Today I've spend a few hours trying to finding out a good system for storing my passwords and sensible information securely. Of course all the strong passwords are only in my mind, but I have a lot users/passwords of non important pages that I cannot remember. Until today I were storing all this sensible information in a file. Plaint text. And that's a bad idea. Reeeeeally bad idea.
After doing some tests I've come up with something I don't like it at all. If you encrypt the same file with the same cypher algorithm but with differents programs, the files are not exactly the same. "Of course!" you may say. Every program puts its own format wrapping the cyphered information and that's why we cannot interchange information between, let's say, VIM and openssl. That's annoying because you will always need to have installed the program (and maybe the same version of the program) you used for cyphering the data, and you are not able to decipyer the data with other programm, even using a algorigth supported by the two programs.
Using the Blowfish algorithm, create a cyphered file using Vim, OpenSSl and BCrype with the text "Hello world". I expected to be able to encrypt the file with one program and decrypt it with other one.
$ echo "set cryptmethod=blowfish" >> ~/.vimrc $ vim -x vim-test >>> Enter encryption key: 12345678 >>> Enter same key again: 12345678 ### We write "Hello world" saving the file and exiting with ":wq"
$ echo "Hello world" > hello_world.plain $ openssl enc -blowfish -e -in hello_world.plain -out openssl-test >>> enter bf-cbc encryption password: 12345678 >>> Verifying - enter bf-cbc encryption password: 12345678
$ bcrypt plain -o > "bcrypt-test" >>> Encryption key: 12345678 >>> Again: 12345678
The size of the files are different:
inedit@tpad:~/killme$ ls -lh -rw------- 1 inedit inedit 86 Jun 19 21:18 bcrypt-test -rw------- 1 inedit inedit 32 Jun 19 21:19 openssl-test -rw------- 1 inedit inedit 12 Jun 19 21:18 hello_world.plain -rw------- 1 inedit inedit 40 Jun 19 21:14 vim-test
[Different headers in the file]
Ok. This can be due to differents options of the algorithm (if compression is activated, etc)... The problem is that is very difficult to know in the documentation of VIM if they are using blowfish-CBC, blowfish-CFB, blowflish-ECB... And the other problem are the headers that the programs add to the file. Let's take a look:
inedit@tpad:~/killme$ od -c hello_world.plain 0000000 H e l l o w o r l d \\n inedit@tpad:~/killme$ od -c vim-test 0000000 V i m C r y p t ~ 0 2 ! 2 320 254 253 0000020 360 g \\a 320 277 = 321 l 302 305 221 307 G 345 236 m 0000040 Y A 001 377 } 354 226 \\v 0000050 inedit@tpad:~/killme$ od -c openssl-test 0000000 S a l t e d _ _ 203 375 ( 362 ` ! 327 1 0000020 326 [ i 204 337 M 236 Y 222 006 x 376 f 1 \ 313 0000040
:O! The programs add metadata at the start of a file for being able to recognise lately of wich cypher algorithm has been used, but this prevents to being able to encrypt with one program and decrypt with other. See that Vim adds "VimCrypt~02!" header and OpenSSL adds the text "Salted__".
Well, I didn't thought about this before and I just expect that since I'm using the same algorithm I should be able to cypher and decypher the content of a file without taking into account the program that I'm using for doing it. As we have seen, this is not how this works because the programs add some metadata in the final binary file preventing the compatibility with other programs.