OpenSSL - 密码vs盐目的 [英] OpenSSL - Password vs Salt Purpose

问题描述

使用OpenSSL加密文件时，可以使用-pass pass：mySillyPassword，其中mySillyPassword是加密中使用的密码。此外，可以使用盐，其中使用-salt -s（十六进制字符串）来指定盐。

When encrypting a file with OpenSSL, it is possible to use -pass pass:mySillyPassword, where mySillyPassword is the password used in encryption. In addition, it is possible to use a salt, where -salt -s (hex string) is used to specify the salt.

为什么有人想使用密码而不是盐或与盐结合？另外，我明白只要使用-salt命令会导致OpenSSL生成一个盐。这比用户定义的盐好吗？如果OpenSSL随机生成盐，那么用户如何知道将来要解密该文件的盐？

Why would someone want to use a password instead of the salt or in conjunction with a salt? Also, I understand just using the -salt command will cause OpenSSL to generate a salt. How is this better than a user-defined salt? If OpenSSL randomly generates a salt, how will the user know what the salt is to decrypt the file in the future?

推荐答案

OpenSSL，这个盐会被加到前面的加密数据中，这样就可以解密了。盐的目的是防止字典攻击，彩虹表等。以下是OpenSSL文档：

In OpenSSL, the salt will be prepended to the front of the encrypted data, which will allow it to be decrypted. The purpose of the salt is to prevent dictionary attacks, rainbow tables, etc. The following is from the OpenSSL documentation:

没有-salt选项可以对密码执行有效的
字典攻击，并攻击流密码
加密数据。原因是没有盐，相同的
密码总是生成相同的加密密钥。当盐被使用
时，加密数据的前八个字节被保留
为盐：它是在加密文件时随机生成的，当加密文件是从加密文件读取的
时解密。

Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.

文档建议盐总是与密码一起使用，除非与早期版本不兼容的兼容性是必需的。

The documentation suggests that a salt always be used with a password, except if compatibility with earlier versions that do not support a salt is neccessary.

这篇关于OpenSSL - 密码vs盐目的的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！