I am learning the OpenSSL EVP API and trying to understand the ways to generate a symmetric key using OpenSSL EVP in a C++ program.
I have two questions in this regard: 1) What does the command openssl enc -aes-256-cbc -k secret -P -md sha1 do? It printed salt, key, and IV. I mean, the -aes-256-cbc option to enc is not doing anything in generating the salt, key, and IV, since we are using the -P option. Please correct me if I am wrong.
2) To generate a symmetric key as above using OpenSSL EVP functions, I assume the sequence of steps below. Please correct me if I missed any. Is there any flaw in doing it like this for a symmetric key?
1) generate a random number; 2) apply an HMAC to the passphrase, using this random number as the key.
openssl enc with password (NOT -K uppercase) derives key and IV from password plus random salt using a single hash (like but not the same as PBKDF1), not HMAC (twice) like PBKDF2; yes this is flawed. See https://security.stackexchange.com/questions/29106/openssl-recover-key-and-iv-by-passphrase or my answer at https://crypto.stackexchange.com/questions/3298/is-there-a-standard-for-openssl-interoperable-aes-encryption or see man EVP_BytesToKey or search it on stackoverflow for many Qs on openssl enc to/from Java, Windows or dotnet, PHP, python, (node)js, swift and more. – dave_thompson_085 Feb 10 '19 at 03:23

openssl enc uses count=1 and therefore does only one hash (per output block); see the Qs I linked already. To do it programmatically you can just call EVP_BytesToKey, but if you are trying to replace it yes you must code the equivalent. – dave_thompson_085 Feb 12 '19 at 04:59
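An added example, not from the question or the comments: the EVP_BytesToKey derivation that openssl enc -md sha1 performs with count=1, written in Python with hashlib so the result can be compared against the salt/key/IV that -P prints, next to the PBKDF2-HMAC derivation the comments contrast it with. The password and salt are constructed sample values; the -P output layout mirrored by the formatter is taken from openssl enc, not from the question.

```python
import hashlib
import os
from typing import Tuple


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "sha1", count: int = 1) -> Tuple[bytes, bytes]:
    """Key/IV derivation behind 'openssl enc -k <pw>' (EVP_BytesToKey).

    D_1 = H^count(password || salt)
    D_i = H^count(D_{i-1} || password || salt)
    key || iv = D_1 || D_2 || ...   truncated to key_len + iv_len bytes
    The cipher name only fixes key_len/iv_len (32/16 for aes-256-cbc);
    it takes no part in the hashing. openssl enc uses count=1.
    """
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        for _ in range(count - 1):          # extra rounds only when count > 1
            block = hashlib.new(md, block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pbkdf2_key_iv(password: bytes, salt: bytes, key_len: int, iv_len: int,
                  iterations: int = 10000, md: str = "sha256") -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC (RFC 8018) over the same password/salt: HMAC chained
    'iterations' times per output block instead of one plain hash."""
    derived = hashlib.pbkdf2_hmac(md, password, salt, iterations, key_len + iv_len)
    return derived[:key_len], derived[key_len:]


def format_like_openssl_p(salt: bytes, key: bytes, iv: bytes) -> str:
    """Uppercase-hex layout of the three values, as 'openssl enc -P' shows them."""
    return "salt=%s\nkey=%s\niv =%s" % (salt.hex().upper(), key.hex().upper(),
                                         iv.hex().upper())


if __name__ == "__main__":
    password = b"secret"          # constructed sample: the question's '-k secret'
    salt = os.urandom(8)          # openssl enc draws an 8-byte random salt itself
    key, iv = evp_bytes_to_key(password, salt, 32, 16, md="sha1")
    print(format_like_openssl_p(salt, key, iv))
    key2, iv2 = pbkdf2_key_iv(password, salt, 32, 16)
    print("pbkdf2 key differs from EVP_BytesToKey key:", key != key2)
```

To compare with the command line, pass the printed salt back with -S &lt;hex&gt; (or use a fixed salt in the script) so both sides derive from the same input.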