
Cygwin Compiled - Password

Help
The Tracer
2005-01-03
2013-04-17

    The Tracer - 2005-01-03

    Compiled fine under cygwin....

    However, I have noticed an undocumented feature/bug?

    Whenever you encrypt or decrypt, it prompts the user for a Password: ? Since the salt is being given on the command line, why does it insist on a password?

    Can this be suppressed?

     

      alien-science - 2005-01-26

      Sorry for the slow reply, I didn't notice this forum. Excellent news about cygwin -- I don't have access to a windows box and never got to try it out. Thanks for letting me know.

      Generally, passwords are converted into a key and an iv which are used during encryption. To encrypt and decrypt you need to remember the password. 

      However, there is an attack where somebody could take a big list of passwords and generate keys and ivs from them over the course of a few weeks. They could then look at the start of the encrypted file and use their generated keys to run lots of small encryptions, following each encryption with checks to see if the result appeared as unencrypted. The checks could be a statistical analysis of ASCII characters (or real words) or a check for known text such as common file headers.

      The salt makes the generating of the keys and ivs, before the attack, harder by making one password generate millions of different keys and ivs. It is the password and the salt together that generate the key/iv. This has the overall effect of slowing down the attack.

      The salt is left public in most encryption tools -- if you wanted the security provided by making it private, you can get the same thing by using a longer password/passphrase (murk will accept up to 255 characters).

      Saul
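
The effect of the salt described in the reply above, as an added example that is not part of the original thread and is not murk's code. It assumes PBKDF2-HMAC-SHA256 as a stand-in key derivation, assumed key/iv sizes, hypothetical function names, and a constructed word list and salts.

```python
import hashlib

KEY_LEN, IV_LEN = 32, 16   # assumed sizes, not taken from murk
ITERATIONS = 10_000        # assumed work factor for the stand-in KDF

def derive_key_iv(password, salt, iterations=ITERATIONS):
    """Password and salt together produce the key and iv (stand-in KDF: PBKDF2)."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   iterations, KEY_LEN + IV_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]

def precompute_table(wordlist, salt, iterations=ITERATIONS):
    """Work done before any file is seen: one key/iv pair per password, for ONE salt."""
    return {derive_key_iv(word, salt, iterations): word for word in wordlist}

def table_covers(table, password, salt, iterations=ITERATIONS):
    """True if the table already holds the key/iv this file was encrypted with."""
    return derive_key_iv(password, salt, iterations) in table

def derivations_needed(wordlist_size, salt_bits):
    """Size of a table that would cover every possible salt of the given width."""
    return wordlist_size * 2 ** salt_bits

if __name__ == "__main__":
    wordlist = ["letmein", "password", "qwerty"]   # constructed sample list
    fixed_salt = bytes(8)                          # models a tool with no per-file salt
    file_salt = bytes.fromhex("0011223344556677")  # constructed per-file public salt

    table = precompute_table(wordlist, fixed_salt)
    print("unsalted file covered:", table_covers(table, "letmein", fixed_salt))
    print("salted file covered:  ", table_covers(table, "letmein", file_salt))
    print("table entries for a 64-bit salt:", derivations_needed(len(wordlist), 64))
    # A long passphrase outside the list is not covered, whatever the salt.
    print("passphrase covered:   ",
          table_covers(table, "correct horse battery staple", fixed_salt))
```

Because the salt is public, it only removes the benefit of work done in advance; the strength of the password itself still decides how well a file holds up.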

       
