5.18. Using Variable Key-Length Ciphers in OpenSSL
Problem
You’re using a cipher with an adjustable key length, yet OpenSSL provides no default cipher configuration for your desired key length.
Solution
Initialize the cipher without a key, call
EVP_CIPHER_CTX_set_key_length(
)
to set the appropriate key length, then set
the key.
Discussion
Many of the ciphers supported by OpenSSL support variable key lengths. Whereas some, such as AES, have an available call for each possible key length, others (in particular, RC4) allow for nearly arbitrary byte-aligned keys. Table 5-7 lists ciphers supported by OpenSSL, and the varying key lengths those ciphers can support.
Table 5-7. Variable key sizes
|
Cipher |
OpenSSL-supported key sizes |
Algorithm’s possible key sizes |
|---|---|---|
|
AES |
128, 192, and 256 bits |
128, 192, and 256 bits |
|
Blowfish |
Up to 256 bits |
Up to 448 bits |
|
CAST5 |
40-128 bits |
40-128 bits |
|
RC2 |
Up to 256 bits |
Up to 1,024 bits |
|
RC4 |
Up to 256 bits |
Up to 2,048 bits |
|
RC5 |
Up to 256 bits |
Up to 2,040 bits |
While RC2, RC4, and RC5 support absurdly high key lengths, it really is overkill to use more than a 256-bit symmetric key. There is not likely to be any greater security, only less efficiency. Therefore, OpenSSL puts a hard limit of 256 bits on key sizes.
When calling the OpenSSL cipher initialization functions, you can set
to NULL any value you do not want to provide
immediately. If the cipher requires data you have not yet provided,
clearly encryption will not work properly.
Therefore, ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access