OpenSSL PBKDF2 Default Iterations
by Emile `iMil' Heitor - 2020-07-22
I’m digging into OpenSSL for quite a while to find a decent encryption method to double the security of some critical GnuPG already encrypted files.
The one I came up with that seemed to satisfy my confidentiality requirements is as follows:
aes () {
openssl enc -aes-256-cbc -in $1 -out ${1}.aes -a -pbkdf2
}
Now, a friend of mine, whose crypto is a field of expertise, told me that the CBC
mode was unsecure because of possible attacks, and that I should use GCM
.
While searching on the subject, I also read this interesting thread which also rose the CBC
vs GCM
question, finally stating that the latter is not a silver bullet and that CBC
used with HMAC
would be a reasonable choice. Which suits me well as I actually use the -pbkdf2
parameter which seems to do just that.
Now on the subject, I read pretty much on every related post that the number of iterations done by the pbkdf2
function was critical, and could make a password discovery time much higher, and OpenSSL’s help says:
-pbkdf2
Use PBKDF2 algorithm with default iteration count unless otherwise specified.
But not a world about this default iteration count.
I spent a ridiculous amount of time searching over the web and asking here and there only to read wrong answers. I finally RTFS, and found the answer in OpenSSL’s source code:
case OPT_ITER:
if (!opt_int(opt_arg(), &iter))
goto opthelp;
pbkdf2 = 1;
break;
case OPT_PBKDF2:
pbkdf2 = 1;
if (iter == 0) /* do not overwrite a chosen value */
iter = 10000;
break;
So here we have it, openssl
’s default pbkdf2
iterations value is 10000
. You’re welcome.