
I am trying to encrypt using RC4 using openssl. I can match results with online cipher tools only with key as hex but not as plaintext.

Using password option with plaintext - DOES NOT MATCH.

# echo -ne "stackoverflow" | openssl rc4 -pass pass:"rc4cipher" -nopad -nosalt | xxd -p

Result: 8189898ec30bd96a81bca0e293

Getting the symmetric key for the password

# echo -ne "stackoverflow" | openssl rc4 -pass pass:"rc4cipher" -nopad -nosalt -p

key=1E8B649064CC6657312EE7346ED410A4

With hexa key for the above password (-k option) - MATCHES.

echo -ne "stackoverflow" | openssl rc4 -K "1E8B649064CC6657312EE7346ED410A4" -nopad -nosalt | xxd -p

Result: 8189898ec30bd96a81bca0e293

I can match my result with online tools by using key as hex but not as plain text.


Can someone please help me with the option to use with openssl?

Thanks,

Ak


1 Answer


Keys should consist of random binary data. They should not consist of text. If you need to perform password based encryption you need to use a password hash or, more precisely, a Password Based Key Derivation Function to turn the password into a key. Common PBKDFs are bcrypt, scrypt, PBKDF2 and Argon2.

And this is what OpenSSL (command line) does underneath: it uses a weak, OpenSSL proprietary algorithm called EVP_BytesToKey. This is basically only compatible with OpenSSL implementations or compatibility libs.

Most online tools (which you should never use to validate any implementation in the end) simply convert the text to binary using a character encoding such as UTF-8, Windows-1252 or any other - usually unspecified - encoding. This is not secure; it's as braindead as most click-bait encryption tools found online.

  • Thanks Maarten, the requirement is to match my result with the online tool. As you rightly mentioned, I can match perfectly when I use hex code as key, but I want an option to use plaintext as key. – AKS Jan 04 '18 at 11:05
  • In the form submit I see the key_type=plain; I want the equivalent option in openssl. function=arcfour&mode=stream&key=rc4cipher&key_type=plain&iv=&phone=b91fa0ab46abb20751c8c9b1d828e8fb8356adcb&do=form-submit – AKS Jan 04 '18 at 11:08
  • That's a stupid requirement. You could however encode your text to bytes and then to hex and then try again. These online tools often make encoding mistakes, so fully matching all possible input is hard. – Maarten Bodewes Jan 04 '18 at 11:08
  • Does anyone know the openssl option to keep the key as plain text? – AKS Jan 04 '18 at 11:26
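The following is an added example written for this page, not code from the question, the answer or OpenSSL itself. It reimplements the two things the answer describes so they can be compared side by side: OpenSSL's EVP_BytesToKey (what `-pass pass:` and its short form `-k` do with a password; `-K` is the raw hex key), and the "key_type=plain" behaviour of the online tool, which is simply using the encoded bytes of the text as the RC4 key. Two things to keep in mind that the thread does not spell out: the digest EVP_BytesToKey uses is the `-md` option, whose default changed from MD5 (OpenSSL 1.0.x) to SHA-256 (OpenSSL 1.1.0 and later), so the key printed by `-p` depends on the OpenSSL version; and RC4 itself is broken and only worth reproducing for interoperability with an existing system. The page's own values (`rc4cipher`, `stackoverflow`, the printed key) are used as inputs; the RC4 test vectors are the standard published ones.

```python
"""Reproduce `openssl rc4 -pass pass:...` (EVP_BytesToKey) versus an online tool's
"plain text key" (raw encoded bytes as the key).  Added example, not from the page."""
import hashlib


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "md5", count: int = 1) -> tuple[bytes, bytes]:
    """OpenSSL's EVP_BytesToKey: D_i = H^count(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes are available.  RC4 has iv_len 0."""
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, prev + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(md, block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA).  The same call encrypts and decrypts."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def password_key_hex(password: str, md: str = "md5") -> str:
    """Key that `openssl rc4 -pass pass:<password> -nosalt -md <md>` derives (16 bytes)."""
    key, _ = evp_bytes_to_key(password.encode("utf-8"), b"", 16, 0, md)
    return key.hex().upper()


def plain_text_key_hex(text: str, encoding: str = "utf-8") -> str:
    """What an online tool's key_type=plain does: the encoded text *is* the key.
    Feed the result to `openssl rc4 -K <hex>` to get the same ciphertext from openssl."""
    return text.encode(encoding).hex().upper()


if __name__ == "__main__":
    password, plaintext = "rc4cipher", b"stackoverflow"   # values from the question
    page_key = "1E8B649064CC6657312EE7346ED410A4"          # key printed by -p in the question

    for md in ("md5", "sha256"):
        k = password_key_hex(password, md)
        print(f"EVP_BytesToKey({md}) -> {k}  matches question: {k == page_key}")
    print("rc4(page key)       ->", rc4(bytes.fromhex(page_key), plaintext).hex())
    # compare with the 8189898ec30bd96a81bca0e293 reported in the question

    print("plain-text key hex  ->", plain_text_key_hex(password))
    print("rc4(plain-text key) ->", rc4(password.encode("utf-8"), plaintext).hex())
    # the last line is what an online tool with key_type=plain produces; reproduce it with
    #   printf 'rc4cipher' | xxd -p          (gives the hex above)
    #   echo -ne stackoverflow | openssl rc4 -K 726334636970686572 -nopad -nosalt | xxd -p
```

Note that `-K` accepts the key as hex only, so the shortest way to get "plain text key" behaviour from the command line is `-K "$(printf '%s' "$KEY" | xxd -p)"`; there is no flag that takes the key as text. If the online tool's result still differs after that, the tool is almost certainly using a different character encoding for the key, which is exactly the mismatch the answer warns about.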