Posted by Mark Shroyer on July 10, 2007, 5:15 am
>> > I am a little confused about creating encryption keys. How exactly
>> > does one create a 128, 512 or 1024 bit key? If I use an encryption
>> > software, does the encryption key mean the password? If so, is it
>> > enough if I create a 128/8=16 char password or even 512/8=64 char
>> > password?
>>
>> How to specify key length depends on what kind of software you're
>> talking about. Usually it's set as some sort of command-line
>> argument or in a config file, or it may be prompted for
>> interactively. Consult the man page for details.
>>
>> Dealing with public key encryption systems, the actual encryption
>> key generally has nothing to do with the password which you may or
>> may not be asked to provide. When you create a keypair with, e.g.,
>> GPG or OpenSSL, the key parameters themselves are pseudorandomly (or
>> randomly, depending on your hardware) generated in the program. The
>> password is only used as the basis for a /symmetric/ key with which
>> to protect the generated private encryption key; this is done to
>> make it more difficult for an attacker to obtain your private key,
>> should the file it is contained within fall into the wrong hands.
>>
>> Let us know which particular software you're dealing with if that
>> didn't completely answer your question.
>
> Thanks Mark. Basically, I found some software that does AES and
> Blowfish encryption on text and other files. I know that AES uses 256
> bit keys for encryption and it asked me to give a password. I wasn't
> sure if I needed to give a 32 char password because it did the
> encryption even with smaller passwords. So how do I know what was the
> key used for encryption? And how do I communicate that key to the
> recipient of the encrypted file?
No, you shouldn't need to enter a 32-character password (although I
can't say for sure because you still haven't specified what software
you're talking about :) ). What usually happens is that the 256-bit
symmetric key is generated as some hash of whatever password you
provide. The longer and more random the password (until you get
past 32 random ASCII characters, anyway), the more entropy in your
256-bit AES key and therefore the more theoretically secure it is --
but in practice a dozen or so characters should be all the entropy
you need, depending on the quality of your software's hash algorithm
and how sensitive your data is.
As for communicating the encrypted data to somebody else, you'll
both really want to be using the same encryption software. There's
no de-facto standard algorithm for converting passwords into
symmetric encryption keys (as far as I know -- maybe someone here
knows better?), so different software might interpret the same
password as signifying different keys. You probably won't be able
to determine the actual AES key that your software used unless
you're willing to dig into its source code.
On top of that, the output of your encryption software may not be
strictly an AES-encrypted copy of the original data: it could
contain some header information or be formatted in some particular
way, and will hopefully have been compressed prior to encryption for
added security; different encryption software is incompatible also
in these respects. So use the same software as your recipient, and
(physically, not electronically -- but you probably knew that
already) provide him or her your encryption key in the form of the
password.
Out of curiosity, why are you interested in obtaining the raw AES
key?
--
Mark Shroyer
http://markshroyer.com/
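Added example, not part of the thread: it illustrates the point above that the 256-bit AES key is derived from the password by some hash, that different derivation schemes (or parameters) turn the same password into different keys, and how many uniformly chosen characters a password needs before its entropy reaches the key size. The password, salt and iteration count are constructed for the demonstration; PBKDF2-HMAC-SHA256 is one widely used derivation, not necessarily what the poster's software does.

```python
import hashlib
import math
import os

# Constructed sample inputs for the demonstration (not from the original thread).
PASSWORD = "correct horse battery"
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")  # fixed so results are reproducible


def naive_key(password: str) -> bytes:
    """Simplest scheme: the AES-256 key is just SHA-256 of the password.
    Fast to compute, which is exactly why it is weak against password guessing."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def pbkdf2_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256, dklen=32 -> 256-bit key).
    Salt and iteration count are part of the scheme: change either and the key changes,
    so sender and recipient must agree on all of them, not just the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def password_entropy_bits(password: str, alphabet_size: int) -> float:
    """Upper bound on entropy, assuming every character is chosen uniformly from the alphabet."""
    return len(password) * math.log2(alphabet_size)


def min_uniform_length_for_bits(bits: int, alphabet_size: int) -> int:
    """Characters needed, drawn uniformly from an alphabet of the given size, to reach `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def demo() -> dict:
    """Derive the same password three ways and compare; returns the observations."""
    k_naive = naive_key(PASSWORD)
    k_pbkdf2 = pbkdf2_key(PASSWORD, SALT)
    k_other_salt = pbkdf2_key(PASSWORD, os.urandom(16))  # same password, fresh salt
    return {
        "all_256_bit": all(len(k) == 32 for k in (k_naive, k_pbkdf2, k_other_salt)),
        "schemes_differ": k_naive != k_pbkdf2,      # same password, different software -> different key
        "salts_differ": k_pbkdf2 != k_other_salt,   # same scheme, different salt -> different key
        "entropy_95": password_entropy_bits(PASSWORD, 95),          # 95 printable ASCII characters
        "len_for_256_printable": min_uniform_length_for_bits(256, 95),
        "len_for_256_raw_bytes": min_uniform_length_for_bits(256, 256),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```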