Hi Bear, Thank you for replying.
> > - I gather that it's a bad idea to just encrypt all the files with the
> > passphrase chosen by the user, right?
>
> You don't use the passphrase *directly*, but you should certainly
> use the user's passphrase. Run it through a cryptographic hash
> and use the results as your encryption key.

Can I use either the SHA or RIPEMD-160 hashes from openssl for this purpose?

> [snip]
> Bottom line: if you're not sure what you're doing, keep it as
> simple as you possibly can. Adding features you don't understand
> is a good way to introduce fatal weaknesses.

OK.

> If you want to encrypt a file:
>
> - hash the passphrase to generate the key. Do not worry about
>   random keys.

OK.

> - use OpenPGP packeting, but only use the literal block (which
>   contains the data) and the symmetric key encrypted session
>   block (which contains the encrypted literal block). Do not
>   worry about the compressed block or various key blocks.
>
> - for your first cut, use hard-coded "random" data at the top
>   of the SKES block. It's less secure than true random data,
>   but it's one less thing for you to worry about right now.

I don't quite understand what you mean, and the man page EVP_EncryptInit(3)
isn't helping much; can't I just do it as in the example from that page:

--
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(&ctx);
/* arguments are (ctx, cipher, engine, key, iv): the cipher comes second,
   the engine (NULL for the default) third */
EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv);
/* encrypt the input; outlen receives the number of bytes written */
if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext))) {
    return 0;
}
/* flush the final padded block */
if(!EVP_EncryptFinal_ex(&ctx, outbuf + outlen, &tmplen)) {
    return 0;
}
outlen += tmplen;
EVP_CIPHER_CTX_cleanup(&ctx);
--

after having set 'key' and 'iv'? About salt/IV: how do I determine its
appropriate length? And do I store it (in plaintext) next to the encrypted
file?

> But instead of asking us, the best thing to do is grabbing a copy
> of the OpenPGP spec (RFC 2440).

I shall do so. Although my interest is only in using very simple symmetric
encryption, it seems to touch on some of these issues.
There is another question I would like to pose you: suppose that I wish to be able to determine whether the user entered the right passphrase (for purposes other than decrypting the cyphertext). This would imply storing a hash of the passphrase on disk, and comparing each entered passphrase to it, right? (As Unices do.) In this context, is it still advisable to use a hash of the passphrase as the encryption key? I understand that, for obvious reasons, I would need to use a *different* hash algorithm (otherwise, the decryption key would be stored as plaintext on disk all the time:-). But if I do use a different hash algorithm, is this an acceptable approach? Or is there a more intelligent way of doing this?

TIA,
Mack
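The questions above (how long the salt and IV should be, whether they are stored in the clear next to the ciphertext, and how to check a passphrase without storing the decryption key on disk) can be shown together in one small routine. The following is an added example written for this thread, not code from either poster; it uses only the Python standard library. Rather than a second hash algorithm for the verifier, it derives one master secret from the passphrase with a salted, iterated hash (PBKDF2-HMAC-SHA256) and then splits it with HMAC under two distinct labels, so the stored check value reveals nothing about the encryption key. The header layout, the iteration count, the salt length and the labels are assumptions chosen for the example. The cipher step itself is left out: the returned key and IV are what the EVP_EncryptInit_ex call in the quoted snippet would receive, and the IV length equals the cipher's block size (8 bytes for Blowfish-CBC as in that snippet, 16 for AES-CBC).

```python
import hashlib
import hmac
import os
import struct

# Parameters (assumptions for this example, not taken from the thread).
SALT_LEN = 16          # a fresh 16-byte random salt per file is ample
IV_LEN = 8             # IV length == cipher block size: 8 for Blowfish-CBC, 16 for AES-CBC
KEY_LEN = 32           # length of the master secret derived from the passphrase
TAG_LEN = 32           # SHA-256 HMAC output used as the passphrase check value
ITERATIONS = 200_000   # PBKDF2 work factor; raise it as hardware gets faster
HEADER_LEN = 4 + SALT_LEN + IV_LEN + TAG_LEN


def derive_keys(passphrase: str, salt: bytes, iterations: int = ITERATIONS):
    """Derive (encryption_key, verify_tag) from one passphrase.

    Both values come from the same salted, iterated hash, but under different
    HMAC labels, so knowing the stored verify_tag does not give the key.
    """
    master = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, KEY_LEN
    )
    enc_key = hmac.new(master, b"file-encryption-key", hashlib.sha256).digest()
    verify_tag = hmac.new(master, b"passphrase-check", hashlib.sha256).digest()
    return enc_key, verify_tag


def build_header(passphrase: str, salt: bytes = None, iv: bytes = None,
                 iterations: int = ITERATIONS):
    """Return (header, enc_key, iv) for a new encrypted file.

    The header is stored in plaintext in front of the ciphertext: it holds the
    iteration count, the salt, the IV and the check value. None of these
    need to be secret; only the passphrase does.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    iv = os.urandom(IV_LEN) if iv is None else iv
    enc_key, tag = derive_keys(passphrase, salt, iterations)
    header = struct.pack(">I", iterations) + salt + iv + tag
    return header, enc_key, iv


def parse_header(blob: bytes):
    """Split a stored file prefix back into (iterations, salt, iv, tag)."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file too short to contain a header")
    (iterations,) = struct.unpack(">I", blob[:4])
    off = 4
    salt = blob[off:off + SALT_LEN]
    off += SALT_LEN
    iv = blob[off:off + IV_LEN]
    off += IV_LEN
    tag = blob[off:off + TAG_LEN]
    return iterations, salt, iv, tag


def check_passphrase(passphrase: str, blob: bytes):
    """Verify a passphrase against a stored header.

    Returns (enc_key, iv) on success so decryption can proceed, or None if
    the passphrase is wrong. The comparison is constant-time.
    """
    iterations, salt, iv, tag = parse_header(blob)
    enc_key, expected = derive_keys(passphrase, salt, iterations)
    if not hmac.compare_digest(expected, tag):
        return None
    return enc_key, iv


if __name__ == "__main__":
    # Constructed demo values; a real file would use os.urandom for both.
    header, key, iv = build_header("correct horse", salt=b"\x01" * SALT_LEN,
                                   iv=b"\x02" * IV_LEN)
    print("header bytes:", len(header))
    print("right passphrase accepted:", check_passphrase("correct horse", header) is not None)
    print("wrong passphrase rejected:", check_passphrase("wrong", header) is None)
```

When a file is written, the header goes first and the EVP-encrypted data follows it; when it is opened, the header is parsed, the passphrase checked, and only then is the derived key handed to the cipher.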