与 OpenSSL 命令兼容的密钥功能的密码?

Posted

技术标签:

【中文标题】与 OpenSSL 命令兼容的密钥功能的密码?【英文标题】:Password to key function compatible with OpenSSL commands? 【发布时间】:2012-03-18 08:04:55 【问题描述】:

例如命令:

openssl enc -aes-256-cbc -a -in test.txt -k pinkrhino -nosalt -p -out openssl_output.txt

输出类似:

key = 33D890D33F91D52FC9B405A0DDA65336C3C4B557A3D79FE69AB674BE82C5C3D2
iv  = 677C95C475C0E057B739750748608A49

该密钥是如何生成的? (C 代码作为答案太棒了,不能要求 :)) 另外,iv是如何生成的?

在我看来像是某种十六进制。

【问题讨论】:

【参考方案1】:

如果有人通过这里寻找在 Haskell 中工作的、高性能的参考实现,这里是:

import Crypto.Hash
import qualified Data.ByteString    as B
import Data.ByteArray               (convert)
import Data.Monoid                  ((<>))

evpBytesToKey :: HashAlgorithm alg =>
    Int -> Int -> alg -> Maybe B.ByteString -> B.ByteString -> (B.ByteString, B.ByteString)
evpBytesToKey keyLen ivLen alg mSalt password =
    let bytes       = B.concat . take required . iterate go $ hash' passAndSalt
        (key, rest) = B.splitAt keyLen bytes
    in (key, B.take ivLen rest)
  where
    hash'       = convert . hashWith alg
    required    = 1 + ((keyLen + ivLen - 1) `div` hashDigestSize alg)
    passAndSalt = maybe password (password <>) mSalt
    go          = hash' . (<> passAndSalt)

它使用cryptonite 包提供的哈希算法。参数是所需的密钥和 IV 大小(以字节为单位)、要使用的哈希算法(例如 (undefined :: MD5))、可选的盐和密码。结果是 key 和 IV 的元组。

【讨论】:

【参考方案2】:

这是 mbedTLS / Polar SSL 的一个版本 - 已测试并且可以正常工作。


typedef int bool;
#define false 0
#define true (!false)
//------------------------------------------------------------------------------
static bool EVP_BytesToKey( const unsigned int nDesiredKeyLen, const unsigned char* salt,
                            const unsigned char* password, const unsigned int nPwdLen,
                            unsigned char* pOutKey, unsigned char* pOutIV )

    // This is a re-implemntation of openssl's password to key & IV routine for mbedtls.
    //  (See openssl apps/enc.c and /crypto/evp/evp_key.c) It is not any kind of
    //  standard (e.g. PBKDF2), and it only uses an interation count of 1, so it's
    //  pretty crappy. MD5 is used as the digest in Openssl 1.0.2, 1.1 and late
    //  use SHA256. Since this is for embedded system, I figure you know what you've
    //  got, so I made it compile-time configurable.
    //
    //  The signature has been re-jiggered to make it less general. 
    //
    //  See: https://wiki.openssl.org/index.php/Manual:EVP_BytesToKey(3)
    //  And: https://www.cryptopp.com/wiki/OPENSSL_EVP_BytesToKey

#define IV_BYTE_COUNT     16

#if BTK_USE_MD5
#  define DIGEST_BYTE_COUNT 16 // MD5
#else
#  define DIGEST_BYTE_COUNT 32 // SHA
#endif

    bool bRet;
    unsigned char md_buf[ DIGEST_BYTE_COUNT ];
    mbedtls_md_context_t md_ctx;
    bool bAddLastMD = false;
    unsigned int nKeyToGo = nDesiredKeyLen;  // 32, typical
    unsigned int nIVToGo  = IV_BYTE_COUNT;

    mbedtls_md_init( &md_ctx );

#if BTK_USE_MD5
    int rc = mbedtls_md_setup( &md_ctx, mbedtls_md_info_from_type( MBEDTLS_MD_MD5  ), 0 ); 
#else
    int rc = mbedtls_md_setup( &md_ctx, mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ), 0 ); 
#endif

    if (rc != 0 )
    
        fprintf( stderr, "mbedutils_md_setup() failed -0x%04x\n", -rc );
        bRet = false;
        goto exit;
    

    while( 1 )
    
        mbedtls_md_starts( &md_ctx );  // start digest

        if ( bAddLastMD == false )  // first time
        
            bAddLastMD = true;      // do it next time
        
        else
        
            mbedtls_md_update( &md_ctx, &md_buf[0], DIGEST_BYTE_COUNT );
        

        mbedtls_md_update( &md_ctx, &password[0], nPwdLen );
        mbedtls_md_update( &md_ctx, &salt[0], 8 );
        mbedtls_md_finish( &md_ctx, &md_buf[0] );

        //
        // Iteration loop here in original removed as unused by "openssl enc"
        //

        // Following code treats the output key and iv as one long, concatentated buffer
        //   and smears as much digest across it as is available. If not enough, it takes the
        //   big, enclosing loop, makes more digest, and continues where it left off on
        //   the last iteration.
        unsigned int ii = 0;  // index into mb_buf

        if ( nKeyToGo != 0 )    // still have key to fill in?
        
            while( 1 )
            
                if ( nKeyToGo == 0 )               // key part is full/done
                    break;
                if ( ii == DIGEST_BYTE_COUNT )     // ran out of digest, so loop
                    break;

                *pOutKey++ = md_buf[ ii ];         // stick byte in output key
                nKeyToGo--;
                ii++;
            
        

        if ( nIVToGo != 0                    // still have fill up IV
             &&                              // and
             ii != DIGEST_BYTE_COUNT         // have some digest available
           )
        
            while( 1 )
            
                if ( nIVToGo == 0 )              // iv is full/done
                    break;
                if ( ii == DIGEST_BYTE_COUNT )   // ran out of digest, so loop
                    break;
                *pOutIV++ = md_buf[ ii ];        // stick byte in output IV
                nIVToGo--;
                ii++;
            
        

        if ( nKeyToGo == 0  && nIVToGo == 0 )    // output full, break main loop and exit
            break;
     // outermost while loop

    bRet = true;

  exit:
    mbedtls_md_free( &md_ctx );
    return bRet;

【讨论】:

【参考方案3】:

如果有人想在 SWIFT 中实现相同的功能 我在swift中转换了EVP_BytesToKey

 /*
 - parameter keyLen: keyLen
 - parameter ivLen:  ivLen
 - parameter digest: digest e.g "md5" or "sha1"
 - parameter salt:   salt
 - parameter data:   data
 - parameter count:  count

 - returns: key and IV respectively
 */
open static func evpBytesToKey(_ keyLen:Int, ivLen:Int, digest:String, salt:[UInt8], data:Data, count:Int)-> [[UInt8]] 
    let saltData = Data(bytes: UnsafePointer<UInt8>(salt), count: Int(salt.count))
    var both = [[UInt8]](repeating: [UInt8](), count: 2)
    var key = [UInt8](repeating: 0,count: keyLen)
    var key_ix = 0
    var iv = [UInt8](repeating: 0,count: ivLen)
    var iv_ix = 0

    var nkey = keyLen;
    var niv = ivLen;

    var i = 0
    var addmd = 0
    var md:Data = Data()
    var md_buf:[UInt8]

    while true 

        addmd = addmd + 1
        md.append(data)
        md.append(saltData)

        if(digest=="md5")
            md = NSData(data:md.md5()) as Data
        else if (digest == "sha1")
            md = NSData(data:md.sha1()) as Data
        

        for _ in 1...(count-1)

            if(digest=="md5")
                md = NSData(data:md.md5()) as Data
            else if (digest == "sha1")
                md = NSData(data:md.sha1()) as Data
            
        
        md_buf = Array (UnsafeBufferPointer(start: md.bytes, count: md.count))
        //            md_buf = Array(UnsafeBufferPointer(start: md.bytes.bindMemory(to: UInt8.self, capacity: md.count), count: md.length))
        i = 0
        if (nkey > 0) 
            while(true) 
                if (nkey == 0)
                    break
                
                if (i == md.count)
                    break
                
                key[key_ix] = md_buf[i];
                key_ix = key_ix + 1
                nkey = nkey - 1
                i = i + 1
            
        
        if (niv > 0 && i != md_buf.count) 
            while(true) 
                if (niv == 0)
                    break
                
                if (i == md_buf.count)
                    break
                
                iv[iv_ix] = md_buf[i]
                iv_ix = iv_ix + 1
                niv = niv - 1
                i = i + 1
            
        
        if (nkey == 0 && niv == 0) 
            break
        

    
    both[0] = key
    both[1] = iv

    return both


我使用CryptoSwift 作为哈希值。 这是一种更简洁的方式,因为苹果不推荐在 ios 中使用 OpenSSL

更新:Swift 3

【讨论】:

“这是一种更简洁的方式,因为苹果不推荐在 iOS 中使用 OpenSSL……” - OpenSSL 得到更新; iOS 被抛弃了。从长远来看,不要依赖苹果。 @jww 根据我的经验,当苹果说“不推荐”时必须认真对待。我同意你所说的,但我的应用程序没有被拒绝。我知道很多人仍然在 iOS 中使用 OpenSSL(我也这样做了)。我真的很害怕苹果会做出什么决定 这个 Swift 版本真的有效吗?您没有使用“addmd”变量,并且在第一次通过循环之后省略了最后一个摘要的反馈到下一个... 我认为这是因为在您使用的第一个循环中,摘要足够大,可以填充您的密钥和 IV。如果您必须通过多次使用外循环来创建更多摘要,则输出的“右端”将是错误的。这些坏字节可能落在输出键的右端或 IV 中,具体取决于请求的 keyLen 的大小。【参考方案4】:

OpenSSL 使用函数EVP_BytesToKey。您可以在apps/enc.c 中找到对它的调用。如果您没有使用 -md 参数指定不同的摘要,enc 实用程序在密钥派生算法 (KDF) 中默认使用 MD5 摘要。现在它默认使用 SHA-256。这是一个使用 MD5 的工作示例:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/evp.h>

int main(int argc, char *argv[])

    const EVP_CIPHER *cipher;
    const EVP_MD *dgst = NULL;
    unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
    const char *password = "password";
    const unsigned char *salt = NULL;
    int i;

    OpenSSL_add_all_algorithms();

    cipher = EVP_get_cipherbyname("aes-256-cbc");
    if(!cipher)  fprintf(stderr, "no such cipher\n"); return 1; 

    dgst=EVP_get_digestbyname("md5");
    if(!dgst)  fprintf(stderr, "no such digest\n"); return 1; 

    if(!EVP_BytesToKey(cipher, dgst, salt,
        (unsigned char *) password,
        strlen(password), 1, key, iv))
    
        fprintf(stderr, "EVP_BytesToKey failed\n");
        return 1;
    

    printf("Key: "); for(i=0; i<cipher->key_len; ++i)  printf("%02x", key[i]);  printf("\n");
    printf("IV: "); for(i=0; i<cipher->iv_len; ++i)  printf("%02x", iv[i]);  printf("\n");

    return 0;

示例用法:

gcc b2k.c -o b2k -lcrypto -g
./b2k
Key: 5f4dcc3b5aa765d61d8327deb882cf992b95990a9151374abd8ff8c5a7a0fe08
IV: b7b4372cdfbcb3d16a2631b59b509e94

生成与此 OpenSSL 命令行相同的密钥:

openssl enc -aes-256-cbc -k password -nosalt -p < /dev/null
key=5F4DCC3B5AA765D61D8327DEB882CF992B95990A9151374ABD8FF8C5A7A0FE08
iv =B7B4372CDFBCB3D16A2631B59B509E94

OpenSSL 1.1.0c changed the digest algorithm 用于一些内部组件。以前使用MD5,1.1.0改用SHA256。请注意,EVP_BytesToKeyopenssl enc 等命令中的更改不会影响您。

【讨论】:

这救了我的命。我无法使用密码和盐(在 ios 中)获取 openssl 的密钥和 iv。将 openssl 库嵌入到我的项目后,我就可以使用它了。 crypto++中是否有此功能或类似功能的实现? @Troy:我不知道。您可能应该将其作为问题而不是评论来提问。 是否可以像使用 C:\>openssl enc –e -in data.bin -out data.enc -aes-256-cbc -p 这样的方法来加密 char* 或文件–nosalt ,其中 data.bin 是输入文件,data.enc 是加密文件? 请注意,默认为 SHA-256 的 enc 仅适用于 1.1.0,截至 2016 年 6 月仍处于测试阶段。

以上是关于与 OpenSSL 命令兼容的密钥功能的密码?的主要内容,如果未能解决你的问题,请参考以下文章

openssl与java(读取加密码的密钥)

openssl 怎样生成公钥和密钥 x509格式

OpenSSL 功能介绍

openssl命令详解

OpenSSL 功能介绍

Linux自学笔记——OpenSSL命令行工具