From OpenSSLWiki
Jump to navigationJump to search

Rarely Used -K option[edit]

"This is rarely used, normally you specify a password from which a key is derived."

Is this true? Does it not depend fairly heavily on your use case? Just not sure what the basis for this statement is.

--Matt 21:39, 27 June 2013 (UTC)

Probably you are right. Its a biased statement. I'll change it.

--Frukto 07:27, 28 June 2013 (UTC)

Zlib compression[edit]

"Use this flag to enable zlib-compression. After a file is encrypted (and maybe base64 encoded) it will be compressed via zlib. Vice versa while decrypting, zlib will be applied first."

I think this happens the other way around. Doesn't compression occur before encryption, or after decryption? It doesn't make sense to do it the other way around - after encryption the data will appear indistinguishable from random data, and therefore should not have any appreciable ability to be compressed.

--Matt 12:17, 5 July 2013 (UTC)

Yes, i had the same question. But i tried it and it works actually like this: encryption -> base64 -> zlib

encrypt + unzip:

$ openssl enc -des -in message.plain -a -out message.enc -nosalt -z

$ printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" |cat - message.enc | gzip -dc

gives the same as:

$ openssl enc -des -in message.plain -a -out message.enc -nosalt

--Frukto 14:05, 5 July 2013 (UTC)

Interesting. I checked the source code and you appear to be right. The manual page however says this about -z: "Compress or decompress clear text using zlib before encryption or after decryption. This option exists only if OpenSSL with compiled with zlib or zlib-dynamic option. "

--Matt 11:41, 6 July 2013 (UTC)

Maybe, I should file a bug? I mean as you pointed out, the point of encryption is, in some sense, to maximize entropy. It does not make sense to compress afterwards. I don't know what was intended, but as you cite (actually i didn't check) the man page, it is a bug? But obviously nobody is using it, it would have been noticed immediately.

--Frukto 12:07, 6 July 2013 (UTC)

Might be worth raising it on the mailing list to see what the reaction is. I suspect it won't be fixed as it might break scripts etc for people that do use it. A possible feature enhancement could be to add a new option to do it properly. If it won't get fixed then we can edit the wiki version of the manual here, so at least the documentation is right.

--Matt 13:09, 6 July 2013 (UTC)

Block size vs Key size[edit]

I changed references to block size to key size as I think that is what you meant. AES-256 has a 256-bit key. The block size is always 128 bits for AES.

--Matt 11:41, 6 July 2013 (UTC)

Yes sure, thx.

--Frukto 11:57, 6 July 2013 (UTC)