From: owner-openssl-us...@openssl.org On Behalf Of Gregory Sloop
Sent: Monday, September 15, 2014 22:50
And, one more question:
How can I tell what format/encryption my pkcs12 files are in?
[I believe for Android platform use, I need p12 certs/keys - so I'm working
on the
[SNIP]
However this looks like the key is encrypted with 3DES, but I exported it
from the Cert+Key with -aes256 - so I'm puzzled why I'd have a 3DES
encrypted p12.
DT You thought you did but you didn't.
DT The doc is a bit subtle, but the -$cipher option is listed under PARSING.
DT It
So, hopefully this will be the last post in the thread. [fat chance, eh!?]
I've gone back and re-encrypted the private keys [thanks Dave, again!] and this
is the result from an asn1parse
openssl asn1parse somepk.key
0:d=0 hl=4 l=2463 cons: SEQUENCE
4:d=1 hl=2 l= 73 cons: SEQUENCE
And, one more question:
How can I tell what format/encryption my pkcs12 files are in?
[I believe for Android platform use, I need p12 certs/keys - so I'm working on
the export/conversion part too.]
I export my cert+key like so:
[openssl pkcs12 -export -aes256 -in somecert.crt -inkey
...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Gregory Sloop
Sent: Tuesday, 09 September, 2014 01:19
To: openssl-users@openssl.org
Subject: Re: Certificate pass phrase brute force...
I used the asn1parse command [thanks Dave!] and while the key looks old style
it parses as follows
cipher.
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Gregory Sloop
Sent: Tuesday, 09 September, 2014 01:19
To: openssl-users@openssl.org
Subject: Re: Certificate pass phrase brute force...
I used
to submit a patch.
Michael Wojcik
Technology Specialist, Micro Focus
From: Kyle Hamilton [mailto:aerow...@gmail.com]
Sent: Tuesday, 09 September, 2014 13:43
To: openssl-users@openssl.org; Michael Wojcik
Subject: RE: Certificate pass phrase brute force...
At least 3DES is *some* encryption
.
Michael Wojcik
Technology Specialist, Micro Focus
From: Kyle Hamilton [mailto:aerow...@gmail.com]
Sent: Tuesday, 09 September, 2014 13:43
To: openssl-users@openssl.org; Michael Wojcik
Subject: RE: Certificate pass phrase brute force...
At least 3DES is *some* encryption. The issue
Of Gregory Sloop
Sent: Tuesday, September 09, 2014 01:19
To: openssl-users@openssl.org
Subject: Re: Certificate pass phrase brute force...
I used the asn1parse command [thanks Dave!] and while the key looks old style
it parses as follows:
50:d=4 hl=2 l= 8 prim
any of those figures.
Does that help?
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Gregory Sloop
Sent: Friday, 05 September, 2014 16:32
To: Salz, Rich
Subject: Re: Certificate pass phrase brute force
: Re: Certificate pass phrase brute force...
There is nothing special about cracking a certificate password versus any other
password. There is a lot of literature out there; a web search will easily
give you enough information to be depressed. I think your biggest faulty
assumption
I think it's safe to assume that 3DES is almost certainly a lousier choice
than AES or Camellia on multiple fronts.
Two-key triple DES provides about 80 bits of security, and three-key triple
DES provides 112 bits of security. Do you know which they are using?
AES-128 provides about 128 bits of
Well, as I said, given my reading of the code, the newest version of EasyRSA
[line 861] shows the following:
local crypto=-des3
It's in the set_pass function. [On further review of the code, this appears to
only be used by the set-rsa-pass or set-ec-pass functions, and I can't
determine what
For the legacy formats (dashes-BEGIN PRIVATE RSA KEY or PRIVATE EC KEY)
just look on the DEK-Info: header line.
For PKCS#8 format (dashes-BEGIN ENCRYPTED PRIVATE KEY) do
openssl asn1parse key.pem
and the third line will be an OBJECT (really OID) in the form
pbeWithhashandcipher.
General question:
I've done a number of searches and can't find a lot about the subject. [I've
searched the list archives too...at least as best I could.]
In several cases, the most obvious being OpenVPN, I use client certificates
generated by openssl, with a pass-phrase [password]. This
There is nothing special about cracking a certificate password versus any other
password. There is a lot of literature out there; a web search will easily
give you enough information to be depressed. I think your biggest faulty
assumption is that your users will pick truly random 10char
From: Gregory Sloop gr...@sloop.net
Date:09/05/2014 1:36 PM (GMT-05:00)
To: openssl-users@openssl.org
Cc:
Subject: Certificate pass phrase brute force...
General question:
I've done a number of searches and can't find a lot about the subject.
[I've searched the list archives too
[mailto:owner-openssl-us...@openssl.org]
On Behalf Of Gregory Sloop
Sent: Friday, 05 September, 2014 13:37
To: openssl-users@openssl.org
Subject: Certificate pass phrase brute force...
General question:
I've done a number of searches and can't find a lot about the subject. [I've
searched
-users@openssl.org
Cc:
Subject: Re: Certificate pass phrase brute force...
That is easy. Just restrict the number of different passwords per day. Any
account. Thus the old school brute force idea passes out the window. Most of
what you are looking at is a signing issue. Basically one person
, but deplore your rudeness
Original message
From: dave paxton dpax...@me.com
Date:09/05/2014 3:33 PM (GMT-05:00)
To: openssl-users@openssl.org
Cc:
Subject: Re: Certificate pass phrase brute force...
That is easy
PM (GMT-05:00)
To: openssl-users@openssl.org
Cc:
Subject: Re: Certificate pass phrase brute force...
That is easy. Just restrict the number of different passwords per day.
Any account. Thus the old school brute force idea passes out the window.
Most of what you are looking at is a signing
Original message
From: Gregory Sloop gr...@sloop.net
Date:09/05/2014 1:36 PM (GMT-05:00)
To: openssl-users@openssl.org
Cc:
Subject: Certificate pass phrase brute force...
General question:
I've done a number of searches and can't find