PKCS5_PBKDF2_HMAC: Binary Password
I'm going to use PKCS5_PBKDF2_HMAC to get keys. Password parameter const char*
. Does this mean that it should only be printable characters? Can I use a binary password instead? The OpenSSL Documentation says nothing about this. The only clue is to use char instead of unsigned char, but nothing more:
int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
const unsigned char *salt, int saltlen, int iter,
const EVP_MD *digest,
int keylen, unsigned char *out);
RFC mentions P label for password, an octet string
. Does this mean that I can use a binary password that is encoded as a hex string?
source to share
Does this mean that it should only be printable characters?
NOT.
If it is a binary password, then you must specify its length in passlen
. You can't set it passlen
to -1 because it strlen
won't work as expected.
Can I use a binary password instead?
YES.
Be sure to include the length in passlen
.
Does this mean that I can use a binary password that is encoded as a hex string?
YES.
There is no difference between raw octets, Hex encoding, Base32 encoding, or Base64 encoding. These are presentation formats and they all have the same entropy. Entropy will be extracted by derivation functions.
Different encodings will result in different derived keys, but all derived keys will have the same amount of entropy.
Related, see What does the OpenSSL PKCS5_PBKDF2_HMAC_SHA1 return value mean? to analyze the function. It was provided before OpenSSL provided documentation for this feature.
Also see other related questions, such as How to use PKCS5_PBKDF2_HMAC_SHA1 () .
source to share