seperates encryption info from the encryption file system (more secure), uses a stronger binary key for the actual encrypted file system, and allows users to change their password, without needed to re-encrypt that whole file system. LUKS dmcrypt under linus also uses a similar technqiue.

Last edited by A.Thyssen; 07-26-2012 at 09:11 PM.
 
  


Reply

Tags
decrypt, dev, openssl, ssl


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
install of openssl-0.9.8b-8.3.el5 conflicts with file from package openssl-0.9.8b-8.3 arun5002 Linux - Server 1 09-26-2011 01:02 PM
OpenSSL rozilla Linux - Software 3 12-30-2008 10:38 AM
oops openssl-0.9.8e over openssl-0.9.8d bad install now 2 copies? rcorkum Slackware 4 06-29-2007 01:58 AM
Openssl velan Programming 1 05-16-2005 12:28 AM
OpenSSL 0.9.6k kojiroh Solaris / OpenSolaris 2 10-09-2003 10:51 AM


All times are GMT -5. The time now is 09:58 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration