3

I am trying to make a folder encryption with maximum automation (except password input). Inside a bash script I do the following:

echo $RANDOM | md5sum | cut -d' ' -f1 > iv

and then using it:

openssl aes-128-cbc -md sha256 -iv $(cat iv) -in folder.7z -out folder.7z.enc

Assuming that echo $RANDOM returns a good random value, I then run md5sum on that value, and md5sum has collision weaknesses, so I assume there is some security problem with that, but this is the way I found to produce a correct IV string for openssl. Can someone point out what exactly the problem with this approach can be, and maybe give advice on how to produce a pseudo-random IV in a better way?

  • 3
    I don't have time to write an answer now, but there are many problems with your code. The openssl command line is only designed for tests, not for production use, and it's very difficult to use it correctly. Use a tool designed for this purpose, such as zip or 7z's encryption feature, or gpg. – Gilles 'SO- stop being evil' Oct 24 '18 at 17:55
  • If you have time at some point, please write which open source tool to use in a standard Linux environment to encrypt with AES correctly :) – stackoverflower Oct 25 '18 at 08:47

2 Answers

8

Assuming that echo $RANDOM returns good random value…

It does not. $RANDOM in bash is implemented using an LCRNG with 32 bits of state and a 15-bit output.

4

... md5sum has collision weaknesses, so I assume that there is some security problem with that,

Collision attacks are irrelevant here. All that matters is that the IV used is in no way predictable (i.e. no bias: all outputs have the same probability) and that the same IV is not used with the same input. For more, see How do poor-quality initialization vectors affect the security of CBC mode?.

– Steffen Ullrich