如何在iOS中使用通过AES128加密的Openssl工具解密数据 [英] How to decrypt data with Openssl tool encrypted with AES128 in iOS

问题描述

我有很多代码片段，它们使用AES128加密数据(如果您提供有效的实现，我将非常感激)例如以下示例:

I have many snippets of code, which encrypt the data with AES128 (If you provide your working implementation I will be very thankfull) For example this one:

- (NSData*)AES128EncryptWithKey:(NSString*)key {
    // 'key' should be 16 bytes for AES128, will be null-padded otherwise
    char keyPtr[kCCKeySizeAES128 + 1]; // room for terminator (unused)
    bzero(keyPtr, sizeof(keyPtr)); // fill with zeroes (for padding)

    // fetch key data
    [key getCString:keyPtr maxLength:sizeof(keyPtr) encoding:NSUTF8StringEncoding];

    NSUInteger dataLength = [self length];

    //See the doc: For block ciphers, the output size will always be less than or
    //equal to the input size plus the size of one block.
    //That's why we need to add the size of one block here
    size_t bufferSize           = dataLength + kCCBlockSizeAES128;
    void* buffer                = malloc(bufferSize);

    size_t numBytesEncrypted    = 0;

    CCCryptorStatus cryptStatus = CCCrypt(kCCEncrypt, kCCAlgorithmAES128, kCCOptionECBMode + kCCOptionPKCS7Padding,
                                          keyPtr, kCCKeySizeAES128,
                                          NULL /* initialization vector (optional) */,
                                          [self bytes], dataLength, /* input */
                                          buffer, bufferSize, /* output */
                                          &numBytesEncrypted);

    if (cryptStatus == kCCSuccess)
    {
        //the returned NSData takes ownership of the buffer and will free it on deallocation
        return [NSData dataWithBytesNoCopy:buffer length:numBytesEncrypted];
    }

    free(buffer); //free the buffer;
    return nil;
}

数据经过base64编码后，使用在线工具将其保存到 data.bin

After it the data is base64 encoded, with online tool I save it to data.bin

我想做的事情是使用OpenSSl解密此数据. 但是，当我打电话

The thing I want to do is to decrypt this data with OpenSSl. But, when I call

openssl enc -aes-128-ecb -in data.bin -out out.bin -d -pass pass:0123456789123456

它告诉我错误的魔术数字

如果我使用

openssl enc -aes-128-ecb -in data.bin -out out.bin -d -pass pass:0123456789123456 -nosalt

它告诉我错误的解密

请帮助.

推荐答案

这里有几个问题.首先，您正在使用CBC模式(CCCrypt的默认设置)进行加密，但是会在ECB模式下进行解密.很少有理由使用ECB模式.

There are several problems here. First, you're encrypting with CBC mode (which is the default for CCCrypt) but decrypting in ECB mode. There is very seldom reason to use ECB mode.

您正在使用字符串(我假设为"0123456789123456")作为密钥而不是密码进行加密.这些是不同的东西.我不确定openssl如何将密码转换为密钥.我在enc(1)页上没有看到关于它的解释.我假设它使用PBKDF2，但尚不清楚(并且没有给出迭代次数).您应该使用-K选项传递实际密钥.在这种情况下，您还需要显式地传递IV.您没有正确生成IV或盐.应该，然后将它们传递给openssl.

You're encrypting with a string (I assume "0123456789123456") as the key, not the password. These are different things. I'm not certain how openssl translates a password into a key. I don't see an explanation of that on the enc(1) page. I assume it uses PBKDF2, but it's not clear (and the number of iterations isn't given). You should be passing the actual key with the -K option. In that case, you also need to pass the IV explicitly. You're not correctly generating an IV, or a salt. You should be, and you then should be passing them to openssl.

要了解如何正确对其进行加密，请参见使用CommonCrypto使用AES正确加密.一旦您对某些内容进行了正确的加密，那么您就应该拥有一个正确的密钥，一个盐和一个IV.使用aes-128-cbc(假设使用128位AES)将所有这些文件交给enc，它应该可以工作.

To understand how to encrypt this correctly, see Properly encrypting with AES with CommonCrypto. Once you have something properly encrypted, you should then have a proper key, a salt, and an IV. Hand all of these to enc, using aes-128-cbc (assuming 128-bit AES), and it should work.

编辑

在这里有必要说明一下明显的地方:如果双方都使用相同的工具箱，则加密/解密要容易得多.要执行您想做的事情，您确实必须了解CCCrypt()和OpenSSL的细节，这就是我在讨论它们的原因.即使您发现了似乎可以正常工作"的东西，但如果您没有意识到这一点，其安全性很容易变得很差. AES128EncryptWithKey:是此示例.它看起来不错并且可以运行"，但是它有几个安全问题.如果可能的话，我要么在两边都使用OpenSSL，要么在两边都使用CCCrypt.

It's worth stating the obvious here: Encryption/decryption is much easier if you use the same toolkit on both sides. To do what you're trying to do, you really do have to understand the nuts and bolts of both CCCrypt() and OpenSSL, which is why I'm discussing them. Even if you find something that "seems to work," the security can easily be very poor without you realizing it. AES128EncryptWithKey: is an example of this; it looks fine and it "works," but it has several security problems. If possible, I'd either use OpenSSL on both sides, or CCCrypt on both sides.

这篇关于如何在iOS中使用通过AES128加密的Openssl工具解密数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！