Re: Beginner's questions with openssl API

2002-01-07 Thread Juan Segarra

On Mon, 7 Jan 2002, Mack Stevenson wrote:

> Hi Bear,
>
> Thank you for replying.
>
>>> - I gather that it's a bad idea to just encrypt all the files with the
>>> passphrase chosen by the user, right?
>>
>> You don't use the passphrase *directly*, but you should certainly
>> use the user's passphrase.  Run it through a cryptographic hash
>> and use the results as your encryption key.
>
> Can I use either the SHA or RIPEMD-160 hashes from openssl for this purpose?

You should use the PBE (Password Based Encryption) routines instead of
hashing directly. They are based on PKCS#5 (1.5 and 2.0) and PKCS#12. You
can take a look at my EVP tutorial (sorry but I don't know any other
:-P)...

http://spisa.act.uji.es/~juan/tutoriales/openssl/evp/

Unfortunately by now it's in Spanish, but the code could help you. Hope
you can find it useful.

Juan.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Beginner's questions with openssl API

2002-01-06 Thread Mack Stevenson

Howdy,

I don't have any experience in coding apps which use cryptography, but I 
don't want to screw up, so I come looking for some friendly advice.

What I would like to do is to use the openssl symmetric crypto library to 
encrypt local files, and decrypt them with a user supplied passphrase. 
Pretty normal stuff, right? I have seen the Blowfish example in the 
documentation.

My doubts are the following:

- I gather that it's a bad idea to just encrypt all the files with the 
passphrase chosen by the user, right?

- If so, I would encrypt the files with an internally generated 
pseudo-random key of the appropriate length, store it encrypted (with the 
user-chosen passphrase as key) on disk, and then use the passphrase entered 
by the user to decrypt the real key and then decrypt the files with the 
latter. I think this is what PGP/GPG do, so it should be a better solution 
than just using the passphrase in the first place. Is this right?

- If so, how do I get the pseudo-random data to use as a key? Just read it 
from /dev/random? (I am on Linux.) Or is there a preferred way of doing 
this?

- How do I use the IV value? Is this the salt? If so, I don't need it to 
decrypt the cyphertext, right? (If this is right, why does the decrypt 
command in the above-mentioned example 
(http://www.openssl.org/docs/crypto/EVP_EncryptInit.html#EXAMPLES) mention 
the IV value: -iv 0102030405060708?)

Thank you for any help. As you can see, I am new to these things.

Cheerio,

Mack Stevenson






Re: Beginner's questions with openssl API

2002-01-06 Thread Mack Stevenson

Hi Bear,

Thank you for replying.


>> - I gather that it's a bad idea to just encrypt all the files with the
>> passphrase chosen by the user, right?
>
> You don't use the passphrase *directly*, but you should certainly
> use the user's passphrase.  Run it through a cryptographic hash
> and use the results as your encryption key.

Can I use either the SHA or RIPEMD-160 hashes from openssl for this purpose?

[snip]
> Bottom line: if you're not sure what you're doing, keep it as
> simple as you possibly can.  Adding features you don't understand
> is a good way to introduce fatal weaknesses.

OK.

> If you want to encrypt
> a file:
>
>   - hash the passphrase to generate the key.  Do not worry about
>     random keys.

OK.

>   - use OpenPGP packeting, but only use the literal block (which
>     contains the data) and the symmetric key encrypted session
>     block (which contains the encrypted literal block).  Do not
>     worry about the compressed block or various key blocks.
>
>     - for your first cut, use hard-coded random data at the top
>       of the SKES block.  It's less secure than true random data,
>       but it's one less thing for you to worry about right now.

I don't quite understand what you mean, and the man page EVP_EncryptInit(3) 
isn't helping much; can't I just do it as in the example from that page:

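--
EVP_CIPHER_CTX ctx;

/* The EVP calls take a pointer to the context */
EVP_CIPHER_CTX_init(&ctx);
/* Argument order is (ctx, cipher, engine, key, iv) */
EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv);

if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext)))
   {
   /* Error */
   return 0;
   }

/* Write the final padded block after the bytes already produced */
if(!EVP_EncryptFinal_ex(&ctx, outbuf + outlen, &tmplen))
   {
   /* Error */
   return 0;
   }
outlen += tmplen;
EVP_CIPHER_CTX_cleanup(&ctx);

--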
after having set 'key' and 'iv'?

About salt/IV: how do I determine its appropriate length? And do I store it 
(in plaintext) next to the encrypted file?

> But instead of asking us, the best thing to do is grabbing a copy
> of the OpenPGP spec (RFC 2440).

I shall do so. Although my interest is only in using very simple symmetric 
encryption, it seems to touch on some of these issues.

There is another question I would like to pose you: suppose that I wish to 
be able to determine whether the user entered the right passphrase (for 
purposes other than decrypting the cyphertext). This would imply storing a 
hash of the passphrase on disk, and comparing each entered passphrase to it, 
right? (As Unices do.) In this context, is it still advisable to use a hash 
of the passphrase as the encryption key? I understand that, for obvious 
reasons, I would need to use a *different* hash algorithm (otherwise, the 
decryption key would be stored as plaintext on disk all the time:-). But if 
I do use a different hash algorithm, is this an acceptable approach? Or is 
there a more intelligent way of doing this?

TIA,

Mack
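
An added example, not part of any poster's message and not OpenSSL code: it illustrates the PKCS#5 v2.0 (PBKDF2) derivation Juan points to, together with the questions in the message above about storing the salt in plaintext and checking a passphrase without exposing the encryption key. It uses Python's standard library rather than the OpenSSL C API; the header layout, the `MAGIC` tag, the HMAC labels and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"PBE1"                       # hypothetical file tag
ITERATIONS = 200_000                  # assumed work factor, tune per machine
MAX_ITERATIONS = 5_000_000            # refuse absurd values read from a header
HEADER = struct.Struct(">4sI16s32s")  # magic, iterations, salt, verifier


def _derive(passphrase, salt, iterations):
    """Stretch passphrase+salt with PBKDF2, then split into two subkeys.

    The HMAC labels give domain separation: knowing the stored verifier
    does not reveal the encryption key, although both come from one
    passphrase.
    """
    master = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations)
    enc_key = hmac.new(master, b"file-encryption", hashlib.sha256).digest()
    verifier = hmac.new(master, b"passphrase-check", hashlib.sha256).digest()
    return enc_key, verifier


def new_header(passphrase, iterations=ITERATIONS):
    """Return (header, enc_key). The header is stored in clear with the file."""
    salt = os.urandom(16)             # fresh random salt for every file
    enc_key, verifier = _derive(passphrase, salt, iterations)
    return HEADER.pack(MAGIC, iterations, salt, verifier), enc_key


def unlock(header, passphrase):
    """Return the encryption key, or None when the passphrase is wrong."""
    magic, iterations, salt, verifier = HEADER.unpack(header)
    if magic != MAGIC:
        raise ValueError("unrecognised header")
    if not 1 <= iterations <= MAX_ITERATIONS:
        raise ValueError("iteration count out of range")
    enc_key, candidate = _derive(passphrase, salt, iterations)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(candidate, verifier):
        return None
    return enc_key
```

The returned key is what would be passed to the cipher; the cipher's IV is a separate random value that is stored in clear next to the ciphertext in the same way as the salt.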



