Sorry Victor, Im not explaining it very well. Let me try again.
What we need to do is to protect data from the point of view of
ensuring that if the media it is on be that a hard drive, tape, or
optical disk is encrypted. For our system that is best done by
encrypting each file on a file by file basis. Our design team is
looking to use AES-128 in CBC, and a pass phrase protected key.
Our team is planning on using the OpenSSL Libs do do this. None
of them have a crypto back ground so im trying to help them make
sure that they have the resources to make the right design decisions.
It is becoming clear to me, and them that what they first had planned
may not be as secure as they first thought.
When I first posted the question about modes I thought it was a simple
matter of picking the "Correct One", but im seeing that is a moving
target depending on what your trying to do.
So in short we know what we want to do, and how we want to implement
it into our software, but it appears that we may need a better
understanding of the "Correct Way" to implement the encryption!
David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.
Email: [EMAIL PROTECTED]
Web: www.comsquared.com
Victor Duchovni wrote:
On Tue, Oct 18, 2005 at 11:09:51AM -0400, David Gianndrea wrote:
Ok that is good info. What about just doing file level encryption.
As an example you have a disk with a bunch of files, and it is
only those files you would want encrypted, and the issue is more
a confidentiality is required / media loss issue then a tamper issue?
We are looking to use AES-256 for this.
A strong cipher used badly can give worse security than a weaker cipher
used well. Is your application a crypto disk, a crypto filesystem, or a
utility to encrypt and decrypt files. Is the threat model loss of physical
media, or are files encrypted for transmission or on-line network access?
You are still looking for algorithm recommendations (a common error)
when you should be looking for a security analysis of your problem,
the algorithm is the easy part at the end of the analysis.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
