This is a discussion on Re: Generating Keys in Triple-DES encryption - Openssl ; Ambarish Mitra wrote: > Hi all, > > Background: > My application reads an encrpyted-base64 password from a config file and > decrypts the same inside the application. The password is encryped using > Triple-DES algorithm. > > To encrypt ...
Ambarish Mitra wrote:
> Hi all,
> My application reads an encrpyted-base64 password from a config file and
> decrypts the same inside the application. The password is encryped using
> Triple-DES algorithm.
> To encrypt and base64 the actual password, a stand-alone utility is
> provided. We run this utility, and then copy-paste the generated password in
> the config file. Of course, the key, the IV (Salt not used) are same
> (hard-coded) in both the applications.
> So far, so good.
> Now, we have to make the keys available in another file (Which will be kept
> under more security). Both the applications are to read the key from the
> file. Now, we have to generate the key and then write out the key in the
> So, the question is: How can we generate a key for Triple DES encryption and
> write out the same in a file?
Simple answer for 'how to generate a key for a symmetric cipher' is 'use
a pseudo-random generator' to generate key/IV pairs of desired length.
A more complicated answer would depend on 'if you want the key
generation to be deterministic based on a set of given parameters', then
you'd have to make the key generation a secure function of these
parameters (else look at the simple answer). Examples would pbe, key
generation in SSL sessions (well not exactly, but given the same random
values you do get the same keys). Formulating this function is better
left to a security expert; better still use one of the standard or
How to write out to a file? Simple answer: base64, or raw binary, or etc..
Have you considered if PKCS12 or PEM would suite your application's needs?
> I tried the genrsa and dsa options but they seem to generate keys for
> RSA/DSA encryptions. Also, we can specify the length of modulus in those
> keys. But they will not map well in T-Des case.
Don't know how rsa/dsa can help with DES
> Any pointers would be welcome.
Real computer scientists don't comment their code. The identifiers are
so long they can't afford the disk space.
OpenSSL Project http://www.openssl.org
User Support Mailing List email@example.com
Automated List Manager firstname.lastname@example.org