Re: Secure unsalted or fixed salt symmetric encryption?



On Sun, May 24, 2009 at 10:57:35PM -0700, Kelly Jones wrote:
Are there any secure openssl symmetric encryption routines that
*don't* use a salt?

Is it secure to use a random-but-fixed salt (openssl enc -S salt)?

"man enc" says "This option [-salt] should ALWAYS be used [...]"

Reason I ask: I was using this command to backup files using
compression/encryption:

bzip2 -k -c original | openssl enc -bf -pass file:passfile > encfile

and was surprised that doing this to identical files yielded different
results. I then realized "openssl enc" randomly(?) chooses a salt if
you don't supply one.

So? It will still decrypt properly if you give the right password!

I want my backups encrypted, but I also want identical files to
encrypt identically. Thoughts?

You could use the -S option and specify a constant salt. It might make
the encrypted materials easier to break, though. You can generate a
random salt with openssl as well:

openssl rand 8 | hexdump -e '"0x" 2 "%X" "\n"'

(According to [http://www.openssl.org/docs/crypto/EVP_BytesToKey.html],
the salt is 8 bytes.)

Or you can use the -nosalt option. But as explained in
[http://www.openssl.org/docs/apps/enc.html], using a random salt by
default is a design decision because: "Without the -salt option it is
possible to perform efficient dictionary attacks on the password". That
doesn't sound good, does it?

Alternatively, ports like security/ccrypt hash your password to make a
key. They don't require a separate salt.

If you are using a (e.g. USB connected) disk as backup, use geli(8) to encrypt
the whole disk instead of encrypting each file separately.

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

Attachment: pgpqKls5Mdf67.pgp
Description: PGP signature



Relevant Pages

  • RE: Values to use for a salt?
    ... > increased randomness and uniqueness of a password's hash. ... Not unless the random salt happened to be the same for both. ... because they can encrypt their precomputed hash ...
    (SecProg)
  • Re: Rijndael Reproducing
    ... Every time through the loop you are creating a new rfc. ... that it generates a *random* salt of the size specified. ... How do I get an IV and Key that are consistant for a given pass phrase? ... keeps the same random salt. ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: [PHP] password hashing and crypt()
    ... and with your "zz" $salt exposed to anyone who ... can tell hash from grits. ... Tying your exampleto older encryption mechanisms. ... is true that the random salt is less valid than the custom supplied ...
    (php.general)
  • Re: [PHP] password hashing and crypt()
    ... I didn't know I was competing. ... I think the $salt and encryption method both count for a lot. ... salt would be better than a random salt given that the encryption method ...
    (php.general)
  • Re: Encrypt with RijndaelManaged and decrypt with OpenSSL
    ... I implemented the documented keygen algorithm described here in C#: ... I could NOT get the correct key and iv for the same salt. ... IV and Key values as output by openssl enc ... change the iteration count for PBKD keys! ...
    (microsoft.public.dotnet.security)