On Tue, May 10, 2005, Sean Covel wrote:

> Steve,
> 
> > 
> >>Additionally you seem to be using an unsalted key derivation algorithm with
> >>a stream cipher (RC4). If passwords are reused then I hope you aren't sending
> >>anything sensitive that way because that is an insecure combination.
> >>
> > 
> 
> Additional Questions:
> 
> SALT isn't secret, correct?  In this app I'm going to have to send the
> SALT to the other end in order for the passwords to be the same...This
> isn't a problem, is it?
> 

Salt shouldn't be predictable so using a fixed string isn't an option but it
isn't secret.

> IV.  I should really use an IV with some modes.  Again, it's random
> bytes, but it doesn't have to be secret.  I will also have to transmit
> the IV to the other side.  That's not a security problem is it?
> 
> Is it a problem if you use the same random bytes for the SALT and the IV?
> 

EVP_BytesToKey() also generates an IV so that isn't a problem.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
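
The derivation discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL's own code: a Python re-implementation of the algorithm documented for EVP_BytesToKey(), showing that a fresh public salt changes both the key and the IV while an unsalted derivation repeats the key on every password reuse. The helper names, the SHA-256 digest and the 16-byte key and IV sizes are assumptions chosen for illustration.

```python
import hashlib
import os

def evp_bytes_to_key(password, salt, key_len, iv_len, md="sha256", count=1):
    """Derivation documented for EVP_BytesToKey():
    D_1 = H^count(password || salt), D_i = H^count(D_(i-1) || password || salt);
    the key, then the IV, are taken in order from D_1 || D_2 || ..."""
    if salt is not None and len(salt) != 8:
        raise ValueError("EVP_BytesToKey() takes an 8-byte salt or none")
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(md, block + password + (salt or b"")).digest()
        for _ in range(count - 1):
            block = hashlib.new(md, block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def new_message_params(password, key_len=16, iv_len=16):
    """Sender side (hypothetical helper): pick an unpredictable salt per
    message. The salt travels in the clear next to the ciphertext."""
    salt = os.urandom(8)
    key, iv = evp_bytes_to_key(password, salt, key_len, iv_len)
    return salt, key, iv

def receiver_params(password, salt, key_len=16, iv_len=16):
    """Receiver side (hypothetical helper): rebuild key and IV from the
    shared password and the salt that arrived with the message."""
    return evp_bytes_to_key(password, salt, key_len, iv_len)

if __name__ == "__main__":
    pw = b"shared passphrase"  # constructed sample value

    # Unsalted, RC4-style (no IV): every reuse of the password gives the
    # same key, hence the same keystream for every message.
    k_a, _ = evp_bytes_to_key(pw, None, 16, 0)
    k_b, _ = evp_bytes_to_key(pw, None, 16, 0)
    print("unsalted keys identical:", k_a == k_b)

    # Salted: same password, two messages, unrelated keys and IVs.
    s1, k1, iv1 = new_message_params(pw)
    s2, k2, iv2 = new_message_params(pw)
    print("salted keys differ:", k1 != k2, "IVs differ:", iv1 != iv2)

    # The receiver needs only the password and the transmitted salt.
    print("receiver matches sender:", receiver_params(pw, s1) == (k1, iv1))
```

Because the IV comes out of the same derivation as the key, only the salt has to be transmitted; the IV is not a second random value that needs its own source of bytes.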
