Commit f8547f62c212837dbf44fb7e2755e5774a59a57b (documented in
9e8b6f042749ded556380227c9f2db7ffad9a3aa) changed the default digest
for the 'enc' utility from MD5 to SHA256.

While I do strongly encourage getting away from MD5, this has the
unfortunate side effect of silently breaking existing data.

An old encrypted file would be generated with MD5 as the digest used on
the passphrase. Then, if you tried to decrypt it on a new version of
OpenSSL, which defaults to SHA256, you'd get just garbage output.

This recently bit me when trying to decrypt Amanda backups:
(yes, I'm aware that the asym variant also passes in -nosalt).

This happens because there is no metadata that conveys what parameters
were used during encryption. Unless you happen to know exactly which
version of OpenSSL was used, and what parameters, you risk getting
garbage data back.

This can also happen already when the ciphers are mismatched between
encryption & decryption.

The -salt option already sets a precedent for adding a header with the
salt data, and I'd like to extend that, to improve backwards

1. Encrypted data should include a header block, that OPTIONALLY
   specifies each of:
   - cipher & parameters (e.g. salt, padding)
   - key derivation function & parameters (MD)
1.1. Some users might want to leave the fields empty, to increase
     security by obscurity.
1.2. This also opens the path to stronger key derivation (PBKDF2)
2. During decryption, if no header block is present, and no message
   digest was specified, the default digest SHOULD be MD5.

Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
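To make the breakage concrete: the following is an added example (not from the post or from OpenSSL's sources) that re-implements the EVP_BytesToKey derivation 'enc' uses (count=1) and parses the 'Salted__' header written by -salt. The passphrase and salt are constructed; it shows that the same inputs give a completely different key/IV under MD5 and SHA256, which is why a legacy file decrypts to garbage unless -md md5 is passed explicitly.

```python
"""
Why a file encrypted by an older `openssl enc` (MD5 key derivation) turns
into garbage under the newer SHA-256 default: same passphrase, same salt,
different key/IV.  Added example; re-implements EVP_BytesToKey (count=1).
"""
import hashlib
from typing import Tuple

SALTED_MAGIC = b"Salted__"  # 8-byte magic written by `enc -salt`, followed by 8 salt bytes


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "sha256", count: int = 1) -> Tuple[bytes, bytes]:
    """OpenSSL EVP_BytesToKey: D_i = H(D_{i-1} || pass || salt), re-hashed
    count-1 more times; key||iv is the concatenation of the D_i blocks."""
    out = b""
    prev = b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + passphrase + salt).digest()
        for _ in range(count - 1):
            prev = hashlib.new(md, prev).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def parse_salted_header(blob: bytes) -> Tuple[bytes, bytes]:
    """Split `enc -salt` output into (salt, ciphertext).  Raises when the
    magic is absent (e.g. -nosalt), since then the salt is not in the data."""
    if len(blob) < 16 or blob[:8] != SALTED_MAGIC:
        raise ValueError("no Salted__ header: salt not stored in file")
    return blob[8:16], blob[16:]


def legacy_vs_new_keys(passphrase: bytes, salt: bytes):
    """Key/IV for aes-256-cbc (32-byte key, 16-byte IV) under both defaults."""
    return {
        "md5": evp_bytes_to_key(passphrase, salt, 32, 16, "md5"),
        "sha256": evp_bytes_to_key(passphrase, salt, 32, 16, "sha256"),
    }


if __name__ == "__main__":
    # constructed sample: Salted__ header, made-up salt, dummy 16-byte body
    sample = SALTED_MAGIC + bytes.fromhex("0123456789abcdef") + b"\x00" * 16
    salt, _ = parse_salted_header(sample)
    keys = legacy_vs_new_keys(b"hunter2", salt)  # constructed passphrase
    for md, (key, iv) in keys.items():
        print(f"{md:7s} key={key.hex()} iv={iv.hex()}")
    print("keys differ:", keys["md5"][0] != keys["sha256"][0])
```

With the MD5 key/IV in hand, the fix on a new OpenSSL is to decrypt with `-md md5`; nothing in the file itself tells you that.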
