
Decrypt String with OpenSSL Issue Output


I've got an encrypted string, and I need to decrypt it:

The information that I have:

  • Encryption Used: RFC3826 (AES-128 ECB)
  • Encrypted String: AjL4iV8YSGnNOCQYOJXIP97GjCAYp2k0QLm56XxJN0p/yu5xQh5uitX3UmfP3bzZaXDd2u6hMwp6cxO3cNL1cg==
  • Key: MySecretKey

When I use the following website, I can decrypt it with no problem:

(https://www.devglan.com/online-tools/aes-encryption-decryption)

Final Result:

  • Base64: ZTY3OTkzMmQtMTJiMi00OGEyLThlZjctMzAxY2RiOWFiNTdiMjg5WUgzSVRJWFJI
  • Plain Text: e679932d-12b2-48a2-8ef7-301cdb9ab57b289YH3ITIXRH

When I try to use OpenSSL to decrypt it, I get special characters:

openssl enc -aes-128-ecb -d -a -nopad -nosalt -pass pass:MySecretKey -in string.txt

Output String: ûUzÊVmwN☺+æ¨+\˨Ì┬cåÁ⌂▄B░×H·4é▀+>╦ G├[ëæ│_i(A&1·:0>▼è³0r

Am I doing something wrong?


Solution

  • From the (limited) description of what you are doing, two flaws can be identified.

    First, the website that you are using does apply padding when encrypting data. The plaintext that you provided consists of 48 bytes:

    $ echo -n 'e679932d-12b2-48a2-8ef7-301cdb9ab57b289YH3ITIXRH' | wc -c
          48
    

    This is a multiple of 16. But the ciphertext is 64 bytes long. This can be seen by base64 decoding the ciphertext string before feeding it into wc:

    $ echo -n 'AjL4iV8YSGnNOCQYOJXIP97GjCAYp2k0QLm56XxJN0p/yu5xQh5uitX3UmfP3bzZaXDd2u6hMwp6cxO3cNL1cg==' | openssl base64 -A -d | wc -c
          64
    

    The fact that 16 bytes are added to the ciphertext even though your plaintext was a multiple of 16 bytes long means that padding is applied. So in your openssl command, you should not use the -nopad option.

    Secondly, your openssl command provides the secret key as a passphrase, whereas the website does not interpret the 'Secret Key' input field as a passphrase. Instead of using -pass in your openssl command(s), you should be using -K, which gives the key as an actual sequence of byte values.

    As an example, the following openssl commands can be successfully reproduced in the website form:

    $ echo -n '1234567890123456' | openssl enc -aes-128-ecb -K 6162636465666768696a6b6c6d6e6f70 -nosalt -base64 -A -out string.txt
    $ cat string.txt
    M3q3c85LGdEj9k8iep/J145kzoc/F027JCP82BRYDhU=
    

    for encryption and

    $ cat string.txt | openssl enc -d -aes-128-ecb -K 6162636465666768696a6b6c6d6e6f70 -nosalt -base64 -A
    1234567890123456
    

    for decryption.

    To achieve the same results in the website, the string to be used in the plaintext input field is 1234567890123456 and the string to be used in the Secret Key input field is abcdefghijklmnop. The contents of the field "AES Encrypted Output" will be the same as the contents of string.txt, and that is what you need to enter into the field "text to be Decrypted" as well.

    (The -n flag for echo and the -A flag for openssl enc are used to avoid newlines being added at the end).
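
The two points from the answer above (leave padding on, pass the key bytes with -K rather than -pass), as an added shell example that is not part of the original answer. The helper names are made up for illustration; the key and plaintext are the answer's own test values.

```shell
#!/bin/sh
# Added example: raw key (-K) versus passphrase (-pass) with openssl enc.
# Function names are hypothetical; test values are the ones used in the answer.

# Hex-encode the bytes of a string, which is the form -K expects.
key_to_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Reject anything that is not exactly 16 key bytes (32 hex digits) for AES-128.
check_key() {
    [ "${#1}" -eq 32 ] || { echo "key must be exactly 16 bytes" >&2; return 1; }
}

# Encrypt $2 under raw key $1. Padding stays on (no -nopad). Prints base64.
enc_raw() {
    hex=$(key_to_hex "$1")
    check_key "$hex" || return 1
    printf '%s' "$2" | openssl enc -aes-128-ecb -K "$hex" -base64 -A
}

# Decrypt base64 ciphertext $2 under raw key $1.
dec_raw() {
    hex=$(key_to_hex "$1")
    check_key "$hex" || return 1
    printf '%s' "$2" | openssl enc -d -aes-128-ecb -K "$hex" -base64 -A
}

# Same string given as a passphrase: openssl derives the AES key from it,
# so the ciphertext does not match the raw-key result.
enc_pass() {
    printf '%s' "$2" | openssl enc -aes-128-ecb -nosalt -pass "pass:$1" \
        -base64 -A 2>/dev/null
}

# Length in bytes of the ciphertext behind a base64 string.
ct_len() {
    printf '%s' "$1" | openssl base64 -A -d | wc -c | tr -d ' '
}

ct=$(enc_raw 'abcdefghijklmnop' '1234567890123456')
echo "raw key (-K): $ct ($(ct_len "$ct") bytes for 16 bytes of plaintext)"
echo "passphrase:   $(enc_pass 'abcdefghijklmnop' '1234567890123456')"
echo "round trip:   $(dec_raw 'abcdefghijklmnop' "$ct")"
```

The 16-byte plaintext encrypts to 32 bytes because a full padding block is appended, the same effect the answer measures with wc -c.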