I would like to use AES_256_GCM in my software. The OpenSSL wiki page gives me an example.
It shows that only the function EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv) uses the key.
My key is the SHA3_256 hash of a password (Qt implementation of SHA3_256).
I would like to know if I have to use PKCS#5 to randomize the key, or if the function takes care of that.

This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Cryptography Stack Exchange](http://crypto.stackexchange.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww Jun 09 '15 at 01:33
It is about programming because I would like to know if the function EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv) randomizes the key itself or I have to do it. I would not like to pass my password through 2 rounds of PBKDF. It would not be necessary. – MKAROL Jun 09 '15 at 09:14
1 Answer
> My key is SHA3_256 hash of a password (Qt implementation of SHA3_256).

You should probably digest the password into a key with OpenSSL's PKCS5_PBKDF2_HMAC_SHA1. See How to use PKCS5_PBKDF2_HMAC_SHA1().

> It shows that only function EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv) uses key.... I would like to know if I have to use PKCS#5 to randomize the key or the function takes care of that.

Each encryption of a string or file should get its own random IV. IVs cannot repeat. Your other option is to use a random key for each string or file.

The output of the encrypt operation is the {IV,CipherText} pair.

AES_256_GCM is a good choice. One of the few ways it could get better is with an Integrated Encryption Scheme. You might take a look at openssl-pkey-ec-ies on GitHub. Crypto++ and BouncyCastle also have Elliptic Curve Integrated Encryption Scheme implementations, so you have other choices.

Be sure to test interop. They interop, but it takes some knob turning. The problem with interop is there are so many standards providing it, and each is slightly non-interoperable.

To give you an idea of the nuances, ECIES calls out that a particular variable gets hashed (it's the length of a given string of data). One standard represents the variable in 4 octets, another in 8 octets. That's the only difference and causes interop issues if you are not aware.
If you go for password hashing then you can use a random salt to generate a random key (and IV, if that's what you want). – Maarten Bodewes Jun 09 '15 at 15:19
I would recommend using PBKDF2-HMAC-SHA-256 or PBKDF2-HMAC-SHA-512 instead, depending on how many key bits are required; OpenSSL supports both. – Anti-weakpasswords Feb 17 '16 at 05:50