From owner-freebsd-questions@FreeBSD.ORG Mon May 25 21:52:07 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0A42E106566B for ; Mon, 25 May 2009 21:52:07 +0000 (UTC) (envelope-from rsmith@xs4all.nl) Received: from smtp-vbr1.xs4all.nl (smtp-vbr1.xs4all.nl [194.109.24.21]) by mx1.freebsd.org (Postfix) with ESMTP id 77B538FC15 for ; Mon, 25 May 2009 21:52:06 +0000 (UTC) (envelope-from rsmith@xs4all.nl) Received: from slackbox.xs4all.nl (slackbox.xs4all.nl [213.84.242.160]) by smtp-vbr1.xs4all.nl (8.13.8/8.13.8) with ESMTP id n4PLq5IJ015951; Mon, 25 May 2009 23:52:05 +0200 (CEST) (envelope-from rsmith@xs4all.nl) Received: by slackbox.xs4all.nl (Postfix, from userid 1001) id 4FD7ABA98; Mon, 25 May 2009 23:52:05 +0200 (CEST) Date: Mon, 25 May 2009 23:52:05 +0200 From: Roland Smith To: RW Message-ID: <20090525215205.GA45395@slackbox.xs4all.nl> References: <26face530905242257m7030933cy4a1171de7a06ee59@mail.gmail.com> <20090525190039.GA39139@slackbox.xs4all.nl> <20090525220601.1a9f7109@gumby.homeunix.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="opJtzjQTFsWo+cga" Content-Disposition: inline In-Reply-To: <20090525220601.1a9f7109@gumby.homeunix.com> X-GPG-Fingerprint: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 X-GPG-Key: http://www.xs4all.nl/~rsmith/pubkey.txt X-GPG-Notice: If this message is not signed, don't assume I sent it! User-Agent: Mutt/1.5.19 (2009-01-05) X-Virus-Scanned: by XS4ALL Virus Scanner Cc: freebsd-questions@freebsd.org Subject: Re: Secure unsalted or fixed salt symmetric encryption? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 May 2009 21:52:07 -0000 --opJtzjQTFsWo+cga Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, May 25, 2009 at 10:06:01PM +0100, RW wrote: > On Mon, 25 May 2009 21:00:39 +0200 > Roland Smith wrote: >=20 >=20 > > Or you can use the -nosalt option. But as explained in > > [http://www.openssl.org/docs/apps/enc.html], using a random salt by > > default is a design decision because: "Without the -salt option it is > > possible to perform efficient dictionary attacks on the password". > > That doesn't sound good, does it? >=20 > It's not a problem since she's using a random key file, not a weak > password. But a key alone is not sufficient. You'll need to specify an initialization vector as well, using the -iv option. E.g.: openssl enc -aes256 -in -out .aes \ -K 971001EE50DCDBCAF3F521851E773B0285838CA549E2258C1A195565D61F2145 \ -iv FD246E34A631AE38 If you try it with only a key or keyfile, you'll get a 'iv undefined' error, resulting in a zero-length output file. :-( If you use a password (-pass) you don't need an iv. Roland --=20 R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) --opJtzjQTFsWo+cga Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.11 (FreeBSD) iEYEARECAAYFAkobEwUACgkQEnfvsMMhpyW6ewCgg2Y7n2+YDvlZO5H/jfYgL6vV GpQAoKZp6F4Ojrv36rDF6FLTYfcix/vY =ksp5 -----END PGP SIGNATURE----- --opJtzjQTFsWo+cga--