OpenSSL Default Padding - PKCS#5

A tutorial example is provided to show you how to OpenSSL controls padding on plaintext. OpenSSL uses the PKCS#5 padding algorithm by default, unless you specify the '-nopad' option.

So far, we have tested OpenSSL "enc -bf-ecb" command in different ways to control the secret key and the IV for full blocks of plaintext. Now let's do some tests on how "enc -bf-ecb" command applies padding to plaintext.

According to the OpenSSl manual, we have only two choices:

Here is my first test to see how a full plaintext block is padded:

C:\herong> \
   perl -e "binmode(STDOUT); print pack('H*', '0000000000000000')" \
   > 0000000000000000.txt

C:\herong>\local\gnuwin32\bin\openssl enc -bf-ecb -e 
   -pass pass:MySecret -salt -in 0000000000000000.txt 
   -out cipher.txt -p
salt=63D41A7556E28924
key=CCEE47F3EA58410816530220BA58AF7E
iv =006CE0BE79AA564D

C:\herong>perl -e "while (read(STDIN,$_,1)){print unpack('H*',$_);}" \
   < cipher.txt
   
53616c7465645f5f63d41a7556e289247788d64a1a048e5e8a776326ae006a6a

C:\herong>\local\gnuwin32\bin\openssl enc -bf-ecb -d \
   -pass pass:MySecret -salt -in cipher.txt \
   -out decrypted.txt -nopad -p
   
salt=63D41A7556E28924
key=CCEE47F3EA58410816530220BA58AF7E
iv =006CE0BE79AA564D

C:\herong>perl -e "while (read(STDIN,$_,1)){print unpack('H*',$_);}" \
   < decrypted.txt
   
00000000000000000808080808080808
                ----------------
                     padding                

The output matches my expectation. A new plaintext block is added with 8 of 0x08.

Here is another test to see how a partial plaintext block is padded:

C:\herong>perl -e "print 'HALF'" > HALF.txt

C:\herong>\local\gnuwin32\bin\openssl enc -bf-ecb -e -pass pass:MySecret \
   -salt -in HALF.txt -out cipher.txt -p
   
salt=92E3161234643D32
key=53B4D4AF1049CED9FBED0C1062A493E7
iv =0BC4238EA48D61D3

C:\herong>\local\gnuwin32\bin\openssl enc -bf-ecb -d -pass pass:MySecret \
   -salt -in cipher.txt -out decrypted.txt -nopad -p

salt=92E3161234643D32
key=53B4D4AF1049CED9FBED0C1062A493E7
iv =0BC4238EA48D61D3

C:\herong>perl -e "while (read(STDIN,$_,1)){print unpack('H*',$_);}" \
   < decrypted.txt
   
48414c4604040404
        --------
         padding

The output also matches my expectation. The a partial plaintext block is padded with 4 of 0x04.

Conclusion: OpenSSL uses the PKCS#5 padding algorithm by default, unless you specify the "-nopad" option.

Last update: 2018.

Table of Contents

 About This Book

 Blowfish Cipher Algorithm

 Perl Crypt::Blowfish Module

 Perl Crypt::ECB Perl Module

 Perl Crypt::CBC Module

 Perl Crypt::CFB Perl Module

OpenSSL "enc -bf-ecb" for Blowfish/ECB Encryption

 What is OpenSSL

 Installing OpenSSL for Windows

 OpenSSL "enc" Blowfish Ciphers

 Ways to Control Secret Key and IV

 "bf-ecb" Cipher with Literal Key

 "bf-ecb" Cipher on Multiple Blocks

 Secret Key Padding and Truncation

 "bf-ecb" Cipher with Salted Key

 Salted Key Generation Algorithm

 "bf-ecb" Cipher with Random Salt

OpenSSL Default Padding - PKCS#5

 "enc -bf-ecb" Command Summary

 OpenSSL "enc -bf-cbc" for Blowfish/CBC Encryption

 OpenSSL "enc -bf-cfb" for Blowfish/CFB Encryption

 OpenSSL "enc -bf-ofb" for Blowfish/OFB Encryption

 PHP Mcrypt Extension for Blowfish

 Blowfish 8-Bit Cipher in PHP

 References

 Full Version in PDF/EPUB