I found out by accident, here, that for openssl version 1.1.0:

    -md digest
    Use the specified digest to create the key from the passphrase. The default algorithm is sha-256.

So, there is no point in specifying the message digest algorithm for the newer version of openssl as it already uses SHA-256.

But since on my system there is openssl version 1.0.2g, I dug further and found out, here, that:

    ... In OpenSSL 1.1.0 we changed from MD5 to SHA-256 ...

Essentially, this means my openssl will by default use the old and obsolete MD5.

Luckily, this can be changed to SHA-256 with openssl version 1.0.2g:

    openssl enc -aes-256-cbc -md sha256 -salt -in somefile -out somefile.enc

If you have an older openssl version than me, you might want to try -md sha1, if the above fails.
Dupe https://superuser.com/questions/455463/openssl-hash-function-for-generating-aes-key except that was out of date until just now; for full details see https://crypto.stackexchange.com/questions/3298/is-there-a-standard-for-openssl-interoperable-aes-encryption . Note that any single hash is a bad PBKDF; SHA-256 is not noticeably better than MD5. And -salt has been the default for over a decade, nearly two.
– dave_thompson_085 – 2017-12-10T07:36:56.877

@dave_thompson_085: OpenSSL does use a KDF instead of simple hash, although it still seems to be homegrown and rather weak (see EVP_BytesToKey).
– user1686 – 2017-12-11T15:46:50.737

@grawity my answer to the crypto Q I linked explains this in detail. EVP_BytesToKey is a tweak of PBKDF1 from PKCS5, but commandline enc uses EVP_BytesToKey with iteration count 1 so it does only a single hash per output block, it does NOT actually iterate as PBKDF should. The bear agrees: https://security.stackexchange.com/questions/29106/openssl-recover-key-and-iv-by-passphrase
– dave_thompson_085 – 2017-12-12T03:31:41.110

Vlastimil: You're not using this for bulletproof security, are you? Consider GPG/PGP instead, it should still stump the biggest players. @dave_thompson_085 They're still only iterating once? Yowza. Moving away from MD5 is a baby step at least. Do they track the hash & encryption used, or you still have to remember yourself too? (I've quoted the bear too ;-)
– Xen2050 – 2017-12-14T21:10:31.343
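As an added example (not code from the answer or the commenters), here is the EVP_BytesToKey derivation that "openssl enc" performs, written in Python with hashlib. The passphrase, the 8-byte salt and the "Salted__" header blob are constructed for illustration; it shows why the comments call the KDF weak: with count=1 each output block costs exactly one hash of passphrase+salt, whether the digest is MD5 (pre-1.1.0 default) or SHA-256 (1.1.0 default).

```python
import hashlib


def evp_bytes_to_key(passphrase: bytes, salt: bytes, md: str,
                     key_len: int = 32, iv_len: int = 16, count: int = 1):
    """Derive (key, iv) the way 'openssl enc -md <md>' does for aes-256-cbc.

    md is a hashlib digest name: "md5" for OpenSSL < 1.1.0, "sha256" for 1.1.0+.
    D_1 = H(pass || salt), D_i = H(D_{i-1} || pass || salt), concatenated until
    key_len + iv_len bytes exist. 'openssl enc' always uses count=1.
    """
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, block + passphrase + salt).digest()
        # Real PBKDF1-style iteration only happens for count > 1, which the
        # enc command never requests, so this loop body does not run for it.
        for _ in range(count - 1):
            block = hashlib.new(md, block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


# Constructed sample: 'openssl enc -salt' writes "Salted__" plus an 8-byte
# salt in front of the ciphertext; the 16 zero bytes stand in for ciphertext.
SAMPLE_SALT = bytes.fromhex("0011223344556677")
SAMPLE_FILE = b"Salted__" + SAMPLE_SALT + b"\x00" * 16


def parse_salted_header(blob: bytes) -> bytes:
    """Return the salt from an 'openssl enc -salt' output file."""
    if len(blob) < 16 or blob[:8] != b"Salted__":
        raise ValueError("not an 'openssl enc -salt' file")
    return blob[8:16]


def derive_for_file(passphrase: bytes, blob: bytes, md: str):
    """Recover the key and IV that decrypting blob with passphrase would use."""
    return evp_bytes_to_key(passphrase, parse_salted_header(blob), md)


if __name__ == "__main__":
    for digest in ("md5", "sha256"):
        key, iv = derive_for_file(b"correct horse", SAMPLE_FILE, digest)
        print(digest, "key:", key.hex(), "iv:", iv.hex())
```

Because the salt is stored in clear and only one hash separates the passphrase from the key, the strength of the result rests entirely on the passphrase; the digest choice changes which hash is computed, not how many.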