From owner-freebsd-questions@FreeBSD.ORG Mon May 25 22:57:05 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 96F76106566B for ; Mon, 25 May 2009 22:57:05 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from mail-ew0-f159.google.com (mail-ew0-f159.google.com [209.85.219.159]) by mx1.freebsd.org (Postfix) with ESMTP id 209EA8FC14 for ; Mon, 25 May 2009 22:57:04 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: by ewy3 with SMTP id 3so3431256ewy.43 for ; Mon, 25 May 2009 15:57:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:subject :message-id:in-reply-to:references:x-mailer:mime-version :content-type:content-transfer-encoding; bh=nZkphRFis+TvIjZCCmp+JS954bnyGMgNXQp0eJPNbi8=; b=IVhqfOI4Vwh6WB26SxFB1UBRm2zPOeYFNF1MK7kwObMfhFHC+/CYmGR54oVMGwMIkW P88n5DvaoUDI6fOQ4fh3Gn0DVZtSOi/MHCm28dGxxBgyrydpncKzqZnRmBZWjk+FZglj RrvEDAO4devvwrAso/21uo9n3hr+FiZ6Q49uA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=date:from:to:subject:message-id:in-reply-to:references:x-mailer :mime-version:content-type:content-transfer-encoding; b=VOM0JwjuBxI26FA2+ucv8/3HdR0t3Hn6C71w87xAE9phUgJFQ08khqfqbelRI8uEy5 GQYLe4NFX2EK5DeUjxpVxVAQ2Oc/XOVMHn9xBIeq8ojTpaJzWteLz7pviMXoAMN+xa5c EbWeeQoaTU/0HIyJTdDEoQdj5OZd65FAfc0to= Received: by 10.216.10.74 with SMTP id 52mr1331825weu.164.1243292223755; Mon, 25 May 2009 15:57:03 -0700 (PDT) Received: from gumby.homeunix.com (bb-87-81-140-128.ukonline.co.uk [87.81.140.128]) by mx.google.com with ESMTPS id 28sm647119eyg.14.2009.05.25.15.57.02 (version=SSLv3 cipher=RC4-MD5); Mon, 25 May 2009 15:57:03 -0700 (PDT) Date: Mon, 25 May 2009 23:57:00 +0100 From: RW To: freebsd-questions@freebsd.org Message-ID: <20090525235700.5907deaf@gumby.homeunix.com> In-Reply-To: <20090525215205.GA45395@slackbox.xs4all.nl> References: <26face530905242257m7030933cy4a1171de7a06ee59@mail.gmail.com> <20090525190039.GA39139@slackbox.xs4all.nl> <20090525220601.1a9f7109@gumby.homeunix.com> <20090525215205.GA45395@slackbox.xs4all.nl> X-Mailer: Claws Mail 3.7.1 (GTK+ 2.16.1; i386-portbld-freebsd7.1) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: Secure unsalted or fixed salt symmetric encryption? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 May 2009 22:57:05 -0000 On Mon, 25 May 2009 23:52:05 +0200 Roland Smith wrote: > On Mon, May 25, 2009 at 10:06:01PM +0100, RW wrote: > > On Mon, 25 May 2009 21:00:39 +0200 > > Roland Smith wrote: > > > > > > > Or you can use the -nosalt option. But as explained in > > > [http://www.openssl.org/docs/apps/enc.html], using a random salt > > > by default is a design decision because: "Without the -salt > > > option it is possible to perform efficient dictionary attacks on > > > the password". That doesn't sound good, does it? > > > > It's not a problem since she's using a random key file, not a weak > > password. > > But a key alone is not sufficient. You'll need to specify an > initialization vector as well, using the -iv option. E.g.: > > openssl enc -aes256 -in -out .aes \ > -K 971001EE50DCDBCAF3F521851E773B0285838CA549E2258C1A195565D61F2145 \ > -iv FD246E34A631AE38 > > If you try it with only a key or keyfile, you'll get a 'iv undefined' > error, resulting in a zero-length output file. :-( > It works for me: $ echo "hello world" > infile $ head -c32 /dev/random |sha256 > keyfile $ openssl enc -aes256 -nosalt -kfile keyfile -in infile -out outfile $ openssl enc -aes256 -nosalt -d -kfile keyfile -in outfile hello world