Quantcast

id-aes256-GCM command line encrypt+decrypt fail

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

id-aes256-GCM command line encrypt+decrypt fail

fuzic
Hello,
I am trying to encrypt and decrypt a string using command-line openssl (1.0.1c) with the id-aes256-GCM algorithm, but every time it fails

echo -n "bla" | openssl enc -e -id-aes256-GCM -nosalt -a -out t.out
openssl enc -d -id-aes256-GCM -nosalt -a -in t.out

bad decrypt

This is true whether I use manually specified key/IV or password, with or without salt. The same commands work with other algorithms. What am I missing?

Thanks
Mark
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: id-aes256-GCM command line encrypt+decrypt fail

Matt Caswell (frodo@baggins.org)
See:
http://marc.info/?l=openssl-users&m=134867395821086&w=2


On 11 October 2012 17:19, [hidden email] <[hidden email]> wrote:
Hello,
I am trying to encrypt and decrypt a string using command-line openssl (1.0.1c) with the id-aes256-GCM algorithm, but every time it fails

echo -n "bla" | openssl enc -e -id-aes256-GCM -nosalt -a -out t.out
openssl enc -d -id-aes256-GCM -nosalt -a -in t.out

bad decrypt

This is true whether I use manually specified key/IV or password, with or without salt. The same commands work with other algorithms. What am I missing?

Thanks
Mark

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: id-aes256-GCM command line encrypt+decrypt fail

Erik Tkal
In reply to this post by fuzic

I think Steve posted a while back that those ciphers require special handling and do not work with the enc command yet.


....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Thursday, October 11, 2012 12:19 PM
To: [hidden email]
Subject: id-aes256-GCM command line encrypt+decrypt fail

 

Hello,

I am trying to encrypt and decrypt a string using command-line openssl (1.0.1c) with the id-aes256-GCM algorithm, but every time it fails

 

echo -n "bla" | openssl enc -e -id-aes256-GCM -nosalt -a -out t.out

openssl enc -d -id-aes256-GCM -nosalt -a -in t.out

 

bad decrypt

 

This is true whether I use manually specified key/IV or password, with or without salt. The same commands work with other algorithms. What am I missing?

 

Thanks

Mark

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: id-aes256-GCM command line encrypt+decrypt fail

michel-60
In reply to this post by fuzic
I am guessing that 'special handling' is linked to the 'no additional
authentication data' issue discussed in :
http://incog-izick.blogspot.fr/2011_08_01_archive.html

Le 11/10/2012 22:33, Erik Tkal a écrit :
> I think Steve posted a while back that those ciphers require special handling and do not work with the enc command yet.
>
> ....................................
> Erik Tkal
> Juniper OAC/UAC/Pulse Development
>
>
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: id-aes256-GCM command line encrypt+decrypt fail

Dr. Stephen Henson
On Fri, Oct 12, 2012, Michel wrote:

> I am guessing that 'special handling' is linked to the 'no
> additional authentication data' issue discussed in :
> http://incog-izick.blogspot.fr/2011_08_01_archive.html
>

It's to do with the fact that additional parameters are required with GCM and
how the tag should be handled. It might be appropriate to handle this by
appending it to the output but that adds complications on decrypt in that you
don't know in advance where the tag is and would need to buffer tag bytes
of data until you hit EOF.

None of this is handled by the cipher BIO used by the enc command some
additional functionality will be needed for this (and CCM).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: id-aes256-GCM command line encrypt+decrypt fail

michel-60
In reply to this post by michel-60
Thanks for the explanation Mr. Henson.

I do not wish to take up too much of your time, but as I am still trying
to understand OpenSSL, I would be grateful if you can add a few words on
how you cope with this in TLS, and point me to the corresponding source
code.

Thanks again,

Michel.

Le 12/10/2012 19:26, Dr. Stephen Henson a écrit :

> On Fri, Oct 12, 2012, Michel wrote:
>
>> I am guessing that 'special handling' is linked to the 'no
>> additional authentication data' issue discussed in :
>> http://incog-izick.blogspot.fr/2011_08_01_archive.html
>>
> It's to do with the fact that additional parameters are required with GCM and
> how the tag should be handled. It might be appropriate to handle this by
> appending it to the output but that adds complications on decrypt in that you
> don't know in advance where the tag is and would need to buffer tag bytes
> of data until you hit EOF.
>
> None of this is handled by the cipher BIO used by the enc command some
> additional functionality will be needed for this (and CCM).
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Loading...