We are currently using OpenSSL 1.0.1 to encrypt a token as below:

Encryption:

echo $TOKEN | openssl enc -aes-256-cbc -e -kfile <path of kfile> -md sha256 | base64 -w 0

Decryption:

echo $TOKEN | base64 -w 0 -d | openssl enc -aes-256-cbc -d -kfile <path of kfile> -md sha256

The above commands work fine on a host with OpenSSL version 1.0.1.  But we have a requirement where we need to encrypt a token in 1.0.1 and decrypt in version 1.1.1.

I tried the same decryption command (as above), but I get a bad decrypt error:

]▒ad decrypt
140437674784640:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:643:
    Please fix your question to show the proper code. Don't put it in the comments because then people have to look in two different places and work out which one is more recent. Commented Apr 29 at 9:01

2 Answers

Seeing as OpenSSL 1.0.1 has been out of support since 1st January 2017, and indeed has significant security advisories associated with it, I can only confirm that once the usage errors have been fixed the code works with what is a current 3.0.11 (Debian stable with security patches).

Encryption

token='hello, world'
kfile='kfile'
echo 'Secret surprise' >"$kfile"

# -kfile reads the passphrase from the first line of the file;
# -k would use the literal string "kfile" as the passphrase instead.
encoded=$(
    printf '%s' "$token" |
    openssl enc -aes-256-cbc -e -kfile "$kfile" -md sha256 |
    base64 -w0
)
echo "$encoded"

Output

*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

U2FsdGVkX1+OA++hZRtIx8hSXmw19lUpHJbH4/jbNIo=

Decryption

# Same key file and digest as on the encrypting side
output=$(
    printf '%s' "$encoded" |
    base64 -d |
    openssl enc -aes-256-cbc -d -kfile "$kfile" -md sha256
)
echo "$output"

Output

*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

hello, world

Refer to "OpenSSL 1.1.1b warning: Using -iter or -pbkdf2 would be better while decrypting a file encrypted using OpenSSL 1.1.0g" for hints on resolving the WARNING messages. (For example, adding the -pbkdf2 flag to both encryption and decryption calls.)

Apologies for the confusion, I was using the wrong kfile while decrypting, hence the error. I have added the correct kfile and it works, but the only thing is that it generates the warning message below:

*** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better.
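
Added example (not part of the original posts, and not OpenSSL's own code): what the salted `openssl enc` output contains, and how the two key derivations the warning contrasts turn a passphrase into the AES-256-CBC key and IV. The function names and the two sample key-file contents are constructed for illustration; the blob is the one shown in the first answer. A different passphrase or digest on the decrypting side yields a different key, which is what surfaces as "bad decrypt".

```python
import base64
import hashlib

MAGIC = b"Salted__"  # 8-byte header written by `openssl enc` when a salt is used

def parse_enc_blob(b64_text):
    """Split base64 `openssl enc` output into (salt, ciphertext)."""
    raw = base64.b64decode(b64_text, validate=True)
    if len(raw) < 16 or raw[:8] != MAGIC:
        raise ValueError("not salted openssl enc output")
    body = raw[16:]
    if not body or len(body) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return raw[8:16], body

def legacy_kdf(passphrase, salt, md="sha256", key_len=32, iv_len=16):
    """EVP_BytesToKey with count=1: the derivation the WARNING calls deprecated."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        # One hash pass per block: D_i = H(D_{i-1} || passphrase || salt)
        block = hashlib.new(md, block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def pbkdf2_kdf(passphrase, salt, md="sha256", iterations=10000,
               key_len=32, iv_len=16):
    """What -pbkdf2 selects; 10000 is the default when -iter is not given."""
    material = hashlib.pbkdf2_hmac(md, passphrase, salt, iterations,
                                   key_len + iv_len)
    return material[:key_len], material[key_len:]

def passphrase_from_kfile_bytes(data):
    """-kfile uses the first line of the file, without its line ending."""
    return data.split(b"\n", 1)[0].rstrip(b"\r")

if __name__ == "__main__":
    salt, ct = parse_enc_blob("U2FsdGVkX1+OA++hZRtIx8hSXmw19lUpHJbH4/jbNIo=")
    print("salt:", salt.hex(), "ciphertext bytes:", len(ct))
    # Constructed key-file contents: A is the right file, B the wrong one.
    file_a = passphrase_from_kfile_bytes(b"Secret surprise\n")
    file_b = passphrase_from_kfile_bytes(b"some other file\n")
    for name, kdf in (("legacy", legacy_kdf), ("pbkdf2", pbkdf2_kdf)):
        for label, pw in (("kfile A", file_a), ("kfile B", file_b)):
            key, iv = kdf(pw, salt)
            print(name, label, "key", key.hex()[:16], "iv", iv.hex()[:8])
```

Calling `legacy_kdf` with `md="md5"` shows the same effect for a digest mismatch: both sides must pass the same `-md`, and the same choice of `-pbkdf2`, or the keys differ.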
