On 5/16/2014 2:15 AM, Dave Thompson wrote:

EVP_BytesToKey implements (a tweak on) the original PKCS#5, which derived a key and IV by iterated hashing of a (reusable but secret) password with random (i.e. unique) salt. Given random salt this gives effectively random IV, but is unnecessarily complicated.

This was recognized as a not terribly good plan, and the improved PBKDF2 in PKCS#5v2 derives only the key in a slightly different way (iterated **HMAC** with salt **cumulated**) leaving the IV, if any, as plain random outside the scope of the PBKDF2 primitive.

OpenSSL does implement PBKDF2, and can use it for PKCS#8 and PKCS#12 etc., but kept BytesToKey for compatibility with existing ‘enc’ files and ‘legacy’ (pre PKCS#8) keys. (Which don’t even really use the iteration feature; they are hardcoded 1!)

Using BytesToKey with random salt to generate the IV is a waste of time, and using it with fixed salt violates its specification. Just use random IV. Unless you don’t trust your RNG. But in that case you’re better off fixing or replacing the RNG, not trying weird things to prop it up.

BytesToKey (like PBKDF1) uses the one iteration count to produce data which is returned for both key and IV. It does additional round(s) if and only if necessary, a PBKDF2-like tweak not in standard PBKDF1, but still using the same count.


Which openssl function does key derivation based on PKCS#5v2?

--

Best regards.
Hooman Fazaeli
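The two derivation schemes discussed in the quoted reply, shown side by side as an added example (this is not code from the thread, from OpenSSL, or from either poster). The first function recreates the legacy EVP_BytesToKey hash chain, in which key and IV are both carved out of one chained digest and the single iteration count is reused for every extra round; the second is textbook PBKDF2 (RFC 8018 section 5.2) written out so the "iterated HMAC with salt cumulated" structure is visible, and it is checked against `hashlib.pbkdf2_hmac`, which in CPython is backed by OpenSSL. In OpenSSL's own C API the PKCS#5 v2 derivation is `PKCS5_PBKDF2_HMAC`. The password, salt and iteration count of 600,000 are constructed values for the illustration; the point of `fresh_params` is that under PKCS#5 v2 the IV comes straight from the OS RNG and never passes through the KDF.

```python
import hashlib
import hmac
import os


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     count: int = 1, md=hashlib.md5):
    """Legacy PKCS#5 v1.5-style chain as EVP_BytesToKey does it (reimplemented
    here for illustration): D_1 = H^count(P || S), D_i = H^count(D_{i-1} || P || S),
    and key || IV is read straight out of D_1 || D_2 || ...  Extra blocks are
    produced only if key_len + iv_len needs them, and reuse the same count."""
    assert len(salt) in (0, 8), "OpenSSL passes an 8-byte salt (or none)"
    out = b""
    prev = b""
    while len(out) < key_len + iv_len:
        d = md(prev + password + salt).digest()
        for _ in range(count - 1):        # remaining rounds hash the digest alone
            d = md(d).digest()
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_reference(password: bytes, salt: bytes, iterations: int,
                     dklen: int, hash_name: str = "sha256") -> bytes:
    """Textbook PBKDF2: for each output block i,
    U_1 = HMAC(P, S || INT_BE32(i)), U_j = HMAC(P, U_{j-1}),
    T_i = U_1 xor U_2 xor ... xor U_c.  The salt enters once per block and
    the result accumulates across iterations; no IV is produced."""
    hlen = hashlib.new(hash_name).digest_size
    blocks = -(-dklen // hlen)            # ceil(dklen / hlen)
    out = b""
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hash_name).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += bytes(t)
    return out[:dklen]


def pbkdf2_key(password: bytes, salt: bytes, key_len: int,
               iterations: int = 600_000, hash_name: str = "sha256") -> bytes:
    """PKCS#5 v2 key derivation via the library primitive (OpenSSL-backed in CPython)."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen=key_len)


def fresh_params(password: bytes, key_len: int = 32, iv_len: int = 16):
    """Per-message parameters the PKCS#5 v2 way: random salt, key from PBKDF2,
    IV drawn directly from the OS RNG rather than from the KDF output."""
    salt = os.urandom(16)                 # 16-byte salt is a choice, not a spec value
    key = pbkdf2_key(password, salt, key_len)
    iv = os.urandom(iv_len)
    return salt, key, iv


if __name__ == "__main__":
    pw = b"correct horse"                 # constructed sample password
    legacy_salt = bytes(range(1, 9))      # constructed 8-byte salt
    key, iv = evp_bytes_to_key(pw, legacy_salt, 32, 16)
    print("legacy key:", key.hex(), "iv:", iv.hex())
    salt, key, iv = fresh_params(pw)
    print("pbkdf2 key:", key.hex(), "random iv:", iv.hex())
```

Running the module prints one key/IV pair from each scheme; the legacy pair is fully determined by password and salt, while the PKCS#5 v2 IV is independent of both, which is exactly why deriving it through the KDF buys nothing once the salt is random.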
