
Comments (18)

Sumu-Ning commented on July 17, 2024

The encryption/decryption basically works between binaries. Besides that, we will also need to convert back and forth between String and binary, which is encoding specific.

When you use some encoding to convert String to binary/xstring (UTF-8 for example), you will need to use the same encoding to convert it back to string.

I am not sure about how OpenSSL encryption works exactly, but I think you can try the two steps above:
decrypt -> convert to String using some encoding

Please let me know whether it helps.

from aes.

haimat commented on July 17, 2024

Ok, so here is what I am trying. First we get the key of a password using OpenSSL:

openssl aes-128-cbc -nosalt -P -pass pass:unserGeheimesPasswort
key=445C778701C4DE527283AA00BF1BD0BA
iv =0B86DAC67E3B11A76CD672667A8224F1

Then I encrypt a string using OpenSSL, incl. base64 encoding:

echo "geheime_Kundenaten" | openssl enc -aes-128-cbc -a -nosalt -pass pass:unserGeheimesPasswort

Then in ABAP I convert both the data and the key to xstring:

"Convert encrypted payload string to binary xstring format
CALL FUNCTION 'SCMS_STRING_TO_XSTRING'
  EXPORTING
    text   = 'Q6lCAevFmyNfuyFG4nd9vUqo4twoU2u3x80nYfWS+lE=' "geheime_Kundenaten
  IMPORTING
    buffer = lv_x_value.

"Convert the OpenSSL encryption key string to binary xstring format
CALL FUNCTION 'SCMS_STRING_TO_XSTRING'
  EXPORTING
    text   = '445C778701C4DE527283AA00BF1BD0BA' "unserGeheimesPasswort
  IMPORTING
    buffer = lv_x_key.

Then I decrypt the string using your class:

CALL METHOD lr_aes_util->decrypt_xstring(
  EXPORTING
    i_data = lv_x_value
    i_key  = lv_x_key
  IMPORTING
    e_data = lv_x_result ).

Then I convert the xstring back to a string:

DATA lo_conv TYPE REF TO cl_abap_conv_in_ce.
CALL METHOD cl_abap_conv_in_ce=>create
  EXPORTING
    encoding    = 'UTF-8'
    endian      = 'L'
    ignore_cerr = 'X'
    replacement = '#'
    input       = lv_x_result
  RECEIVING
    conv        = lo_conv.

CALL METHOD lo_conv->read
  IMPORTING
    data = lv_result.

And finally I base64 decode the result again:

DATA: base64 TYPE REF TO cl_http_utility.
CREATE OBJECT base64.
CALL METHOD base64->decode_base64
  EXPORTING
    encoded = lv_result
  RECEIVING
    decoded = lv_result.

However, that result is not the original string I have encrypted via OpenSSL.
Any ideas?

Sumu-Ning commented on July 17, 2024

First, Base64 and Hex are both representations of binaries:
Hex: each character (0 - F, 2 ^ 4) represents 4 bits
Base64 is a little more complicated: it uses 4 characters (out of 64, 2 ^ 6, every 6 bits is a unit) to represent 3 bytes (6 * 4 = 8 * 3)

Here is what I thought:

When you use openssl to encrypt:
PlainText ---(encoding, UTF-8?)--> Binaries representing the String ---encrypt--> Ciphertext (Binaries) ---Base64 Encoding--> Ciphertext (readable, binaries represented by Base64)

To decrypt it in ABAP, we need the ciphertext and the key

Ciphertext is in the format of Base64, and it needs to be converted to Hex. There might be some ABAP Function Module / Class doing that already, I assume.

Key is already in the format of Hex: key=445C778701C4DE527283AA00BF1BD0BA
32 characters of 0-F: 4 bit * 32 = 128 bit, it is already the 128 bit binary key represented by Hex.

We can decrypt now, should be getting another Hex String, representing the binaries of the plain text. However, to convert this binary to String, we will need to know the encoding openssl is using. Hopefully it is UTF-8.

That's all, it should be exactly the opposite process of openssl encryption.

haimat commented on July 17, 2024

But I only get garbage after the process I described above. What step(s) am I missing from your point of view?

Sumu-Ning commented on July 17, 2024

I can see 3:

  1. The key (445C778701C4DE527283AA00BF1BD0BA) is already Xstring (Hex), no need to convert it.
  2. The ciphertext (Q6lCAevFmyNfuyFG4nd9vUqo4twoU2u3x80nYfWS+lE=) is in Base64, and it needs to be converted to Xstring (Hex).
  3. After decryption, no need to do Base64 decoding, just use String decoding (probably UTF-8; this one I am not sure, depending on what openssl uses to convert string to binary, use the same).

haimat commented on July 17, 2024

Ok thanks, I will give that a try and let you know!

Sumu-Ning commented on July 17, 2024

Did some research and found something I did not know before:
The encryption uses cbc:
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_Block_Chaining_.28CBC.29

My code does not support this, and it is a special way to use AES:
Take your situation for example:

  1. Base64 to Hex
    Q6lCAevFmyNfuyFG4nd9vUqo4twoU2u3x80nYfWS+lE= ->
    43A94201EBC59B235FBB2146E2777DBD4AA8E2DC28536BB7C7CD2761F592FA51
  2. Split Hex into blocks, 128 bit in this case
    43A94201EBC59B235FBB2146E2777DBD
    4AA8E2DC28536BB7C7CD2761F592FA51
  3. Decrypt each block using the key
    29E1BFAE1B527CC2339D07081EE74A90
    37CC2C23CBC8912A56B2284FEB7E74B4
  4. Make an XOR to each decrypted block using previous encrypted block, The first decrypted block, using the IV:
    29E1BFAE1B527CC2339D07081EE74A90 XOR 0B86DAC67E3B11A76CD672667A8224F1 =>
    2267656865696D655F4B756E64656E61
    37CC2C23CBC8912A56B2284FEB7E74B4 XOR 43A94201EBC59B235FBB2146E2777DBD =>
    74656E22200D0A090909090909090909
  5. You got the Hex of the original String:
    2267656865696D655F4B756E64656E6174656E22200D0A090909090909090909
  6. Convert it to String
    "geheime_Kundenaten"
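
The six steps above, replayed on the thread's own values as an added example that is not part of the original post or of the aes project. Python's standard library has no AES, so the per-block outputs of step 3 are taken from the post as given; `cbc_decrypt`, `pkcs7_unpad` and `STEP3` are names made up here, and a real AES-128 single-block decrypt under the thread's key would replace the lookup.

```python
import base64

BLOCK = 16  # AES block size in bytes

def cbc_decrypt(ciphertext, iv, block_decrypt):
    """CBC decryption: P_i = D_k(C_i) XOR C_(i-1), with C_0 = IV."""
    if len(ciphertext) % BLOCK or len(iv) != BLOCK:
        raise ValueError("ciphertext must be whole blocks and the IV one block")
    plain, prev = bytearray(), iv
    for off in range(0, len(ciphertext), BLOCK):
        block = ciphertext[off:off + BLOCK]
        plain += bytes(a ^ b for a, b in zip(block_decrypt(block), prev))
        prev = block  # chain on the previous *ciphertext* block, not the plaintext
    return bytes(plain)

def pkcs7_unpad(data):
    """Strip PKCS#7 padding and reject anything malformed."""
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return data[:-n]

# Values copied from the thread.
CIPHERTEXT = base64.b64decode("Q6lCAevFmyNfuyFG4nd9vUqo4twoU2u3x80nYfWS+lE=")
IV = bytes.fromhex("0B86DAC67E3B11A76CD672667A8224F1")
# Assumption: step 3 results from the post stand in for the raw AES block decrypt.
STEP3 = {
    bytes.fromhex("43A94201EBC59B235FBB2146E2777DBD"):
        bytes.fromhex("29E1BFAE1B527CC2339D07081EE74A90"),
    bytes.fromhex("4AA8E2DC28536BB7C7CD2761F592FA51"):
        bytes.fromhex("37CC2C23CBC8912A56B2284FEB7E74B4"),
}

def decrypt_thread_example():
    """Return (padded plaintext bytes, decoded text) for the thread's message."""
    padded = cbc_decrypt(CIPHERTEXT, IV, STEP3.__getitem__)
    return padded, pkcs7_unpad(padded).decode("utf-8")

if __name__ == "__main__":
    padded, text = decrypt_thread_example()
    print(padded.hex().upper())
    print(repr(text))
```

The recovered bytes end in nine 0x09 padding bytes and also carry the quotes, a trailing space and CR LF that the shell passed to `openssl`, so the padding has to be stripped before the string conversion in step 6.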

haimat commented on July 17, 2024

So do I understand you correctly, that it is not possible to decrypt using your code in ABAP of a string encrypted with OpenSSL?

Sumu-Ning commented on July 17, 2024

Yes, you can.

But you will need to do some additional work yourself, it is not hard at all.

  1. Slice the encrypted Hex into blocks
  2. decrypt each block separately, using the same key
  3. Apply the XOR conversion back.

You are welcome to extend my code here, so that others could use it later :)
I would love to add it myself too, but I have to take care of some other weird code at work first :P

Sumu-Ning commented on July 17, 2024

I am not sure whether you have finished your work, but I just added more encryption modes into this class, including CBC.

haimat commented on July 17, 2024

Ohh that sounds great, thanks. So does it work with my example now?

Sumu-Ning commented on July 17, 2024

It does, but only to the decryption part.
Before that, you will need to convert from BASE64 to HEX
After that, you will need to convert from HEX to String

DECRYPT_XSTRING

 Import parameter

       I_KEY                                445C778701C4DE527283AA00BF1BD0BA
       I_DATA                               43A94201EBC59B235FBB2146E2777DBD4AA8E2DC28536BB7C7CD2761F592FA51
       I_INITIALIZATION_VECTOR              0B86DAC67E3B11A76CD672667A8224F1
       I_ENCRYPTION_MODE                    CBC

 Export params

       E_DATA                               2267656865696D655F4B756E64656E6174656E22200D0A090909090909090909

haimat commented on July 17, 2024

I see, thanks. For converting from Base64 to HEX, and then from HEX to String, do you use SAP standard functions?

Sumu-Ning commented on July 17, 2024

Base64 -> xstring
SCMS_BASE64_DECODE_STR

xstring to string
SCMS_XSTRING_TO_BINARY
SCMS_BINARY_TO_STRING, This one you will need to know what encoding openssl is using

haimat commented on July 17, 2024

That's awesome, thanks a lot!
I will give it a try next week and let you know then.

haimat commented on July 17, 2024

Hey, now it works well, also with data from OpenSSL using AES-CBC:
Thanks a lot for your quick fix, helped me a lot.

Only one question left: Any chance that you could also implement support for a salt for AES, as used in OpenSSL? Or should I open another ticket for that?

Sumu-Ning commented on July 17, 2024

Salt is not really something related to encryption, it is some conversion to the plaintext to introduce randomness. Since aes can reversely decrypt, you don't even need to know what the salt is exactly, but only how salt is added. After decryption, you can just remove the salt from the result.

There might be multiple ways to add salt, and if you can figure out how openssl adds salt, the reverse operation should be fairly easy, probably just some substring operation.
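
What `openssl enc` does when `-nosalt` is omitted, as an added example that is not part of the thread or of the aes project: the output begins with the 8-byte marker `Salted__` followed by an 8-byte salt, and the salt goes into the password-to-key derivation (EVP_BytesToKey; default digest MD5 before OpenSSL 1.1.0, SHA-256 from 1.1.0 on), not into the plaintext. The function names and the sample blob are constructed for illustration, and output made with `-pbkdf2` is not covered.

```python
import hashlib

MAGIC = b"Salted__"  # marker `openssl enc` writes in front of the salt
SALT_LEN = 8

def split_salted(blob):
    """Return (salt, ciphertext); a blob made with -nosalt has no header."""
    if blob.startswith(MAGIC):
        if len(blob) < len(MAGIC) + SALT_LEN:
            raise ValueError("truncated salt header")
        start = len(MAGIC)
        return blob[start:start + SALT_LEN], blob[start + SALT_LEN:]
    return b"", blob

def evp_bytes_to_key(password, salt, key_len=16, iv_len=16, digest="md5"):
    """Single-iteration EVP_BytesToKey.

    D_1 = H(password || salt), D_i = H(D_(i-1) || password || salt);
    the key is the first key_len bytes of D_1 || D_2 || ..., the IV follows.
    """
    material, prev = b"", b""
    while len(material) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        material += prev
    return material[:key_len], material[key_len:key_len + iv_len]

def derive_for_blob(password, blob, digest="md5"):
    """Split the header off a raw (already Base64-decoded) blob and derive key and IV."""
    salt, body = split_salted(blob)
    key, iv = evp_bytes_to_key(password, salt, digest=digest)
    return key, iv, body

if __name__ == "__main__":
    # Constructed sample: header, salt 00..07, one dummy ciphertext block.
    blob = MAGIC + bytes(range(8)) + b"\xaa" * 16
    key, iv, body = derive_for_blob(b"unserGeheimesPasswort", blob)
    print(key.hex().upper(), iv.hex().upper(), len(body))
```

The key, IV and remaining ciphertext returned here are what a CBC decrypt call takes as input; with `-a`, the Base64 layer is removed before the header check.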

haimat commented on July 17, 2024

Ok thanks.
