[openssl-users] Using random bytes only in openssl_encrypt versus real private key

Richard Levitte levitte at openssl.org
Mon Sep 3 03:48:17 UTC 2018

In message <6126f3d3-91a0-02b3-20e8-ab26dbf8bc60 at gmail.com> on Sun, 2 Sep 2018 06:48:09 -0500, Jim Dutton <randomnoise058 at gmail.com> said:

> It appears that the (PHP) openssl_encrypt function will accept a string of
> random bytes as the encryption key in place of a generated private key. It
> works without any errors or warnings. So does the openssl_decrypt function.
> This begs the question: what does openssl_encrypt actually do with just a string
> of random bytes passed as the "key". I can't find anything in the OpenSSL or
> PHP/openssl source code that clearly identifies any particular action
> specifically related to a string of random bytes used as the encryption key,
> other than requiring a correct key length.

openssl_encrypt (and openssl_decrypt) does symmetric encryption, not
asymmetric, so private / public keys aren't involved, just an
encryption key that, as you noticed, can be any random bytes (although
they are usually generated from a passphrase using a secure key
derivation function).  For more information, I suggest you read the
PHP docs (which is essentially what I did):



Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

More information about the openssl-users mailing list