Hi Bear,
Thank you for replying.
- I gather that it's a bad idea to just encrypt all the files with the
passphrase chosen by the user, right?
You don't use the passphrase *directly*, but you should certainly
use the user's passphrase. Run it through a cryptographic hash
and use the results as your encryption key.
Can I use either the SHA or RIPEMD-160 hashes from openssl for this purpose?
[snip]
Bottom line: if you're not sure what you're doing, keep it as
simple as you possibly can. Adding features you don't understand
is a good way to introduce fatal weaknesses.
OK.
If you want to encrypt
a file:
- hash the passphrase to generate the key. Do not worry about
random keys.
OK.
- use OpenPGP packeting, but only use the literal block (which
contains the data) and the symmetric key encrypted session
block (which contains the encrypted literal block). Do not
worry about the compressed block or various key blocks.
- for your first cut, use hard-coded random data at the top
of the SKES block. It's less secure than true random data,
but it's one less thing for you to worry about right now.
I don't quite understand what you mean, and the man page EVP_EncryptInit(3)
isn't helping much; can't I just do it as in the example from that page:
--
/* Example from EVP_EncryptInit(3) for OpenSSL 0.9.x, where the context is a
   stack object. OpenSSL 1.1.0 and later make it opaque: allocate with
   EVP_CIPHER_CTX_new() and release with EVP_CIPHER_CTX_free() instead.
   key, iv and intext are assumed to have been filled in by the caller. */
unsigned char outbuf[1024 + EVP_MAX_BLOCK_LENGTH]; /* room for padding */
int outlen, tmplen;
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(&ctx);
/* argument order is (ctx, cipher, engine, key, iv); the engine may be NULL.
   Blowfish-CBC: key up to 56 bytes, 8-byte block and therefore an 8-byte IV. */
EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv);
if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext)))
{
  return 0;
}
/* writes the final padded block after the outlen bytes already produced */
if(!EVP_EncryptFinal_ex(&ctx, outbuf + outlen, &tmplen))
{
  return 0;
}
outlen += tmplen;
EVP_CIPHER_CTX_cleanup(&ctx);
--
after having set 'key' and 'iv'?
About salt/IV: how do I determine its appropriate length? And do I store it
(in plaintext) next to the encrypted file?
But instead of asking us, the best thing to do is grabbing a copy
of the OpenPGP spec (RFC 2440).
I shall do so. Although my interest is only in using very simple symmetric
encryption, it seems to touch on some of these issues.
There is another question I would like to pose you: suppose that I wish to
be able to determine whether the user entered the right passphrase (for
purposes other than decrypting the ciphertext). This would imply storing a
hash of the passphrase on disk, and comparing each entered passphrase to it,
right? (As Unices do.) In this context, is it still advisable to use a hash
of the passphrase as the encryption key? I understand that, for obvious
reasons, I would need to use a *different* hash algorithm (otherwise, the
decryption key would be stored as plaintext on disk all the time:-). But if
I do use a different hash algorithm, is this an acceptable approach? Or is
there a more intelligent way of doing this?
TIA,
Mack
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
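The two questions Mack raises above (where the salt and IV live, and how to check the passphrase without leaving the decryption key on disk) fit in one small layout, shown here as an added example that is not code from the thread or from OpenSSL. It uses only the Python standard library: PBKDF2-HMAC-SHA256 from hashlib stretches the passphrase, and three subkeys (encryption, MAC, verifier) are derived from that one master key with labelled HMACs, so the verifier can sit in the clear beside the file without revealing the encryption key. The cipher itself is an assumption made for runnability: HMAC-SHA256 in counter mode stands in for EVP_bf_cbc()/AES so the block needs no libcrypto binding; in a real tool swap in a vetted cipher. ITERATIONS and the field widths are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed parameters for this example; tune ITERATIONS to your hardware.
ITERATIONS = 200_000
SALT_LEN = 16
IV_LEN = 16
TAG_LEN = 32
# On-disk header: salt || iterations (big-endian u32) || verifier (32 bytes) || iv
HEADER_FMT = ">%dsI32s%ds" % (SALT_LEN, IV_LEN)
HEADER_LEN = struct.calcsize(HEADER_FMT)


def derive_keys(passphrase, salt, iterations=ITERATIONS):
    """Stretch the passphrase once, then derive three independent subkeys.

    The verifier may be stored in the clear: recovering enc_key from it would
    mean inverting HMAC-SHA256, and every subkey comes from the salted, iterated
    master key rather than from a bare hash of the passphrase.
    """
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 salt, iterations, dklen=32)

    def sub(label):
        return hmac.new(master, label, hashlib.sha256).digest()

    return sub(b"encrypt"), sub(b"mac"), sub(b"verify")


def keystream_xor(key, iv, data):
    """HMAC-SHA256 in counter mode: block n = HMAC(key, iv || n), XORed in.

    Stand-in cipher so the example runs with the standard library alone;
    replace with AES or another vetted cipher in real code.
    """
    out = bytearray()
    for n, off in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, iv + struct.pack(">Q", n), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def encrypt(passphrase, plaintext, iterations=ITERATIONS):
    """Return salt || iterations || verifier || iv || ciphertext || tag.

    Salt and IV are fresh random bytes stored in the clear: they must be
    unpredictable, not secret. The encrypt-then-MAC tag covers the header as
    well, so a tampered salt or IV is caught before anything is decrypted.
    """
    salt, iv = os.urandom(SALT_LEN), os.urandom(IV_LEN)
    enc_key, mac_key, verifier = derive_keys(passphrase, salt, iterations)
    header = struct.pack(HEADER_FMT, salt, iterations, verifier, iv)
    ciphertext = keystream_xor(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def parse_header(blob):
    if len(blob) < HEADER_LEN + TAG_LEN:
        raise ValueError("blob too short to hold header and tag")
    return struct.unpack(HEADER_FMT, blob[:HEADER_LEN])


def check_passphrase(blob, passphrase):
    """Answer 'did the user type the right passphrase?' without touching the
    ciphertext, using the stored salt, iteration count and verifier."""
    salt, iterations, verifier, _iv = parse_header(blob)
    _enc, _mac, candidate = derive_keys(passphrase, salt, iterations)
    return hmac.compare_digest(candidate, verifier)  # constant-time compare


def decrypt(blob, passphrase):
    """Check the verifier, then the tag, then decrypt.
    Raises ValueError on a wrong passphrase or modified data."""
    salt, iterations, verifier, iv = parse_header(blob)
    enc_key, mac_key, candidate = derive_keys(passphrase, salt, iterations)
    if not hmac.compare_digest(candidate, verifier):
        raise ValueError("wrong passphrase")
    header, body, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("header or ciphertext has been modified")
    return keystream_xor(enc_key, iv, body)


if __name__ == "__main__":
    blob = encrypt("correct horse", b"constructed sample plaintext")
    print("passphrase ok:", check_passphrase(blob, "correct horse"))
    print("plaintext:", decrypt(blob, "correct horse"))
```

Storing the iteration count in the header lets you raise it later without breaking old files, and deriving the verifier from the stretched master key (rather than hashing the passphrase with a second algorithm) means an attacker who reads the verifier off disk still faces the full PBKDF2 cost per guess.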