5

when i was reading the latest source code of openssl, i found openssl enc has an 8-byte (64-bit) salt length; because the same (password, salt, iter) will generate the same (key, iv), the birthday paradox tells us that you may reuse a (key, iv) pair within about 2^32 encryptions;

openssl source:

//  apps/enc.c;
int enc_main(int argc, char **argv)
{
    ...
    unsigned char *buff = NULL, salt[PKCS5_SALT_LEN];
    ...
}

// include/openssl/evp.h;

#define PKCS5_SALT_LEN 8

personally i do not think 2^32 (around 4 billion) is a very large number; there are almost 8 billion people around the world now; in some use cases there are a lot of personal data records that need to be encrypted; the number is even larger when you include other animals such as cats and dogs;

pkcs #5 (in 2017) recommends at least 64-bit salt length; while nist (in 2010) says you shall use at least 128-bit salt length; there is also a github issue proposed in 2017;

my questions:

  1. is 64-bit salt length deemed secure right now? if so, why did nist say you shall use at least 128-bit salt length 7 years earlier?

  2. is openssl enc meant for production use or only a demo of the openssl library?

  3. if the salt length cannot be easily improved in openssl, what other libraries and shell tools are both secure and easy to use?

Cyker

1 Answer

0

Some sites even suggest using a salt that is the length of the digest of the hash function, created by a CSPRNG, but 16 bytes is generally the minimum salt length used (128 bits).

SamG101
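Added example, not part of the original question or answer and not OpenSSL's own code: a salt-reuse check over `openssl enc` output, together with the birthday estimate the question refers to, for 64-bit and 128-bit salts. It assumes raw (non-base64) files that start with the `Salted__` header followed by the 8-byte salt, and the `-pbkdf2` defaults of PBKDF2-HMAC-SHA256 with 10000 iterations for AES-256-CBC; the function names and sample files are constructed for illustration.

```python
import hashlib
import math

MAGIC = b"Salted__"   # header written by `openssl enc` when a salt is used
SALT_LEN = 8          # PKCS5_SALT_LEN from include/openssl/evp.h

def derive_key_iv(password: bytes, salt: bytes, iterations: int = 10000):
    """(key, iv) for AES-256-CBC under the assumed `-pbkdf2` defaults:
    PBKDF2-HMAC-SHA256, 32-byte key followed by 16-byte IV."""
    okm = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32 + 16)
    return okm[:32], okm[32:]

def parse_salt(blob: bytes) -> bytes:
    """Return the 8-byte salt from a raw `openssl enc` output."""
    if len(blob) < len(MAGIC) + SALT_LEN or not blob.startswith(MAGIC):
        raise ValueError("missing Salted__ header")
    return blob[len(MAGIC):len(MAGIC) + SALT_LEN]

def find_salt_reuse(files: dict) -> dict:
    """Map each salt seen more than once to the names of the files using it."""
    seen = {}
    for name, blob in files.items():
        seen.setdefault(parse_salt(blob), []).append(name)
    return {salt: names for salt, names in seen.items() if len(names) > 1}

def collision_probability(n: int, salt_bits: int) -> float:
    """Birthday approximation: P(some salt repeats among n random salts)."""
    return -math.expm1(-n * (n - 1) / 2.0 ** (salt_bits + 1))

if __name__ == "__main__":
    # Constructed sample data: real header layout, dummy ciphertext bodies.
    files = {
        "a.enc": MAGIC + bytes.fromhex("0011223344556677") + b"\x00" * 16,
        "b.enc": MAGIC + bytes.fromhex("8899aabbccddeeff") + b"\x00" * 16,
        "c.enc": MAGIC + bytes.fromhex("0011223344556677") + b"\x00" * 16,
    }
    for salt, names in find_salt_reuse(files).items():
        # Same password + same salt + same iter => same key and IV for all names.
        _, iv = derive_key_iv(b"example-password", salt)
        print("salt", salt.hex(), "shared by", names, "-> IV", iv.hex())
    for bits in (64, 128):
        p = collision_probability(2 ** 32, bits)
        print(f"{bits}-bit salt, 2^32 encryptions: P(repeat) ~ {p:.3g}")
```

A repeated salt only yields a repeated (key, iv) when the password and iteration count are also the same, so the check is meaningful per password.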