up vote 3 down vote favorite

From https://wiki.openssl.org/index.php/Manual:Enc(1):

When a password is being specified using one of the other options, the IV is generated from this password.

Why does OpenSSL do this? My expectation would be that an unique IV is generated and encoded in the output message every time you invoke OpenSSL. When decrypting, OpenSSL extracts the IV and uses it.

Is there any reason to derive an IV from a password instead? Is that even safe to do? Aren't you using the same IV each time you use the password? What even is the point of using an IV if it's going to be paired to the encryption key?

share|improve this question
up vote 1 down vote

If you read the manpage you referenced a bit more carfeully, you will find the following lines:

-nosalt

do not use a salt

-salt

use salt (randomly generated or provide with -S option) when encrypting (this is the default).

The -salt option should ALWAYS be used if the key is being derived from a password unless you want compatibility with previous versions of OpenSSL and SSLeay.

Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.

Putting this together we learn:

  • You should use a random salt, which gets used in the key derivation process (calculating the encryption key and the IV from the password)
  • If you use a salt, the key and the IV and thus the ciphertext won't be deterministic
  • Using a random salt is the default behaviour of openssl enc

You can easily check this by running

echo foo |openssl enc -aes-128-cbc -out encrypted -nosalt

and

echo foo |openssl enc -aes-128-cbc -out encrypted

In the first case, the output will be 16 bytes long (one block of AES), in the second case it will be longer, because the salt has to be stored.

share|improve this answer
up vote 1 down vote

In OpenSSL, if the enc command is used (enc.c) the generation of the IV from a password is performed alongside the derivation of the key (by the function EVP_BytesToKey: source). As they say here:

The EVP_BytesToKey(3) function provides some limited support for password based encryption. Careful selection of the parameters will provide a PKCS#5 PBKDF1 compatible implementation. However, new applications should not typically use this (preferring, for example, PBKDF2 from PCKS#5).

Therefore, it is safe to derive an IV from a password if a proper salt is used in the derivation (see RFC 2898). If a random salt is selected each time, you are not using the same IV each time you use the password.

Furthermore, it is also safe to derive key and IV from the same output of the KDF if enough randomness is already provided by the salt. That is, the size of the salt shall be already enough to ensure that is difficult for an attacker to pre-compute all the possible keys for a dictionary of passwords. Thus, it is not reasonable to split key and IV derivation just to add the burden of computing all the possible pairs (key, IV).

My next question is, why do they not use PBKDF2 for enc command with password?

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.