digitalbazaar / forge

A native implementation of TLS in Javascript and tools to write crypto-based and network-heavy webapps
https://digitalbazaar.com/

Question about openssl enc example in README #209

Closed kevgrig closed 9 years ago

kevgrig commented 9 years ago

In the README, there is an example called, "Using forge in node.js to match openssl's "enc" command line tool." There is an answer on StackExchange Information Security that says, in part:

The encryption format used by OpenSSL is non-standard: it is "what OpenSSL does", and if all versions of OpenSSL tend to agree with each other, there is still no reference document which describes this format except OpenSSL source code...

The process by which the password and salt are turned into the key and IV is not documented, but a look at the source code shows that it calls the OpenSSL-specific EVP_BytesToKey() function, which uses a custom key derivation function with some repeated hashing. This is a non-standard and not-well vetted construct (!)... the "iteration count" is set by the enc command to 1 and cannot be changed (!!!!). This means that the first 16 bytes of the key will be equal to MD5(password||salt), and that's it.

This is quite weak! Anybody who knows how to write code on a PC can try to crack such a scheme and will be able to "try" several dozens of millions of potential passwords per second (hundreds of millions will be achievable with a GPU). If you use "openssl enc", make sure your password has very high entropy! (i.e. higher than usually recommended; aim for 80 bits, at least). Or, preferably, don't use it at all; instead, go for something more robust (GnuPG, when doing symmetric encryption for a password, uses a stronger KDF with many iterations of the underlying hash function).

I've put a few concerning parts in bold. Do you have any opinions on this? Do you think an example that writes a gpg-format file would be better?
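
The derivation described in the quoted answer, as an added example that is not part of the original thread or forge's README. It uses Node's built-in `crypto` module rather than forge, assumes AES-256-CBC with the MD5 digest, and the function names, password and salt are constructed for illustration.

```javascript
const crypto = require('crypto');

const MAGIC = Buffer.from('Salted__', 'ascii'); // 8-byte header written by openssl enc

// EVP_BytesToKey with MD5 and an iteration count of 1:
//   D1 = MD5(password || salt), Dn = MD5(D(n-1) || password || salt)
function evpBytesToKey(password, salt, keyLen, ivLen) {
  const pw = Buffer.from(password, 'utf8');
  let block = Buffer.alloc(0);
  const blocks = [];
  for (let have = 0; have < keyLen + ivLen; have += block.length) {
    block = crypto.createHash('md5').update(block).update(pw).update(salt).digest();
    blocks.push(block);
  }
  const out = Buffer.concat(blocks);
  return { key: out.subarray(0, keyLen), iv: out.subarray(keyLen, keyLen + ivLen) };
}

// Produce the "Salted__" || salt || ciphertext layout.
function encrypt(plaintext, password, salt = crypto.randomBytes(8)) {
  const { key, iv } = evpBytesToKey(password, salt, 32, 16);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([MAGIC, salt, c.update(plaintext), c.final()]);
}

// Parse the header, re-derive key and IV from the embedded salt, decrypt.
function decrypt(blob, password) {
  if (blob.length < 16 || !blob.subarray(0, 8).equals(MAGIC)) {
    throw new Error('not a salted openssl enc blob');
  }
  const { key, iv } = evpBytesToKey(password, blob.subarray(8, 16), 32, 16);
  const d = crypto.createDecipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]);
}

// True when the first 16 key bytes are exactly one MD5 over password || salt,
// which is the property the quoted answer points out.
function firstBlockIsBareMd5(password, salt) {
  const { key } = evpBytesToKey(password, salt, 32, 16);
  const md5 = crypto.createHash('md5').update(password, 'utf8').update(salt).digest();
  return key.subarray(0, 16).equals(md5);
}

// Constructed sample values, not taken from the thread.
const demoSalt = Buffer.from('0102030405060708', 'hex');
console.log(firstBlockIsBareMd5('constructed-password', demoSalt));
```

The whole 48 bytes of key and IV cost three MD5 calls, so the password's entropy is the only thing slowing down guessing.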

dlongley commented 9 years ago

We should probably add similar warning(s) to the README. People (unfortunately) use that tool so we need to have the example available, but a warning is a good idea. More examples (e.g., gpg-format) are also welcome.

kevgrig commented 9 years ago

@dlongley Thanks

kevgrig commented 9 years ago

I investigated gpg-format a little bit and it looks like it would require implementing a lot of RFC 4880 including its S2K KDF, so it seems like a significant chunk of work.