How Secure is OpenSSL?

BlackVikingPro
8 years ago

0

Hello everybody, I had a very small question for you guys. I’ve seen plenty of documentation over this question, I just want to reconfirm my thoughts.

So, I have a text document on my desktop named:

passwords.txt.encrypted[/Spoiler]
This file, is encrypted using OpenSSL AES-256 Bit Encryption, with a rather non-complicated password to it. As you guys could tell from my previous post(s), I am running Windows 10 as my main OS (along with some cool Bash-Like tools). Therefore, OpenSSL isn’t a default DOS command, so I’ve installed the following program that comes with OpenSSL preloaded:
<!- https://indy.fulgan.com/SSL

My exact downloaded file?:
<!- https://indy.fulgan.com/SSL/openssl-1.0.2j-x64_86-win64.zip[/Spoiler]
[/Spoiler]

So, this program is very nice and easy to use. In order for me to encrypt/decrypt a file anywhere on my machine, I have to use the following command:
[Spoiler]
To Encrypt:
[Spoiler]C:\Users\willi>openssl enc -e -aes256 -in Desktop\passwords.txt -out Desktop\passwords.txt.encrypted

and to Decrypt:
[Spoiler]C:\Users\willi>openssl enc -d -aes256 -in Desktop\passwords.txt.encrypted -out Desktop\passwords.txt -!>
-!>

Then it asks me for a password for either the encryption/decryption, then it does it’s thing and Bob’s your Uncle!

So my real question is.. Just how secure is this? I mean, obviously it can’t be decrypted in a reasonable amount of time (or can it?); so other than someone trying a brute force attack on it to simply guess the password, it’s pretty much safe being on my Desktop isn’t it? Just for say if someone were to either infect my machine and copy the document or upload it to a server, or maybe someone comes to my PC physically with a USB and copies the file to his USB stick.. I mean there are numerous ways that someone can get a hold of this document, but I need to know if it’s truly secure where it lies?

Thanks for all the help in advance :)

1reply
2voices
1,479views
SIGKILL [r4v463]
8 years ago | edited 8 years ago

2

So first, OpenSSL has an implementation of AES-256 that’s known to be very safe against side channel attacks (Not 100% secure, take a look at CRIME, Heartbleed, etc.).

Here you are asking two things in reality : “is AES-256 secure ?” and “is using a password as encryption key secure ?”

For the first question : “is AES-256 secure ?”, so far, AES-256 is secure if you use a secure mode (I would recommend CBC but you might want to choose another one depending on the circumstances). No breach has been found and with a good implementation (i.e. OpenSSL) it’s (nowadays) unbreakable without a quantum computer which only @dloser has. Of course you can be victim of a bruteforce attack, but AES-256 use a 256 bit key i.e. there are 2256 possibilities which is +/- 1077, so from that point of view, you’re safe.

Now your second question : “is using a password as encryption key secure ?”, no it’s not. You must generate a key randomly, I’m gonna try to explain with practical examples.
Let’s consider that you use only one bytes characters in your password. With a random key you have 25632 (number of possibilities power number of bytes) possibilities which is +/- 1077 as seen above. Now if you take a password, I suppose that you use lower case, upper case and numbers, so you have 26 + 26 + 10 = 62 possible characters which gives 6232 +/- equal to 1057. While it’s still an enormous number, you just reduced your security level.
Another thing is that the password can be guess. There are a lot of other reasons, you should try to read some docs on crypto, I can recommend Introduction to Modern Cryptography of Jonathan Katz and Yehuda Lindell

Moreover, it seems that you don’t use any IV, which means that the same plain text, with the same key will give the same cipher text, which is pretty bad too. You should use a random IV, stored with the ciphertext so none can perform cryptanalysis using Known Ciphertext Attack.

I hope I’ve answered to your question. Obviously, the level of security that you wanna put in place will depend on the cost you give to the encrypted data. In one hand, if you find it too hard to put in place correct encryption/decryption and your data aren’t sensitive, it’s not necessary to raise your level of security higher. In the other hand, if your data are classified, you might want to put in place a secure encryption policy for them.

EDIT: I’ve seen the website on your profile page that I suppose you created: http://aesencryption.net/ There are at least one wrong implementation. Rijndael is an encryption algorithm, it has 3 possibles block size, 128 bits, 192 bits and 256 bits.
AES is a standard which uses Rijndael-128 (with a 128 bits block size). Rijndael-128 accepts keys of length 128, 192 or 256 bits, so AES-256 isn’t Rijndael-256, it’s Rijndael-128 using a 256bits key. Once again I hope I’ve been clear in my explanations :)

Discussion thread has been locked. You can no longer add new posts.
1 of 2

This site only uses cookies that are essential for the functionality of this website. Cookies are not used for tracking or marketing purposes.

By using our site, you acknowledge that you have read and understand our Privacy Policy, and Terms of Service.

Dismiss