When you set your password, Linux hashes your password and stores it in /etc/shadow. This allows Linux not to know your password even though it knows when you provide the correct password. Although commonly called encrypted, Linux passwords are actually hashed using either MD5 or the old UNIX password hash (based on the DES encryption algorithm). Skip this paragraph to avoid pedantic cryptography. OpenSSL has a built-in command for creating encrypted Linux passwords exactly like those made by /bin/passwd.
#Openssl base64 generator#
For example, an eight-character fully printable ASCII password is about a strong as a nine-character base64 password.Īlthough not as quick as using OpenSSL rand, the Diceware passphrase generator produces strong and often easy-to-memorize passphrases. Adding only one additional character makes up for the difference in security. This is intentionally a limited character set, but more complexity in the character set is not necessarily better. The base64 character set consists only of uppercase and lowercase letters A–Z, the numbers 1–9 and the three punctuation characters: plus, slash and equals.
#Openssl base64 plus#
For 15 bytes, the output always will be 20 characters, plus a newline character. The first argument of 15 is the number of binary bytes to generate, and the second argument of -base64 specifies that those binary bytes should be encoded in base64 characters. If you run this example, your output will be different from the example, because the passphrase is randomly generated. OpenSSL can create very strong random passphrases like this: $ openssl enc -d -aes-128-cbc -in filename.aes-128-cbc > filename Verifying - enter aes-128-cbc encryption password:Īs with GnuPG, OpenSSL asks for a passphrase twice, which will not echo to the screen.ĭecryption is also a bit more complicated: $ openssl enc -aes-128-cbc filename.aes-128-cbc Strong algorithms you should use include bf, which is the Blowfish algorithm, and -aes-128-cbc, which is the US NIST Advanced Encryption Standard (AES) with 128-bit keys running in Cipher Block Chaining (CBC) mode. Some algorithms, like DES and RC4-40, are kept only for backward compatibility and shouldn't be used anymore. There are also many algorithms from which to choose. OpenSSL has very few defaults, so more options have to be used. The flexibility of OpenSSL makes it a bit more complicated than GnuPG. Like MD5, they shouldn't be used anymore.Īlthough not OpenSSL's strength, it also can encrypt files. These are older algorithms that are provided for backward compatibility. OpenSSL, unlike GnuPG, doesn't have SHA-512, but OpenSSL does have MD2, MD4 and MDC2. Note the newline at the end automatically added by vi:ĥ4 68 65 20 4c 69 6e 75 78 20 4a 6f 75 72 6e 61 6c 0a If you have a problem replicating these results, here is the ASCII-annotated hexadecimal representation of the file. Note that there is no period in the string. MD5(filename)= 26e9855f8ad6a5906fea121283c729c4Īs in my previous “GnuPG Hacks” article, the above examples use a file that contains the string: “The Linux Journal”. OpenSSL format always identifies the algorithm used and also outputs a lowercase hexadecimal string with no whitespace. The OpenSSL hash output format is a bit different from GnuPG, but numerically identical. If you run into any of these problems or simply want consistent, known, good cross-platform software, consider OpenSSL.
Some versions can hash only one file at a time, some can't handle stdin or have some other deficiency. Several different programs go by this name, however.
If it's installed, the more secure sha1sum should be used. They work fine, as long as as you don't need cross-platform compatibility or security, and you don't mind that occasionally two completely different files will have the same checksum value.Īlthough Linux systems often have md5sum installed, the MD5 algorithm suffers from a relatively new vulnerability and shouldn't be used anymore. Sum and cksum are the traditional UNIX checksum programs.
0 kommentar(er)
