Linux – Different results from GnuPG and OpenSSL when using AES256 encryption

encryptiongpglinuxopenssl

Text: apple
Pass: password

openssl aes-256-cbc -e -a -in  apple.txt

Output: U2FsdGVkX1/sqDrVkgk/7dKiCfLW+1/bgvRT/YAopJQ=

gpg -c --cipher-algo AES256 apple.txt

Output: A0ECQMCvDw3qeyQxgNg0kABv5nE4IDtSYmDTJudbl55d0GjBkiLd1B4sgbY/QQPVJX/uaHuDIb9
xhcwW/7UaxIxh9URhkHPni2IhYoOuKqm

How to sync out the two results?

Best Answer

The openssl command is salting your input and putting it in an OpenSSL encryption container. You could use the -nosalt option, but it will reduce the security of your encryption. I know less about the gpg command, but I'm pretty sure it's doing something similar. Its output is far too large to be just the word "apple" encrypted.

Related Solutions

Nginx – Testing SSL performance on Nginx

What I have investigated may be helpful for you. There is an article from intel : https://software.intel.com/sites/default/files/open-ssl-performance-paper.pdf

They use apache to test and they said they did not tune any configuration of apache. I think for Nginx is same.

I use gdb to trace back and here is my result :

(gdb) bt
#0  0x00000000004dcd50 in aesni_init_key ()
#1  0x00000000004d8dff in EVP_CipherInit_ex ()
#2  0x0000000000494c5a in ssl3_send_newsession_ticket ()
#3  0x00000000004997e8 in ssl3_accept ()
#4  0x00000000004281af in ngx_ssl_handshake (c=0x7ffff7fad1c0) at src/event/ngx_event_openssl.c:996
#5  0x0000000000428571 in ngx_ssl_handshake_handler (ev=0x8c3770) at src/event/ngx_event_openssl.c:1144
#6  0x0000000000424467 in ngx_epoll_process_events (cycle=0x89b9d0, timer=<value optimized out>, flags=<value optimized out>)
    at src/event/modules/ngx_epoll_module.c:691
#7  0x000000000041bd43 in ngx_process_events_and_timers (cycle=0x89b9d0) at src/event/ngx_event.c:248
#8  0x0000000000421de8 in ngx_single_process_cycle (cycle=0x89b9d0) at src/os/unix/ngx_process_cycle.c:315
#9  0x000000000040519c in main (argc=<value optimized out>, argv=<value optimized out>) at src/core/nginx.c:404

EVP_CipherInit_ex uses ctx->cipher->init(ctx,key,iv,enc) to start aesni_init_key (). The details defined at openssl/crypto/evp/e_aes.c

 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
static const EVP_CIPHER aesni_##keylen##_##mode = { \
    nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
    flags|EVP_CIPH_##MODE##_MODE,   \
    aesni_init_key,         \
    aesni_##mode##_cipher,      \
    NULL,               \
    sizeof(EVP_AES_KEY),        \
    NULL,NULL,NULL,NULL }; \
static const EVP_CIPHER aes_##keylen##_##mode = { \
    nid##_##keylen##_##nmode,blocksize, \
    keylen/8,ivlen, \
    flags|EVP_CIPH_##MODE##_MODE,   \
    aes_init_key,           \
    aes_##mode##_cipher,        \
    NULL,               \
    sizeof(EVP_AES_KEY),        \
    NULL,NULL,NULL,NULL }; \
const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }

AESNI_CAPABLE determines which function enable, aes_init_key or aes_init_key. This is completed at compilation. Further detail you can find here .

If your openssl evp interface enabled AESNI, Nginx also uses that. So for your case, I think nginx is using AESNI by default.

Nginx – RC4_128 to avoid BEAST

No, there aren't supported RC4 ciphers of a greater key length than 128 bit.

The use of this cipher as the current "best practice" might open the door a bit wider for a brute force attack against the shorter key, but is the lesser of two evils at the moment.

Best Answer

Related Solutions

Nginx – Testing SSL performance on Nginx

Nginx – RC4_128 to avoid BEAST

Related Topic