Okay I think I get it. I noticed the beginning of the hash contained "Salted__" but I didn't know why! Are you saying I can strip that along with the next 8 bytes, and the hash will be intact, and I can decrypt it without the salt??
Bob S

> On Jun 6, 2018, at 21:06 , Brian Milby via use-livecode
> <[email protected]> wrote:
>
> If you are using a known salt, then I would say it makes sense to strip it.
> It would make it easier to decrypt if included, but still not easy to break a
> cipher that isn’t already cracked.
>
> Since only 8 bytes of the salt are unique/used, it may be better to generate
> your own key instead of using the built in password and salt, but I’m not a
> security expert.
>
> If you are just using a password, then a random salt is added. That means
> that each encrypted message (even if the message and password is the same)
> will be unique.
> On Jun 6, 2018, 10:38 PM -0500, prothero--- via use-livecode
> <[email protected]>, wrote:
>> Hmmm....
>> If the salt is included in the encrypted text, doesn’t that enable anyone
>> who intercepts it to decrypt it more easily, invalidating the purpose of
>> using the salt in the first place.
>>
>> Or, if the server decrypting the text uses a standard, but secret, salt that
>> is known by both parties, it seems more reasonable to me.
>>
>> Sorry if I’m being dense.
>> Bill
>>
>> William Prothero
>> http://earthlearningsolutions.org
>>
>>> On Jun 6, 2018, at 7:56 PM, Brian Milby via use-livecode
>>> <[email protected]> wrote:
>>>
>>> I’m not sure what the original thread was using the salt for but the
>>> initial post in this one was more about hashing. The question about
>>> encryption was introduced so I answered that.
>>>
>>> For encryption, it looks like there is only an effective 8 byte salt (the
>>> first 8 are static - “Salted__”). Specifying more than 8 bytes does not
>>> change the resulting encrypted text.
>>>
>>> Since LC does include the salt, it does not need to be separately provided
>>> to decrypt. If you strip the salt (first 16 bytes), then you must supply
>>> the salt to decrypt. Providing the salt without stripping it from the
>>> encrypted text did not pose a problem in my test.
>>>> On Jun 6, 2018, 9:32 PM -0500, Richard Gaskin via use-livecode
>>>> <[email protected]>, wrote:
>>>> Brian Milby wrote:
>>>>> From the dictionary:
>>>>>
>>>>> The password and salt value are combined and scrambled to form the key
>>>>> and IV which are used as described above. The key derivation process
>>>>> is the same as that used in the openSSL utility. A 16-byte salt prefix
>>>>> is prepended to the encrypted data, based on the salt value. This is
>>>>> used in decryption.
>>>>
>>>> "decryption"?
>>>>
>>>> Are we talking about hashing or encrypting?
>>>>
>>>> --
>>>> Richard Gaskin
>>>> Fourth World Systems
>>>> Software Design and Development for the Desktop, Mobile, and the Web
>>>> ____________________________________________________________________
>>>> [email protected] http://www.FourthWorld.com
>>>>
>>>> _______________________________________________
>>>> use-livecode mailing list
>>>> [email protected]
>>>> Please visit this url to subscribe, unsubscribe and manage your
>>>> subscription preferences:
>>>> http://lists.runrev.com/mailman/listinfo/use-livecode
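
The layout discussed in this thread (8 bytes of "Salted__", then 8 bytes of salt, then the ciphertext), as an added example that is not part of the original messages and is not LiveCode's own code. It assumes the classic `openssl enc` derivation (EVP_BytesToKey, one iteration) with MD5 and AES-256-CBC key/IV sizes, neither of which the thread names; the sample blobs are constructed placeholders.

```python
import hashlib

MAGIC = b"Salted__"  # fixed 8-byte marker; the next 8 bytes are the salt


def split_salted(blob: bytes):
    """Split an OpenSSL-style blob into (salt, ciphertext)."""
    if len(blob) < 16 or not blob.startswith(MAGIC):
        raise ValueError("no Salted__ header; the salt must be supplied separately")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len=32, iv_len=16, digest="md5"):
    """EVP_BytesToKey with one iteration, as used by classic `openssl enc`.

    Assumption: MD5 and AES-256-CBC sizes; the thread names neither.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_from_blob(blob: bytes, password: bytes):
    """What a decryptor does first: read the salt from the header, then derive key and IV."""
    salt, _ciphertext = split_salted(blob)
    return evp_bytes_to_key(password, salt)


if __name__ == "__main__":
    # Constructed sample: placeholder ciphertext bytes, not real encrypted data.
    body = bytes(16)
    blob_a = MAGIC + b"AAAAAAAA" + body
    blob_b = MAGIC + b"BBBBBBBB" + body
    key_a, iv_a = derive_from_blob(blob_a, b"correct horse")
    key_b, _ = derive_from_blob(blob_b, b"correct horse")
    wrong, _ = derive_from_blob(blob_a, b"guess")
    print("same password, different salt -> different key:", key_a != key_b)
    print("salt known, wrong password -> different key:", key_a != wrong)
    try:
        split_salted(body)  # header stripped: the receiver now needs the salt out of band
    except ValueError as exc:
        print("stripped blob:", exc)
```

The key and IV depend on both the password and the salt, so the salt in the header only makes each message's key unique; it does not stand in for the password.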
