Multiple encrypt / decrypt with same BIO

Manuel Arguelles
Hello list,

I have been using RC4 to encrypt some files, everything is working ok, the
problem is that I have been reading and it seems that the best way to add
extra security to RC4 is to encrypt some data and throw it away before
encrypting the real one, at least 12*256 bytes, so its internals can get
enough scrambling. I'm using BIOs and I suppose that the RC4
initialization takes place within this call:

BIO_set_cipher(cipher, EVP_rc4(), key, NULL, 1);

The problem is that after calling BIO_flush(cipher); I can't encrypt
anything else without calling BIO_set_cipher before encrypting. Does
BIO_flush uninitialize the cipher method? Is there any other way to
accomplish what I'm trying to do here? I'm planning to call my encrypt
function like 1 time each second or two, there may be a security problem
if I need to initialize the RC4 each time, right?

Regards, and thanks for your time.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Multiple encrypt / decrypt with same BIO

Dr. Stephen Henson
On Sun, Mar 12, 2006, Manuel Arguelles wrote:

> Hello list,
>
> I have been using RC4 to encrypt some files, everything is working ok, the
> problem is that I have been reading and it seems that the best way to add
> extra security to RC4 is to encrypt some data and throw it away before
> encrypting the real one, at least 12*256 bytes, so its internals can get
> enough scrambling. I'm using BIOs and I suppose that the RC4
> initialization takes place within this call:
>
> BIO_set_cipher(cipher, EVP_rc4(), key, NULL, 1);
>
> The problem is that after calling BIO_flush(cipher); I can't encrypt
> anything else without calling BIO_set_cipher before encrypting. Does
> BIO_flush uninitialize the cipher method? Is there any other way to
> accomplish what I'm trying to do here? I'm planning to call my encrypt
> function like 1 time each second or two, there may be a security problem
> if I need to initialize the RC4 each time, right?
>

The best way to add security is not to use RC4.

If you have to use RC4 the main thing to be aware of is that you should
*never* reuse the same key for encrypting different data. Quite a few security
issues have occurred due to people ignoring that...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Multiple encrypt / decrypt with same BIO

Manuel Arguelles
Yes, I'm aware of that, what I want to do is:
1. generate a key
2. encrypt a string of 256 chars with 0's to BIO_s_null 100 times
3. encrypt the real data

The problem is in step 2 to 3, it seems that I can't BIO_write to
BIO_s_null (or mem or buffer or /dev/null), BIO_flush, then pop null and
push file and continue writing...

Is this a feature? Is there maybe something that I'm not getting?

Thanks

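Added example (not part of the thread and not OpenSSL code): a self-contained C sketch of the key / discard / encrypt flow from steps 1-3 above, using a minimal RC4 written for illustration with constructed keys and messages. It also checks the point made in the reply: discarding 12*256 bytes does not help when a key is reused, because the XOR of the two ciphertexts still equals the XOR of the two plaintexts.

```c
#include <stdio.h>
#include <stddef.h>
/* Minimal RC4, written for this illustration (not OpenSSL's implementation). */
typedef struct { unsigned char S[256], i, j; } rc4_ctx;

static void rc4_init(rc4_ctx *c, const unsigned char *key, size_t klen) {
    unsigned char j = 0, t;
    for (int n = 0; n < 256; n++) c->S[n] = (unsigned char)n;
    for (int n = 0; n < 256; n++) {
        j = (unsigned char)(j + c->S[n] + key[n % klen]);
        t = c->S[n]; c->S[n] = c->S[j]; c->S[j] = t;
    }
    c->i = c->j = 0;
}

/* XOR len keystream bytes into out; in == NULL only advances the state. */
static void rc4_crypt(rc4_ctx *c, const unsigned char *in, unsigned char *out, size_t len) {
    for (size_t n = 0; n < len; n++) {
        unsigned char t, k;
        c->i++; c->j = (unsigned char)(c->j + c->S[c->i]);
        t = c->S[c->i]; c->S[c->i] = c->S[c->j]; c->S[c->j] = t;
        k = c->S[(unsigned char)(c->S[c->i] + c->S[c->j])];
        if (in) out[n] = in[n] ^ k;
    }
}

/* Key once, discard 12*256 keystream bytes, then encrypt with the SAME state. */
void rc4_drop_crypt(const unsigned char *key, size_t klen,
                    const unsigned char *in, unsigned char *out, size_t len) {
    rc4_ctx c; rc4_init(&c, key, klen);
    rc4_crypt(&c, NULL, NULL, 12 * 256);   /* throw-away pass */
    rc4_crypt(&c, in, out, len);           /* real data, no re-keying */
}

/* 1 if c1^c2 == p1^p2; the keys and messages used here are constructed samples. */
int xor_of_ciphertexts_leaks(const char *k1, const char *k2, size_t klen) {
    const unsigned char p1[] = "constructed msg1", p2[] = "CONSTRUCTED MSG2";
    unsigned char c1[16], c2[16];
    rc4_drop_crypt((const unsigned char *)k1, klen, p1, c1, 16);
    rc4_drop_crypt((const unsigned char *)k2, klen, p2, c2, 16);
    for (int n = 0; n < 16; n++)
        if ((c1[n] ^ c2[n]) != (p1[n] ^ p2[n])) return 0;
    return 1;
}

int main(void) {
    printf("same key:      %d\n", xor_of_ciphertexts_leaks("sample-key-A", "sample-key-A", 12));
    printf("distinct keys: %d\n", xor_of_ciphertexts_leaks("sample-key-A", "sample-key-B", 12));
    return 0;
}
```

The discard pass and the real data must go through one cipher state; re-keying between them restarts the keystream from the beginning and undoes the discard.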