Re: Using RC4 vs EVP_CIPHER

2005-05-11 Thread Sean Covel
Steve, Salt shouldn't be predictable so using a fixed string isn't an option but it isn't secret. I'm using rand_bytes() to create the salt. IV. I should really use an IV with some modes. Again, it's random bytes, but it doesn't have to be secret. I will also have to transmit the IV

Re: Using RC4 vs EVP_CIPHER

2005-05-10 Thread Sean Covel
Steve, Additionally you seem to be using an unsalted key derivation algorithm with a stream cipher (RC4). If passwords are reused then I hope you aren't sending anything sensitive that way because that is an insecure combination. Additional Questions: SALT isn't secret, correct? In this

Re: Using RC4 vs EVP_CIPHER

2005-05-10 Thread Dr. Stephen Henson
On Tue, May 10, 2005, Sean Covel wrote: Steve, Additionally you seem to be using an unsalted key derivation algorithm with a stream cipher (RC4). If passwords are reused then I hope you aren't sending anything sensitive that way because that is an insecure combination.

Re: Using RC4 vs EVP_CIPHER

2005-04-29 Thread Dr. Stephen Henson
On Mon, Apr 25, 2005, Sean Covel wrote: Now that I've updated to the latest OpenSSL (7g) I've got a question: I implemented some RC4 functionality using the low-level rc4 functions (RC4_Set_Key, RC4), and it's working fine. The OpenSSL documentation recommends using the EVP_* functions

Re: Using RC4 vs EVP_CIPHER

2005-04-29 Thread Sean Covel
Steve, Dr. Stephen Henson wrote: [snip] Here are the relevant chunks for code. I'm trying to give enough code without over-burdening you. If you need more, let me know. [snip] Here's one problem: EVP_CIPHER_CTX_set_key_length(Dctx, 128); the length parameter is in bytes

Using RC4 vs EVP_CIPHER

2005-04-25 Thread Sean Covel
Now that I've updated to the latest OpenSSL (7g) I've got a question: I implemented some RC4 functionality using the low-level rc4 functions (RC4_Set_Key, RC4), and it's working fine. The OpenSSL documentation recommends using the EVP_* functions instead of the lower level functions. It seems

Re: Using RC4 vs EVP_CIPHER

2005-04-25 Thread Sean Covel
I'm continuing to test. I've noticed something else strange with the EVP_ functions... I have a test program that reads in text file A a chunk at a time, encrypts the chunk, then writes it out to B. It then reads B back in a chunk at a time, decrypts it, and writes it back out to C. Simple