Okay I think I get it. I noticed the beginning of the hash contained "Salted__" 
but I didn't know why! Are you saying I can strip that along with the next 8 
bytes, and the hash will be intact, and I can decrypt it without the salt?? 

Bob S


> On Jun 6, 2018, at 21:06 , Brian Milby via use-livecode 
> <use-livecode@lists.runrev.com> wrote:
> 
> If you are using a known salt, then I would say it makes sense to strip it. 
> It would make it easier to decrypt if included, but still not easy to break a 
> cipher that isn’t already cracked.
> 
> Since only 8 bytes of the salt are unique/used, it may be better to generate 
> your own key instead of using the built in password and salt, but I’m not a 
> security expert.
> 
> If you are just using a password, then a random salt is added. That means 
> that each encrypted message (even if the message and password are the same) 
> will be unique.
> 
> On Jun 6, 2018, 10:38 PM -0500, prothero--- via use-livecode 
> <use-livecode@lists.runrev.com>, wrote:
>> Hmmm....
>> If the salt is included in the encrypted text, doesn’t that enable anyone 
>> who intercepts it to decrypt it more easily, invalidating the purpose of 
>> using the salt in the first place?
>> 
>> Or, if the server decrypting the text uses a standard, but secret, salt that 
>> is known by both parties, it seems more reasonable to me.
>> 
>> Sorry if I’m being dense.
>> Bill
>> 
>> William Prothero
>> http://earthlearningsolutions.org
>> 
>>> On Jun 6, 2018, at 7:56 PM, Brian Milby via use-livecode 
>>> <use-livecode@lists.runrev.com> wrote:
>>> 
>>> I’m not sure what the original thread was using the salt for but the 
>>> initial post in this one was more about hashing. The question about 
>>> encryption was introduced so I answered that.
>>> 
>>> For encryption, it looks like there is only an effective 8 byte salt (the 
>>> first 8 are static - “Salted__”). Specifying more than 8 bytes does not 
>>> change the resulting encrypted text.
>>> 
>>> Since LC does include the salt, it does not need to be separately provided 
>>> to decrypt. If you strip the salt (first 16 bytes), then you must supply 
>>> the salt to decrypt. Providing the salt without stripping it from the 
>>> encrypted text did not pose a problem in my test.
>>> 
>>>> On Jun 6, 2018, 9:32 PM -0500, Richard Gaskin via use-livecode 
>>>> <use-livecode@lists.runrev.com>, wrote:
>>>> Brian Milby wrote:
>>>>> From the dictionary:
>>>>> 
>>>>> The password and salt value are combined and scrambled to form the key
>>>>> and IV which are used as described above. The key derivation process
>>>>> is the same as that used in the openSSL utility. A 16-byte salt prefix
>>>>> is prepended to the encrypted data, based on the salt value. This is
>>>>> used in decryption.
>>>> 
>>>> "decryption"?
>>>> 
>>>> Are we talking about hashing or encrypting?
>>>> 
>>>> --
>>>> Richard Gaskin
>>>> Fourth World Systems
>>>> Software Design and Development for the Desktop, Mobile, and the Web
>>>> ____________________________________________________________________
>>>> ambassa...@fourthworld.com http://www.FourthWorld.com
>>>> 
>>>> _______________________________________________
>>>> use-livecode mailing list
>>>> use-livecode@lists.runrev.com
>>>> Please visit this url to subscribe, unsubscribe and manage your 
>>>> subscription preferences:
>>>> http://lists.runrev.com/mailman/listinfo/use-livecode

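The 16-byte prefix discussed in this thread, sketched as an added example (not written by any poster and not LiveCode's own code): it splits "Salted__" plus the 8-byte salt from the body and derives the key and IV from password and salt. Assumptions: the legacy OpenSSL `EVP_BytesToKey` scheme with MD5 and one iteration, AES-256-CBC sizes, hypothetical function names, and a constructed sample blob.

```python
import hashlib

MAGIC = b"Salted__"  # static 8-byte marker at the start of the ciphertext

def split_salted(blob):
    """Return (salt, body); salt is None when the 16-byte prefix is absent."""
    if len(blob) >= 16 and blob[:8] == MAGIC:
        return blob[8:16], blob[16:]
    return None, blob

def evp_bytes_to_key(password, salt, key_len=32, iv_len=16):
    """OpenSSL-style derivation: D_i = MD5(D_{i-1} + password + salt).
    Assumption: MD5 and AES-256-CBC sizes; the thread does not name them."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def key_for(blob, password, supplied_salt=None):
    """Derive (key, iv, body) as a decryptor must: take the salt from the
    prefix when present, otherwise require it from the caller."""
    salt, body = split_salted(blob)
    if salt is None:
        if supplied_salt is None:
            raise ValueError("prefix stripped: salt must be supplied separately")
        # Models the observation in the thread that only 8 bytes take effect.
        salt = supplied_salt[:8]
    key, iv = evp_bytes_to_key(password, salt)
    return key, iv, body

# Constructed sample: marker + salt + placeholder bytes (not real ciphertext).
SAMPLE_SALT = bytes.fromhex("0102030405060708")
SAMPLE = MAGIC + SAMPLE_SALT + b"\x00" * 16

if __name__ == "__main__":
    key, iv, body = key_for(SAMPLE, b"example password")
    print("salt from prefix:", SAMPLE_SALT.hex())
    print("key:", key.hex(), "iv:", iv.hex())
    # Same password, stripped prefix: identical key/IV only if the salt is supplied.
    print(key_for(SAMPLE[16:], b"example password", SAMPLE_SALT)[:2] == (key, iv))
```

The salt only varies the derived key and IV per message; the password is the secret, which is why the prefix can travel with the ciphertext.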
