[cryptography] Just how bad is OpenSSL ?

danimoth danimoth at cryptolab.net
Tue Oct 30 16:47:26 EDT 2012


On 27/10/12 at 06:47pm, Patrick Pelletier wrote:
[cut]
> Besides the poor documentation, the other thing about OpenSSL is
> that it is definitely not "batteries included."  Now, I'm not
[cut]

I think they use a "batteries included" approach in the enc code:
man pages [2] talks about a IV/key generation, so OpenSSL doesn't
provide the primitive block cipher (and you, user, need to take care of
stream cipher mode when you need it) but instead they offer an all-included
solution, absolutely non-standard IMHO, which derives key and IV from
passphrase, with a salt.
Am I wrong in something?

BTW, a concurrent library, Crypto++, does the exact opposite [1].


[1] http://www.cryptopp.com/wiki/Advanced_Encryption_Standard
[2] http://www.openssl.org/docs/apps/enc.html



More information about the cryptography mailing list