What is the purpose of this function.
I have a disconnect on why this is needed as opposed to just setting a key
and a IV.
IE: If a user enters 'password' as his password, what good does running
through the EVP_BytesToKey (or one of the specific functions like
BF_set_key).
I understand this runs a hash on the password but, how does that make it any
more secure. If everyone knows a hash has been run, why does this help any?
My guess is to insure a specific size key? Is this correct? but what if a
user doesnt *WANT* a specific key size. Also wouldnt this cause concern
about portability, if this function 'alters' the user defined key in some
and then the associated decrypt function comes from a different application,
if it isnt altered in exactly the same way, wouldn't that break the
algorithm... If this is useful for gauranteing key size, isn't it just as
risky to assume all implemenations will do the same thing??
For instance, Im trying to use blowfish to decrypt data encrypted with Java
Crypto Libraries. Ive been unable to get this to work, and I believe it
might be related to the key sizes.
When we talk DES (not triple) the integration of the two works fine, however
I believe this is because with DES all entities know the key is 56 bits.
With blowfish the key size can vary greatly. So what my code does is the
following:
bool CryptoObject::setKey(byte_t* KEY,uint16_t length)
{//Set the key used for decryption.
if (length != keyLength)
return false;//Enforce max key len for security reasons.
//Enfoce the tripleness of the key is secure...
//With 3DES, if the keys are the same, its just des...
if (memcmp(KEY,KEY+8,8) == 0)
return false;
if (memcmp(KEY,KEY+16,8) == 0)
return false;
if (memcmp(KEY+8,KEY+16,8) == 0)
return false;
memcpy(key,KEY,length);
return true;
}
NOTE: keyLength = EVP_MAX_KEY_LENGTH which is 24.
(Can't blowfish handle larger keys though??)
Then my decryption function is this:
int CryptoObject::BXdecrypt(const byte_t* cipherText,uint32_t cipherLength,
byte_t* plainText)
{
//Set up internal structures
EVP_DecryptInit(&dCTX,alg,key,iv);
//Decrypt Data
int plainLength1;
EVP_DecryptUpdate(&dCTX,plainText,(int*)&plainLength1,(byte_t*)cipherText,
cipherLength);
//Deal with potential padding
int plainLength2;
if (EVP_DecryptFinal(&dCTX,plainText+plainLength1,&plainLength2)==1)
{
plainText[plainLength1+plainLength2]='\0';
return plainLength1 + plainLength2;
}
else
return 0;
}
So basically a common use of this CryptoObject class would be:
(Works if co is defined to use DES, but not blowfish).
CryptoObject co;
co.setKey("0123456789012345678901234",24);
if (co.BXdecrypt(cipherText,cipherLength,plainText)==0)
cout << "Decryption failure" << endl;
else
cout << plainText << endl;
Now notice if I use the defined interface to EVP_DecryptInit, I pass the key
and IV but no where do I pass the key length... so what if my key was [32 to
448 bits] how would EVP_DecryptInit know what size I wanted?
Thanx in advance for taking the time to look at this,
brian
ps. If im not being too greedy with my number of questions per email, I was
curious if their are any plans to update libcrypto with newer algorithms,
like for instance twofish.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
