>________________________________
> From: Roberto Spadim <robe...@spadim.com.br>
>To: openssl-users@openssl.org
>Sent: Friday, August 16, 2013 6:01 PM
>Subject: Re: How to securely encrypt identical files to identical ciphertext?
>
>
>
>hi, i don't know if i will answer your question, but i will give some tips
>about security...
>
>the point about decrypt is crypt lists, reverse engeneer and many others
>solutions to decrypt informations
>i didn't remember the name, maybe rainbow list or something like it is a
>normal feature used with hash functions
>a salt is very interesting since the list without salt is normally 'weak',
>because anyone could create a list with a
>
>
>for(i=0 to infinity)
> crypted value (i) = crypt function ( i )
>and yes, many guys create this lists... it's nice, and it's a problem... maybe
>you lost your password some day and found it in the list and ! now you have
>your password back !
>
>
>about file decrypt, the "attacker" will try to decrypt a small part of file or
>the full file, normally when i try to decrypt i know +- what file have (a know
>file structure) in this case if the file is a image for example, or a zip
>file, i will try to run a program to decrypt and only check if the magic
>numbers of that know file structure is found, it's a way to hack a crypt, it
>take many time (maybe never happen), but it's a easy to understand strategy...
>there's more features about crypt/decrypt but i will give a superficial idea
>only...
>
>
>in real world, a salt is important, some users use a MD5('salt' + MD5(password
>+ 'salt2')) to ensure that the password isn't listed in a list or another
>hash/crypt function...
>well in my option (not statistic, but real world use cases) it's just a
>placebo, the point here is...
>if someone want your information, restrict the time he can try to read/access
>your information... example...
>a login system, should allow a 5 wrong logins, after this block by 5 minutes,
>after more 5 wrong logins block for more 10 minutes... it's like iphone screen
>lock, the attacker can have a very big high optimized cluster to extra world
>solutions, but it only have 5 tryes to know the password / 5 minutes... well
>sorry attacker i could do the same job with my cellphone and maybe know the
>right password ... that's not the case if attacker know more informations
>about user password (her name, wife name, child name, birthday, first car, pet
>names, etc...)
>
>
>again, the problem is: don't allow a intensive access to your information, if
>this occur check if the user have permissions to do this, if not block it with
>a pre fixed time and contact user... the user should ask about permission to
>admin, and admin could add more permission to user.... that's the 'right way'
>to add security to any system
>
>
>i don't know if this help you, but these are some tips about security and i
>didn't checked if i answered your question :P sorry
>maybe i talked something wrong, it just a idea i didn't checked the normalized
>ideas (there's some information at FBI docs about forense it's nice to read...)
>
>
>bye
>
Hi Roberto
Thank you for the reply.
My encrypted file is with you. It is encrypted without a salt. I'm scared you
may use a sophisticated system to decrypt it and read the sensitive info. I use
a per file not guessable 150 character password. This password is not repeated,
only reuse on identical plaintext files only.
I want to understand is it any easy for you to decrypt it than a salted
encrypted file?
Best regards
Unga
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
