Steve,

> >> Additionally you seem to be using an unsalted key derivation algorithm with a
> >> stream cipher (RC4). If passwords are reused then I hope you aren't sending
> >> anything sensitive that way because that is an insecure combination.
> >>
>

Additional Questions:

SALT isn't secret, correct? In this app I'm going to have to send the SALT to the other end in order for the passwords to be the same... This isn't a problem, is it?

IV. I should really use an IV with some modes. Again, it's random bytes, but it doesn't have to be secret. I will also have to transmit the IV to the other side. That's not a security problem, is it?

Is it a problem if you use the same random bytes for the SALT and the IV?

Thanks,
Sean

P.S. The books I have are pretty clear on the IV issue, but don't really get into much detail on SALT, and none mention if IV=SALT would be a bad thing.

> Good point. I assume what I really want to use is EVP_BytesToKey to
> create the key with salt.
>
> Thanks for the help!
>
> Sean
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
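Added example, not code from this thread or from OpenSSL itself: a stand-alone re-implementation of the EVP_BytesToKey() derivation (MD5, count=1, the `openssl enc` legacy scheme) plus the salt || IV || ciphertext framing the question describes, so one can check that the receiver recovers the same key and IV from a salt and IV sent in the clear, and that a fresh salt per message is what makes the derived IV change. The 8-byte salt length, the 32/16-byte key/IV sizes and the message layout are assumptions chosen for the example; the cipher step itself is left out (no cipher in the standard library), the point being the salt/IV handling.

```python
import hashlib
import secrets

SALT_LEN = 8   # PKCS5_SALT_LEN in OpenSSL (assumed here)
IV_LEN = 16    # AES block size, used as the IV length in this example


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md=hashlib.md5, count: int = 1):
    """EVP_BytesToKey() derivation, re-implemented for this example.
    D_1 = H(pw||salt), D_i = H(D_{i-1}||pw||salt), each hashed `count` times;
    key||iv is the prefix of D_1||D_2||...  The salt only randomises the
    derivation; it is stored/sent in the clear, so it need not be secret."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = md(block + password + salt).digest()
        for _ in range(count - 1):
            block = md(block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def build_message(salt: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Wire layout (assumed): 8-byte salt || 16-byte IV || ciphertext.
    Salt and IV are public; only the password (never sent) is secret."""
    return salt + iv + ciphertext


def parse_message(blob: bytes):
    """Split a message back into (salt, iv, ciphertext); rejects short input."""
    if len(blob) < SALT_LEN + IV_LEN:
        raise ValueError("message too short to carry salt and IV")
    return (blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + IV_LEN],
            blob[SALT_LEN + IV_LEN:])


def sender_setup(password: bytes):
    """Per message: fresh random salt -> fresh key and IV.  Reusing one salt
    with the same password would reproduce the same key AND IV every time,
    which is exactly the reuse the quoted warning is about."""
    salt = secrets.token_bytes(SALT_LEN)
    key, iv = evp_bytes_to_key(password, salt, 32, IV_LEN)
    return salt, key, iv


def receiver_setup(password: bytes, blob: bytes):
    """Receiver re-derives key/IV from the public salt it was sent."""
    salt, iv_sent, _ = parse_message(blob)
    key, iv = evp_bytes_to_key(password, salt, 32, IV_LEN)
    return key, iv, iv == iv_sent
```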