Re: Secure unsalted or fixed salt symmetric encryption?

2009-05-26 Thread RW
On Tue, 26 May 2009 19:02:10 +0200
Roland Smith  wrote:


> Or if you have the case of a 'known-plaintext' attack. It happens
> more often than you would think: 
> [http://en.wikipedia.org/wiki/Known-plaintext_attack] 
> Note that using a random salt would be a good protection against such
> an attack!

Only if the passphrase is weak. If you don't use salt you can
pre-compute a table that maps weak passphrases to a few bytes
of the ciphertext of a known plaintext first block. But if that
passphrase contains sufficient entropy it's no cheaper than a
brute-force attack against the cipher. A cipher that can't withstand
that isn't worth using.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: Secure unsalted or fixed salt symmetric encryption?

2009-05-26 Thread Roland Smith
On Tue, May 26, 2009 at 09:31:25AM -0500, Jeffrey Goldberg wrote:
> On May 25, 2009, at 2:00 PM, Roland Smith wrote:
> 
> > You could use the -S option and specify a constant salt. It might make
> > the encrypted materials easier to break, though. You can generate a
> > random salt with openssl as well:
> 
> > Or you can use the -nosalt option. But as explained in
> > [http://www.openssl.org/docs/apps/enc.html], using a random salt by
> > default is a design decision because: "Without the -salt option it is
> > possible to perform efficient dictionary attacks on the password".
> > That doesn't sound good, does it?
> 
> This is being used for file encryption, not password encryption. 

Of course.

> So a dictionary attack isn't all that likely unless the encrypted
> files are of a specific nature

Suppose you are encrypting a tarfile that includes /usr/src/. There are
definitely files in that tree that haven't changed in a long time. These
could be used as (partial) cribs. 

> (known template which remains constant while only small parts of the
> file vary). 

Or if you have the case of a 'known-plaintext' attack. It happens
more often than you would think: 
[http://en.wikipedia.org/wiki/Known-plaintext_attack] 
Note that using a random salt would be a good protection against such an
attack!

I agree that in this case such an attack seems unlikely. 

From the original poster's questions I get the feeling that he is
looking for an incremental encrypted backup solution for a large file or
files. All possible solutions involve trade-offs between ease of use,
robustness and security. And as you've said making a good choice
requires more insight into the constraints.


Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Re: Secure unsalted or fixed salt symmetric encryption?

2009-05-26 Thread Jeffrey Goldberg

On May 25, 2009, at 2:00 PM, Roland Smith wrote:

> You could use the -S option and specify a constant salt. It might make
> the encrypted materials easier to break, though. You can generate a
> random salt with openssl as well:

> Or you can use the -nosalt option. But as explained in
> [http://www.openssl.org/docs/apps/enc.html], using a random salt by
> default is a design decision because: "Without the -salt option it is
> possible to perform efficient dictionary attacks on the password".
> That doesn't sound good, does it?

This is being used for file encryption, not password encryption.  So a
dictionary attack isn't all that likely unless the encrypted files are
of a specific nature (known template which remains constant while only
small parts of the file vary).

Note that without salt (or with constant salt) an attacker would know
which files are identical both within a snapshot or across them.  But
this is pretty much what the OP wants the back-up system to know, so I
guess that would be okay.

> If you are using a (e.g. USB connected) disk as backup, use geli(8)
> to encrypt the whole disk instead of encrypting each file separately.

The OP may be doing something like rsync over an insecure network.
But in the absence of details about the OP's situation it's hard to
make solid recommendations.  As you suggest, encrypting the resulting
back-up filesystem is probably the best option if the back-up
filesystem is expected to be the target of attack.


Cheers,

-j


--
Jeffrey Goldberg   http://www.goldmark.org/jeff/



Re: Secure unsalted or fixed salt symmetric encryption?

2009-05-25 Thread RW
On Mon, 25 May 2009 23:52:05 +0200
Roland Smith  wrote:

> On Mon, May 25, 2009 at 10:06:01PM +0100, RW wrote:
> > On Mon, 25 May 2009 21:00:39 +0200
> > Roland Smith  wrote:
> > 
> > 
> > > Or you can use the -nosalt option. But as explained in
> > > [http://www.openssl.org/docs/apps/enc.html], using a random salt
> > > by default is a design decision because: "Without the -salt
> > > option it is possible to perform efficient dictionary attacks on
> > > the password". That doesn't sound good, does it?
> > 
> > It's not a problem since she's using a random key file, not a weak
> > password.
> 
> But a key alone is not sufficient. You'll need to specify an
> initialization vector as well, using the -iv option. E.g.:
> 
> openssl enc -aes256 -in  -out .aes \
> -K 971001EE50DCDBCAF3F521851E773B0285838CA549E2258C1A195565D61F2145 \
> -iv FD246E34A631AE38
> 
> If you try it with only a key or keyfile, you'll get a 'iv undefined'
> error, resulting in a zero-length output file. :-(
> 

It works for me:

$ echo "hello world" > infile

$ head -c32 /dev/random |sha256 > keyfile

$ openssl enc -aes256 -nosalt -kfile keyfile  -in infile -out outfile

$ openssl enc -aes256  -nosalt -d -kfile keyfile  -in outfile 
hello world
 


Re: Secure unsalted or fixed salt symmetric encryption?

2009-05-25 Thread Roland Smith
On Mon, May 25, 2009 at 10:06:01PM +0100, RW wrote:
> On Mon, 25 May 2009 21:00:39 +0200
> Roland Smith  wrote:
> 
> 
> > Or you can use the -nosalt option. But as explained in
> > [http://www.openssl.org/docs/apps/enc.html], using a random salt by
> > default is a design decision because: "Without the -salt option it is
> > possible to perform efficient dictionary attacks on the password".
> > That doesn't sound good, does it?
> 
> It's not a problem since she's using a random key file, not a weak
> password.

But a key alone is not sufficient. You'll need to specify an
initialization vector as well, using the -iv option. E.g.:

openssl enc -aes256 -in  -out .aes \
-K 971001EE50DCDBCAF3F521851E773B0285838CA549E2258C1A195565D61F2145 \
-iv FD246E34A631AE38

If you try it with only a key or keyfile, you'll get a 'iv undefined'
error, resulting in a zero-length output file. :-(

If you use a password (-pass) you don't need an iv.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Re: Secure unsalted or fixed salt symmetric encryption?

2009-05-25 Thread RW
On Mon, 25 May 2009 21:00:39 +0200
Roland Smith  wrote:


> Or you can use the -nosalt option. But as explained in
> [http://www.openssl.org/docs/apps/enc.html], using a random salt by
> default is a design decision because: "Without the -salt option it is
> possible to perform efficient dictionary attacks on the password".
> That doesn't sound good, does it?

It's not a problem since she's using a random key file, not a weak
password.


Re: Secure unsalted or fixed salt symmetric encryption?

2009-05-25 Thread Roland Smith
On Sun, May 24, 2009 at 10:57:35PM -0700, Kelly Jones wrote:
> Are there any secure openssl symmetric encryption routines that
> *don't* use a salt?
> 
> Is it secure to use a random-but-fixed salt (openssl enc -S salt)?
> 
> "man enc" says "This option [-salt] should ALWAYS be used [...]"
> 
> Reason I ask: I was using this command to backup files using
> compression/encryption:
> 
> bzip2 -k -c original | openssl enc -bf -pass file:passfile > encfile
> 
> and was surprised that doing this to identical files yielded different
> results. I then realized "openssl enc" randomly(?) chooses a salt if
> you don't supply one.

So? It will still decrypt properly if you give the right password!
 
> I want my backups encrypted, but I also want identical files to
> encrypt identically. Thoughts?

You could use the -S option and specify a constant salt. It might make
the encrypted materials easier to break, though. You can generate a
random salt with openssl as well:

openssl rand 8 | hexdump -e '"0x" 2 "%X" "\n"'

(According to [http://www.openssl.org/docs/crypto/EVP_BytesToKey.html],
the salt is 8 bytes.) 

Or you can use the -nosalt option. But as explained in
[http://www.openssl.org/docs/apps/enc.html], using a random salt by
default is a design decision because: "Without the -salt option it is
possible to perform efficient dictionary attacks on the password". That
doesn't sound good, does it?

Alternatively, ports like security/ccrypt hash your password to make a
key. They don't require a separate salt.

If you are using a (e.g. USB connected) disk as backup, use geli(8) to encrypt
the whole disk instead of encrypting each file separately.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
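
Added example, not part of the original thread and not OpenSSL's own code: a Python sketch of the EVP_BytesToKey derivation (count=1) referenced in the message above, showing why -nosalt or a constant -S makes identical files encrypt identically while the default random salt does not. The MD5 digest (the enc default of that era; newer OpenSSL releases default to SHA-256), the sample salt and the function names are assumptions of this example.

```python
import hashlib
import os

MAGIC = b"Salted__"  # marker openssl enc writes before the 8-byte salt


def evp_bytes_to_key(passphrase, salt, key_len, iv_len, md="md5"):
    """EVP_BytesToKey with count=1: D_i = H(D_{i-1} || passphrase || salt).

    md="md5" is an assumption (see lead-in); pass "sha256" for newer defaults.
    """
    if len(salt) not in (0, 8):
        raise ValueError("salt is 8 bytes, or empty for -nosalt")
    material = block = b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(md, block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def split_salt(blob):
    """Split enc output into (salt, ciphertext); salt is b"" if unsalted."""
    if blob[:8] == MAGIC and len(blob) >= 16:
        return blob[8:16], blob[16:]
    return b"", blob


def same_key_twice(passphrase, mode, key_len=16, iv_len=8):
    """True if two separate runs derive the same key and IV.

    key_len/iv_len default to Blowfish-CBC sizes (the -bf case in the thread).
    mode: "nosalt", "fixed" (-S with a constant) or "random" (the default).
    """
    fixed = bytes.fromhex("0102030405060708")  # constructed sample salt
    runs = []
    for _ in range(2):
        if mode == "nosalt":
            salt = b""
        elif mode == "fixed":
            salt = fixed
        else:
            salt = os.urandom(8)
        runs.append(evp_bytes_to_key(passphrase, salt, key_len, iv_len))
    return runs[0] == runs[1]


if __name__ == "__main__":
    for mode in ("nosalt", "fixed", "random"):
        print(mode, same_key_twice(b"constructed passphrase", mode))
```

With the same key and IV, CBC encryption is deterministic, so equal plaintexts give equal ciphertexts; that is both the deduplication property asked for and the reason one table of passphrase-to-ciphertext prefixes can be reused across files.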




Re: Secure unsalted or fixed salt symmetric encryption?

2009-05-25 Thread RW
On Sun, 24 May 2009 22:57:35 -0700
Kelly Jones  wrote:


> and was surprised that doing this to identical files yielded different
> results. I then realized "openssl enc" randomly(?) chooses a salt if
> you don't supply one.
> 
> I want my backups encrypted, but I also want identical files to
> encrypt identically. Thoughts?


Then don't use salt - just a fully randomized key.