Re: HTTPS security model and TLS anonymous cipher-suites
Dear,

On 04-Dec-06 at 19:15, Victor Duchovni wrote:

> TLS includes anonymous cipher-suites (ADH) that do not require or use
> server certificates. Postfix 2.3 clients using opportunistic TLS with
> Postfix 2.3 (SMTP+STARTTLS) servers will use anonymous ciphers by
> default, because SMTP server authentication is not widely practiced or
> practical:
>
> http://www.postfix.org/TLS_README.html#client_tls_limits

On 05-Dec-06 at 00:25, David Schwartz wrote:

> If a user types in https://site-i-trust.com and gets the little lock
> icon and no warning, he's supposed to be allowed to assume that someone
> he trusts has certified that he has actually reached site-i-trust.com.

That is not my goal of course. I don't need the user to see a lock nor
want to fake anything. I wouldn't even need their URL scheme to be
https://. All I'm seeking is a way to have the browser engage an
encrypted link with the server before sending its first query. The TLS
anonymous cipher-suites Victor wrote about in the other answer to my
question look like what I am looking for, but I doubt browsers would
generally support this. I'll dig up more information and program some
tests.

> There may be ways to solve your outer problem. The most obvious being
> to either obtain a certificate signed by a trusted third party or to
> get users to install your certificate themselves.

That would work of course, but each user-customer runs his own server
(and these are not webservers meant to be accessed by the public at
large) and getting a certificate for each of those from a public
authority is useless because nobody tries to authenticate these servers
at first, just to establish encrypted communications between those and
their users. We might freely deliver them certificates signed by some
root of ours that we would ask them to download and install. But that
introduces a dependence on us that I don't like to impose on them.

I'll probably try to find ways NOT to need encrypted HTTP at first and
only upgrade to a secured channel at a later stage (when the protocol
switches to non-HTTP).

Thanks so much (Victor and David) for these answers,

--
Olivier Mascia

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: question about rsa_test.c
> Hello,
>
> I try to understand RSA-OAEP with rsa_test.c and I have some questions
> about this file.
>
> 1. If the number is 1234567893456 in dec, that is 11F71FB11D0 in hex,
> how should I put it in the static unsigned char n[]? Should I put it as
> \x1\x1F\x71\xFB\x11\xD0 (I marked this one as order A) or
> \xD0\x11\xFB\x71\x1F\x1 (I marked it as order B)?

\x01\x1F\x71\xFB\x11\xD0

> 3. How could I print the RSA_fail and RSA_erro strings? I trace the
> procedure to ERR_load_RSA_strings but I have no idea how to print it
> out on the standard output.

If you mean OpenSSL errors:

    ERR_print_errors_fp(stderr);

> 4. How could I print a bn number out on the standard output?

BN_print().

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Setting arbitrary bag attributes on PKCS#12 files using the openssl pkcs12 command?
Hi,

is there a way to set bag attributes in PKCS#12 files using the openssl
pkcs12 or any other openssl command? I searched the mailing list archives
and the openssl documentation but to no avail.

It seems there once was a patch for openssl to get OID
1.3.6.1.4.1.311.17.2 into the bag attributes but that was not complete
since its value could not be set to be empty - or so I understood. Did
this patch make it into the current stable openssl release?

I'd like to set bag attributes like

    1.3.6.1.4.1.311.17.2: <No Values>
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    friendlyName: 5866...
    Key Attributes
        X509v3 Key Usage: 10

for the private key and bag attributes like

    localKeyID: 01 00 00 00
    friendlyName: Test-Server

for the certificate.

I am aware of the -name and -caname options of the pkcs12 command setting
these friendly names.

I understand that a PKCS#12 file needs the bag attribute with OID
1.3.6.1.4.1.311.17.2 to trigger a direct import of the key and
certificate into the LOCAL_MACHINE sub-tree of Microsoft's Certificate
Manager MMC snap-in.

Any hints are appreciated.

Thanks.

--
Kind Regards
Reimer Karlsen-Masur

--
14th DFN-CERT Workshop and Tutorials, CCH Hamburg, 7-8 February 2007
Information/registration at: https://www.dfn-cert.de/events/ws/2007/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH
https://www.dfn-cert.de, +49 40 808077-615 / +49 40 808077-555 (Hotline)
PGP RSA/2048, 1A9E4B95, A6 9E 4F AF F6 C7 2C B8 DA 72 F4 5E B4 A4 F0 66
Re: Setting arbitrary bag attributes on PKCS#12 files using the openssl pkcs12 command?
On Tue, Dec 05, 2006, Reimer Karlsen-Masur, DFN-CERT wrote:

> Hi,
>
> is there a way to set bag attributes in PKCS#12 files using the openssl
> pkcs12 or any other openssl command? I searched the mailing list
> archives and the openssl documentation but to no avail.
>
> It seems there once was a patch for openssl to get OID
> 1.3.6.1.4.1.311.17.2 into the bag attributes but that was not complete
> since its value could not be set to be empty - or so I understood. Did
> this patch make it into the current stable openssl release?
>
> [snip]
>
> I understand that a PKCS#12 file needs the bag attribute with OID
> 1.3.6.1.4.1.311.17.2 to trigger a direct import of the key and
> certificate into the LOCAL_MACHINE sub-tree of Microsoft's Certificate
> Manager MMC snap-in.
>
> Any hints are appreciated.

There is no command line option to do that at present. You can probably
hack up PKCS12_create() to do that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: OpenSSL make instal error on Solaris 9
CHASTAIN, TIGE (CONTRACTOR) wrote:

> I was having problems building OpenSSL 0.9.7k on Solaris 9. The error
> was similar to problems other people have with building it on Solaris
> 9, but not exactly the same. The error is:
>
> installing fips-1.0...
> [snip]
>
> I thought someone might find this of interest.

Me. Thanks!

I had the same problem with 0.9.7l, it broke my installation process, and
I couldn't understand what I had done wrong.

Note that I got the same error using gmake, but unlike with make, the
install continued to the end. Since make test worked, I guess it's just a
matter of gmake considering the issue unimportant.

    installing fipsld
    cp: cannot access fipscanister.o
    cp: cannot access fipscanister.o.sha1
    fipscanister.o: No such file or directory
    gmake[1]: Leaving directory `/var/home/lblume/openssl-0.9.7l/fips-1.0'

Laurent
Re: Pass DES encrypted data between Java and openssl
Hi, Marc,

If you download the not-yet-commons-ssl.jar I'm working on, you can
decrypt your file with the Java code I've included below. I tested using
Sun Java 1.4.2. Notice the password in the example:

    char[] pwd = "secret".toCharArray();

http://juliusdavies.ca/commons-ssl/download.html

Unfortunately the jar file isn't properly set up to stream the
decryption. Normally I'm decrypting PKCS #8 RSA Private Keys, and so I
always read them into byte[] arrays. If you're decrypting big stuff,
this code probably uses a lot of memory.

Hopefully this will help get you started!

    import java.io.FileInputStream;
    import java.io.IOException;
    import java.security.MessageDigest;
    import org.apache.commons.ssl.Util;
    import org.apache.commons.ssl.DerivedKey;
    import org.apache.commons.ssl.PKCS8Key;

    public class DecryptOpenSslFile
    {
        public static void main( String[] args ) throws Exception
        {
            FileInputStream fin = new FileInputStream( args[ 0 ] );
            // First 16 bytes of the file: "Salted__" magic, then the 8-byte salt.
            byte[] saltLine = new byte[ 16 ];
            int[] status = Util.fill( saltLine, 0, fin );
            if ( status[ 0 ] != saltLine.length )
            {
                throw new IOException( "couldn't read salt-line from OpenSSL file" );
            }
            byte[] salt = new byte[ 8 ];
            System.arraycopy( saltLine, 8, salt, 0, 8 );
            char[] pwd = "secret".toCharArray();
            byte[] pass = new byte[ pwd.length ];
            for ( int i = 0; i < pass.length; i++ )
            {
                pass[ i ] = (byte) pwd[ i ];
            }
            MessageDigest md5 = MessageDigest.getInstance( "MD5" );
            int keySize = 64;
            DerivedKey dk = PKCS8Key.deriveKeyOpenSSL( pass, salt, keySize, md5 );
            PKCS8Key.DecryptResult dr = PKCS8Key.decrypt( "DES", "CBC", dk, false, null, fin );
            System.out.println( new String( dr.bytes ) );
        }
    }

yours,

Julius

On 12/4/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> On Mon, Dec 04, 2006, Marc Saegesser wrote:
>
> > I have an existing application (which I don't control) that sends me
> > files that were encrypted using an openssl command like:
> >
> >     openssl enc -e -des -pass pass:passphrase
> >
> > I would like to decrypt these files inside a Java application and
> > generate response files that the client can decrypt using a similar
> > openssl command.
> >
> > I've been trying to figure out how to do this using the javax.crypto
> > API but so far I haven't had any luck. I know the passphrase used to
> > encrypt the data but I haven't figured out the right way to use it to
> > generate a key using javax.crypto that is valid to decrypt the data.
> >
> > I'd appreciate any help or pointers
>
> Well you have to first implement EVP_BytesToKey() then use that to
> derive the appropriate DES key and IV based on the salt and passphrase.
>
> You are in luck because that function is compatible with PKCS#5 v1.5
> when the key size is small enough, which it is for DES.
>
> You can use the enc debugging options to make sure you get the right
> key and IV.
>
> Then finally use that key and IV to decrypt the data.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk

--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
Re: HTTPS security model
The difficulty for the end user here is that the little lock icon is
overloaded: it is taken to mean both "session is secured against spying"
AND "session is with a trusted partner". One could argue that this
confounds authentication (verifying the cert.) and authorization
(asserting trust of the target site). One could also argue that end users
should know better than to read it that way, but the UI is just too
simple to do the job required and the protocol hasn't been supplying all
the information that the user really wants.

The CA and browser folk (http://www.cabforum.org/forum.html) have been
working on that and are about to roll out a fix, which they're calling
Extended Validation. It looks like, for more money you get a certificate
which certifies more about you such as your business' real-world name,
and compliant browsers will display the additional information when you
connect. This begins to pry off one of the two meanings of the lock. It
is at least an interesting attempt.

Maybe after a while we'll get browsers which allow us to craft explicit
trust lists, so that we can have a little smiley-face or something next
to the lock which indicates "you have explicitly told me to trust this
object".

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
Loading CRLs and certs safely
Looking at the code of X509_load_cert_crl_file (OpenSSL 0.9.7e), it seems
that it will add any certificates found in the file to the trusted store,
which is undesirable behaviour.

What, then, is the correct way to load CRLs from a file containing both
the CRLs themselves and any non-root certificates needed to verify the
signatures of those CRLs? The certificates in the file should all
ultimately be signed by a common root CA, which I already have in my
trusted store.

I'm thinking of something like this:

- Iterate over the file, loading each X509 object.
- If it's a certificate, verify its signature against my trusted store,
  and if it passes, load it into the same store.
- If it's a CRL, verify its signature against my trusted store, and if
  it passes, load it into the store.

I can verify a certificate, but how does one verify a CRL?

Also, what should be done when there is a new, replacement CRL file? Is
it possible to remove the existing CRLs from the store before performing
the above process on the new file?

Regards,
Dan.

--
Dan Ellis, Software Engineer, BSC Team
ip.access ltd http://www.ipaccess.com
Building 2020, Cambourne Business Park, Cambourne, Cambridge, CB3 6DW
Tel: 01954 713790, Fax: 01954 713799
Re: Pass DES encrypted data between Java and openssl
Whoops! This method only takes an InputStream on my LOCAL machine. :-$

    PKCS8Key.decrypt( "DES", "CBC", dk, false, null, fin );

You'll need to replace that line with:

    byte[] bytes = Util.streamToBytes( fin );
    PKCS8Key.decrypt( "DES", "CBC", dk, false, null, bytes );

yours,

Julius

On 12/5/06, Julius Davies [EMAIL PROTECTED] wrote:
> Hi, Marc,
>
> If you download the not-yet-commons-ssl.jar I'm working on, you can
> decrypt your file with the Java code I've included below. I tested
> using Sun Java 1.4.2. Notice the password in the example:
>
>     char[] pwd = "secret".toCharArray();
>
> http://juliusdavies.ca/commons-ssl/download.html
>
> [snip]
>
>     PKCS8Key.DecryptResult dr = PKCS8Key.decrypt( "DES", "CBC", dk, false, null, fin );
>     System.out.println( new String( dr.bytes ) );
>   }

--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
DH_generate_parameters(_ex)
Dear,

Using the current OpenSSL version (0.9.8d), which of:

    DH_generate_parameters
    DH_generate_parameters_ex

should better be used in new code? Documentation pages do not refer to
the _ex version, yet dh.h shows:

    /* Deprecated version */
    #ifndef OPENSSL_NO_DEPRECATED
    DH *DH_generate_parameters(int prime_len,int generator,
                               void (*callback)(int,int,void *),void *cb_arg);
    #endif /* !defined(OPENSSL_NO_DEPRECATED) */

    /* New version */
    int DH_generate_parameters_ex(DH *dh, int prime_len,int generator, BN_GENCB *cb);

It looks like I have no problem using the _ex version, calling DH_new ()
first and passing 0 for the BN_GENCB (callback) which I don't need for
now.

Am I driving in the wrong lane?

--
Olivier Mascia
Re: Loading CRLs and certs safely
On Tue, Dec 05, 2006, Dan Ellis wrote:

> Looking at the code of X509_load_cert_crl_file (OpenSSL 0.9.7e), it
> seems that it will add any certificates found in the file to the
> trusted store, which is undesirable behaviour.
>
> What, then, is the correct way to load CRLs from a file containing both
> the CRLs themselves and any non-root certificates needed to verify the
> signatures of those CRLs? The certificates in the file should all
> ultimately be signed by a common root CA, which I already have in my
> trusted store.
>
> I'm thinking of something like this:
>
> - Iterate over the file, loading each X509 object.
> - If it's a certificate, verify its signature against my trusted store,
>   and if it passes, load it into the same store.
> - If it's a CRL, verify its signature against my trusted store, and if
>   it passes, load it into the store.
>
> I can verify a certificate, but how does one verify a CRL?

A CRL signature is verified before use so there is no need to verify it
before adding it to the store. The certificate needed to verify the CRL
signature will be part of the certificate chain during normal chain
verification.

> Also, what should be done when there is a new, replacement CRL file? Is
> it possible to remove the existing CRLs from the store before
> performing the above process on the new file?

The CRL handling in 0.9.7 and 0.9.8 doesn't support this with the built
in stores. It is possible to override the get_crl() callback used during
verification to supply whichever CRL is needed.

The latest dev version allows multiple CRLs from the same issuer to be
added to the store and it will automatically retrieve and use the correct
one.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
AES-128-CTR
Can anybody point me to some examples on how to use AES-128 in counter
mode? Is this supported thru the EVP interface, or do I need to use the
lower-level APIs, such as AES_128ctr_encrypt/decrypt()?

Also, looking at the signature of these APIs in aes.h, I don't see a
return code, or anything indicating successful encryption/decryption?

Thanks,
Ed
RE: HTTPS security model
> The difficulty for the end user here is that the little lock icon is
> overloaded: it is taken to mean both "session is secured against
> spying" AND "session is with a trusted partner". One could argue that
> this confounds authentication (verifying the cert.) and authorization
> (asserting trust of the target site). One could also argue that end
> users should know better than to read it that way, but the UI is just
> too simple to do the job required and the protocol hasn't been
> supplying all the information that the user really wants.

I don't understand this argument at all. The two questions you seem to
think are being confused are the *same* question. When I type in
https://www.amazon.com, what I want to know is -- do I have a secure
connection to Amazon? A secure connection to someone who is out to steal
my credit card is not really any better or worse than an insecure
connection to Amazon.

A secure connection to an unauthenticated source is of no value because
the unauthenticated source could be the one person who the connection is
supposed to be secured from. If there's nobody the connection is supposed
to be secured from, why would you care that the connection is secure?

Authentication and authorization are the same thing. They are both
required to ensure that only those who are supposed to be parties to the
conversation are in fact parties to the conversation. And that is the
root security requirement.

DS
Re: Pass DES encrypted data between Java and openssl
Steve,

Thanks for the help. I finally got this working and figured I'd reply
here for posterity's sake.

I found a Java implementation of EVP_BytesToKey() in the JRuby code and
borrowed it. I ran the password through it and the key and IV I got back
didn't match what openssl enc -d -des -p showed. I finally realized that
the encryption was salted when I'd originally thought it was unsalted. I
pulled the salt from the encrypted bytes and included that in the call
to EVP_BytesToKey(). That gave me a key and IV that matched what openssl
showed. Yeah!

Unfortunately, when I tried to initialize the Cipher object with the key
and IV I got an InvalidKeyException that said the key was the wrong
size. I ran around in circles trying to solve that problem but never
did. However, I realized that my first experiments had been with the
mistaken assumption that there was no salt. I went back to my original
implementation, which used the PBEWithMD5AndDES transformation, added in
the salt stuff and now it works great. sigh.

Anyway, for those who want to do this here's the basic idea:

    import javax.crypto.Cipher;
    import javax.crypto.SecretKey;
    import javax.crypto.SecretKeyFactory;
    import javax.crypto.spec.PBEKeySpec;
    import javax.crypto.spec.PBEParameterSpec;

    // "encrypted" holds the whole file: "Salted__" (8 bytes), salt (8 bytes), ciphertext
    int iterationCount = 1;
    byte[] salt = new byte[8];
    System.arraycopy(encrypted, 8, salt, 0, 8);
    PBEKeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, iterationCount);
    SecretKey key = SecretKeyFactory.getInstance("PBEWithMD5AndDES").generateSecret(keySpec);
    Cipher cipher = Cipher.getInstance(key.getAlgorithm());
    PBEParameterSpec paramSpec = new PBEParameterSpec(salt, iterationCount);
    cipher.init(Cipher.DECRYPT_MODE, key, paramSpec);
    byte[] plainText = cipher.doFinal(encrypted, 16, encrypted.length - 16);
    String result = new String(plainText);

--
Marc
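As an added example (not code from this thread, from commons-ssl or from JRuby), the derivation Steve describes, EVP_BytesToKey() with MD5 and one iteration, written directly against javax.crypto: the raw 8-byte key and 8-byte IV are handed to a DES/CBC/PKCS5Padding Cipher through SecretKeySpec and IvParameterSpec, so no PBE provider is involved, and the comment on evpBytesToKey spells out why PBEWithMD5AndDES with iteration count 1 gives the same bytes. The class and method names are mine; it assumes a current JDK and a file written by the salted default of openssl enc -e -des -pass pass:...

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class OpenSslDesDecrypt {   // hypothetical class name, added example

    /* Layout of a salted "openssl enc" file (the default unless -nosalt):
     * bytes 0..7 "Salted__", bytes 8..15 the salt, bytes 16.. DES-CBC
     * ciphertext with PKCS#5 padding. */
    private static final byte[] MAGIC = "Salted__".getBytes(StandardCharsets.US_ASCII);

    /* EVP_BytesToKey() with MD5: D_1 = MD5(pass || salt),
     * D_i = MD5(D_(i-1) || pass || salt), each D_i re-hashed (count - 1) more
     * times; D_1 || D_2 || ... is split into key then IV. For DES-CBC
     * keyLen + ivLen = 16 = one MD5 output, so with count 1 this is exactly
     * PKCS#5 v1.5 PBKDF1, which is why PBEWithMD5AndDES also works. */
    static byte[][] evpBytesToKey(byte[] pass, byte[] salt, int count,
                                  int keyLen, int ivLen)
            throws GeneralSecurityException {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        byte[] out = new byte[0];
        byte[] prev = new byte[0];
        while (out.length < keyLen + ivLen) {
            md5.reset();
            md5.update(prev);               // empty on the first round
            md5.update(pass);
            if (salt != null) md5.update(salt);
            prev = md5.digest();
            for (int i = 1; i < count; i++) {
                prev = md5.digest(prev);    // digest() resets, so this is MD5(prev)
            }
            byte[] joined = Arrays.copyOf(out, out.length + prev.length);
            System.arraycopy(prev, 0, joined, out.length, prev.length);
            out = joined;
        }
        return new byte[][] { Arrays.copyOfRange(out, 0, keyLen),
                              Arrays.copyOfRange(out, keyLen, keyLen + ivLen) };
    }

    /* Decrypt the output of: openssl enc -e -des -pass pass:<passphrase>
     * MD5 is the enc default digest in OpenSSL 0.9.x/1.0.x; 1.1.0+ defaults
     * to SHA-256 unless "-md md5" is given. */
    static byte[] decrypt(byte[] file, String passphrase)
            throws IOException, GeneralSecurityException {
        if (file.length < 16 || !Arrays.equals(Arrays.copyOf(file, 8), MAGIC)) {
            throw new IOException("not a salted OpenSSL enc file (no Salted__ header)");
        }
        byte[] salt = Arrays.copyOfRange(file, 8, 16);
        // enc hashes the passphrase bytes as typed, with no terminating NUL
        byte[] pass = passphrase.getBytes(StandardCharsets.ISO_8859_1);
        byte[][] kiv = evpBytesToKey(pass, salt, 1, 8, 8);   // DES: 8-byte key, 8-byte IV
        Cipher des = Cipher.getInstance("DES/CBC/PKCS5Padding");
        // Raw key and IV bytes go straight in; no SecretKeyFactory or PBE provider
        des.init(Cipher.DECRYPT_MODE, new SecretKeySpec(kiv[0], "DES"),
                 new IvParameterSpec(kiv[1]));
        return des.doFinal(file, 16, file.length - 16);
    }

    public static void main(String[] args) throws Exception {
        byte[] data = Files.readAllBytes(Paths.get(args[0]));   // args: <file> <passphrase>
        System.out.write(decrypt(data, args[1]));
    }
}
```

The key and IV returned by evpBytesToKey can be compared byte for byte with the output of openssl enc -d -des -p, the debugging option Steve mentions, before any decryption is attempted.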
Re: DH_generate_parameters(_ex)
On Tue, Dec 05, 2006, Olivier Mascia wrote:

> Dear,
>
> Using the current OpenSSL version (0.9.8d), which of:
>
>     DH_generate_parameters
>     DH_generate_parameters_ex
>
> should better be used in new code? Documentation pages do not refer to
> the _ex version, yet dh.h shows:
>
>     /* Deprecated version */
>     #ifndef OPENSSL_NO_DEPRECATED
>     DH *DH_generate_parameters(int prime_len,int generator,
>                                void (*callback)(int,int,void *),void *cb_arg);
>     #endif /* !defined(OPENSSL_NO_DEPRECATED) */
>
>     /* New version */
>     int DH_generate_parameters_ex(DH *dh, int prime_len,int generator, BN_GENCB *cb);
>
> It looks like I have no problem using the _ex version, calling DH_new ()
> first and passing 0 for the BN_GENCB (callback) which I don't need for
> now.
>
> Am I driving in the wrong lane?

The DH_generate_parameters() function is deprecated as the comment
implies. The _ex version can use a non-default ENGINE for the parameter
generation.

If you really want to be up to date you can use the new EVP_PKEY version
but that's only supported in 0.9.9-dev :-)

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk