Does the openssl command line do key strengthening?

Posted on 2024-09-05 04:18:47 | Words: 297 | Views: 4 | Comments: 0

If I run the openssl command line in hmac mode (as below), is the key used for the hmac used directly or is it hashed before using it as the key?

    echo "foo" | openssl dgst -sha256 -binary -hmac "test" | openssl base64

Similarly, when encrypting a file with openssl (as below) is the pass phrase hashed with the salt? (If so how is it done? A pointer to the right source file would be even better.)

    openssl enc -salt

Comments (1)

迷离° 2024-09-12 04:18:48

The hmac option does not use salting or hashing; it just uses the passphrase directly as the key. See apps/dgst.c in the source distribution:

            else if (!strcmp(*argv,"-hmac"))
                    {
                    if (--argc < 1)
                            break;
                    hmac_key=*++argv;
                    }
    ...

    if (hmac_key)
            {
            sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
                                    (unsigned char *)hmac_key, -1);
            if (!sigkey)
                    goto end;
            }

The enc command does seem to use some form of salting, at least in some cases. The relevant source file is apps/enc.c, but seems to come with some caveats:

            /* Note that str is NULL if a key was passed on the command
             * line, so we get no salt in that case. Is this a bug?
             */
            if (str != NULL)
                    {
                    /* Salt handling: if encrypting generate a salt and
                     * write to output BIO. If decrypting read salt from
                     * input BIO.
                     */

It then uses the function EVP_BytesToKey (in crypto/evp/evp_key.c) to generate a random key. This function seems to be a non-standard algorithm, which looked perhaps plausibly OK at a very brief glance but I couldn't attest to it beyond that.

Source snippets and comments are all from the OpenSSL 1.0.0 release.
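The derivation that EVP_BytesToKey performs for enc, written out in Python as an added example (not part of the original answer and not OpenSSL's own code). It assumes the MD5 digest default and the iteration count of 1 that the 1.0.0-era enc passes, and the 8-byte "Salted__" marker followed by an 8-byte salt at the start of the output; the function names and the sample input are constructed for illustration.

```python
import hashlib

MAGIC = b"Salted__"  # marker enc writes before the 8-byte salt (assumed layout)


def evp_bytes_to_key(passphrase, salt, key_len, iv_len, md="md5", count=1):
    """D_i = H^count(D_{i-1} || passphrase || salt); key and IV are cut
    from D_1 || D_2 || ... in that order."""
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, block + passphrase + salt).digest()
        for _ in range(count - 1):  # extra rounds happen only when count > 1
            block = hashlib.new(md, block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def split_salted_header(blob):
    """Return (salt, ciphertext) from the start of a salted enc output."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("no Salted__ header: output was written without a salt")
    return blob[8:16], blob[16:]


def derive_for_file(passphrase, blob, key_len=32, iv_len=16, md="md5"):
    """Recompute the key and IV for a 256-bit CBC cipher from a salted file.
    count=1 means one hash pass per block, so the passphrase is salted
    but not stretched."""
    salt, body = split_salted_header(blob)
    key, iv = evp_bytes_to_key(passphrase, salt, key_len, iv_len, md, count=1)
    return key, iv, body


if __name__ == "__main__":
    # Constructed sample: header + salt + 16 placeholder ciphertext bytes.
    sample = MAGIC + bytes(range(8)) + b"\x00" * 16
    key, iv, body = derive_for_file(b"test", sample)
    print("key:", key.hex())
    print("iv: ", iv.hex())
    print("ciphertext bytes:", len(body))
```

With a count of 1 the cost of testing one candidate passphrase is a few hash calls, so the salt prevents precomputed tables but adds no work factor.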
