Thanks Sam for helping out with these videos. Much appreciated.
Especially this use case can be very handy in conducting POCs !
Thank you Yatharth.. I'm glad this video was helpful to you.. There will be more contents like this.. Stay tuned !
Thank you for explaining so well! I'm trying to learn OpenSSL and your vids have been of great help! Cheers!
I'm glad the videos are helpful; best wishes on your learning journey!
perfect Video for beginners with all kind of options explained. You answered all my questionmarks (in my brain :) ) in few minutes, thanks for sharing !!!
Thank you, I appreciate your comment.
When an encrypted file is provided with the right symmetric key, but nothing is known about the type of encryption or algorithm used, how can this information be determined via OpenSSL? Because without knowing if it's AES or DES, decryption is not possible. Thanks
Good question.. The answer is NO. It's not possible to know how data was encrypted just by looking at the encrypted bytes.
..and you're right, without knowing the encryption algorithm, it's going to be difficult to decrypt encrypted data. I view this as extra security. 🙂
Along with the encryption key, you also have to tell the other party about the algorithm used. Most programs and protocols do this by passing algorithm-related info. For example, XML encryption passes algorithm info inside the encrypted XML file. CMS passes this information inside the enveloped data.
When you refer to 'password' during the usage of password based key derivation, are you referring to the key that is supplied as a file for encryption?
That is correct; the password is used as a key for encryption in both cases. A password string, or a string of characters inside a key file, is used by OpenSSL for encrypting data.
@@CyberHashira Thank you. Much appreciate for your reply.
Hi. Thanks very much for the fantastic tutorial. You mentioned that using the pbkdf2 approach is good because the algorithm salts the password you enter (I did not see you enter the password -- I believe that you meant enc.key, didn't you?). You mentioned that 100k iterations are done and a hash is calculated. I believe that randomly choosing one among the 100k is the reason for doing iterations. But in that case the decryption -- requiring the iter parameter to be exactly the same 100k -- does not make sense to me, because it violates the randomness nature. I am writing this with the sole objective of learning. I really appreciate your work!!
Hello, you're welcome!
Yes, 'enc.key' is a file containing the data that will be used as an input by PBKDF2 to derive an encryption key. I generated it using 'openssl rand -out enc.key 32'. The encryption key is not picked randomly from the 100k iterations; it is the final result of 100k iterations. Therefore, changing the number of iterations would result in a different key value, causing decryption to fail. I hope this clears any doubts. Good question 🙂
I appreciate you taking time to watch my content.
@@CyberHashira Pleasure watching your series :) Just a quick question then -- how does iteration really impact the procedure? I mean -- how come 100k is better than just 10 iterations?
@@BhavinMoriya-i8i Iteration is the number of times a PRF is executed on the input data in PBKDF2. The more iterations, the more scrambled the output becomes. NIST recommends a minimum of 1,000 iterations for PBKDF2 (SP 800-132). A higher number of iterations increases the difficulty of guessing, calculating, brute-forcing, or reassembling the output back to the original input.
Imagine that I have a piece of paper with some secret information printed on it. Instead of giving you that paper as it is, I tear it into many pieces. Which one do you think would be more difficult to reassemble: paper torn into 10, 100, or 1000 pieces?
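An added Python example (not the video's code) that mirrors how `openssl enc -pbkdf2` turns a password and salt into the cipher key and IV: a single PBKDF2-HMAC-SHA256 call produces key+IV bytes (32+16 for aes-256-cbc, OpenSSL's default iteration count being 10000). It shows that the derivation is deterministic, that a different iteration count yields a different key (so decryption with the wrong -iter fails), and that the cost grows with the count. The password and salt are constructed sample values.

```python
import hashlib
import time

# Constructed sample inputs (not from the video): a password and a fixed 8-byte salt.
PASSWORD = b"correct horse battery staple"
SALT = bytes.fromhex("0123456789abcdef")


def derive_key_iv(password: bytes, salt: bytes, iterations: int,
                  key_len: int = 32, iv_len: int = 16) -> tuple[bytes, bytes]:
    """Mirror `openssl enc -pbkdf2`: one PBKDF2-HMAC-SHA256 call produces
    key_len + iv_len bytes, which are split into the cipher key and the IV
    (32 + 16 for aes-256-cbc). OpenSSL's default iteration count is 10000."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                                   key_len + iv_len)
    return material[:key_len], material[key_len:]


def is_deterministic(password: bytes, salt: bytes, iterations: int) -> bool:
    """PBKDF2 is a function, not a random pick: same password, salt and
    count always give the same key, which is why decryption can work at all."""
    first = derive_key_iv(password, salt, iterations)
    second = derive_key_iv(password, salt, iterations)
    return first == second


def iteration_count_matters(password: bytes, salt: bytes,
                            iters_a: int, iters_b: int) -> bool:
    """True when two iteration counts give different keys: decrypting with
    the wrong -iter value therefore uses the wrong key and fails."""
    key_a, _ = derive_key_iv(password, salt, iters_a)
    key_b, _ = derive_key_iv(password, salt, iters_b)
    return key_a != key_b


def time_derivation(password: bytes, salt: bytes, iterations: int) -> float:
    """Seconds spent on one derivation; the cost an attacker pays per guess."""
    start = time.perf_counter()
    derive_key_iv(password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for n in (10, 1_000, 100_000):
        key, iv = derive_key_iv(PASSWORD, SALT, n)
        print(f"iter={n:>7} key={key.hex()[:16]}... iv={iv.hex()} "
              f"took {time_derivation(PASSWORD, SALT, n):.4f}s")
    print("10 vs 100000 iterations give different keys:",
          iteration_count_matters(PASSWORD, SALT, 10, 100_000))
```

The per-guess cost is what makes a high count worthwhile: every password guess an attacker makes has to pay for the same number of iterations.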
Thanks a lot, that was really helpful, but what is the difference between a secret key and a private key (between encryption.key and key.pri)?
I'm glad this video was helpful to you; encryption.key contains the secret key data for encrypting using a secret key algorithm, whereas key.pri contains the private key. The private key can decrypt and sign data. The public key can encrypt and verify.
Does the encrypted file with a password (to produce the Earth.enc file) include the hashed password in the header of the file, so when I take it to a different computer or send it to someone, it can be decrypted on that new computer with the correct password? If so then I want to see that hashed password in Earth.enc. How can I do that? I also want to see in the header of Earth.enc the random salt that was used when you added -pbkdf2.
The encrypted file contains encrypted data and nothing else.
@@CyberHashira So how would the openssl tool know if I do not enter the correct password, or if I do not enter the correct -pbkdf2 flag, or if I do not enter the correct number for -iter, and as a result of that write me an error message?
Also, how does openssl know what random salt was used, so that when I want the openssl tool to remove the encryption for me, it adds that exact salt to the password that I enter (at the time I want to remove the encryption) and hashes them together the correct number of times to decrypt the file for me?
By the way, I found online that -pbkdf2 is called "Password Based Key Derivation Function 2" --- "Function" instead of "Format".
@@HutS-e5c The openssl utility expects the user to enter all required information correctly; failed cryptographic operations return an error.
@@CyberHashira How does the openssl utility get to know that the decryption failed, so it can show me an error message? It is not a human. It would not know the difference between text that has meaning (to determine that the operation has succeeded) and gibberish (to determine that the operation has failed).
@@HutS-e5c Padding scheme checks after decryption are one way to see if the decryption was successful.
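The padding check the reply refers to, as an added Python example (not the video's code): CBC modes in `openssl enc` use PKCS#7 padding, and after decryption the tool checks that the last byte n is between 1 and 16 and that the last n bytes all equal n; a wrong key produces pseudo-random bytes whose tail almost never satisfies this, which is what surfaces as OpenSSL's "bad decrypt" error. The false-accept estimate uses constructed random data.

```python
import random

BLOCK_SIZE = 16  # AES block size; CBC mode in `openssl enc` uses PKCS#7 padding


def pkcs7_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append n bytes of value n (1 <= n <= block_size) so the total length is
    a multiple of block_size; an already aligned input gets a full extra
    block, which keeps unpadding unambiguous."""
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Strip the padding, raising ValueError on anything malformed. This check
    is what turns a wrong key or wrong -iter into a 'bad decrypt' error: the
    tool never needs to understand the plaintext, only its last bytes."""
    if not data or len(data) % block_size:
        raise ValueError("bad decrypt: length is not a multiple of the block size")
    n = data[-1]
    if n < 1 or n > block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("bad decrypt: invalid padding")
    return data[:-n]


def looks_like_successful_decrypt(candidate: bytes) -> bool:
    """What the tool can decide on its own: did the tail form valid padding?"""
    try:
        pkcs7_unpad(candidate)
        return True
    except ValueError:
        return False


def false_accept_rate(trials: int = 20000, seed: int = 1) -> float:
    """Fraction of random 'decryptions' (what a wrong key yields) that the
    padding check wrongly accepts; about 1/256 (last byte 0x01) plus
    smaller terms, so the check is a good but not perfect error detector."""
    rng = random.Random(seed)  # seeded so the estimate is reproducible
    accepted = sum(looks_like_successful_decrypt(rng.randbytes(32))
                   for _ in range(trials))
    return accepted / trials


if __name__ == "__main__":
    padded = pkcs7_pad(b"Earth")
    print("padded:", padded, "->", pkcs7_unpad(padded))
    print("garbage accepted as valid:", f"{false_accept_rate():.4%}")
```

Because roughly one wrong key in 256 slips past this check, a wrong password can occasionally yield no error and garbage output; only an authenticated mode (e.g. a MAC over the ciphertext) detects that reliably.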
Is there any chance of getting the same key while using 'openssl genrsa'?? I got the same-looking text.
The likelihood is very slim but not impossible. Keys are generated using a PRNG. What do you mean by 'same-looking text'? The same key as shown in the video?
When did you create the encryption.key file? What is inside it?
At 01:52: openssl rand -out encryption.key 32.. don't use -hex
Oh, you're correct, I'm sorry. Subscribed @@CyberHashira
@@worldwide6626 No problem, cheers!
Great explanation, thanks
You're welcome, thanks..
When I create random hex data with (256 - 11 = 245) bytes using OpenSSL and use it to encrypt with RSA, I get the padding error. However, when I instead use (256 - 12 = 244), it works. So, I started to wonder when the byte count is specified in OpenSSL (openssl rand -hex -out data 244), does the count start from 0, instead of 1? In which case 0 to 244 would be indeed 245 bytes in total. But it is not the case. When you specify openssl rand -hex 10 as an example, it generates exactly 10 bytes and not 11.
Are you sure you're generating 245 bytes of data? I think a non-readable character is getting introduced somewhere, such as CRLF, CR, or LF.
Also, "openssl rand -hex -out data 244" to generate 244 bytes of data is wrong. -hex would encode the data as a hex string, doubling its size.
Please try "openssl rand -out data 244" instead. If you're using echo then please use -n:
echo -n "1234567812345678" is 16 bytes
echo "1234567812345678" is 17 bytes
@@CyberHashira Thanks for your timely response. Yes, I realised that -hex would double the byte length and the max I can use in this case is 122. However, with hex removed, I still have to use 244 binary bytes and not 245. I will try it on a different OpenSSL version and compare. Currently, I'm using 3.0.9.
@@CyberHashira Not using echo, just openssl: "openssl rand -out data 245"
@@DeepakRamanath Interesting!
I'm also using OpenSSL 3.0.9 and I don't see this issue happening (Ubuntu/Mac OS)..
@@CyberHashira I retried everything from scratch, generating the data as well as the RSA keys and it worked with 245 bytes. Not sure what was happening previously. I'm on Fedora 38. Sorry for the confusion :)
Can you explain the difference and correlation between OpenSSL and SHA256?
Are you referring to the download page? You posted a similar comment on another one of my videos..
@@CyberHashira Yes, it's the same question.. but I'm still confused about the correlation between OpenSSL and SHA256.. SHA256 was created by the NSA, OpenSSL was created by a different organization.. or is SHA256 a library of OpenSSL?
@@mm-wm6uh SHA1, SHA2 and SHA3 are all hashing algorithms. They're used for checking integrity.. OpenSSL is a cryptographic toolkit that has all these algorithms implemented in it.
If you're unaware of hashing then I'd strongly suggest learning some basic cryptography.. All the best!
@@CyberHashira So all the code or formulas (SHA256) are inside the OpenSSL folder, right?
@@mm-wm6uh Yes, that is correct.
You do not explain the meaning of:
the exponent used in creating the private key, the modulus,
the exponent and the 2 prime numbers, the coefficient that appear when you examine the private key,
the difference between digest algorithms and cipher algorithms.
That's because the focus of this video is OpenSSL. I don't want to make a lengthy video covering every fundamental aspect, as there are plenty of other online resources available for that. If you're unfamiliar with terms like digests and ciphers, it might be helpful to start with those before diving into OpenSSL.
rengoku
iye, watashino namaywa Cyber Hashira desu.
@@CyberHashira Japanese doesn't have "ye" or "ay". You must mean "iie" (いいえ) and "namae" (名前) . Hi from Japan.
@@dono42 Gomenasai 🙂
I've learned a bit of Japanese solely through watching anime for many years, so my Japanese is flawed in many areas. I appreciate the correction. Arigato gozaimasu. Kanpai