I have been encrypting messages with a nodejs module like so:
var crypto = require('crypto'),
algorithm = 'aes-256-ctr',
password = 'd6F3Efeq';
function encrypt(text){
var cipher = crypto.createCipher(algorithm,password)
var crypted = cipher.update(text,'utf8','hex')
crypted += cipher.final('hex');
return crypted;
}
(from here:https://lollyrock.com/articles/nodejs-encryption/)
However, using the same secret, same algorithm and same mode I cannot decrypt this using cryptography in Python.
Here's one of the things I've tried:
crypto = AES.new(password, AES.MODE_CTR)
print(crypto.decrypt(message.decode("hex")))
Returns binary data. Encoding it in UTF-8 fails, and most interestingly:
it seems AWS.new generates a random iv each time, and the result of the decryption is different for each run!
.. Now, the nodeJS library does not return a Nonce, so I don't know what else to bring with me from the NodeJS function apart from the ciphertext and the password (secret) - any ideas?
Related
I'm encrypting a key with a public key with the cryptography library, in Python.
key_path = "key.bin"
key = secrets.token_bytes(32)
with open(key_path, "w") as key_file:
key_file.write(key.hex())
with open(public_key, "rb") as public_key_file:
public_key = serialization.load_pem_public_key(public_key_file.read())
padding_config = padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA256()),
algorithm=hashes.SHA256(),
label=None
)
enc_path = key_path + ".enc"
with open(enc_path, "wb") as enc_file:
bytes_array = public_key.encrypt(content, padding_config)
enc_file.write(bytes_array)
This works well, afaik, but the code reading this key is in Rust, which is simply a FFI to openssl C calls. There's not many option with openssl. You can't choose an "algorithm", a "mgf" and a "label. Padding is simply an enum, so I picked the obvious one PKCS1_OAEP.
use openssl::{
cipher::Cipher,
cipher_ctx::CipherCtx,
pkey::Private,
rsa::{Padding, Rsa},
};
pub fn decrypt(key_file: File, pk: &str, pass: &str) -> String {
let rsa = Rsa::private_key_from_pem_passphrase(pk.as_bytes(), pass.as_bytes())
.expect("Can't build RSA object from PEM");
let mut encrypted = vec![];
key_file.read_to_end(&mut encrypted).expect("Can't read encrypted key file");
let mut decrypted: Vec<u8> = vec![0; rsa.size() as usize];
rsa.private_decrypt(&encrypted, &mut decrypted, Padding::PKCS1_OAEP).unwrap();
String::from_utf8(decrypted)
}
But I get this error:
ErrorStack([
Error { code: 67571871, library: "rsa routines", function: "RSA_padding_check_PKCS1_type_2", reason: "pkcs decoding error", file: "../crypto/rsa/rsa_pk1.c", line: 251 },
Error { code: 67522674, library: "rsa routines", function: "rsa_ossl_private_decrypt", reason: "padding check failed", file: "../crypto/rsa/rsa_ossl.c", line: 500 }
])
I know that the Rust code is "right" because it was working well (with Padding::PKCS1) in a previous version when I was using subprocess calls to openssl instead of the cryptography library. And anyway there's only the Padding enum to change here.
openssl documentation tells me that
RSA_PKCS1_OAEP_PADDING
EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty encoding parameter. This mode is recommended for all new applications.
but using hashes.SHA1() didn't change anything. How should I setup my padding so that openssl accepts decrypting it?
Presumably, the posted Rust code uses the RFC8017 default values for the OAEP parameters, namely SHA-1 for the content digest and the MGF1 digest, and an empty label.
The posted Python code, on the other hand, applies SHA-256 for both digests, which is why the two codes are incompatible. You have to set both digests to SHA-256 on the Rust side (alternatively you could use SHA-1 on the Python side).
Here you can find a Rust sample implementation for OAEP. The setting of the OAEP padding is done with set_rsa_padding(Padding::PKCS1_OAEP). To avoid using the SHA-1 default value for the content digest, the content digest must be set explicitly with set_rsa_oaep_md(MessageDigest::sha256()). The MGF1 digest is implicitly set with the content digest (since contents and MGF1 digests are identical in the posted example, the MGF1 digest does not need to be explicitly set here).
If a different MGF1 digest is to be used, set_rsa_mgf1_md() must be used. If a label is to be set, set_rsa_oaep_label(). Note, however, that the label is actually always left empty (which should also not be changed for compatibility reasons).
Test:
Using the posted Python code, the base64 encoded 32 bytes key
AAECAwQFBgcICQoLDA0OD/Dx8vP09fb3+Pn6+/z9/v8=
is encrypted as follows (Base64 encoded):
oU1PwQRE0ZEr71OOfoNHLpmjXyTAfdZroeQhX4WLAhXpfTMkEMJ0YptHgFDirJ5fdZ9yRl+y1y6jZSpG7oj5wtJkDa4BeLba++Q1UZcKlne4rfYMEPDrkTCjyHyNskuJuLh3FW+HCp70tRzvgSoBpoIwyxWl3VREYRcJEAdzGwRj0d6JNCO4M3BHX7g59to5urOkTXB7MfcAEz1Ba4AdeNYrZK4XD8GjAqnI95X3Z4F8PoLGMP1eMif0fpNizxZo7hzTfEsfjdlkyfTWLZfxuZ9qZMIpkiQNNEWWMt66FmVgFyi8zngz/Tj5Tk7cNzrWOT5BDaFCxrJF1kHoHobojA==
Note that OAEP is not deterministic, i.e. repeated encryption with the same key and plaintext produces different ciphertexts.
This ciphertext can be decrypted with the following Rust code:
use openssl::encrypt::{Decrypter};
use openssl::rsa::{Rsa, Padding};
use openssl::pkey::PKey;
use openssl::hash::MessageDigest;
use base64::{engine::general_purpose, Engine as _};
fn main() {
// Import private key
let pem_private = "-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAunF5aDa6HCfLMMI/MZLT5hDk304CU+ypFMFiBjowQdUMQKYH
Z+fklB7GpLxCatxYJ/hZ7rjfHH3Klq20/Y1EbYDRopyTSfkrTzPzwsX4Ur/l25Ct
dQldhHCTMgwf/Ev/buBNobfzdZE+Dhdv5lQwKtjI43lDKvAi5kEet2TFwfJcJrBi
RJeEcLfVgWTXGRQn7gngWKykUu5rS83eAU1xH9FLojQfyia89/EykiOO7/3UWwd+
MATZ9HLjSx2/Lf3g2jr81eifEmYDlri/OZp4OhZu+0Bo1LXloCTe+vmIQ2YCX7Ea
tUOuyQMt2Vwx4uV+d/A3DP6PtMGBKpF8St4iGwIDAQABAoIBAEpSY9BMSKJippgY
RvKvEjNbNrFhuoHUDI7OjBHpbkU/9XNr+/XKtg7pucv/lAZfMfE1Cjyki6Qi7Phl
5IlSoB16xZaqDfjmEAKxthFFs7jg8HM3WD4YbqQV8Ed6F+IONZPwbGH0H2QVcwRR
CXVqyAy8gFBVjZX3RiI9gU4gKMkn8qpmpr5lvG7L3PHKIhpWdvFAvOf16sfcDs43
hqEZAh+z3EzJXPRe0sUrYcF/5NVQV5jTh2vh8xjoDv1t5NSw6iW6tsCo2U1t4lRI
NlaHY8YASzJtDLnkhqCOiLmmUjzMhRDN4BrwtvnAwSNki/2poYk1Gv1Q5U1cPyCm
0rmq/bkCgYEA3e+jND6OS6ofGYUN6G4RapHzuRAV8ux1C9eXMOdZFbcBehn/ydhz
R48LIPTW9HiRE00um27lXfW5/POCaEUvfOp1UxTWeHZ4xICo40PBo383ZKW1MbES
1oiMbjkEqSFGRnTItnLU07bKbzLA7I0UWHWCEAnv0g7HRxk973FAsm8CgYEA1w8+
olZ2POBYeYgw1a0DkeJWKMQi/4pAgyYwustZo0dHlRXQT0OI9XQ0j1PZWoQS28tF
cmoEAg6f5MUDpdM9swS0SOCPI1Lc/f/Slus3u1O3UCezk37pneSPezskDhvV2cCl
JEYH8m/zwDAUlEi4KLIt/H/jgtyDd6pbxxc78RUCgYEAiE6VAxJknM4oeakBiL6J
TdXEReY+RMu7e4F2518/lJmoe5CaTCL3cnzFTgFyQAYIvD0MIgSzNMkl6Ni6QEY1
y1fIpTVIIAZLWAzZLXPA6yTIJbWsmo9xzXdiIJQ+a433NnClkYDne/xpSnB2kxJ2
63mIX0drFq1i8STsqDH7lVsCgYBWpQmzFeqlNC3xKPGj5QTfLbVQz1TaZ7T+IdDY
MT14DyvD4PoANVFksuDKLhoP4c5HR2o/Yn8i5Ql+ffGuSaE+EtMf2XlR3fyzSPJr
Y3Ecw+nDHXu4HRW6S2+TUoyAMq7CAF+Icb6Z6ojmEXj5FSM9Iixs4omjG3zMJZK8
b5vy0QKBgQCz0W7UmxNqT4Lzhyh0xj6+4Cm5rFlWznEAPKxvNNU9/Fv1D3tV7cpz
BI880NvTmlXkML1Dffg8RVyemL8I+ooeFnatdPYuzqNXw5zHMzkDfQynIdnjQB6z
UjjMiwwgZvvsG8hwLEtk9FTvPoMywAb4mZuQBQkFn5HuC2aOZjktdA==
-----END RSA PRIVATE KEY-----";
let private_key = Rsa::private_key_from_pem(pem_private.as_bytes()).unwrap();
let private_key = PKey::from_rsa(private_key).unwrap();
// Import Base64 encoded ciphertext
let data = "oU1PwQRE0ZEr71OOfoNHLpmjXyTAfdZroeQhX4WLAhXpfTMkEMJ0YptHgFDirJ5fdZ9yRl+y1y6jZSpG7oj5wtJkDa4BeLba++Q1UZcKlne4rfYMEPDrkTCjyHyNskuJuLh3FW+HCp70tRzvgSoBpoIwyxWl3VREYRcJEAdzGwRj0d6JNCO4M3BHX7g59to5urOkTXB7MfcAEz1Ba4AdeNYrZK4XD8GjAqnI95X3Z4F8PoLGMP1eMif0fpNizxZo7hzTfEsfjdlkyfTWLZfxuZ9qZMIpkiQNNEWWMt66FmVgFyi8zngz/Tj5Tk7cNzrWOT5BDaFCxrJF1kHoHobojA==";
let encrypted = general_purpose::STANDARD.decode(&data).unwrap();
// Decrypt ciphertext
let mut decrypter = Decrypter::new(&private_key).unwrap();
decrypter.set_rsa_padding(Padding::PKCS1_OAEP).unwrap();
decrypter.set_rsa_oaep_md(MessageDigest::sha256()).unwrap();
//decrypter.set_rsa_mgf1_md(MessageDigest::sha256()).unwrap(); // implicitly set
// Create an output buffer
let buffer_len = decrypter.decrypt_len(&encrypted).unwrap();
let mut decrypted = vec![0; buffer_len];
// Encrypt and truncate buffer
let decrypted_len = decrypter.decrypt(&encrypted, &mut decrypted).unwrap();
decrypted.truncate(decrypted_len);
println!("Decrypted: {}", general_purpose::STANDARD.encode(&decrypted)); // Decrypted: AAECAwQFBgcICQoLDA0OD/Dx8vP09fb3+Pn6+/z9/v8=
}
I am using the following .NET code to generate a key from a password and salt:
static byte[] GenerateKey(string password, string salt, int size)
{
var saltBytes = Encoding.Unicode.GetBytes(salt);
var derivedBytes = new Rfc2898DeriveBytes(password, saltBytes, iterations);
var key = derivedBytes.GetBytes(size);
Console.WriteLine(string.Format("Key: {0}", Convert.ToBase64String(key)));
return key;
}
// Console.Writeline() shows
// Key: tb6yBBYGdZhyFWrpWQ5cm5A1bAI5UF0KnDdom7BhVz0=
// for password="password" and salt="salt"
I need to decode the encoded message using python, a language I am only slightly familiar with, using the same password and salt. Thanks to #Topaco I now know that there is the PBKDF2 equivalent:
def decrypt_file(filename, password, salt):
key = PBKDF2(password, salt, 32, count=12345, hmac_hash_module=SHA1)
print(f"Key: {base64.b64encode(key).decode('utf-8')}");
# more lines redacted
# print() shows
# Key: 3ohW9ctQIXoNvGnvLaKmoQTG8/jJzoFThviHXqgM9Co=
# for password="password" and salt="salt"
I'm having some trouble getting the same key from both implementations. I am not well-versed in python's encoding and decoding; it's entirely likely possible that I am generating the same key but the base64.b64encode(key).decode('utf-8') line is showing me a different translation.
What am I doing wrong here?
You have to encode the salt with UTF-16LE since Encoding.Unicode corresponds to UTF-16LE. The rest is fine:
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Hash import SHA1
import base64
password = b'password'
salt = 'salt'.encode('utf-16le')
key = PBKDF2(password, salt, 32, count=12345, hmac_hash_module=SHA1)
print(base64.b64encode(key).decode('utf-8')) # tb6yBBYGdZhyFWrpWQ5cm5A1bAI5UF0KnDdom7BhVz0=
For completeness: If the password contains non-ASCII characters, the password in the Python code must be encoded with the more specific '...'.encode('utf-8'), since the Rfc2898DeriveBytes overload used in the C# code encodes the password string with UTF-8.
I have a project written in python. I use cryptography library to encrypt and decrypt data.
I do it how is shown in their tutorial.
Here is my python code:
import base64
import os
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
password = b"my password"
salt = os.urandom(16)
kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
length=32,
salt=salt,
iterations=100000,
backend=default_backend())
key = base64.urlsafe_b64encode(kdf.derive(password))
f = Fernet(key)
data = b"my data..."
token = f.encrypt(data)
Then for decryption I can just use:
f.decrypt(token)
Everything works perfectly in python but now I need to do the same thing in kotlin. I found out about fernet java-8 library but I don't know how to use it in the same way.
The problem is that I have two tools: one is written in python and another I want to write in kotlin. Both tools are meant to do the same thing - the python one is for desktop and the kotlin one is gonna be an android app. So it is really important for their encryption to be the same, so that files encrypted in python (desktop tool) can be decrypted in kotlin (android app) and vice versa.
But I don't know how to write analogous kotlin code.
You see there is a function (or class) called PBKDF2HMAC and there is also base64.urlsafe_b64encode and others. And I don't know what are analogous functions in kotlin or fernet java-8.
So how should I do it? Assuming that in kotlin I have to use password and salt I used in python.
Thanks!
In Java/Kotlin, using fernet-java8, the token generated with the Python code could be decrypted as follows:
import java.security.SecureRandom
import java.util.Base64
import javax.crypto.spec.PBEKeySpec
import javax.crypto.SecretKeyFactory
import com.macasaet.fernet.Key
import com.macasaet.fernet.Token
import com.macasaet.fernet.StringValidator
import com.macasaet.fernet.Validator
import java.time.Duration
import java.time.temporal.TemporalAmount
...
// Data from encryption
val salt = Base64.getUrlDecoder().decode("2Yb8EwpYkMlycHxoKcmHuA==")
val token = Token.fromString("gAAAAABfoAmp7C7IWVgA5urICEIspm_MPAGZ-SyGnPEVUBBNerWQ-K6mpSoYTwRkUt3FobyAFHbYfhNtiGMe_96yyLvUoeLIIg==");
// Derive Fernet key
val key = deriveKey("my password", salt)
val fernetKey = Key(key)
// Decrypt
val validator: Validator<String> = object : StringValidator {
override fun getTimeToLive(): TemporalAmount {
return Duration.ofHours(24)
}
}
val data = token.validateAndDecrypt(fernetKey, validator)
println(data) // my data...
with:
fun deriveKey(password: String, salt: ByteArray): String {
val iterations = 100000
val derivedKeyLength = 256
val spec = PBEKeySpec(password.toCharArray(), salt, iterations, derivedKeyLength)
val secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
val key = secretKeyFactory.generateSecret(spec).encoded
return Base64.getUrlEncoder().encodeToString(key)
}
Here the Fernet key is derived using the key derivation function PBKDF2. PBKDF2 expects various input parameters, such as a password, a digest, a salt, an iteration count and the desired key length. In the posted example the key is returned Base64url encoded.For decryption the same parameters must be used as for encryption. Since the salt is usually (as in the posted code) randomly generated during encryption, it must be passed to the decryption side along with the ciphertext (note: the salt is not a secret).
The validator sets the time-to-live (by default 60s) to 24h, see here for more details.
In the posted Python code the export of the salt has to be added, e.g. by Base64url encoding it analogous to key and token (and printing it for simplicity). In practice, salt and token could also be concatenated during encryption and separated during decryption.
Update:
The encryption part is analogous:
// Generate salt
val salt = generateSalt()
println(Base64.getUrlEncoder().encodeToString(salt))
// Derive Fernet key
val key = deriveKey("my password", salt)
val fernetKey = Key(key)
// Encrypt
val data = "my data..."
val token = Token.generate(fernetKey, data)
println(token.serialise()) // the Base64url encoded token
with
fun generateSalt(): ByteArray {
val random = SecureRandom()
val salt = ByteArray(16)
random.nextBytes(salt)
return salt
}
I'm trying to encrypt a message using AES-256-CBC but I get different behavior in Ruby and Python versions. It seems like Python's AES encryption does not add a suffix.
require 'base64'
require 'aescrypt'
key = "z\r}\xE6\xB5\xB0P:\x80D#+\x96S\xAB (\x87\xDD#3x\xB9\xF3\xB4\xE7*qTKz\xC1"
iv = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
data = "\xC7u\xE7\xB7W\xED\xE60\xCD\n\xA1\x11;\xD1\x02f\x1A\xB3\x88)\xCAR\xA6B*\xB7\x82\x86/&\x86F"
Base64.encode64(AESCrypt.encrypt_data(data, key, iv, "AES-256-CBC"))
=> "ldB7M0nr+FP6I9NiogtvysUFfUC2vIt6Hj7cwzEiUEal76Cpyc+x6RTiHgkq\n6j7n\n"
Whereas in Python using cryptography:
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
import base64
backend = default_backend()
key = "z\r}\xE6\xB5\xB0P:\x80D#+\x96S\xAB (\x87\xDD#3x\xB9\xF3\xB4\xE7*qTKz\xC1"
iv = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
data = "\xC7u\xE7\xB7W\xED\xE60\xCD\n\xA1\x11;\xD1\x02f\x1A\xB3\x88)\xCAR\xA6B*\xB7\x82\x86/&\x86F"
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend)
encryptor = cipher.encryptor()
ct = encryptor.update(data) + encryptor.finalize()
base64.b64encode(ct)
=> 'ldB7M0nr+FP6I9NiogtvysUFfUC2vIt6Hj7cwzEiUEY='
You can see the encrypted text produced by Ruby library has extra 16 bytes. I have Java code as well which produces exact same ciphertext as Ruby version. Python code is behaving oddly. How can I change the Python code so that it produces the same ciphertext?
A friend pointed out the problem: the encrypt method requires padded data:
from Crypto.Util.Padding import pad
ct = encryptor.update(pad(data,16)) + encryptor.finalize()
I'm trying to replicate the following python code in ruby. The python code works fine, the ruby code fails due to "padding check failed". I can encrypt a string and decrypt it with the private key in Ruby, but the encrypted data I need to work with is being retrieved from elsewhere. I'm unsure of the library and even language used to encrypt it, but the Python code works.
Working Python code:
def decrypt_secret(encrypted_base64, private_key):
key = RSA.importKey(open(private_key, "r").read())
pkey = PKCS1_OAEP.new(key, hashAlgo=SHA256)
encrypted_blob = base64.urlsafe_b64decode(encrypted_base64)
decrypted_string = pkey.decrypt(encrypted_blob)
return decrypted_string
Ruby Code fails "padding check failed"
def decrypt_secret(encrypted_base64, private_key)
key = File.read(private_key)
pkey = OpenSSL::PKey::RSA.new(key)
encrypted_blob = Base64.urlsafe_decode64(encrypted_base64)
decrypted_string = pkey.private_decrypt(encrypted_blob, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
return decrypted_string
end
I found the needed functions contained in the JOSE gem to support SHA256 OAEP. The following code does the job:
require 'jose'
def decrypt_secret(encrypted_base64, private_key)
key = File.read(private_key)
pkey = OpenSSL::PKey::RSA.new(key)
encrypted_blob = Base64.urlsafe_decode64(encrypted_base64)
decrypted_string = JOSE::JWA::PKCS1::rsaes_oaep_decrypt(OpenSSL::Digest::SHA256, encrypted_blob, pkey)
return decrypted_string
end
It doesn't look like Ruby's OpenSSL wrapper exposes the option to change the hash function for OAEP. You would need to change the Python code to use SHA-1 (default):
pkey = PKCS1_OAEP.new(key)