OpenSSL error message when decrypting Ethereum encrypted private key

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

OpenSSL error message when decrypting Ethereum encrypted private key

Chris B
I'm trying to help someone recover his password for an older format ethereum encrypted private key (EPK). My plan has been to use his best guess at the password to brute force the actual password.

The EPK is a 132 character string, and it looks something like this: U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE8e2a

(That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)

This article (https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/) seems to describe a very similar EPK. The author of that post decrypted their key with the following command:

openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"

I have tried this same approach, but I'm getting an error:

EVP_DecryptFinal_ex:wrong final block length

Here's an example:

/usr/bin/openssl enc -d -aes-256-cbc -a -in enc_private_key.txt -out recovered.key -pass pass:TheBig7ebowski

And here's the output:

bad decrypt

140220549330848:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:

I'm not sure how to interpret that output. I could interpret it as:
o Your system for decrypting the password is perfect, but: this is not the right password.
o There's something wrong with the EPK -- its length must be a multiple of the AES block length.
o There's something wrong with the unencrypted private key -- its length must be a multiple of the AES block length.
o Something else entirely

Can anyone help me understand how to interpret this error message?

Thanks,
Chris

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL error message when decrypting Ethereum encrypted private key

OpenSSL - User mailing list

For CBC the encrypted text will be a multiple of the cipher size.  So your use of CBC is wrong.  The quoted post uses aes256; you were using aes-cbc

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL error message when decrypting Ethereum encrypted private key

Chris B
Hi Rich,

Thank you very much for the reply.

I get the same error message using -aes256 as -aes-256-cbc

/usr/bin/openssl enc -d -aes256 -a -in enc_private_key.txt -out recovered.key -pass pass:TheBig7ebowski


bad decrypt

140383648536480:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:


Thanks,
Chris

On Sun, Jan 14, 2018 at 10:39 AM, Salz, Rich via openssl-users <[hidden email]> wrote:

For CBC the encrypted text will be a multiple of the cipher size.  So your use of CBC is wrong.  The quoted post uses aes256; you were using aes-cbc

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL error message when decrypting Ethereum encrypted private key

Viktor Dukhovni
In reply to this post by Chris B


> On Jan 14, 2018, at 10:26 AM, Chris B <[hidden email]> wrote:
>
> I'm trying to help someone recover his password for an older format ethereum encrypted private key (EPK). My plan has been to use his best guess at the password to brute force the actual password.
>
> The EPK is a 132 character string, and it looks something like this: U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE8e2a
>
> (That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)

This input is base64 encoded:

$ openssl base64 -d <<END | od -c
U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCK
Dy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE
8e2a
END
0000000    S   a   l   t   e   t   _   _   9   3 326  \0   k 375 273 246
0000020    a   / 027   0 271 246 242 310 343 025 253 003 252   . 031   P
0000040  261 320   G 211 366 317 003 315 341 256 006 326  \t   <   0 212
0000060  017   -   & 363   L 257 035 324 030  \f 303 332 370   |   /    ؓ
0000100   **   ۸  **   b   M 241   C   ! 025   j   \   A   m   U 027 000
0000120   \0 313   K   X   o 265 255 277   o 210   E   f   s   r 233 004
0000140  361 100 232

This does indeed look a lot like "openssl enc" output:

$ echo foobar | openssl enc -aes256 -pass pass:foobar | od -c
0000000    S   a   l   t   e   d   _   _ 263   f 243  \0 242   ~ 031   3
0000020  266 035   Y 310 367 300 366 264 247   :   $   s 236 266   4 340
0000040

Except that for some reason the "d" in "Salted" is a "t".  Funny that these
are the voiced and unvoiced variants of the same consonant, but note also
that the ASCII code for 'd' = 0x64 and 't' = 0x74, so this is a 1 bit change.
Any chance this is data corruption?

>
> This article (https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/)
> seems to describe a very similar EPK.

In that sample, the base64-decoded data starts with "Salted__" as expected.

> The author of that post decrypted their key with the following command:
>
> openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"

Hard to say whether that's correct, rather depends on the format of "FILE_OF_KEYS".
You could try a dictionary attack on the actual 132-byte string, after base64-decoding,
provided it is not corrupted.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL error message when decrypting Ethereum encrypted private key

Chris B
>Any chance this is data corruption?

Brilliant!  You caught me.  Although this key is encrypted I wasn't comfortable making it public on the interwebs.  So, I randomly changed several of the characters.  If I run openssl base64 -d... on the actual key it does indeed begin with Salted__:

$ openssl base64 -d -in enc_private_key.txt | od -c


0000000   S   a   l   t   e   d   _   _


>You could try a dictionary attack on the actual 132-byte string, after base64-decoding,

>provided it is not corrupted.

This is basically what I was trying to do, although I was simply running a few hundred thousand strings that are related to the best guess password, rather using a dictionary attack.

Is there a better command to proceed with a brute force attack than this one?

/usr/bin/openssl enc -d -aes-256-cpc -a -in enc_private_key.txt -out recovered.key


As I understand:

  • openssl enc -d => decrypt using openssl
  • -aes-256-cpc   => use the AES 256 CPC algorithm
  • -a             => base64 decrypt
  • -in            => read the encrypted string from enc_private_key.txt
  • -out           => write the unencrypted string to recovered.key

I tried running openssl in two steps: first doing the base64 decoding, then decrypting with -aes256, which I believe is functionally the same as the command mentioned above:

$ openssl base64 -d -in enc_private_key.txt | openssl enc -d -aes256 -out recovered.key

enter aes-256-cbc decryption password:

bad decrypt

139845090879392:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:


Which brings me back to the original question.  Does anyone know how to interpret "EVP_DecryptFinal_ex:wrong final block length" 

Thanks!
-Chris

On Sun, Jan 14, 2018 at 11:21 AM, Viktor Dukhovni <[hidden email]> wrote:


> On Jan 14, 2018, at 10:26 AM, Chris B <[hidden email]> wrote:
>
> I'm trying to help someone recover his password for an older format ethereum encrypted private key (EPK). My plan has been to use his best guess at the password to brute force the actual password.
>
> The EPK is a 132 character string, and it looks something like this: U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE8e2a
>
> (That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)

This input is base64 encoded:

$ openssl base64 -d <<END | od -c
U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCK
Dy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE
8e2a
END
0000000    S   a   l   t   e   t   _   _   9   3 326  \0   k 375 273 246
0000020    a   / 027   0 271 246 242 310 343 025 253 003 252   . 031   P
0000040  261 320   G 211 366 317 003 315 341 256 006 326  \t   <   0 212
0000060  017   -   & 363   L 257 035 324 030  \f 303 332 370   |   /    ؓ
0000100   **   ۸  **   b   M 241   C   ! 025   j   \   A   m   U 027 000
0000120   \0 313   K   X   o 265 255 277   o 210   E   f   s   r 233 004
0000140  361 100 232

This does indeed look a lot like "openssl enc" output:

$ echo foobar | openssl enc -aes256 -pass pass:foobar | od -c
0000000    S   a   l   t   e   d   _   _ 263   f 243  \0 242   ~ 031   3
0000020  266 035   Y 310 367 300 366 264 247   :   $   s 236 266   4 340
0000040

Except that for some reason the "d" in "Salted" is a "t".  Funny that these
are the voiced and unvoiced variants of the same consonant, but note also
that the ASCII code for 'd' = 0x64 and 't' = 0x74, so this is a 1 bit change.
Any chance this is data corruption?

>
> This article (https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/)
> seems to describe a very similar EPK.

In that sample, the base64-decoded data starts with "Salted__" as expected.

> The author of that post decrypted their key with the following command:
>
> openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"

Hard to say whether that's correct, rather depends on the format of "FILE_OF_KEYS".
You could try a dictionary attack on the actual 132-byte string, after base64-decoding,
provided it is not corrupted.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL error message when decrypting Ethereum encrypted private key

Matt Caswell-2
In reply to this post by Chris B


On 14/01/18 15:26, Chris B wrote:

> I'm trying to help someone recover his password for an older format
> ethereum encrypted private key (EPK). My plan has been to use his best
> guess at the password to brute force the actual password.
>
> The EPK is a 132 character string, and it looks something like this:
> U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE8e2a
>
> (That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)
>
> This article
> (https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/)
> seems to describe a very similar EPK. The author of that post decrypted
> their key with the following command:
>
> openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"
>
> I have tried this same approach, but I'm getting an error:
>
> EVP_DecryptFinal_ex:wrong final block length

What version of OpenSSL are you using. The quoted article was written 2
years ago so definitely wasn't using OpenSSL 1.1.0. If you *are* using
1.1.0 then the default digest was changed between 1.0.2 and 1.1.0. Old
OpenSSL "enc" output defaulted to md5. The current default is sha256:

https://www.openssl.org/docs/faq.html#USER3

Try adding "-md md5" onto your command line.

Matt


>
> Here's an example:
>
> /usr/bin/openssl enc -d -aes-256-cbc -a -in enc_private_key.txt -out
> recovered.key -pass pass:TheBig7ebowski
>
> And here's the output:
>
> bad decrypt
>
> 140220549330848:error:0606506D:digital envelope
> routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:
>
> I'm not sure how to interpret that output. I could interpret it as:
> o Your system for decrypting the password is perfect, but: this is not
> the right password.
> o There's something wrong with the EPK -- its length must be a multiple
> of the AES block length.
> o There's something wrong with the unencrypted private key -- its length
> must be a multiple of the AES block length.
> o Something else entirely
>
> Can anyone help me understand how to interpret this error message?
>
> Thanks,
> Chris
>
>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL error message when decrypting Ethereum encrypted private key

Chris B
Hi Matt,

>If you *are* using 1.1.0 then the default digest was changed between 1.0.2 and 1.1.0.
Awesome thought, but I'm also using 1.0.2:

$ openssl version

OpenSSL 1.0.2k-fips  26 Jan 2017


(I also tried adding -md md5 to the previous command, but I got the same error message).

Thanks,
Chris

On Sun, Jan 14, 2018 at 6:03 PM, Matt Caswell <[hidden email]> wrote:


On 14/01/18 15:26, Chris B wrote:
> I'm trying to help someone recover his password for an older format
> ethereum encrypted private key (EPK). My plan has been to use his best
> guess at the password to brute force the actual password.
>
> The EPK is a 132 character string, and it looks something like this:
> U2FsdGV0X185M9YAa/27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ9s8DzeGuBtYJPDCKDy0m80yvHdQYDMPa+Hwv2JPbuGJNoUMhFWpcQW1VF+EAy0tYb7Wtv2+IRWZzcpsE8e2a
>
> (That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)
>
> This article
> (https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/)
> seems to describe a very similar EPK. The author of that post decrypted
> their key with the following command:
>
> openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"
>
> I have tried this same approach, but I'm getting an error:
>
> EVP_DecryptFinal_ex:wrong final block length

What version of OpenSSL are you using. The quoted article was written 2
years ago so definitely wasn't using OpenSSL 1.1.0. If you *are* using
1.1.0 then the default digest was changed between 1.0.2 and 1.1.0. Old
OpenSSL "enc" output defaulted to md5. The current default is sha256:

https://www.openssl.org/docs/faq.html#USER3

Try adding "-md md5" onto your command line.

Matt


>
> Here's an example:
>
> /usr/bin/openssl enc -d -aes-256-cbc -a -in enc_private_key.txt -out
> recovered.key -pass pass:TheBig7ebowski
>
> And here's the output:
>
> bad decrypt
>
> 140220549330848:error:0606506D:digital envelope
> routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:
>
> I'm not sure how to interpret that output. I could interpret it as:
> o Your system for decrypting the password is perfect, but: this is not
> the right password.
> o There's something wrong with the EPK -- its length must be a multiple
> of the AES block length.
> o There's something wrong with the unencrypted private key -- its length
> must be a multiple of the AES block length.
> o Something else entirely
>
> Can anyone help me understand how to interpret this error message?
>
> Thanks,
> Chris
>
>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: [EXTERNAL] Re: OpenSSL error message when decrypting Ethereum encrypted private key

Sands, Daniel
On Sun, 2018-01-14 at 18:26 -0500, Chris B wrote:
Hi Matt,

>If you *are* using 1.1.0 then the default digest was changed between 1.0.2 and 1.1.0.
Awesome thought, but I'm also using 1.0.2:

$ openssl version

OpenSSL 1.0.2k-fips  26 Jan 2017


(I also tried adding -md md5 to the previous command, but I got the same error message).

Option #1 from the possibilities you mentioned below seems to be the most logical to me. If you use the wrong key, the padding data in the last block will also be decrypted to the wrong values, so the padding block check will fail. The padding is a necessary part of decryption because it needs to know how much plaintext is actually represented by that last block.


> I'm not sure how to interpret that output. I could interpret it as:
> o Your system for decrypting the password is perfect, but: this is not
> the right password.
> o There's something wrong with the EPK -- its length must be a multiple
> of the AES block length.
> o There's something wrong with the unencrypted private key -- its length
> must be a multiple of the AES block length.
> o Something else entirely


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: [EXTERNAL] Re: OpenSSL error message when decrypting Ethereum encrypted private key

Chris B
Hi Daniel,

>Option #1 from the possibilities you mentioned below seems to be the most logical to me.
Thank you, that's very helpful.

Thanks,
Chris

On Mon, Jan 15, 2018 at 1:29 PM, Sands, Daniel <[hidden email]> wrote:
On Sun, 2018-01-14 at 18:26 -0500, Chris B wrote:
Hi Matt,

>If you *are* using 1.1.0 then the default digest was changed between 1.0.2 and 1.1.0.
Awesome thought, but I'm also using 1.0.2:

$ openssl version

OpenSSL 1.0.2k-fips  26 Jan 2017


(I also tried adding -md md5 to the previous command, but I got the same error message).

Option #1 from the possibilities you mentioned below seems to be the most logical to me. If you use the wrong key, the padding data in the last block will also be decrypted to the wrong values, so the padding block check will fail. The padding is a necessary part of decryption because it needs to know how much plaintext is actually represented by that last block.


> I'm not sure how to interpret that output. I could interpret it as:
> o Your system for decrypting the password is perfect, but: this is not
> the right password.
> o There's something wrong with the EPK -- its length must be a multiple
> of the AES block length.
> o There's something wrong with the unencrypted private key -- its length
> must be a multiple of the AES block length.
> o Something else entirely


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: [EXTERNAL] Re: OpenSSL error message when decrypting Ethereum encrypted private key

Chris B
Thank you to everyone that has weighed in on my question.  Unfortunately, I have yet to find an answer that I'm fully satisfied with.

I'm trying a different approach: I would like to create a sample encrypted Ethereum private key that shares the same 132 character PEM format as the string I'm trying to decrypt.  I can then attempt to decrypt that string with an incorrect password, and see if I get the EVP_DecryptFinal_ex:wrong final block length error.  Does that make sense?

Here's my basic approach.  I'm starting with Vincent Kobel's excellent "Create a Full Ethereum Wallet, Keypair and Address" article (https://kobl.one/blog/create-full-ethereum-keypair-and-address/)

He creates a 132-character PEM formatted unencrypted private key with this command:

openssl ecparam -name secp256k1 -genkey -noout

Unless I have completely failed at reading the man page correctly, there's no way to assign a password from the ecparam command.

I write the 132 character unencrypted private key (not the -----BEGIN/END EC PRIVATE KEY-----  characters) to a file named sample_pk.pem and I encrypt it with openssl:

openssl enc -e -aes-256-cbc -a -in sample_pk.pem -out sample_epk.pem -pass pass:secret


I now have a 256 character encrypted private string.  (Note, the string length is 256 characters whether I use AES-128 or AES-256.  That's probably obvious to all of you, but it wasn't to me).

If I decrypt that string with the correct password


openssl enc -d -aes256 -a -in sample_epk.pem -out recovered.key -pass pass:secret


I get my original unencrypted private key back.  Excellent!


However, If I decrypt that string with an incorrect password:

openssl enc -d -aes256 -a -in sample_epk.pem -out recovered.key -pass pass:secr3t

I get a new error message:

EVP_DecryptFinal_ex:bad decrypt


And, that message does not match the EVP_DecryptFinal_ex:wrong final block length error message I was hoping to get.


I think that all that I have proven with this exercise is that the original unencrypted private key was:

  • not a 132 character PEM formatted unencrypted private key
  • and/or
  • it was not encrypted using the -aes-256-cbc encryption algorithm
So, on to the question!  Can anyone help me figure out how to create an Ethereum private key such that when it is encrypted it is a 132 character long PEM formatted string?

Alternately, is there a process for taking an encrypted string, and "backing in" to the details of how it was created?  (ie what algorithm, etc?)
 
Thanks,
Chris


On Mon, Jan 15, 2018 at 2:01 PM, Chris B <[hidden email]> wrote:
Hi Daniel,

>Option #1 from the possibilities you mentioned below seems to be the most logical to me.
Thank you, that's very helpful.

Thanks,
Chris

On Mon, Jan 15, 2018 at 1:29 PM, Sands, Daniel <[hidden email]> wrote:
On Sun, 2018-01-14 at 18:26 -0500, Chris B wrote:
Hi Matt,

>If you *are* using 1.1.0 then the default digest was changed between 1.0.2 and 1.1.0.
Awesome thought, but I'm also using 1.0.2:

$ openssl version

OpenSSL 1.0.2k-fips  26 Jan 2017


(I also tried adding -md md5 to the previous command, but I got the same error message).

Option #1 from the possibilities you mentioned below seems to be the most logical to me. If you use the wrong key, the padding data in the last block will also be decrypted to the wrong values, so the padding block check will fail. The padding is a necessary part of decryption because it needs to know how much plaintext is actually represented by that last block.


> I'm not sure how to interpret that output. I could interpret it as:
> o Your system for decrypting the password is perfect, but: this is not
> the right password.
> o There's something wrong with the EPK -- its length must be a multiple
> of the AES block length.
> o There's something wrong with the unencrypted private key -- its length
> must be a multiple of the AES block length.
> o Something else entirely


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users