worth it's salt in security
Brian Milby
brian at milby7.com
Wed Jun 6 22:56:07 EDT 2018
I’m not sure what the original thread was using the salt for, but the initial post in this one was more about hashing. The question about encryption was introduced so I answered that.
For encryption, it looks like there is only an effective 8-byte salt (the first 8 are static - “Salted__”). Specifying more than 8 bytes does not change the resulting encrypted text.
Since LC does include the salt, it does not need to be separately provided to decrypt. If you strip the salt (first 16 bytes), then you must supply the salt to decrypt. Providing the salt without stripping it from the encrypted text did not pose a problem in my test.
On Jun 6, 2018, 9:32 PM -0500, Richard Gaskin via use-livecode <use-livecode at lists.runrev.com>, wrote:
> Brian Milby wrote:
> > From the dictionary:
> >
> > The password and salt value are combined and scrambled to form the key
> > and IV which are used as described above. The key derivation process
> > is the same as that used in the openSSL utility. A 16-byte salt prefix
> > is prepended to the encrypted data, based on the salt value. This is
> > used in decryption.
>
> "decryption"?
>
> Are we talking about hashing or encrypting?
>
> --
> Richard Gaskin
> Fourth World Systems
> Software Design and Development for the Desktop, Mobile, and the Web
> ____________________________________________________________________
> Ambassador at FourthWorld.com http://www.FourthWorld.com
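The 16-byte prefix and salt handling described in this message, as an added Python example (not part of the original post and not LiveCode's own code). The digest (MD5, the `openssl enc` default before 1.1.0), the key and IV sizes, the function names, and the rule that an embedded salt wins over a supplied one are assumptions; the page does not state them.

```python
import hashlib

MAGIC = b"Salted__"  # static first 8 bytes of the 16-byte prefix


def split_salted(blob):
    """Return (salt, ciphertext); salt is None when the prefix was stripped."""
    if blob[:8] == MAGIC:
        if len(blob) < 16:
            raise ValueError("truncated salt prefix")
        return blob[8:16], blob[16:]
    return None, blob


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5"):
    """OpenSSL EVP_BytesToKey, one iteration: D_i = H(D_{i-1} + password + salt).

    digest="md5" is an assumption; the page does not name the digest.
    """
    if len(salt) != 8:
        raise ValueError("salt must be exactly 8 bytes")
    out, block = b"", b""
    while len(out) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]


def key_material(blob, password, supplied_salt=None, key_len=32, iv_len=16):
    """Derive (key, iv, ciphertext) for a blob with or without its prefix."""
    embedded, ciphertext = split_salted(blob)
    # Assumption: when both are present, the embedded salt is used.
    salt = embedded if embedded is not None else supplied_salt
    if salt is None:
        raise ValueError("prefix stripped and no salt supplied")
    # Only the first 8 bytes are effective, as observed in the post.
    key, iv = evp_bytes_to_key(password, salt[:8], key_len, iv_len)
    return key, iv, ciphertext


if __name__ == "__main__":
    salt = bytes(range(8))                # constructed sample salt
    blob = MAGIC + salt + b"\xaa" * 16    # constructed placeholder ciphertext
    key, iv, ct = key_material(blob, b"password")
    stripped = key_material(blob[16:], b"password", supplied_salt=salt)
    print(key.hex(), iv.hex(), stripped == (key, iv, ct))
```

Because the salt travels in the clear with the ciphertext, it adds no secrecy; in this derivation the password is the only secret input.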