Score:0

OpenSSL BytesToKey() standalone in C


In evp.h, BytesToKey() generates the key from the passphrase, IV and the MD5 digest in order to decrypt information used by the public/private keypair generation using AES-256-CBC. I am trying to isolate all the EVP_* functions into a standalone implementation for an embedded system. Does anyone have the actual function or what exactly it does?

KEY DERIVATION ALGORITHM

The key and IV is derived by concatenating D_1, D_2, etc until enough data is available for the key and IV. D_i is defined as:

D_i = HASH^count(D_(i-1) || data || salt)

fgrieu:
Different versions of `openssl enc` are incompatible in how they convert password to key, and unless it's a new version and an option is given the hash is not even iterated. See [this](https://crypto.stackexchange.com/a/106715/555), which also links to the actual code. In other news, iterated SHA-256 (including PBKDF2 and whatever `openssl enc` does) is a poor way to use CPU time for password-to-key derivation, because GPUs, FPGAs and ASICs are so much better at it; so the way to go is a memory-hard key stretching function, like [Argon2](https://www.rfc-editor.org/rfc/rfc9106.html).
jsmith2001:
I just did some further research and realized that in fact MD5 is being used as the default here, even though lots of sources claim that the shift to SHA256 has been made. I was able to call `EVP_BytesToKey` externally (just a C program), using the IV from my private key and of course my passphrase, and the same key was returned using MD5 as the digest. I am just looking for a function that does what `BytesToKey` does without actually using it, because it depends on all these EVP functions and can't be implemented independently.
fgrieu:
Use of MD5 or SHA-256 depends on version of OpenSSL. Whatever the hash, use with a single iteration to turn a password into key (which is the only setup I know that uses MD5) is extremely insecure (essentially there's no key stretching). It was insecure when defined, and became exponentially more insecure with the advances and spread of CPUs. I see no reasonable use case in a new application. Locating the code should be easy once you have settled on a version, which you did not state.
dave_thompson_085:
@fgrieu-onstrike+ the _default_ hash for `enc` changed in 1.1.0 (up), but BytesToKey remains compatible if you specify the hash (and don't use pbkdf2 option); see my https://crypto.stackexchange.com/questions/3298/#35614 . But it sounds like this OP might want the encryption OpenSSL uses on **'traditional' (i.e. not PKCS8) privatekey files**, which also uses BytesToKey but _always_ with MD5 (no choice) and 1 iteration, and derives only the key while `enc` does both key and IV, and _never_ uses PBKDF2.
jsmith2001:
`OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)`
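
The construction quoted in the question, D_i = HASH^count(D_(i-1) || data || salt), written out as a small reference model that a standalone C port can be checked against. This is an added example, not OpenSSL's code or code from any poster; the function names, the sample passphrase and the sample IV are constructed, and using the first 8 bytes of the PEM `DEK-Info` IV as the salt reflects how OpenSSL's traditional private-key encryption calls `EVP_BytesToKey`.

```python
import hashlib


def bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                 md: str = "md5", count: int = 1) -> tuple[bytes, bytes]:
    """Return (key, iv) from D_1 || D_2 || ... as described in the man page."""
    if count < 1:
        raise ValueError("count must be >= 1")
    if salt and len(salt) != 8:
        raise ValueError("salt must be empty or exactly 8 bytes")
    derived = b""
    block = b""  # D_0 is the empty string
    while len(derived) < key_len + iv_len:
        # First application hashes D_(i-1) || data || salt ...
        block = hashlib.new(md, block + password + salt).digest()
        # ... and HASH^count re-hashes the digest count-1 more times.
        for _ in range(count - 1):
            block = hashlib.new(md, block).digest()
        derived += block
    # The leading bytes are the key, the bytes after them the IV.
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pem_traditional_key(passphrase: bytes, dek_info_iv: bytes,
                        key_len: int = 32) -> bytes:
    """Key for a 'traditional' encrypted PEM key: MD5, one iteration,
    salt = first 8 bytes of the DEK-Info IV, and only the key is derived
    (the cipher IV is the DEK-Info value itself)."""
    key, _ = bytes_to_key(passphrase, dek_info_iv[:8], key_len, 0, "md5", 1)
    return key


if __name__ == "__main__":
    # Constructed sample values, not taken from any real key file.
    passphrase = b"example passphrase"
    iv = bytes.fromhex("00112233445566778899aabbccddeeff")
    print("AES-256 key:", pem_traditional_key(passphrase, iv).hex())
```

For a C port, the only primitive needed besides this loop is the hash itself (MD5 for the traditional PEM case), so the port can be validated by comparing its output with this model on the same passphrase and IV.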