1

I'm trying to implement AES symmetric encryption using the OpenSSL library. In the encryption examples, after calling the EVP_EncryptUpdate function, the EVP_EncryptFinal_ex function is immediately called. What is the purpose of calling the EVP_EncryptFinal_ex function?

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
John
  • 63
  • 6

1 Answers1

1

This is strangely only explained in the API documentation of EVP_EncryptUpdate():

If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts the "final" data, that is any data that remains in a partial block. It uses standard block padding (aka PKCS padding) as described in the NOTES section, below. The encrypted final data is written to out which should have sufficient space for one cipher block. The number of bytes written is placed in outl. After this function is called the encryption operation is finished and no further calls to EVP_EncryptUpdate() should be made.

In general, it will perform any final calculations that cannot be performed without knowing that the last part of the message are being encrypted. Most (lower level) cryptographic libraries contain an update / final notion. Note that in case of OpenSSL the authentication tag is not considered part of the ciphertext.

Although it is considered good practice to call EVP_EncryptFinal_ex, the function doesn't really do much for modes that don't require full blocks of plaintext or padding. Most cryptographic libraries - including OpenSSL - try and encrypt the delivered plaintext as soon as possible; you should however not take that for granted.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
  • Thanks for the answer! Please tell me why the EVP_EncryptUpdate function cannot encrypt the text completely? Why is an extra call to the EVP_EncryptFinal_ex function required? I don't understand block cipher principles well. – John Apr 06 '22 at 09:59
  • What does "final data" mean? – John Apr 06 '22 at 10:04
  • 1
    A block cipher encrypts a block at a time, for AES 16 bytes at a time. Some modes such as CBC directly encrypt the plaintext of the message. However, that might mean the algorithm has to add extra bytes to form a full block. Of course, the algorithm can only add those once it is sure that the end of the message has been received. These kind of implementations just buffer bytes until a full block is present, and then encrypt them. The *buffer* then is padded on the call to `Final`, and the final block is returned to you encrypted. – Maarten Bodewes Apr 06 '22 at 10:15
  • 1
    Block cipher modes are explained and visualized [on Wikipedia](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation), and [padding modes](https://en.wikipedia.org/wiki/Padding_(cryptography)) are explained as well. – Maarten Bodewes Apr 06 '22 at 10:16
  • Thanks for the answer! If, for example, I want to encrypt 30 bytes, then I need to call the EVP_EncryptUpdate function and pass it those 30 bytes. I can also call EVP_EncryptUpdate twice but transfer 15 bytes each time. But 30 is not divisible by 16. For this reason, we call the EVP_EncryptFinal_ex function at the end to say, that our data is already over. As a result, the encryption algorithm will understand that it needs to add 2 bytes padding to get the second block to complete the encryption. Am I understanding the algorithm correctly? – John Apr 06 '22 at 10:22
  • Also, in decryption process EVP_DecryptFinal_ex used. Is this only necessary to check whether the padding were added correctly during encryption? – John Apr 06 '22 at 10:56
  • 1
    Yes, you are understanding correctly, for CBC anyway. And yes, the call to "final" in decryption would check the padding, but note that padding is not a good method to check if the plaintext has integrity *or* that the key / ciphertext pair is correct; for instance the padded plaintext may end with one padding byte of value `0x01` by chance (1 in 256). You'd use an authentication tag for that, by using an AEAD cipher or HMAC over IV and ciphertext, for instance. – Maarten Bodewes Apr 06 '22 at 10:59
  • Thanks for the reply and recommendations. I need to encrypt the private key. Can you please tell me, if using AES together with padding is the correct solution? – John Apr 06 '22 at 11:27
  • 1
    No, I cannot tell. In principle you can get to confidentiality with AES-CBC, but I don't know the context, and giving that kind of security advice is a bit much for this question. – Maarten Bodewes Apr 06 '22 at 11:35
  • Confidentiality is what I need. Thanks for answers! – John Apr 06 '22 at 11:39