How does openssl construct the derived key from password with PBKDF2?

0
votes

I'm working on a Java module to decrypt messages encrypted by openssl,

openssl aes-256-cbc -k *** -a -pbkdf2 -iter 1 -md sha256

but without success.

After some investigation, the problem was found that I can't get the correct KEY and IV from a given passphrase and the salt.

Here is the code:

$ openssl aes-256-cbc -k hi -a -S 4142434445464748 -md sha256 -pbkdf2 -iter 1 -P
salt=4142434445464748
key=187DC06E1AF1278348E5EFE761FDE3133DF42B03CF64E1B286E50E58238AEFB5
iv =1949A8BB58205A5C04BB28AD1947016C

$ echo hiABCDEFGH | hd
00000000  68 69 41 42 43 44 45 46  47 48 0a                 |hiABCDEFGH.|
0000000b

$ echo -n hiABCDEFGH | sha256sum 
8c8a825dbab83fbe7fb58552e26bb98aa3af20e7e6294e04ae6422a86906606b  -

According to EVP_BytesToKey function,

Key Derivation Algorithm

The key and IV is derived by concatenating D_1, D_2, etc until enough data is available for the key and IV . D_i is defined as:

D_i = HASH^count(D_(i-1) || data || salt) where || denotes concatentaion, D_0 is empty, HASH is the digest algorithm in use, HASH^1(data) is simply HASH (data), HASH^2(data) is HASH ( HASH (data)) and so on.

so, for a single iteration, the key should be:

KEY = SHA256(password || salt)

that is 8c8a825d... However, the result from openssl is 187DC06E...

So, how does openssl compute the derived key?

1
opensslpbkdf2

1 Answers

1
votes

You used the "-pbkdf2" flag which means you are using the PBKDF2 a key derivation function (KDF) not the legacy KDF implemented EVP_BytesToKey.

PBKDF2 is defined in RFC 2898 here: https://www.ietf.org/rfc/rfc2898.txt

The relevant OpenSSL function is documented here: https://www.openssl.org/docs/man1.1.1/man3/PKCS5_PBKDF2_HMAC.html

The RFC above refers to a pseudo-random function (PRF). Since you have specified a digest of SHA256, the PRF used is HMAC-SHA256 with the password as the key.