Re: Secure unsalted or fixed salt symmetric encryption?



On Sun, May 24, 2009 at 10:57:35PM -0700, Kelly Jones wrote:
Are there any secure openssl symmetric encryption routines that
*don't* use a salt?

Is it secure to use a random-but-fixed salt (openssl enc -S salt)?

"man enc" says "This option [-salt] should ALWAYS be used [...]"

Reason I ask: I was using this command to backup files using
compression/encryption:

bzip2 -k -c original | openssl enc -bf -pass file:passfile > encfile

and was surprised that doing this to identical files yielded different
results. I then realized "openssl enc" randomly(?) chooses a salt if
you don't supply one.

So? It will still decrypt properly if you give the right password!

I want my backups encrypted, but I also want identical files to
encrypt identically. Thoughts?

You could use the -S option and specify a constant salt. It might make
the encrypted materials easier to break, though. You can generate a
random salt with openssl as well:

openssl rand 8 | hexdump -e '"0x" 2 "%X" "\n"'

(According to [http://www.openssl.org/docs/crypto/EVP_BytesToKey.html],
the salt is 8 bytes.)

Or you can use the -nosalt option. But as explained in
[http://www.openssl.org/docs/apps/enc.html], using a random salt by
default is a design decision because: "Without the -salt option it is
possible to perform efficient dictionary attacks on the password". That
doesn't sound good, does it?

Alternatively, ports like security/ccrypt hash your password to make a
key. They don't require a separate salt.

If you are using a (e.g. USB connected) disk as backup, use geli(8) to encrypt
the whole disk instead of encrypting each file separately.

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

Attachment: pgpqKls5Mdf67.pgp
Description: PGP signature