From: Scott Worley Date: Mon, 23 Oct 2017 03:45:09 +0000 (-0700) Subject: Don't use salt for encryption X-Git-Url: http://git.scottworley.com/overonion/commitdiff_plain/4a5d2fe40628c9348fe018e0ee69aba6787905cf?ds=inline;hp=4a5d2fe40628c9348fe018e0ee69aba6787905cf Don't use salt for encryption The openssl-enc documentation says "This option SHOULD NOT be used ...". I claim that -nosalt is safe to use in this application because: 1. The secrets being used here are full key-size + IV-size random values straight out of the random number generator. 2. Keys are never re-used. -nosalt is desirable for this application because it avoids the "Salted__..." header. Having a "Salted__" header on every single layer of encryption allows an attacker to get a known-plaintext-attack fingernail under each layer, giving an opportunity to attack each layer individually. ---