If you are using a known salt, then I would say it makes sense to strip it. It 
would make it easier to decrypt if included, but still not easy to break a 
cipher that isn’t already cracked.

Since only 8 bytes of the salt are unique/used, it may be better to generate 
your own key instead of using the built in password and salt, but I’m not a 
security expert.

If you are just using a password, then a random salt is added. That means that 
each encrypted message (even if the message and password are the same) will be 
unique.

On Jun 6, 2018, 10:38 PM -0500, prothero--- via use-livecode 
<use-livecode@lists.runrev.com>, wrote:
> Hmmm....
> If the salt is included in the encrypted text, doesn’t that enable anyone who 
> intercepts it to decrypt it more easily, invalidating the purpose of using 
> the salt in the first place?
>
> Or, if the server decrypting the text uses a standard, but secret, salt that 
> is known by both parties, it seems more reasonable to me.
>
> Sorry if I’m being dense.
> Bill
>
> William Prothero
> http://earthlearningsolutions.org
>
> > On Jun 6, 2018, at 7:56 PM, Brian Milby via use-livecode 
> > <use-livecode@lists.runrev.com> wrote:
> >
> > I’m not sure what the original thread was using the salt for but the 
> > initial post in this one was more about hashing. The question about 
> > encryption was introduced so I answered that.
> >
> > For encryption, it looks like there is only an effective 8 byte salt (the 
> > first 8 are static - “Salted__”). Specifying more than 8 bytes does not 
> > change the resulting encrypted text.
> >
> > Since LC does include the salt, it does not need to be separately provided 
> > to decrypt. If you strip the salt (first 16 bytes), then you must supply 
> > the salt to decrypt. Providing the salt without stripping it from the 
> > encrypted text did not pose a problem in my test.
> > > On Jun 6, 2018, 9:32 PM -0500, Richard Gaskin via use-livecode 
> > > <use-livecode@lists.runrev.com>, wrote:
> > > Brian Milby wrote:
> > > > From the dictionary:
> > > >
> > > > The password and salt value are combined and scrambled to form the key
> > > > and IV which are used as described above. The key derivation process
> > > > is the same as that used in the openSSL utility. A 16-byte salt prefix
> > > > is prepended to the encrypted data, based on the salt value. This is
> > > > used in decryption.
> > >
> > > "decryption"?
> > >
> > > Are we talking about hashing or encrypting?
> > >
> > > --
> > > Richard Gaskin
> > > Fourth World Systems
> > > Software Design and Development for the Desktop, Mobile, and the Web
> > > ____________________________________________________________________
> > > ambassa...@fourthworld.com http://www.FourthWorld.com
> > >
> > > _______________________________________________
> > > use-livecode mailing list
> > > use-livecode@lists.runrev.com
> > > Please visit this url to subscribe, unsubscribe and manage your 
> > > subscription preferences:
> > > http://lists.runrev.com/mailman/listinfo/use-livecode
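
The 16-byte prefix and the password-plus-salt key derivation discussed in this thread, as an added Python example that is not from any poster or from LiveCode's own code. It assumes the OpenSSL `EVP_BytesToKey` scheme with one iteration, MD5 as the digest (the `openssl enc` default before 1.1.0) and AES-256 key/IV sizes; the function names, sample password and placeholder message body are constructed for illustration.

```python
import hashlib
import os

MAGIC = b"Salted__"  # static first 8 bytes of the 16-byte prefix

def split_salted(blob):
    """Return (salt, body); salt is None if the 16-byte prefix was stripped."""
    if len(blob) >= 16 and blob[:8] == MAGIC:
        return blob[8:16], blob[16:]
    return None, blob

def evp_bytes_to_key(password, salt, key_len=32, iv_len=16, digest="md5"):
    """OpenSSL EVP_BytesToKey, one iteration: D_i = H(D_{i-1} + password + salt)."""
    out, block = b"", b""
    while len(out) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]

def key_for_message(password, blob, supplied_salt=None):
    """Derive (key, iv, body) the way a decrypting side would."""
    salt, body = split_salted(blob)
    if salt is None:
        if supplied_salt is None:
            raise ValueError("prefix stripped: salt must be supplied separately")
        salt = supplied_salt[:8]  # only 8 salt bytes take effect, per the thread
    key, iv = evp_bytes_to_key(password, salt)
    return key, iv, body

def make_blob(salt, body=b"<constructed ciphertext bytes>"):
    """Constructed sample message: prefix + placeholder body (not real ciphertext)."""
    return MAGIC + salt + body

if __name__ == "__main__":
    pw = b"correct horse"  # constructed sample password
    a, b = make_blob(os.urandom(8)), make_blob(os.urandom(8))
    ka, kb = key_for_message(pw, a)[0], key_for_message(pw, b)[0]
    print("same password, different salts -> same key?", ka == kb)
    salt, body = split_salted(a)
    # Stripped message: the receiver must be given the salt out of band.
    print("stripped + salt matches:", key_for_message(pw, body, salt)[0] == ka)
    # Knowing the salt without the password yields a different key.
    print("wrong password matches:", key_for_message(b"guess", a)[0] == ka)
```

The salt only makes each derived key and IV unique per message; the key still depends on the password, which is why the prefix can travel with the ciphertext.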
