date:20100331

Re: OpenSSL 1.0.0 and FIPS

2010-03-31 Thread William A. Rowe Jr.

On 3/31/2010 4:21 PM, Gatewood (Woody) Green wrote:
> 
> Actually, no 140-3 will be successor to 140-2 which is successor to
> 140-1.  The hyphenated number is a release version.

Woody, thanks for this clarification...

> You are trying to talk about FIPS 140-2, Level 3 certification in your
> example. (bottom of page two in the gov't 140-2 PDF; see link below)
> 
> The levels are *within* the particular 140-x standard.  Case in point,
> the original draft of 140-3 contained five levels but has since been
> reduced back to four as is in the 140-2 version.  Second example, we
> have 140-2, Level 2 certification on a subset of our products (version,
> model and product specific).

and these additional details!  Yes, I had confused the rev level with the
FIPS certification level.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL 1.0.0 and FIPS

2010-03-31 Thread Gatewood (Woody) Green

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

William A. Rowe Jr. wrote on 03/31/2010 01:20 AM:
> On 3/30/2010 10:58 AM, Gatewood (Woody) Green wrote:
>>
>> I assume the 2010 limit on new validations is the impending finalization
>> of 140-3.
> 
> What you are thinking of won't be designated 140-3, it's not sequential,
> there is such a FIPS level already.  Probably FIPS-{new}-2 or FIPS-140-2 2010
> or something like that.
> 
> FIPS 140-3 implies a level of physical validation that an open source project
> isn't able to consider validating to.  If you were to bundle OpenSSL-FIPS into
> a sealed card, and add the appropriate cert/key mgmt, then you could consider
> applying for FIPS 140-3 validation for such a physical device.

Actually, no 140-3 will be successor to 140-2 which is successor to
140-1.  The hyphenated number is a release version.

You are trying to talk about FIPS 140-2, Level 3 certification in your
example. (bottom of page two in the gov't 140-2 PDF; see link below)

The levels are *within* the particular 140-x standard.  Case in point,
the original draft of 140-3 contained five levels but has since been
reduced back to four as is in the 140-2 version.  Second example, we
have 140-2, Level 2 certification on a subset of our products (version,
model and product specific).

A reading of the gov't's own file titled "fips1402.pdf" contains data on
all four levels of 140-2 certification.

Note the phrasing used in the second paragraph and the security levels
starting at the bottom of page one in:

  http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

Backed by the wording "The Revised Draft FIPS 140-3 is the second public
draft of NIST’s proposed revision of FIPS 140-2." on:

  http://csrc.nist.gov/publications/PubsDrafts.html

And finally, 140-2 certifications issued continue to be valid even after
the release of 140-3, but *new* certifications will be required to meet
the 140-3 stricter standard.  My original question was centered around
the idea of whether the 2010 limit Steve M. mentioned was due to the
upcoming release of 140-3, a possible update to 140-2 prior to the
finalization and release of 140-3 or if he thought the openssl-fips-1.2
certificate might be revoked (as has happened once before with 1.1.2 if
I remember correctly).

Thanks,

Woody

- -- 

- ---
Gatewood Green  Sr. Software Engineer/Network Admin
Email:  wo...@nitrosecurity.com
http://www.nitrosecurity.com/ NitroSecurity
- ---

Imagine, if you will, a world in which there are no hypothetical
situations...
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org/

iEYEAREDAAYFAkuzvL8ACgkQHnsUla8nzK07GwCfVwX7jVP9T2nPtHzawKHdAVaZ
EdIAnioJrMbH7hIpFW2g8emBOTpobgbu
=eTij
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Get key from a evp_pkey structure

2010-03-31 Thread xabi esteban


Hello, I have my public key stored in a card. Using opensc I get the public key 
from my certificate.I'm doing a C program and I have the key in a EVP_PKEY 
structure but i need pass the key to a string or file
Any idea?
Thanks
_
¿Te gustaría tener Hotmail en tu móvil Movistar? ¡Es gratis!
http://serviciosmoviles.es.msn.com/hotmail/movistar-particulares.aspx

Openssl issue??

2010-03-31 Thread Govind c

I am trying to to use ftps for secure server. We have two identical 
client trying to connect to the server.Client 1 can connect but not 
client 2. Client 2 throws below error 

error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag 


Openssl on both clients 


openssl-0.9.7a-43.1 
xmlsec1-openssl-1.2.6-3 
openssl-devel-0.9.7a-43.1 


client 1 
--- 


 curl  -3 -v  --ftp-ssl -k -S ftp://abc:xyz...@10.10.10.1 
* About to connect() to 10.10.10.1 port 21 
*   Trying 10.10.10.1... * connected 
* Connected to 10.10.10.1 (10.10.10.1) port 21 
< 220 (vsFTPd 2.0.1) 


> AUTH SSL 


< 234 Proceed with negotiation. 
* successfully set certificate verify locations: 
*   CAfile: /usr/share/ssl/certs/ca-bundle.crt 
  CApath: none 
* SSL connection using DES-CBC3-SHA 
* Server certificate: 
*subject: /C=US/ST=NJ/L=FP/O=test/CN=test.test.com 
*start date: 2010-03-31 04:53:33 GMT 
*expire date: 2011-03-31 04:53:33 GMT 
*common name: test.test.com (does not match '10.10.10.1') 
*issuer: /C=US/ST=NJ/L=FP/O=test/CN=test.test.com 
* SSL certificate verify result: error number 1 (18), continuing 
anyway. 

> USER abc 


< 331 Please specify the password. 

> PASS xyz123 


< 530 Login incorrect. 
* the username and/or the password are incorrect 
* Closing connection #0 

client2 


#  curl  -3 -v  --ftp-ssl -k -S ftp://abc:xyz...@10.10.10.1 
* About to connect() to 10.10.10.1 port 21 
*   Trying 10.10.10.1... * connected 
* Connected to 10.10.10.1 (10.10.10.1) port 21 
< 220 (vsFTPd 2.0.1) 


> AUTH SSL 


< 234 Proceed with negotiation. 
* successfully set certificate verify locations: 
*   CAfile: /usr/share/ssl/certs/ca-bundle.crt 
  CApath: none 
* error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag 
* Closing connection #0 

Cheers 
CG 





  
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

wget passphrase

2010-03-31 Thread piper.guy1

Sorry if this has been ask before.

I need to use 'wget' to do a secure file download. It works great at
the command line. Unfortunately wget asks for the PEM passphrase.
However this will eventually be part of an embedded application so the
passphrase prompt can't happen.

1. Can you create PEM's without a passphrase?
2. Should i use Curl which seems to provide an option for passphrases.
3. Any better suggestions (fairly new to security).

thanx
/carl
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Random Numbers

2010-03-31 Thread Dr. Stephen Henson

On Wed, Mar 31, 2010, Anthony Gabrielson wrote:

> 
> Hello, 
> 
> I'm actually writing a Matlab toolbox that uses OpenSSL. I put together a
> function, actually its really heavily based on the OpenSSL book, that
> generates random keys and IV. Anyway, I wasn't comfortable with how I was
> seeding prng, it seems like a real easy place to screw up. I just wanted to
> make sure I wasn't doing anything obviously wrong. My current function will
> look /dev/urandom if its unix based and RAND_screen if its windows based.
> With that said, based on your comments I'm wondering if I should just take
> that function out all together. 
> 

The OpenSSL code already uses /dev/urandom if available and other sources too.

On Windows it uses CryptGenRandom() among other things.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Random Numbers

2010-03-31 Thread Anthony Gabrielson

- Original Message - 
From: "Dr. Stephen Henson"  
To: openssl-users@openssl.org 
Sent: Wednesday, March 31, 2010 7:43:06 AM GMT -05:00 US/Canada Eastern 
Subject: Re: Random Numbers 

You can use RAND_bytes() on Windows and the OpenSSL PRNG will be automatically 
seeded from various sources of entropy. If you're only using OpenSSL for 
random numbers then you could alternatively use other Windows specific APIs 
such as CryptGenRandom() of CryptoAPI. 

Steve. 
-- 

Hello, 

I'm actually writing a Matlab toolbox that uses OpenSSL. I put together a 
function, actually its really heavily based on the OpenSSL book, that generates 
random keys and IV. Anyway, I wasn't comfortable with how I was seeding prng, 
it seems like a real easy place to screw up. I just wanted to make sure I 
wasn't doing anything obviously wrong. My current function will look 
/dev/urandom if its unix based and RAND_screen if its windows based. With that 
said, based on your comments I'm wondering if I should just take that function 
out all together. 

Thanks, 
Anthony

Re: Random Numbers

2010-03-31 Thread Dr. Stephen Henson

On Tue, Mar 30, 2010, Anthony Gabrielson wrote:

> Hello,
> 
> I've been searching around and I'm not finding much on
> OpenSSL and random numbers.  I'm trying to figure out how to best use
> RAND_bytes and RAND_pseudo_bytes; do I still need to worry about entropy or
> does OpenSSL take care of it for me these days?  If I do need to worry about
> it, does anyone have any suggestions on where I can look for pointers for
> use with windows?
> 

You can use RAND_bytes() on Windows and the OpenSSL PRNG will be automatically
seeded from various sources of entropy. If you're only using OpenSSL for
random numbers then you could alternatively use other Windows specific APIs
such as CryptGenRandom() of CryptoAPI.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL 1.0.0 and FIPS

2010-03-31 Thread William A. Rowe Jr.

On 3/30/2010 10:58 AM, Gatewood (Woody) Green wrote:
> 
> I assume the 2010 limit on new validations is the impending finalization
> of 140-3.

What you are thinking of won't be designated 140-3, it's not sequential,
there is such a FIPS level already.  Probably FIPS-{new}-2 or FIPS-140-2 2010
or something like that.

FIPS 140-3 implies a level of physical validation that an open source project
isn't able to consider validating to.  If you were to bundle OpenSSL-FIPS into
a sealed card, and add the appropriate cert/key mgmt, then you could consider
applying for FIPS 140-3 validation for such a physical device.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Random Numbers

2010-03-31 Thread Michael Sierchio

On Tue, Mar 30, 2010 at 11:48 PM, P Kamath  wrote:

> I said it is an RNG, not cryptographic RNG.  By adding current time source,
> however crude, and doing a sha1/md5, why should it not be cryptoPRNG?  What
> properties should I look for?

 Taking a hash of an entirely predictable (or narrowly bounded) value adds
no entropy.

RE: Random Numbers

2010-03-31 Thread David Schwartz

P Kamath wrote:

> I said it is an RNG, not cryptographic RNG.  By adding current time
> source,
> however crude, and doing a sha1/md5, why should it not be cryptoPRNG?
> What
> properties should I look for?

You should look for a cryptographically-secure random number generator.
Seriously, you shouldn't be hacking random bits of junk together and then
relying on it to be secure.

DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: openssl ciphers fails when using "!"

2010-03-31 Thread Ben DJ

On Tue, Mar 30, 2010 at 12:14 PM, Kyle Hamilton  wrote:
> That's your shell talking.  Try:
>
> openssl ciphers -v 'HIGH:!RSA'# note the single-quotes
>
> You just have to tell the shell not to interpret the bang, by quoting
> it -- either with a backslash or in an uninterpreted-quoted string.

fwiw, for each of:

 sh
 bash
 tcsh

results,

 openssl ciphers -v ALL:!RSA
  RSA: Event not found.

 openssl ciphers 'ALL:!RSA'
  RSA: Event not found.

 openssl ciphers -v "ALL:!RSA"
  RSA: Event not found.

checking escaping,

 echo "ALL:\!RSA"
  ALL:!RSA

then,

 openssl ciphers -v ALL:\!RSAWORKS
 openssl ciphers -v 'ALL:\!RSA'WORKS
 openssl ciphers -v "ALL:\!RSA"WORKS

whereas, in ksh, all of

 openssl ciphers -v ALL:!RSA
 openssl ciphers 'ALL:!RSA'
 openssl ciphers -v "ALL:!RSA"

WORK with no escaping required.

i've suggested that perhaps a mention in the man page might be worthwhile ?

bendj
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL 1.0.0 and FIPS

Re: OpenSSL 1.0.0 and FIPS

Get key from a evp_pkey structure

Openssl issue??

wget passphrase

Re: Random Numbers

Re: Random Numbers

Re: Random Numbers

Re: OpenSSL 1.0.0 and FIPS

Re: Random Numbers

RE: Random Numbers

Re: openssl ciphers fails when using "!"

12 matches

Site Navigation

Mail list logo

Footer information