Secret Key Padding and Truncation

A tutorial example is provided to show you how OpenSSL 'enc' apply padding or truncation to get a 16-byte secret key from the value specified in the '-K' option.

In the previous tutorial, we learned how to use "bf-ecb" cipher in the "Literal Key" way to control the secret key and the IV. In this tutorial, we will do some tests on the secret key is specified using the -K option as described below:

One nice feature of the OpenSSL "enc" command is that has the "-p" option to display what are the values of secre tkey, IV and salt actually used in during the encryption process. So we are going to use in our tests from now on.

Test 1. "-K" value with 16 bytes. No padding and truncation should happen.

C:\herong>perl -e "binmode(STDOUT); print pack('H*', '0000000000000000')" 
   > 0000000000000000.txt

C:\herong>C:\local\gnuwin32\bin\openssl enc -bf-ecb -e 
   -K 0123456789ABCDEF0123456789ABCDEF -iv 0000000000000000 
   -in 0000000000000000.txt -out cipher.txt -nopad -p
salt=0200000040265701
key=0123456789ABCDEF0123456789ABCDEF
iv =0000000000000000

C:\herong>perl -e "while (read(STDIN,$_,1)){print unpack('H*',$_);}" 
   < cipher.txt
245946885754369a

The ciphertext, 0x4ef997456198dd78, is correct, because it matches the test vector published at https://www.schneier.com/code/vectors.txt. Note that secret key 0x0123456789ABCDEF0123456789ABCDEF is the same as 0x0123456789ABCDEF for Blowfish algorithm, because the secret key is repeatedly concatenated to reach the size of 72 bytes.

key bytes               clear bytes             cipher bytes
0123456789ABCDEF        0000000000000000        245946885754369A

OpenSSL generated a salt value of 0x0200000040265701. But it was not used.

Test 2. "-K" value with 8 bytes. It will be padded with 0x00.

C:\herong>C:\local\gnuwin32\bin\openssl enc -bf-ecb -e
   -K 0123456789ABCDEF -iv 0000000000000000 
   -in 0000000000000000.txt -out cipher.txt -nopad -p
salt=0200000000267E00
key=0123456789ABCDEF0000000000000000
iv =0000000000000000

C:\herong>perl -e "while (read(STDIN,$_,1)){print unpack('H*',$_);}" 
   < cipher.txt
9713e3a4c20e0746

The output confirms that the actual secret will have 8 bytes of 0x00 padded, if only 8 bytes of value specified in the "-K" option. So don't "-K" option with less than 16 bytes.

Test 3. "-K" value with 24 bytes. It will be truncated to 16 bytes.

C:\herong>C:\local\gnuwin32\bin\openssl enc -bf-ecb -e 
   -K 0123456789ABCDEF0123456789ABCDEF1122334455667788 
   -iv 0000000000000000 -in 0000000000000000.txt -out cipher.txt 
   -nopad -p
salt=0200000050264401
key=0123456789ABCDEF0123456789ABCDEF
iv =0000000000000000

C:\herong>perl -e "while (read(STDIN,$_,1)){print unpack('H*',$_);}" 
   < cipher.txt
245946885754369a

The output confirms that the actual secret will take only the first 16 bytes from the value specified in the "-K" option.

Conclusion: when using the "-K" option, always provide a value of 16 bytes. OpenSSL will use it as the secret key with no padding or truncation.

Last update: 2015.

Table of Contents

 About This Book

 Blowfish Cipher Algorithm

 Perl Crypt::Blowfish Module

 Perl Crypt::ECB Perl Module

 Perl Crypt::CBC Module

 Perl Crypt::CFB Perl Module

OpenSSL "enc -bf-ecb" for Blowfish/ECB Encryption

 What is OpenSSL?

 Installing OpenSSL for Windows

 OpenSSL "enc" Blowfish Ciphers

 Ways to Control Secret Key and IV

 "bf-ecb" Cipher with Literal Key

 "bf-ecb" Cipher on Multiple Blocks

Secret Key Padding and Truncation

 "bf-ecb" Cipher with Salted Key

 Salted Key Generation Algorithm

 "bf-ecb" Cipher with Random Salt

 OpenSSL Default Padding - PKCS#5

 "enc -bf-ecb" Command Summary

 OpenSSL "enc -bf-cbc" for Blowfish/CBC Encryption

 OpenSSL "enc -bf-cfb" for Blowfish/CFB Encryption

 OpenSSL "enc -bf-ofb" for Blowfish/OFB Encryption

 References

 PDF Printing Version