[Gambas-user] What is equivalent of -nosalt in gambas gb.openssl

Jussi Lahtinen jussi.lahtinen at gmail.com
Wed Apr 8 22:06:38 CEST 2020


I'm quite sure I misunderstand something here, but MD5 is not
cryptographically secure and should never be used in hashing passwords.

Jussi


On Wed, Apr 8, 2020 at 8:41 PM Tobias Boege <taboege at gmail.com> wrote:

> On Wed, 08 Apr 2020, T Lee Davidson wrote:
> > On 4/8/20 3:08 AM, Safiur Rahman wrote:
> > > How can I get the following command using gb.openssl
> > > Shell "echo abc | openssl enc -aes-256-cbc -nosalt -pass pass:password | base64"
> > >
> > > Safiur Rahman
> > >
> >
> > I am certainly no expert on this. But, as far as I can tell, you can't
> >
>
> I think I agree with your judgement. One way to do this is as T Lee
> described and I think exposing key derivation functions was another
> TODO anyway. So one could kill two birds with one stone here.
> BTW: I'm almost sure that at least some openssl utilities currently
> deployed use MD5 in their key derivation -- you might want to try if
> that fixes the incompatibility of your code that uses SHA-256.
>
> Another way is to introduce an edge case for EncryptSalted. Currently
> if EncryptSalted does not receive a Salt argument, it generates one
> at random. An API to implement -nosalt that would maintain plausible
> API compatibility would require the user to pass a salt argument but
> make it Null, i.e.:
>
>   EncryptSalted(sData, sPassword)        ' use random salt
>   EncryptSalted(sData, sPassword, sSalt) ' use given salt
>   EncryptSalted(sData, sPassword, Null)  ' new: no salt
>
> *Currently* the last invocation would result in a salt consisting
> entirely of NUL bytes, which is arguably not what one would expect
> either way.
>
> Regards,
> Tobias
>
> --
> "There's an old saying: Don't change anything... ever!" -- Mr. Monk
>
> ----[ http://gambaswiki.org/wiki/doc/netiquette ]----
>
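
Added example, not part of the original thread and not gb.openssl code: a Python sketch of the legacy key derivation that `openssl enc` applies when `-pbkdf2` is not given (EVP_BytesToKey, one iteration), for the `-aes-256-cbc -nosalt -pass pass:password` case asked about above. It shows that the digest (MD5 was the `openssl enc` default before OpenSSL 1.1.0, SHA-256 since) and the difference between no salt and a salt of eight NUL bytes each change the derived key and IV. The function names and the variant labels are assumptions made for this illustration.

```python
import hashlib


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int,
                     iv_len: int, digest: str = "md5") -> tuple[bytes, bytes]:
    """OpenSSL's legacy EVP_BytesToKey with an iteration count of 1.

    D_1 = H(password || salt), D_i = H(D_(i-1) || password || salt).
    Blocks are concatenated until key_len + iv_len bytes are available.
    """
    if len(salt) not in (0, 8):
        raise ValueError("salt must be empty (-nosalt) or exactly 8 bytes")
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_aes256_cbc(password: bytes, salt: bytes = b"",
                      digest: str = "md5") -> tuple[bytes, bytes]:
    """Key (32 bytes) and IV (16 bytes) for aes-256-cbc."""
    return evp_bytes_to_key(password, salt, 32, 16, digest)


def compare_derivations(password: bytes) -> dict[str, tuple[bytes, bytes]]:
    """Derive key/IV under the three settings discussed in the thread."""
    return {
        # -nosalt with the MD5 digest
        "md5, no salt": derive_aes256_cbc(password, b"", "md5"),
        # -nosalt with the SHA-256 digest
        "sha256, no salt": derive_aes256_cbc(password, b"", "sha256"),
        # a salt of 8 NUL bytes is still a salt: it is hashed into every block
        "sha256, 8 NUL-byte salt": derive_aes256_cbc(password, b"\x00" * 8,
                                                     "sha256"),
    }


if __name__ == "__main__":
    # "password" is the constructed sample value from the command in the thread.
    for label, (key, iv) in compare_derivations(b"password").items():
        print(f"{label:24} key={key.hex()} iv={iv.hex()}")
```

Any of these key/IV pairs can be compared with the output of `openssl enc ... -P`, which prints the key and IV the tool derived for the same password and digest.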