Discussion:
OpenSSL support for RFC2898 / PBKDF2
Graham Leggett
2008-09-03 14:16:57 UTC
Hi all,

According to the man page for EVP_BytesToKey, "Newer applications should
use more standard algorithms such as PKCS#5 v2.0 for key derivation".

Unfortunately the man page stops there, and doesn't give a clue as to
which openssl function should be used to derive a key in a compliant way.

Does openssl support RFC2898, and if so, what function should I be
looking at?

Regards,
Graham
--
Marek.Marcola-O6hvhuWbBu5mR6Xm/
2008-09-03 21:15:03 UTC
Hello,
Post by Graham Leggett
Hi all,
According to the man page for EVP_BytesToKey, "Newer applications should
use more standard algorithms such as PKCS#5 v2.0 for key derivation".
Unfortunately the man page stops there, and doesn't give a clue as to
which openssl function should be used to derive a key in a compliant way.
Does openssl support RFC2898, and if so, what function should I be
looking at?
PKCS5_PBKDF2_HMAC_SHA1()

Best regards,
--
Marek Marcola <Marek.Marcola-O6hvhuWbBu5mR6Xm/***@public.gmane.org>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Graham Leggett
2008-09-05 00:04:01 UTC
Post by Marek.Marcola-O6hvhuWbBu5mR6Xm/
Post by Graham Leggett
Does openssl support RFC2898, and if so, what function should I be
looking at?
PKCS5_PBKDF2_HMAC_SHA1()
This function seems to be undocumented:

int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
                           unsigned char *salt, int saltlen, int iter,
                           int keylen, unsigned char *out);

Am I correct in understanding that the key generated by this function
will be written to the buffer specified in out, and will have the length
specified by keylen?

What is the meaning of the int that this function returns?

Regards,
Graham
--
Marek.Marcola-O6hvhuWbBu5mR6Xm/
2008-09-05 11:09:52 UTC
Hello,
Post by Graham Leggett
Post by Marek.Marcola-O6hvhuWbBu5mR6Xm/
Post by Graham Leggett
Does openssl support RFC2898, and if so, what function should I be
looking at?
PKCS5_PBKDF2_HMAC_SHA1()
int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
                           unsigned char *salt, int saltlen, int iter,
                           int keylen, unsigned char *out);
Am I correct in understanding that the key generated by this function
will be written to the buffer specified in out, and will have the length
specified by keylen?
Yes, example attached.
Post by Graham Leggett
What is the meaning of the int that this function returns?
This function always returns 1.

Best regards,
--
Marek Marcola <Marek.Marcola-O6hvhuWbBu5mR6Xm/***@public.gmane.org>
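As an added example (not code from this thread, and not OpenSSL's own source), here is a reference implementation of the RFC 2898 section 5.2 derivation that PKCS5_PBKDF2_HMAC_SHA1() performs. It is written in Python against the standard library so it runs anywhere; the argument order follows the C prototype quoted above, and the result is exactly keylen bytes, which is what that function writes into out. The function name pbkdf2_hmac_sha1, the check_vectors helper and the vector table are my own; the expected digests are the published RFC 6070 PBKDF2-HMAC-SHA1 test vectors, and the output is also cross-checked against hashlib.pbkdf2_hmac. The last vector has a NUL byte inside both password and salt, which is why the C function takes explicit passlen and saltlen arguments rather than relying on string termination.

```python
import hashlib
import hmac
import struct


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 2898, section 5.2) with HMAC-SHA1 as the PRF.

    Parameters mirror OpenSSL's PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt,
    saltlen, iter, keylen, out); the returned value has exactly `dklen`
    (= keylen) bytes. Name and argument layout are this example's own.
    """
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    hlen = hashlib.sha1().digest_size  # 20 bytes for SHA-1
    if dklen < 1 or dklen > (2**32 - 1) * hlen:
        raise ValueError("derived key too long")

    blocks = -(-dklen // hlen)  # ceil(dklen / hLen), number of T_i blocks
    out = bytearray()
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)); INT(i) is a 4-byte big-endian counter
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha1).digest()
        t = bytearray(u)
        # U_j = PRF(P, U_{j-1}); T_i = U_1 xor U_2 xor ... xor U_c
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += t
    # DK = T_1 || T_2 || ... || T_l, truncated to dkLen octets
    return bytes(out[:dklen])


# Constructed table of RFC 6070 test vectors: (P, S, c, dkLen, expected DK hex).
# The 16,777,216-iteration vector is omitted because it takes minutes to run.
RFC6070_VECTORS = [
    (b"password", b"salt", 1, 20, "0c60c80f961f0e71f3a9b524af6012062fe037a6"),
    (b"password", b"salt", 2, 20, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"),
    (b"password", b"salt", 4096, 20, "4b007901b765489abead49d926f721d065a429c1"),
    (b"passwordPASSWORDpassword", b"saltSALTsaltSALTsaltSALTsaltSALTsalt", 4096, 25,
     "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038"),
    # embedded NUL bytes: lengths must be passed explicitly, as the C API does
    (b"pass\x00word", b"sa\x00lt", 4096, 16, "56fa6aa75548099dcc37d7f03425e0c3"),
]


def check_vectors() -> bool:
    """True if every vector matches both this implementation and hashlib."""
    for pw, salt, iters, dklen, expected in RFC6070_VECTORS:
        got = pbkdf2_hmac_sha1(pw, salt, iters, dklen)
        if got.hex() != expected:
            return False
        if got != hashlib.pbkdf2_hmac("sha1", pw, salt, iters, dklen):
            return False
    return True


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check an arbitrary input (including dkLen > hLen) against hashlib."""
    return pbkdf2_hmac_sha1(password, salt, iterations, dklen) == hashlib.pbkdf2_hmac(
        "sha1", password, salt, iterations, dklen
    )


if __name__ == "__main__":
    print("all RFC 6070 vectors match" if check_vectors() else "MISMATCH")
```

The multi-block case (dkLen larger than 20 bytes, the 25-byte vector above) is where the INT(i) counter matters: each block is derived independently with a different counter and then concatenated, and only the final concatenation is truncated to dkLen.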
Eric Murray
2008-09-03 20:15:55 UTC
Post by Graham Leggett
Does openssl support RFC2898
Not in 0.9.8.x.
You have to write it yourself.
--
Eric Murray Sr. Security Architect
SafeNet www.ingrian.com www.safenet-inc.com