AKS

Reputation: 204

Openssl RC4 - password as plain text

I am trying to encrypt using RC4 using openssl. I can match results with online cipher tools only with key as hex but not as plaintext.

Using password option with plaintext - DOES NOT MATCH.

# echo -ne "stackoverflow" | openssl rc4 -pass pass:"rc4cipher" -nopad -nosalt | xxd -p

Result : 8189898ec30bd96a81bca0e293

Getting the symmetric key for the password

# echo -ne "stackoverflow" | openssl rc4 -pass pass:"rc4cipher" -nopad -nosalt -p

key=1E8B649064CC6657312EE7346ED410A4

With the hex key for the above password (-K option) - MATCHES.

echo -ne "stackoverflow" | openssl rc4 -K "1E8B649064CC6657312EE7346ED410A4" -nopad -nosalt | xxd -p

Result :8189898ec30bd96a81bca0e293

I can match my result with online tools by using key as hex but not as plain text.

[screenshots of the online tool's results: one with the key entered as plain text, one with the key entered as hex]

Can someone please help me with the option to use with openssl?

Thanks,

Ak

Upvotes: 1

Views: 1515

Answers (1)

Maarten Bodewes

Reputation: 94058

Keys should consist of random binary data. They should not consist of text. If you need to perform password based encryption you need to use a password hash or, more precisely, a Password Based Key Derivation Function to turn the password into a key. Common PBKDFs are bcrypt, scrypt, PBKDF2 and Argon2.

And this is what OpenSSL (command line) does underneath: it uses a weak, OpenSSL proprietary algorithm called EVP_BytesToKey. This is basically only compatible with OpenSSL implementations or compatibility libs.

Most online tools (which you should never use to validate any implementation in the end) simply convert the text to binary using character-encoding such as UTF-8, Windows-1252 or any other - usually unspecified - encoding. This is not secure; it's as braindead as most click-bait encryption tools found online.

Upvotes: 2
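To make the difference concrete, here is an added example (not code from the question or the answer) that reimplements both sides in pure Python: OpenSSL's EVP_BytesToKey derivation (what `-pass pass:` with `-nosalt` feeds to RC4) next to the "password bytes are the key" approach the online tools use, plus a small RC4 so the two keys can be run over the same message. Which digest your `openssl` binary uses by default depends on the version: MD5 before 1.1.0, SHA-256 from 1.1.0 on, and the `-md` option overrides it; the example computes both so you can check which one reproduces the `key=...` line that `-p` printed for you. The password and message are the ones from the question; the `compare` helper and the RC4 test vectors are mine.

```python
"""Added example: reproduce what `openssl rc4 -pass pass:...` derives versus
what online tools use as the key, and encrypt the same message with both."""
import hashlib

# Sample inputs taken from the question above (constructed test data).
PASSWORD = b"rc4cipher"
MESSAGE = b"stackoverflow"


def evp_bytes_to_key(password, salt, key_len, iv_len=0, digest="md5", count=1):
    """OpenSSL's EVP_BytesToKey.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt); each D_i is
    re-hashed count-1 more times. Blocks are concatenated until key_len + iv_len
    bytes exist. `openssl enc` uses count=1, and -nosalt means an empty salt.
    """
    out = b""
    prev = b""
    while len(out) < key_len + iv_len:
        block = hashlib.new(digest, prev + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(digest, block).digest()
        out += block
        prev = block
    return out[:key_len], out[key_len:key_len + iv_len]


def rc4(key, data):
    """Plain RC4 (KSA then PRGA). Encryption and decryption are the same operation."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_from_password_openssl(password, digest):
    """What `openssl rc4 -pass pass:... -nosalt` derives: a 16-byte RC4 key
    from EVP_BytesToKey with the given digest (MD5 or SHA-256 by version)."""
    key, _iv = evp_bytes_to_key(password, b"", key_len=16, iv_len=0, digest=digest)
    return key


def key_from_password_naive(password):
    """What the online tools do: the password's own bytes are the key."""
    return password


def compare(password=PASSWORD, message=MESSAGE):
    """Return {name: (key_hex, ciphertext_hex)} for each key-derivation choice.
    Hypothetical helper added for this example."""
    results = {}
    for digest in ("md5", "sha256"):
        key = key_from_password_openssl(password, digest)
        results["openssl-" + digest] = (key.hex(), rc4(key, message).hex())
    key = key_from_password_naive(password)
    results["naive"] = (key.hex(), rc4(key, message).hex())
    return results


if __name__ == "__main__":
    for name, (key_hex, ct_hex) in compare().items():
        print(f"{name:15s} key={key_hex} ct={ct_hex}")
```

Run it and compare the `openssl-md5` or `openssl-sha256` key with the `key=` line that `-p` printed; that is the value to paste into the online tool (or into `-K`) if you want the results to line up. The `naive` row is what the tool computes from the plain-text password, which is why the two never matched.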
