Rafael Cividanes wrote:

I'd like to know if the use of EVP API for symmetric encryption is a good choice when using OpenSSL.

It depends on what you want to do and how much you know about cryptography in general.

"Use the raw OpenSSL API only when absolutely necessary because there is a huge potential for introducing a security vulnerability by accident. For general-purpose use, we recommend a high-level abstraction, such as that discussed in Recipe 5.16." - Secure Programming Cookbook for C and C++, Viega & Messier.

Is Viega asking in the sentence above to not use the EVP API? What is the "raw OpenSSL API"?

I think he's just warning you that if you are using a low-level API there are lots of traps that can cause your program to seem very secure even if it is in fact very insecure. If you are using the EVP API you have to select good keys, use the appropriate algorithms, do correct padding and so on.
On the other hand, if you are using high-level APIs like, for example, the SSL API, many of those traps are already handled by the library and the number of mistakes you can make is greatly reduced (though there are still enough remaining).

So if you find a high level API that does what you have to do, it will usually be the better choice. And if you have to use the low level for some reason, be sure to know what you are doing.

  Thanks for any help.

    [ ]'s

Rafael

Hope it helps. Ted ;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26


