Decrypting AES-256-CBC cipher with a passcode built using PBKDF2 in Python

1
votes

I have an encrypted session key I need to decrypt using python and really have no idea how to go about that.

I've been provided with the passphrase, salt and hmac key. The string I need to decode is base64 encoded and when decoded it's a pipe delineated key and expiry date (session key + pipe delimiter + date time)

The session key is encrypted "using the AES-256-CBC cipher with a passcode built using PBKDF2 - Password-Based Key Derivation Function 2. The encrypted payload is then signed with an HMAC key."

How would I go about that using Python? What are the best libraries for this?

Below is one of my many attempts (edited based on @topaco's comment):

from base64 import b64decode
import hashlib
import pyaes
import os

PASSWORD = b"password provided"
SALT = b"Salt provided"
iv = os.urandom(16)
ciphertext = "message to decode"


passcode = hashlib.pbkdf2_hmac('sha256', PASSWORD, SALT, 1000)
aes = pyaes.AESModeOfOperationCBC(passcode, iv=iv)
encrypter = pyaes.Encrypter(pyaes.AESModeOfOperationCBC(passcode, iv))
decrypter = encrypter.feed(ciphertext)
decrypter += encrypter.feed()
1
pythonencryption
For pyaes and AEC-CBC you should use decrypter.feed() if the ciphertext is longer than 1 block (16 bytes), here and here. For other Python Crypto libraries, see e.g. here. - Topaco
@Topaco - thanks so much. I'm still not quite there, but I've updated my question based on you comment. - hammygoonan

1 Answers

0
votes

In the posted code, encryption and decryption are confused. For decryption pyaes.Decrypter is required.

The following code snippet uses PBKDF2 to generate a 32 bytes key, which is applied to encrypt the plaintext and decrypt the resulting ciphertext using AES-256-CBC: 

from base64 import b64encode
import hashlib
import pyaes
import os

plaintext = 'The quick brown fox jumps over the lazy dog'
password = b'password provided'
salt = b'Salt provided'
iterationCount = 1000

# Create random 16 bytes IV 
iv = os.urandom(16)

# Create 32 bytes key
key = hashlib.pbkdf2_hmac('sha256', password, salt, iterationCount)

# Encryption with AES-256-CBC
encrypter = pyaes.Encrypter(pyaes.AESModeOfOperationCBC(key, iv))
ciphertext = encrypter.feed(plaintext.encode('utf8'))
ciphertext += encrypter.feed()

# Decryption with AES-256-CBC
decrypter = pyaes.Decrypter(pyaes.AESModeOfOperationCBC(key, iv))
decryptedData = decrypter.feed(ciphertext)
decryptedData += decrypter.feed()

# Display results
def printData(text, data):
    print(text + " (hex):    " + data.hex()) 
    print(text + " (Base64): " + b64encode(data).decode('utf8') + "\n")

printData("16 bytes IV", iv)
printData("32 bytes Key", key)
printData("Ciphertext", ciphertext)
print("Decrypted data (UTF-8): " + decryptedData.decode('utf8') + "\n")

Note:

  • In your description the digest and iteration count are not mentioned. In the posted code SHA256 and a count of 1000 is used. Both parameters are critical, i.e. for decryption, the same parameters must be used as for encryption.

    In addition, the IV is generally generated during encryption (and not during decryption) and is passed together with the ciphertext.

  • According to your description PBKDF2, AES-CBC and HMAC are applied. Typically in this constellation, with PBKDF2 keys are generated, which are used to encrypt the plaintext (here using AES-CBC) and to generate a MAC to authenticate the message.

    Be aware that the posted code only provides decryption and not authentication. Also my code snippet is without authentication.

  • The individual algorithms can be combined in different ways. Here a possible variant is discussed. Even though this may be a well rated variant, it does not mean that the underlying encryption has to stick to it!

    The linked variant splits the generated 32 bytes key into two 16 bytes keys for encryption and authentication. This way an encryption with AES-128 is performed which is different from the AES-256 encryption you described.

    In short: To successfully perform decryption and authentication, certain information must be known. In addition to the key generation, this includes the IV generation, the MAC generation (which data are used to generate the MAC), the data concatenation (order of ciphertext, IV and MAC), etc.