[xmlsec] Special password length for block encryption?
Stefan Schulze Frielinghaus
stefan at seekline.net
Sat Apr 12 03:13:53 PDT 2008
Now I have some free time to answer my own question, just in case if
someone else runs into the same problem.
I was completely mislead by the assumption of how e.g. my hard drive
encryption, OpenSSL etc. work (from a user perspective!). They use
AES-256Bit encryption and can deal with passwords unequal 256 Bit.
_Because_ they use e.g. PKCS#5, SHA256 or whatever to generate a key
(with length 256 Bit if you use AES-256Bit) out of the password. A
password using as direct input for a key shouldn't be used at all
because it doesn't provide enough entropy. This means the behavior of
XMLsec is absolutely fine!
Hope that helps someone else too.
On Sat, 2008-03-22 at 00:53 -0700, Aleksey Sanin wrote:
> Well, I am not doing "haha". I don't see reasons
> to try to explain this because I know that I can't
> do it better than, for example, Bruce Schneier did
> in his "Applied Cryptography"...
> Stefan Schulze Frielinghaus wrote:
> > On Fri, 2008-03-21 at 10:52 -0700, Aleksey Sanin wrote:
> >> http://www.aleksey.com/xmlsec/related.html#books
> >> Best,
> >> Aleksey
> > Ok I don't get it. Could you please be a little bit more specific than
> > "haha just RTFM".
> > The http://www.w3.org/TR/xml-encryption-req and
> > http://www.w3.org/TR/xmlenc-core/ state that there is symmetric
> > encryption algorithms support like AES.
> > Also your example applications like "encrypt2" use a password file which
> > needs a special length.
> > All other documents around state symmetric key encryption (e.g.
> > http://www.ibm.com/developerworks/library/s-xmlsec.html ). So the
> > standard definitely supports that. Maybe I'm running to the wrong
> > direction ;-)
> > -Stefan
More information about the xmlsec