14

When encrypting a file with OpenSSL, it is possible to use -pass pass:mySillyPassword, where mySillyPassword is the password used in encryption. In addition, it is possible to use a salt, where -salt -s (hex string) is used to specify the salt.

Why would someone want to use a password instead of the salt or in conjunction with a salt? Also, I understand just using the -salt command will cause OpenSSL to generate a salt. How is this better than a user-defined salt? If OpenSSL randomly generates a salt, how will the user know what the salt is to decrypt the file in the future?

BuZZ-dEE
  • 6,075
  • 12
  • 66
  • 96
user2520041
  • 145
  • 1
  • 1
  • 5

4 Answers4

14

In OpenSSL, the salt will be prepended to the front of the encrypted data, which will allow it to be decrypted. The purpose of the salt is to prevent dictionary attacks, rainbow tables, etc. The following is from the OpenSSL documentation:

Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.

The documentation suggests that a salt always be used with a password, except if compatibility with earlier versions that do not support a salt is neccessary.

IanPudney
  • 5,941
  • 1
  • 24
  • 39
  • 1
    Thank you for the explanation, but I am still not understanding the purpose of the password. Here's what OpenSSL documentation says: pass:password the actual password is password. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important. How is the password stored in the encrypted data? Is it appended as well? It seems the password is not very secure, but I guess that only matters if the person has access to the computer at the time data is being encrypted, correct? – user2520041 Jun 25 '13 at 14:14
  • Yes, you are correct, the password is compromised in this manner only if access to the computer exists at the time of encryption or decryption. However, When it says "this form should only be used where security is not important", it means that syntax for specifying the password (`pass:password`). Instead, you should use other methods, such as `file:pathname` or `stdin`. And no, the password is not appended. The password is used to generate a secret key for decrypting the file, and it can only be decrypted with that password. The password is secure, but only if used properly. – IanPudney Jun 25 '13 at 14:29
  • Thanks, that makes it more clear. This password used to generate the secret key - is the password file a separately generated file? If not, I think it would be much like a salt. I wish the documentation was more specific. – user2520041 Jun 25 '13 at 16:16
  • You can provide a password either in the command line or in a file. The difference between the password and salt is that the password is secret, while the salt is not. – IanPudney Jun 25 '13 at 16:26
  • Thanks, I understand that part. But my question is more related to purpose - can you provide an example of why one would choose to forgo using a password and just use a salt and another example of why a password would be a good idea? – user2520041 Jun 25 '13 at 17:59
  • 1
    The purpose of encrypting a file is to hide its contents. Thus, you must provide either a password or an encryption key. (If you provide a password, the password is used to generate an encryption key, which is then used to encrypt or decrypt your information). So to answer your question, no, I cannot provide an example of a situation in which you would use just a salt. – IanPudney Jun 25 '13 at 18:32
8

Password and SALT are two different things. You have to have a password with or without salt (password is mandatory while salt is optional but recommended).

The actual key which is used for encryption is driven from the password and the SALT, if provided. Hence, even if the same password used to encrypt two files, if SALT is used, then the key will be different and the ciphertext of course.

The password is never appended or encoded into the ciphertext. In contrast, the salt is added to the beginning of the ciphertext. But it can't be used to decrypt the ciphertext without the password.

Why SALT is important? Imagine you are using the same password without SALT to encrypt ten files. An adversary can generate keys dictionary for potential passwords then once one key successfully decrypt one file, it can decrypt all files. With SALT he has to create ten different dictionaries one for each SALT, which make things more expensive for him and secure for us.

Let's do practical things, I will use openssl 1.1.1:

Password without SALT:

echo "secret data in my file" > plaintext.txt

openssl enc -aes-128-cbc -nosalt -k "mySecretPassword" -in plaintext.txt -out enc1.nosalt.bin
openssl enc -aes-128-cbc -nosalt -k "mySecretPassword" -in plaintext.txt -out enc2.nosalt.bin

Both ciphertexts should be the same because the encryption key only depends on the password which is the same in both cases. 

xxd enc1.nosalt.bin
00000000: 576e a82c 0dac 92d8 5e45 5ef4 3f6f db6a  Wn.,....^E^.?o.j
00000010: 5630 554f 3f28 a0de ae96 91d9 1024 d5ca  V0UO?(.......$..

xxd enc2.nosalt.bin
00000000: 576e a82c 0dac 92d8 5e45 5ef4 3f6f db6a  Wn.,....^E^.?o.j
00000010: 5630 554f 3f28 a0de ae96 91d9 1024 d5ca  V0UO?(.......$..

Password and SALT: 

openssl enc -aes-128-cbc -k "mySecretPassword" -in plaintext.txt -out enc2.salted.bin
 openssl enc -aes-128-cbc -k "mySecretPassword" -in plaintext.txt -out enc1.salted.bin

The ciphertext should be different due to the SALT, even though we use the same password. Note that the Salt is appended to the beginning of the ciphertext. 

xxd enc2.salted.bin
00000000: 5361 6c74 6564 5f5f 9cfe 2d62 a2d4 70b8  Salted__..-b..p.
00000010: aee4 afb5 85c9 76a2 cb04 7e1d 27d9 94d4  ......v...~.'...
00000020: a1b3 c4d6 39b8 f5a8 c300 81b5 b6ed 4cca  ....9.........L.

xxd enc1.salted.bin
00000000: 5361 6c74 6564 5f5f e73c ee5b 701b bba8  Salted__.<.[p...
00000010: fa25 c54e befa 26dc ddb1 3a2d 2bd7 a95b  .%.N..&...:-+..[
00000020: bda9 56f0 4445 f229 3398 4076 1044 dad6  ..V.DE.)3.@v.D..
alshaboti
  • 643
  • 8
  • 18
0

The SALT is important against adversaries who don´t use openssl/GPG to decrypt your ciphertext. When matching the password (not the key), a dictionary atack using openssl will decrypt all the files encrypted with this password, agree? The adversary´s main goal here is to know the encryption standard (aes, des, etc.).

Osvaldo Dalben Junior
  • 1
0

With SALT, it can only little bit increase the security: if a hacker can find the password for one encrypted file, and if the user is using the same password for all the files, no matter whether a SALT is used, the hacker will be able to decrypt all the files, no matter they have different SALTs or not.

user2906783
  • 11
  • 4