Re: OpenSSL as a general purpose encryption tool
On Fri, 9 Feb 2001, John Kaiser wrote:
> Openssl is a nice command line encryption utility. You would never know
> it if you tried to read the man page to figure out how to use it.
hmm... I've always found the user level docs to be quite good, and
openssl comes with a man page `man 1 enc` which describes your
example. However, this particular manpage, whilst it exists on
FreeBSD, is missing from OpenBSD :-( It might have been added
since openssl 0.9.5a (FreeBSD has version 0.9.6).
Docs on the openssl library functions, however, are a different story :-(
> openssl enc -bf -in plaintext.txt -out cyphertext.dat -pass pass:secret
Make sure you at least add the '-salt' option:
"The -salt option should ALWAYS be used if the key is being
derived from a password unless you want compatibility with
previous versions of OpenSSL and SSLeay.
Without the -salt option it is possible to perform
efficient dictionary attacks on the password and to attack
stream cipher encrypted data. The reason for this is that
without the salt the same password always generates the
same encryption key. When the salt is being used the first
eight bytes of the encrypted data are reserved for the
salt: it is generated at random when encrypting a file and
read from the encrypted file when it is decrypted."
Keep in mind that using openssl in this way isn't particularly
secure - you just need the human created plaintext password, which
might not take long to guess, and someone will have full access
to your files :-) It probably does have a use in shell scripts
to encrypt temporary files with a random key.
You should probably be using something like GNU PG instead
(/usr/ports/security/gnupg), since the key is much larger (e.g.
1024 bits), and the key is protected by a password which you can
change over time.
Chris Foote
Technical Manager
SE Network Access
e-mail: chris@senet.com.au
phone: (08) 8221 5221
fax: (08) 8221 5220
support: (08) 8221 5792

SE Net
222 Grote Street
Adelaide SA 5000
Australia
PGP Public Key available from http://www.senet.com.au/PGP
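The man page excerpt quoted in the reply above says that without -salt the same password always yields the same key, and that with -salt the first eight bytes of the file hold the salt. The following is an added example, not code from the original post or from OpenSSL: it reimplements in stdlib Python the password-to-key derivation `openssl enc` uses for -pass/-k, EVP_BytesToKey with MD5 and an iteration count of 1 (as documented in EVP_BytesToKey(3); newer OpenSSL releases default to -salt and add -pbkdf2 as a stronger alternative), and the "Salted__" file header, so the effect of the salt can be seen directly. Wordlist, salts and the sample file header are constructed here for illustration.

```python
import hashlib
import os
from typing import Optional, Tuple

# Header `openssl enc -salt` writes: 8 magic bytes, then the 8-byte salt.
SALT_MAGIC = b"Salted__"


def evp_bytes_to_key(password: bytes, salt: Optional[bytes],
                     key_len: int, iv_len: int, md: str = "md5") -> Tuple[bytes, bytes]:
    """EVP_BytesToKey with count=1 (the `openssl enc -pass` derivation when
    -pbkdf2 is not given):  D_1 = H(pw || salt),  D_i = H(D_{i-1} || pw || salt),
    key || iv = D_1 || D_2 || ... truncated to key_len + iv_len bytes."""
    if salt is not None and len(salt) != 8:
        raise ValueError("openssl enc salts are exactly 8 bytes")
    salt = salt or b""          # -nosalt: nothing but the password goes in
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def split_salted_header(ciphertext: bytes) -> Tuple[Optional[bytes], bytes]:
    """(salt, body) for a file written with -salt; (None, body) for -nosalt."""
    if ciphertext.startswith(SALT_MAGIC) and len(ciphertext) >= 16:
        return ciphertext[8:16], ciphertext[16:]
    return None, ciphertext


def keys_repeat_without_salt(password: bytes, key_len: int = 32, iv_len: int = 16) -> bool:
    """Two -nosalt encryptions with the same password use the identical key."""
    k1, _ = evp_bytes_to_key(password, None, key_len, iv_len)
    k2, _ = evp_bytes_to_key(password, None, key_len, iv_len)
    return k1 == k2


def keys_repeat_with_salt(password: bytes, key_len: int = 32, iv_len: int = 16) -> bool:
    """Two -salt encryptions draw fresh random salts, so the keys differ."""
    k1, _ = evp_bytes_to_key(password, os.urandom(8), key_len, iv_len)
    k2, _ = evp_bytes_to_key(password, os.urandom(8), key_len, iv_len)
    return k1 == k2


def nosalt_key_table(wordlist, key_len: int = 32, iv_len: int = 16) -> dict:
    """The precomputation the man page warns about: with -nosalt one table of
    key -> password, built once, applies to every file ever encrypted.
    With -salt an attacker must redo this work per salt (i.e. per file)."""
    table = {}
    for word in wordlist:
        key, _ = evp_bytes_to_key(word, None, key_len, iv_len)
        table[key] = word
    return table


if __name__ == "__main__":
    # Constructed wordlist and file header, purely for the demonstration.
    words = [b"secret", b"password", b"letmein", b"hunter2"]
    table = nosalt_key_table(words)
    probe, _ = evp_bytes_to_key(b"secret", None, 32, 16)
    print("nosalt table lookup recovers:", table[probe])
    print("same key twice without salt:", keys_repeat_without_salt(b"secret"))
    print("same key twice with salt:   ", keys_repeat_with_salt(b"secret"))
    salt, body = split_salted_header(SALT_MAGIC + b"\x01" * 8 + b"<ciphertext>")
    key, iv = evp_bytes_to_key(b"secret", salt, 32, 16)
    print("salt read back from file header:", salt.hex(), "key:", key.hex()[:16] + "...")
```

The first 16 bytes of the no-salt key are simply MD5 of the password, which is why the table above can be built from any existing MD5 wordlist; the -salt header makes decryption read the salt from the file, so the same password plus the stored salt reproduces the key without the salt having to be secret.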