Joel Morris wrote:
>
> Hello,
>
> I'm using openssl to implement PBEWithMD5AndDES. I'm also using Sun's JCE1.2 for
> java to do the same thing. When my iteration count <= 255 (0xff) I get the same
> encrypted data back from both programs. However, if I use an iteration count > 255
> I stop getting the same encrypted data back. I'm not sure if the problem is in
> openssl or JCE1.2, but I thought I'd see if anyone has seen this before or has any
> ideas. I would just use an iteration count < 256, but the PKCS#5 spec says not to
> use a count < 1000.
>

It's also not a good idea using 56 bit DES for encryption either, but you
may have no choice.

The PKCS#12 code uses the same ASN1 structures and almost the same code
and it's known to work with Netscape and MSIE with iteration counts of
2000 or more. I'm pretty sure someone checked the PKCS#8 encrypted keys
that use PKCS#5 with PBEWithMD5AndDES some time in the past.

There isn't any dependency I can see at the 256 mark in the OpenSSL code:
it's just a counter.

Maybe JCE is just using a single byte for the iteration count. Why not
check if there is a "wrap around", i.e. does a count of 257 yield the
same results as 1?

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
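
The wrap-around check suggested in the reply, as an added example that is not part of the original thread and is not OpenSSL or JCE code: a reference PKCS#5 v1.5 PBKDF1 derivation for PBEWithMD5AndDES in Python, compared against a hypothetical derivation that keeps only the low byte of the iteration count. The password, salt and the names `truncating_key_iv` and `wraps_at_256` are assumptions made for the illustration.

```python
import hashlib

# Constructed sample inputs (not from the thread); PBES1 uses an 8-byte salt.
PASSWORD = b"password"
SALT = bytes.fromhex("0102030405060708")


def pbkdf1_md5(password: bytes, salt: bytes, count: int) -> bytes:
    """PKCS#5 v1.5 PBKDF1 with MD5: T1 = MD5(P || S), Ti = MD5(T(i-1))."""
    if count < 1:
        raise ValueError("iteration count must be at least 1")
    t = hashlib.md5(password + salt).digest()
    for _ in range(count - 1):
        t = hashlib.md5(t).digest()
    return t


def des_key_iv(password: bytes, salt: bytes, count: int):
    """PBEWithMD5AndDES: first 8 bytes are the DES key, last 8 the CBC IV."""
    dk = pbkdf1_md5(password, salt, count)
    return dk[:8], dk[8:]


def truncating_key_iv(password: bytes, salt: bytes, count: int):
    """Hypothetical faulty derivation that keeps only the low byte of the count.
    A count of 256 becomes 0 and is rejected here; a real bug may differ."""
    return des_key_iv(password, salt, count & 0xFF)


def wraps_at_256(derive, password: bytes, salt: bytes, count: int = 257) -> bool:
    """True if `derive` gives identical key material for count and count mod 256."""
    return derive(password, salt, count) == derive(password, salt, count % 256)


if __name__ == "__main__":
    for c in (1, 255, 257, 1000):
        key, iv = des_key_iv(PASSWORD, SALT, c)
        print(f"count={c:5d} key={key.hex()} iv={iv.hex()}")
    print("reference wraps: ", wraps_at_256(des_key_iv, PASSWORD, SALT))
    print("truncating wraps:", wraps_at_256(truncating_key_iv, PASSWORD, SALT))
```

Identical key and IV imply identical DES-CBC ciphertext, so encrypting the same plaintext with counts 1 and 257 in each library and comparing the output is the equivalent test against a real implementation.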