5.18. Using Variable Key-Length Ciphers in OpenSSL
Problem
You’re using a cipher with an adjustable key length, yet OpenSSL provides no default cipher configuration for your desired key length.
Solution
Initialize the cipher without a key, call EVP_CIPHER_CTX_set_key_length() to set the appropriate key length, then set the key.
Discussion
Many of the ciphers supported by OpenSSL support variable key lengths. Whereas some, such as AES, have an available call for each possible key length, others (in particular, RC4) allow for nearly arbitrary byte-aligned keys. Table 5-7 lists ciphers supported by OpenSSL, and the varying key lengths those ciphers can support.
Table 5-7. Variable key sizes

| Cipher | OpenSSL-supported key sizes | Algorithm’s possible key sizes |
|---|---|---|
| AES | 128, 192, and 256 bits | 128, 192, and 256 bits |
| Blowfish | Up to 256 bits | Up to 448 bits |
| CAST5 | 40-128 bits | 40-128 bits |
| RC2 | Up to 256 bits | Up to 1,024 bits |
| RC4 | Up to 256 bits | Up to 2,048 bits |
| RC5 | Up to 256 bits | Up to 2,040 bits |
While RC2, RC4, and RC5 support absurdly high key lengths, it really is overkill to use more than a 256-bit symmetric key. There is not likely to be any greater security, only less efficiency. Therefore, OpenSSL puts a hard limit of 256 bits on key sizes.
When calling the OpenSSL cipher initialization functions, you can set to NULL any value you do not want to provide immediately. If the cipher requires data you have not yet provided, clearly encryption will not work properly. Therefore, ...