
OpenSSL compatibility issue between 0.9.8h and 1.1.1k

In our application we were previously using OpenSSL 0.9.8h and we have upgraded it to OpenSSL 1.1.1k. After upgrading OpenSSL we didn't make any change to the command for encryption; we are using the command below: "enc -aes-256-cbc -a -salt -pass pass:Password"

For decryption: "enc -aes-256-cbc -a -d -salt -pass pass:Password"

In that case it gave a warning: *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better.

So I added -pbkdf2 and -iter to the command, and now the command for encryption is: "enc -aes-256-cbc -a -salt -pass pass:Password -pbkdf2 -iter 10000"

and for decryption: "enc -aes-256-cbc -a -d -salt -pass pass:Password -pbkdf2 -iter 10000"

Now if we install the application everything works fine, but the problem comes when we upgrade the application, as previously the data was encrypted with OpenSSL 0.9.8h. To support backward compatibility I have added -md md5 (which is not recommended), but in that case, after a fresh install, the application does not work properly.

Is there any way to use multiple message digests in the command? Or is there any other solution we can implement?

shubham

  • Without _-pbkdf2_ or _-iter_ (both since v1.1.1), OpenSSL uses the deprecated key derivation function (KDF) _EVP_BytesToKey()_ with an iteration count of 1. MD5 is applied as the default digest, SHA256 as of v1.1.0. _-pbkdf2_ specifies PBKDF2 as the KDF, as does _-iter_, which also explicitly sets the iteration count. Thus, to be compatible with v0.9.8h, in v1.1.1k neither _-pbkdf2_ nor _-iter_ may be set and the digest must be set explicitly with _-md md5_. However, this key derivation is, as mentioned, deprecated. – Topaco Jun 06 '21 at 18:40
  • `enc -md md5` and NOT `-pbkdf2 [-iter]` should be compatible with files older than 1.1.0, albeit with the annoying warning. Explain exactly what you mean by 'not works properly'. – dave_thompson_085 Jun 06 '21 at 20:13

0 Answers