I'm sure others will have a better answer, but I seem to recall
that there's a difference between passwords and passphrases.
Directly using a human readable password is bad since there's not
enough randomness to it and you're limited to 8 or 16 characters.

With a passphrase you can do things like using the hash of the
passphrase as the key, encrypting the passphrase with the first 8
or 16 characters of the passphrase as the key, etc.

I believe there's a FIPS standard for generating encryption keys
from a passphrase, using a technique similar to those mentioned
above.  If you're looking at a modern Unix crypt() analogue it's
just a hash with salt.  E.g., one possibility is H(passcode .
H(salt . passcode)), with the salt is encoded in the first few
characters of the stored password.

BTW don't forget that many (all?) robust systems will generate a
random encryption key for the body of the ciphertext.  This key is
the only thing encrypted with the key generated by the passphrase.

Nadav Golombick wrote:
> What is the correct procedure if I come to a situation where the
> password length is too big for the given buffer.
> 
> --
> Nadav Golombick
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [email protected]
> Automated List Manager                           [EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to