Re: Salted password generation/digest
Hello, [EMAIL PROTECTED] wrote on 03/31/2008 11:44:10 PM: I don't think Marek is correct. The command-line interface (openssl enc) doesn't use PKCS5_PBKDF2_HMAC_SHA1(). Other parts of the command-line utilities do (e.g. openssl pkcs8 -topk8 -v2 for encrypting RSA and DSA private keys), but not openssl enc. Of course you are right about openssl enc, this code does not use PKCS5_PBKDF2_HMAC_SHA1(). This code use something between PBKDF1 and PBKDF2. My answer was rather about last question about: public interface where an application developer can pass a password and as a result he becomes a password of the specified length. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Salted password generation/digest
I don't think Marek is correct. The command-line interface (openssl enc) doesn't use PKCS5_PBKDF2_HMAC_SHA1(). Other parts of the command-line utilities do (e.g. openssl pkcs8 -topk8 -v2 for encrypting RSA and DSA private keys), but not openssl enc. If you can read Java, here's the algorithm OpenSSL uses to expanding the password into 256 bits (and beyond!) in slightly less than 100 lines: http://juliusdavies.ca/commons-ssl/javadocs/src-html/org/apache/commons/ssl/OpenSSL.html#line.448 For small keys the algorithm is compatible with the standard PBEWithMD5AndDES with an iteration-count of 1. For longer keys the algorithm just keeps rehashing against itself and the salt until enough bytes are generated. This variation doesn't have a standard that describes it. In my mind I refer to it as traditional ssleay pbe. yours, Julius On Sat, Mar 29, 2008 at 12:09 PM, [EMAIL PROTECTED] wrote: Hello, [EMAIL PROTECTED] wrote on 03/29/2008 06:52:18 PM: Hello, consider the following example: You want to encrypt something using OpenSSL's AES 256 Bit encryption. You use the OpenSSL command line interface and specify an 8 character password. This means you specified 64 Bit (8 characters = 64 Bit) but want to use 256 Bit encryption. How does the OpenSSL library expand the password? Does it do a digest of the user specified password to fill up the 256 Bit? Is there even a standard which describes this? And finally is there a public interface where an application developer can pass a password and as a result he becomes a password of the specified length? Try: PKCS5_PBKDF2_HMAC_SHA1() Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- yours, Julius Davies 250-592-2284 (Home) 250-893-4579 (Mobile) http://juliusdavies.ca/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Salted password generation/digest
Hello, consider the following example: You want to encrypt something using OpenSSL's AES 256 Bit encryption. You use the OpenSSL command line interface and specify an 8 character password. This means you specified 64 Bit (8 characters = 64 Bit) but want to use 256 Bit encryption. How does the OpenSSL library expand the password? Does it do a digest of the user specified password to fill up the 256 Bit? Is there even a standard which describes this? And finally is there a public interface where an application developer can pass a password and as a result he becomes a password of the specified length? Best regards Stefan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Salted password generation/digest
Hello, [EMAIL PROTECTED] wrote on 03/29/2008 06:52:18 PM: Hello, consider the following example: You want to encrypt something using OpenSSL's AES 256 Bit encryption. You use the OpenSSL command line interface and specify an 8 character password. This means you specified 64 Bit (8 characters = 64 Bit) but want to use 256 Bit encryption. How does the OpenSSL library expand the password? Does it do a digest of the user specified password to fill up the 256 Bit? Is there even a standard which describes this? And finally is there a public interface where an application developer can pass a password and as a result he becomes a password of the specified length? Try: PKCS5_PBKDF2_HMAC_SHA1() Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]