I use the FZ crypto CLI to decrypt data that has been encrypted outside FZ. I know the AES key and IV used to encrypt the data.
But strangely decryption on FZ always fail.
The following fails:
- encrypt with FZ CLI “>: crypto encrypt” ==> OK
- decrypt with FZ CLI “>: crypto decrypt” ==> OK
- decrypt with other tool (like Python or Cyberchef) ==> fails to decrypt data and gives garbage
The opposite is also not working:
- encrypt with other tool (like Python or Cyberchef) ==> OK
- decrypt with other tool (like Python or Cyberchef) ==> OK
- decrypt with FZ CLI “>: crypto decrypt” ==> fails to decrypt data and gives garbage
But each time encrypt and decrypt with FZ work fine.
I am using the same AES256 key and same IV each time.
In case there is an endianness issue, I have tried using simple & symetrical AES key & IV like “BBBBBB…BBBBB”
but it doesn’t change anything.
So my guess is FZ core2 is changing the AES key when storing into crypto enclave on Core2 and using this modified AES key to encrypt and decrypt.
Do you have any idea on what happens ?
Here are the commands I useed to store a key/encrypt/decrypt
>: crypto
Usage:
crypto <cmd> <args>
Cmd list:
encrypt <key_slot:int> <iv:hex> - Using key from secure enclave and IV encrypt plain text with AES256CBC and encode to hex
decrypt <key_slot:int> <iv:hex> - Using key from secure enclave and IV decrypt hex encoded encrypted with AES256CBC data to plain text
has_key <key_slot:int> - Check if secure enclave has key in slot
store_key <key_slot:int> <key_type:str> <key_size:int> <key_data:hex> - Store key in secure enclave. !!! NON-REVERSIBLE OPERATION - READ MANUAL FIRST !!!
To store a new AES key
>: crypto store_key 11 simple 256 <My 32 bytes AES key>
To encrypt using that key
>: crypto encrypt 11 <My 16 bytes IV>
To encrypt using that key
>: crypto decrypt 11 <My 16 bytes IV>