On Mon, Nov 16, 2009 at 11:52:26AM +1000, Anthony Thyssen wrote:
> I was reading the openssl-users mail list, (I am not on that list)
> where you mentioned the PBKDF2 openssl library function.
You should join, at least long enough to ask the question that interests
you. Further follow-up will be on-list only.
>
> Subject: Re: Encapsulation of AES_KEY
> Date: 2009-11-11 18:49:38
>
> The problem is the openssl command does not make this function available
> either directly as a password to key+IV converter, or as part of its
> file encryption method, for use from CLI.
The enc(1) command uses EVP_BytesToKey(), which would have been good
enough in most applications, if the iteration count were high-enough,
or configurable.
Thus, unless I'm misreading the code, the solution is to use a strong
pass-phrase, or code up your own tool, that uses PBKDF2, with as high
an iteration count is practical within your latency and CPU cost bounds.
Breaking backwards compatibility with already encrypted files is not
a good option, so any new key-derivation mode for enc(1) would have
to be switched-on via new, non-default flags.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
