Steve,

Thank you for the prompt reply! Here is the command that I'm using to create a pkcs8 formatted key:

openssl pkcs8 -in <file> -topk8 -v2 des3 -passout pass:<pass>

As you said, "The bit you are missing is the PKCS#5 spec which gives details of the PBKDF2 key derivation algorithm."

My questions:

1) Is the type of algorithm stored in the SEQUENCE value preceding the :PBES2 declaration? (see below)
2) If someone knows the default algorithm being used by the command above, please let me know!

>  0:d=0 hl=4 l= 710 cons: SEQUENCE
>  4:d=1 hl=2 l=  64 cons: SEQUENCE
>  6:d=2 hl=2 l=   9 prim: OBJECT :PBES2
> 17:d=2 hl=2 l=  51 cons: SEQUENCE
> 19:d=3 hl=2 l=  27 cons: SEQUENCE
> 21:d=4 hl=2 l=   9 prim: OBJECT :PBKDF2

Thanks Steve and fellow openssl users!

On Wed, Jan 7, 2009 at 2:13 AM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Tue, Jan 06, 2009, Nate wrote:
>
> > I'm using openssl to create an encrypted key in pkcs8 format. Specifically I'm using triple des. An example of the asn1parse output is below.
> >
> > My goal is to take the "rather long hexadecimal value", which I assume is the encrypted key, and decrypt it using a separate triple des decryption library. The decryption method I would like to use asks for a 24 byte key and an 8 byte input vector as well as the encrypted hexadecimal value. I haven't been able to find an online resource that clearly describes what the parts of the asn1parse output are.
> >
> > What I think I know (hahaha):
> >
> > 1) The first short hexadecimal value is a salt.
> > 2) The INTEGER is the iteration count (2048).
> > 3) The second short hexadecimal value is an initialization vector for CBC.
> > 4) The long hexadecimal value is the encrypted key.
> >
> > Two Questions:
> >
> > 1) How do I get the 24 byte key? Use some sort of algorithm to generate it from the salt, the iteration count, and the user's password?
> > 2) What exactly is the 8 byte input vector? The first 8 bytes of the second short hexadecimal value?
> >
> > Thank you for your time!
> >
> > openssl asn1parse -in my_private_key.txt produces:
> >
> >  0:d=0 hl=4 l= 710 cons: SEQUENCE
> >  4:d=1 hl=2 l=  64 cons: SEQUENCE
> >  6:d=2 hl=2 l=   9 prim: OBJECT :PBES2
> > 17:d=2 hl=2 l=  51 cons: SEQUENCE
> > 19:d=3 hl=2 l=  27 cons: SEQUENCE
> > 21:d=4 hl=2 l=   9 prim: OBJECT :PBKDF2
> > 32:d=4 hl=2 l=  14 cons: SEQUENCE
> > 34:d=5 hl=2 l=   8 prim: OCTET STRING [HEX DUMP]:3F471CCCC0EDDDD9
> > 44:d=5 hl=2 l=   2 prim: INTEGER :0800
> > 48:d=3 hl=2 l=  20 cons: SEQUENCE
> > 50:d=4 hl=2 l=   8 prim: OBJECT :des-ede3-cbc
> > 60:d=4 hl=2 l=   8 prim: OCTET STRING [HEX DUMP]:93BBBB22D404D394
> > 70:d=1 hl=4 l= 640 prim: OCTET STRING [HEX DUMP]:<rather long hex value here>
>
> The bit you are missing is the PKCS#5 spec which gives details of the PBKDF2 key derivation algorithm.
>
> From that the salt is the first OCTET STRING, the iteration count the INTEGER value and the IV the second OCTET STRING. The actual encrypted key is the 640 byte longer OCTET STRING.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org