Why can't decrypt with OpenSSL if salt changed (for CBC and ECB)

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












A file encrypted with OpenSSL (with, for example, AES 256-bit mode CBC) using the Linux command



openssl enc -aes-256-cbc -in texte -out encrypted_texte -k password


has a salt in the first 16 bytes — with the bytes 8-15 being the salt itself. When the file is decrypted, if the salt is modified, OpenSSL will throw a



bad decrypt 140338977786624:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:520:


error, while if the file was encrypted in mode CFB doesn't give you that error.



Why does this happen? What is different about CFB so that it does not produce an error when the salt is modified, compared to the other blockcipher modes of encryption which bluntly fail? Has it something to do with the padding (CBC and ECB do use padding)?



Here's an example of what I'm trying to do: With dd, just one byte is changed in the salt. When trying to decrypt, openssl with throw the error.



echo 'spam' > food.txt
openssl enc -aes-256-cbc -in food.txt -out food.enc -k IDONTLIKENOSPAM!
printf '?' | dd of=food.enc bs=1 seek=12 count=1 conv=notrunc &> /dev/null
openssl enc -d -aes-256-cbc -in food.enc -out food.bad -k IDONTLIKENOSPAM!





cbc openssl salt aes256







share|improve this question









New contributor




Sean Walsh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 1




    Chances are indeed that the padding is to blame, given that the last block will essentially decrypt to gibberish, you won't get the e.g. 03 03 03 sequences the padding mandates.
    – SEJPM♦
    2 hours ago






  • 1




    I could be wrong, but padding shouldn't be a problem, since the salt has nothing to do with it.
    – Sean Walsh
    2 hours ago














up vote
1
down vote

favorite












A file encrypted with OpenSSL (with, for example, AES 256-bit mode CBC) using the Linux command



openssl enc -aes-256-cbc -in texte -out encrypted_texte -k password


has a salt in the first 16 bytes — with the bytes 8-15 being the salt itself. When the file is decrypted, if the salt is modified, OpenSSL will throw a



bad decrypt 140338977786624:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:520:


error, while if the file was encrypted in mode CFB doesn't give you that error.



Why does this happen? What is different about CFB so that it does not produce an error when the salt is modified, compared to the other blockcipher modes of encryption which bluntly fail? Has it something to do with the padding (CBC and ECB do use padding)?



Here's an example of what I'm trying to do: With dd, just one byte is changed in the salt. When trying to decrypt, openssl with throw the error.



echo 'spam' > food.txt
openssl enc -aes-256-cbc -in food.txt -out food.enc -k IDONTLIKENOSPAM!
printf '?' | dd of=food.enc bs=1 seek=12 count=1 conv=notrunc &> /dev/null
openssl enc -d -aes-256-cbc -in food.enc -out food.bad -k IDONTLIKENOSPAM!





cbc openssl salt aes256







share|improve this question









New contributor




Sean Walsh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 1




    Chances are indeed that the padding is to blame, given that the last block will essentially decrypt to gibberish, you won't get the e.g. 03 03 03 sequences the padding mandates.
    – SEJPM♦
    2 hours ago






  • 1




    I could be wrong, but padding shouldn't be a problem, since the salt has nothing to do with it.
    – Sean Walsh
    2 hours ago












up vote
1
down vote

favorite









up vote
1
down vote

favorite











A file encrypted with OpenSSL (with, for example, AES 256-bit mode CBC) using the Linux command



openssl enc -aes-256-cbc -in texte -out encrypted_texte -k password


has a salt in the first 16 bytes — with the bytes 8-15 being the salt itself. When the file is decrypted, if the salt is modified, OpenSSL will throw a



bad decrypt 140338977786624:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:520:


error, while if the file was encrypted in mode CFB doesn't give you that error.



Why does this happen? What is different about CFB so that it does not produce an error when the salt is modified, compared to the other blockcipher modes of encryption which bluntly fail? Has it something to do with the padding (CBC and ECB do use padding)?



Here's an example of what I'm trying to do: With dd, just one byte is changed in the salt. When trying to decrypt, openssl with throw the error.



echo 'spam' > food.txt
openssl enc -aes-256-cbc -in food.txt -out food.enc -k IDONTLIKENOSPAM!
printf '?' | dd of=food.enc bs=1 seek=12 count=1 conv=notrunc &> /dev/null
openssl enc -d -aes-256-cbc -in food.enc -out food.bad -k IDONTLIKENOSPAM!





cbc openssl salt aes256







share|improve this question









New contributor




Sean Walsh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











A file encrypted with OpenSSL (with, for example, AES 256-bit mode CBC) using the Linux command



openssl enc -aes-256-cbc -in texte -out encrypted_texte -k password


has a salt in the first 16 bytes — with the bytes 8-15 being the salt itself. When the file is decrypted, if the salt is modified, OpenSSL will throw a



bad decrypt 140338977786624:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:520:


error, while if the file was encrypted in mode CFB doesn't give you that error.



Why does this happen? What is different about CFB so that it does not produce an error when the salt is modified, compared to the other blockcipher modes of encryption which bluntly fail? Has it something to do with the padding (CBC and ECB do use padding)?



Here's an example of what I'm trying to do: With dd, just one byte is changed in the salt. When trying to decrypt, openssl with throw the error.



echo 'spam' > food.txt
openssl enc -aes-256-cbc -in food.txt -out food.enc -k IDONTLIKENOSPAM!
printf '?' | dd of=food.enc bs=1 seek=12 count=1 conv=notrunc &> /dev/null
openssl enc -d -aes-256-cbc -in food.enc -out food.bad -k IDONTLIKENOSPAM!





cbc openssl salt aes256




cbc openssl salt aes256






share|improve this question









New contributor




Sean Walsh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Sean Walsh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 2 mins ago









e-sushi♦

13.3k860165




13.3k860165






New contributor




Sean Walsh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 4 hours ago









Sean Walsh

86




86




New contributor




Sean Walsh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Sean Walsh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Sean Walsh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







  • 1




    Chances are indeed that the padding is to blame, given that the last block will essentially decrypt to gibberish, you won't get the e.g. 03 03 03 sequences the padding mandates.
    – SEJPM♦
    2 hours ago






  • 1




    I could be wrong, but padding shouldn't be a problem, since the salt has nothing to do with it.
    – Sean Walsh
    2 hours ago












  • 1




    Chances are indeed that the padding is to blame, given that the last block will essentially decrypt to gibberish, you won't get the e.g. 03 03 03 sequences the padding mandates.
    – SEJPM♦
    2 hours ago






  • 1




    I could be wrong, but padding shouldn't be a problem, since the salt has nothing to do with it.
    – Sean Walsh
    2 hours ago







1




1




Chances are indeed that the padding is to blame, given that the last block will essentially decrypt to gibberish, you won't get the e.g. 03 03 03 sequences the padding mandates.
– SEJPM♦
2 hours ago




Chances are indeed that the padding is to blame, given that the last block will essentially decrypt to gibberish, you won't get the e.g. 03 03 03 sequences the padding mandates.
– SEJPM♦
2 hours ago




1




1




I could be wrong, but padding shouldn't be a problem, since the salt has nothing to do with it.
– Sean Walsh
2 hours ago




I could be wrong, but padding shouldn't be a problem, since the salt has nothing to do with it.
– Sean Walsh
2 hours ago










1 Answer
1






active

oldest

votes

















up vote
2
down vote



accepted










In your command:



openssl enc -aes-256-cbc -in texte -out encrypted_texte -k password


a password is supplied, which will be used to derive the key and IV for encryption. The salt stored in the file is used in conjunction with your password for this purpose. Therefore when you change the salt, you will get both a different IV and a different key in the decryption process, not just the IV. Then you will get problem decrypting in block modes such as CBC and ECB because the padding in the decrypted plaintext will not be correct (decrypted with a wrong key). While in stream modes like CFB, there is no padding, so modifying the salt won't cause a problem, but you will get wrong plaintext back.



Edit to add: the EVP_BytesToKey() function is used to turn the password and salt into the key and the IV.






share|improve this answer






















    Your Answer




    StackExchange.ifUsing("editor", function ()
    return StackExchange.using("mathjaxEditing", function ()
    StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
    StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
    );
    );
    , "mathjax-editing");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "281"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );






    Sean Walsh is a new contributor. Be nice, and check out our Code of Conduct.









     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62766%2fwhy-cant-decrypt-with-openssl-if-salt-changed-for-cbc-and-ecb%23new-answer', 'question_page');

    );

    Post as a guest

















    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    2
    down vote



    accepted










    In your command:



    openssl enc -aes-256-cbc -in texte -out encrypted_texte -k password


    a password is supplied, which will be used to derive the key and IV for encryption. The salt stored in the file is used in conjunction with your password for this purpose. Therefore when you change the salt, you will get both a different IV and a different key in the decryption process, not just the IV. Then you will get problem decrypting in block modes such as CBC and ECB because the padding in the decrypted plaintext will not be correct (decrypted with a wrong key). While in stream modes like CFB, there is no padding, so modifying the salt won't cause a problem, but you will get wrong plaintext back.



    Edit to add: the EVP_BytesToKey() function is used to turn the password and salt into the key and the IV.






    share|improve this answer


























      up vote
      2
      down vote



      accepted










      In your command:



      openssl enc -aes-256-cbc -in texte -out encrypted_texte -k password


      a password is supplied, which will be used to derive the key and IV for encryption. The salt stored in the file is used in conjunction with your password for this purpose. Therefore when you change the salt, you will get both a different IV and a different key in the decryption process, not just the IV. Then you will get problem decrypting in block modes such as CBC and ECB because the padding in the decrypted plaintext will not be correct (decrypted with a wrong key). While in stream modes like CFB, there is no padding, so modifying the salt won't cause a problem, but you will get wrong plaintext back.



      Edit to add: the EVP_BytesToKey() function is used to turn the password and salt into the key and the IV.






      share|improve this answer
























        up vote
        2
        down vote



        accepted







        up vote
        2
        down vote



        accepted






        In your command:



        openssl enc -aes-256-cbc -in texte -out encrypted_texte -k password


        a password is supplied, which will be used to derive the key and IV for encryption. The salt stored in the file is used in conjunction with your password for this purpose. Therefore when you change the salt, you will get both a different IV and a different key in the decryption process, not just the IV. Then you will get problem decrypting in block modes such as CBC and ECB because the padding in the decrypted plaintext will not be correct (decrypted with a wrong key). While in stream modes like CFB, there is no padding, so modifying the salt won't cause a problem, but you will get wrong plaintext back.



        Edit to add: the EVP_BytesToKey() function is used to turn the password and salt into the key and the IV.






        share|improve this answer














        In your command:



        openssl enc -aes-256-cbc -in texte -out encrypted_texte -k password


        a password is supplied, which will be used to derive the key and IV for encryption. The salt stored in the file is used in conjunction with your password for this purpose. Therefore when you change the salt, you will get both a different IV and a different key in the decryption process, not just the IV. Then you will get problem decrypting in block modes such as CBC and ECB because the padding in the decrypted plaintext will not be correct (decrypted with a wrong key). While in stream modes like CFB, there is no padding, so modifying the salt won't cause a problem, but you will get wrong plaintext back.



        Edit to add: the EVP_BytesToKey() function is used to turn the password and salt into the key and the IV.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 1 hour ago

























        answered 1 hour ago









        Changyu Dong

        2,553712




        2,553712




















            Sean Walsh is a new contributor. Be nice, and check out our Code of Conduct.









             

            draft saved


            draft discarded


















            Sean Walsh is a new contributor. Be nice, and check out our Code of Conduct.












            Sean Walsh is a new contributor. Be nice, and check out our Code of Conduct.











            Sean Walsh is a new contributor. Be nice, and check out our Code of Conduct.













             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62766%2fwhy-cant-decrypt-with-openssl-if-salt-changed-for-cbc-and-ecb%23new-answer', 'question_page');

            );

            Post as a guest
































































            Comments

            Post a Comment

            Popular posts from this blog

            Long meetings (6-7 hours a day): Being “babysat” by supervisor

            Image
            Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
            Read more

            Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
            Read more

            Confectionery

            Image
            Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
            Read more