=3/28/2013 11:47:11 AM=
Re: Question about FIPS enabled OPENSSL build on armv4 platform
On 03/27/2013 11:51 PM, Abhijit Ray Chaudhury wrote:

> Hi, I am probably re-posting the same question after I made some headway in compiling, linking and running the FIPS enabled openssl module on our platform. Following are the steps I followed:
>
> 1. Downloaded http://www.openssl.org/source/openssl-fips-2.0.2.tar.gz
>
> 2. I have used the following script to set up the environment:
>
>     export MACHINE=armv4t
>     export RELEASE=2.6.23
>     export SYSTEM=Linux
>     export ARCH=arm
>     export CROSS_COMPILE=/opt/fip-tools/
>     export HOSTCC=/usr/bin/gcc
>     ./config -t
>     Operating system: armv4t-whatever-linux2
>     Auto Configuring fipsonly
>     Auto Configuring fipsonly
>     Configuring for linux-armv4
>     /usr/bin/perl ./Configure linux-armv4 -Wa,--noexecstack no-bf no-camellia no-cast no-idea no-md2 no-md5 no-mdc2 no-rc2 no-rc4 no-rc5 no-ripemd no-seed
>
> 3. Created a shell script /opt/fip-tools/gcc:
>
>     /opt/gccarm-4.1.2/bin/gcc -march=armv4 -Dmalloc=XXX_malloc -Dfree=XXX_free $*
>
> -march was needed as we need to specify the CPU architecture, else the build fails as the openssl header file tries to guess the CPU architecture. -Dmalloc was needed, as we have a custom memory allocator.
>
> 4. Built fipscanister.o, linked it with our customized openssl-1.0.1c and created a signed libcrypto.so.
>
> 5. Compiled with our application and ran it on our target platform.
>
> Now my question is: as I have not changed a single file in the openssl-fips-2.0.2 source tree, and since FIPS_selftest() and FIPS_mode_set(1) pass on our platform, does that mean the libcrypto.so that I built is FIPS compliant?

The term "FIPS compliant" has no real meaning. The question should be "is the OpenSSL FIPS Object Module 2.0 a FIPS 140-2 validated module as used in this context?". The immediate answer is no, one reason being that you did not use the specifically mandated commands

    ./config
    make

to create the FIPS module. The Security Policy is pretty clear on that point.

Note that use of environment variables MACHINE, SYSTEM, HOSTCC, etc. to define the target platform for the cross-compilation toolkit is generally acceptable, but IMHO passing arbitrary compiler options by any means is a gray area.

Assuming you use the mandatory canonical build commands, your best option (short of formally adding your platform to the existing validation) is to "user affirm" per section G.5 of the Implementation Guidance document:

  http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf

Unfortunately the guidance isn't crystal clear on the question of indirectly finessing compiler options. In similar situations I advise our clients not to take such liberties. However, my opinion is just that, one opinion of many. You could try asking the only definitive authority, the CMVP (http://csrc.nist.gov/groups/STM/cmvp/contacts.html), for a determination on the specifics of your situation, though they tend to avoid such implementation level details (typically responding "ask your test lab"). Absent clear guidance from the CMVP you'll need to decide your comfort level with making that claim.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Help me understand how this should work:
Hello all,

I am curious about how something should work relating to some self-signed certs I am trying to use. It has been a while since I was messing with this.

I have a webserver set up for my internal webmail at https://examplemail.com. However, that site redirects to https://mail.mycompany.com. How should the certs be set up for this?

Currently, my browser is giving me a warning when I go to https://example.com that the cert I am giving back is only valid for www.mycompany.com.

I guess I need to know what to research to make all of these guys sort of use the same cert. Is this what chaining could do for me?

Thanks
RE: Help me understand how this should work:
> I guess I need to know what to research to make all of these guys sort of use the same cert. Is this what chaining could do for me?

Not sure why you need or want a single cert, but if you do then one cert with multiple subjectAltName extensions should do it.

/r$

-- 
Principal Security Engineer
Akamai Technology
Cambridge, MA
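The rule behind Rich's answer: the browser validates the certificate of whichever host it first connects to, and that name check happens during the TLS handshake, before any HTTP redirect is seen, so the certificate served at examplemail.com has to list examplemail.com itself. The following is an added example (not code from this thread, from OpenSSL, or from any browser) that implements the usual hostname-against-SAN check in Python so the warning in the question can be reproduced and the single multi-SAN certificate confirmed to cover every name. The SAN lists are constructed, the hostnames are the ones in the question, and the function names are my own.

```python
# Added example: hostname matching against a certificate's DNS subjectAltName
# list, in the style of RFC 6125. Names are constructed for this example.

def host_matches_pattern(hostname: str, pattern: str) -> bool:
    """True if `hostname` is covered by one SAN DNS entry `pattern`.

    Rules applied: case-insensitive, trailing dots ignored, and a '*' is only
    accepted as the entire left-most label, matching exactly one label
    (so '*.mycompany.com' covers 'mail.mycompany.com' but not
    'a.b.mycompany.com', and '*.com' is rejected outright).
    """
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    pat_labels = pat.split(".")
    host_labels = host.split(".")
    # Wildcard must be the whole first label and must leave at least two
    # fixed labels to its right.
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def cert_covers_host(san_dns_names, hostname: str) -> bool:
    """True if any DNS entry in the certificate's SAN list covers `hostname`."""
    return any(host_matches_pattern(hostname, p) for p in san_dns_names)


def check_all(san_dns_names, hostnames):
    """Map each hostname to whether the given SAN list covers it."""
    return {h: cert_covers_host(san_dns_names, h) for h in hostnames}


# Constructed: the certificate the browser complained about lists one name.
CURRENT_CERT_SANS = ["www.mycompany.com"]

# Constructed: one certificate whose SAN lists every name that answers.
MULTI_SAN_CERT = ["examplemail.com", "example.com",
                  "mail.mycompany.com", "www.mycompany.com"]

# Hostnames from the question.
HOSTS = ["examplemail.com", "example.com", "mail.mycompany.com"]


if __name__ == "__main__":
    print("current cert:", check_all(CURRENT_CERT_SANS, HOSTS))
    print("multi-SAN cert:", check_all(MULTI_SAN_CERT, HOSTS))
```

With `CURRENT_CERT_SANS` every hostname except www.mycompany.com fails, which is exactly the browser warning in the question; with `MULTI_SAN_CERT` all of them pass. When generating such a certificate with the openssl CLI, the names go into the request config as a `subjectAltName = DNS:examplemail.com,DNS:mail.mycompany.com,...` extension; modern browsers consult only the SAN list, not the Common Name.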
Re: Got FIPS routines:FIPS_drbg_init:selftest failure, how do I work around it?
On Wed, Mar 27, 2013, Bao, Robert wrote:

> I changed the default DRBG for FIPS to HMAC_SHA384 by following Dr. Henson's suggestion in another post titled "FIPS Mode and Default DRBG (OpenSSL 1.0.x and FIPS 2.0 Module)". I changed the OpenSSL compile flag OPENSSL_DRBG_DEFAULT_TYPE to point to NID_hmacWithSHA384. At run time however, the FIPS_mode_set(1) function returned error:2D073087:FIPS routines:FIPS_drbg_init:selftest failure. What did I do wrong? How do I solve/work around this problem?

Ah, you also need to set the default flags to zero as they're set up to use the CTR DRBG. You can do this with:

    -DOPENSSL_DRBG_DEFAULT_FLAGS=0

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Question about FIPS enabled OPENSSL build on armv4 platform
Steve,

Thanks a lot for your explanation. I am not clear on one crucial point. Below are the steps I used to build fipscanister.o:

1. export env variables (note CROSS_COMPILE=/opt/fip-tools/; and /opt/fip-tools/gcc is a shell script).
2. ./config
3. make

It built fipscanister.o for me.

1. Is the fipscanister.o thus built a FIPS 140-2 validated module?
2. If not, could you kindly clarify the need for source distribution, instead of FIPS validated object module distribution?
3. Also in the configure script I found the following line:

       android-armv7,gcc:-march=armv7-a -mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib

   Here the machine architecture is passed as a gcc option, so isn't it also a violation?
4. Even the version of egcs, cc1, ld etc. on a validated platform can lead to code generation that could be technically termed "not tested".

Sorry for so many questions, but if you can kindly clarify, it will be great.

Thanks in advance,
-Abhijit

On Thu, Mar 28, 2013 at 6:14 PM, Steve Marquess <marqu...@opensslfoundation.com> wrote:

> On 03/27/2013 11:51 PM, Abhijit Ray Chaudhury wrote:
>
> > Hi, I am probably re-posting the same question after I made some headway in compiling, linking and running the FIPS enabled openssl module on our platform. Following are the steps I followed:
> >
> > 1. Downloaded http://www.openssl.org/source/openssl-fips-2.0.2.tar.gz
> >
> > 2. I have used the following script to set up the environment:
> >
> >     export MACHINE=armv4t
> >     export RELEASE=2.6.23
> >     export SYSTEM=Linux
> >     export ARCH=arm
> >     export CROSS_COMPILE=/opt/fip-tools/
> >     export HOSTCC=/usr/bin/gcc
> >     ./config -t
> >     Operating system: armv4t-whatever-linux2
> >     Auto Configuring fipsonly
> >     Auto Configuring fipsonly
> >     Configuring for linux-armv4
> >     /usr/bin/perl ./Configure linux-armv4 -Wa,--noexecstack no-bf no-camellia no-cast no-idea no-md2 no-md5 no-mdc2 no-rc2 no-rc4 no-rc5 no-ripemd no-seed
> >
> > 3. Created a shell script /opt/fip-tools/gcc:
> >
> >     /opt/gccarm-4.1.2/bin/gcc -march=armv4 -Dmalloc=XXX_malloc -Dfree=XXX_free $*
> >
> > -march was needed as we need to specify the CPU architecture, else the build fails as the openssl header file tries to guess the CPU architecture. -Dmalloc was needed, as we have a custom memory allocator.
> >
> > 4. Built fipscanister.o, linked it with our customized openssl-1.0.1c and created a signed libcrypto.so.
> >
> > 5. Compiled with our application and ran it on our target platform.
> >
> > Now my question is: as I have not changed a single file in the openssl-fips-2.0.2 source tree, and since FIPS_selftest() and FIPS_mode_set(1) pass on our platform, does that mean the libcrypto.so that I built is FIPS compliant?
>
> The term "FIPS compliant" has no real meaning. The question should be "is the OpenSSL FIPS Object Module 2.0 a FIPS 140-2 validated module as used in this context?". The immediate answer is no, one reason being that you did not use the specifically mandated commands
>
>     ./config
>     make
>
> to create the FIPS module. The Security Policy is pretty clear on that point.
>
> Note that use of environment variables MACHINE, SYSTEM, HOSTCC, etc. to define the target platform for the cross-compilation toolkit is generally acceptable, but IMHO passing arbitrary compiler options by any means is a gray area.
>
> Assuming you use the mandatory canonical build commands, your best option (short of formally adding your platform to the existing validation) is to "user affirm" per section G.5 of the Implementation Guidance document:
>
>   http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf
>
> Unfortunately the guidance isn't crystal clear on the question of indirectly finessing compiler options. In similar situations I advise our clients not to take such liberties. However, my opinion is just that, one opinion of many. You could try asking the only definitive authority, the CMVP (http://csrc.nist.gov/groups/STM/cmvp/contacts.html), for a determination on the specifics of your situation, though they tend to avoid such implementation level details (typically responding "ask your test lab"). Absent clear guidance from the CMVP you'll need to decide your comfort level with making that claim.
>
> -Steve M.
>
> -- 
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marqu...@opensslfoundation.com
> marqu...@openssl.com
RE: Troubles building FIPS-enabled OpenSSL on s390x
I started wondering whether FIPS 2 had been built on s390(x) after first trying to build it 32-bit and having that crash and burn completely. A little more research turned up that SuSE has FIPS support as of SuSE 11 SP1, some variant of OpenSSL 0.9.8 and FIPS 1. That ought to be available on s390 since that is one of their supported platforms, so it looks like upgrading the OS is the easiest thing for me to do, and saying we're FIPS 140-2 compliant is sufficient for our purposes.

Thanks!

- Andrew

-----Original Message-----
From: Steve Marquess [mailto:marqu...@opensslfoundation.com]
Sent: Wednesday, March 27, 2013 3:02 PM
To: openssl-users@openssl.org
Cc: Porter, Andrew
Subject: Re: Troubles building FIPS-enabled OpenSSL on s390x

> On 03/27/2013 03:26 PM, Porter, Andrew wrote:
>
> > After successfully building the combination of openssl-fips-2.0.2 and openssl-1.0.1e on Intel Linux I am trying to do the same on mainframe Linux, 64-bit SuSE 10.2 in my case. When I unpack openssl-fips-2.0.2 and do ./config; make it fails with
> >
> >     *** No rule to make target `s390xcap.o', needed by `fips'.
> >
> > So I found a copy of s390xcap.c after unpacking the openssl-1.0.1e tarball and copied it to the FIPS crypto directory and was then able to make and install. Question: was that the correct action to take?
>
> That's fine for informal testing purposes but you can't use the result as a validated module. You've got two strikes against you there; you can't modify the original source distribution at all, and the processor isn't represented among the formally tested platforms.
>
> As far as I know you're the first to try building the 2.0 FIPS module for mainframe Linux (a platform we don't have ready access to) so your result isn't surprising. That platform could be formally added to the validation (via a "change letter" mod), but that takes time and money.
>
> -Steve M.
>
> -- 
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marqu...@opensslfoundation.com
> marqu...@openssl.com
RE: Got FIPS routines:FIPS_drbg_init:selftest failure, how do I work around it?
That worked! Thanks a lot for your quick help.

Robert

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, March 28, 2013 10:11 AM
To: openssl-users@openssl.org
Subject: Re: Got FIPS routines:FIPS_drbg_init:selftest failure, how do I work around it?

> On Wed, Mar 27, 2013, Bao, Robert wrote:
>
> > I changed the default DRBG for FIPS to HMAC_SHA384 by following Dr. Henson's suggestion in another post titled "FIPS Mode and Default DRBG (OpenSSL 1.0.x and FIPS 2.0 Module)". I changed the OpenSSL compile flag OPENSSL_DRBG_DEFAULT_TYPE to point to NID_hmacWithSHA384. At run time however, the FIPS_mode_set(1) function returned error:2D073087:FIPS routines:FIPS_drbg_init:selftest failure. What did I do wrong? How do I solve/work around this problem?
>
> Ah, you also need to set the default flags to zero as they're set up to use the CTR DRBG. You can do this with:
>
>     -DOPENSSL_DRBG_DEFAULT_FLAGS=0
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
how to STORE encrypted string in database
Hi,

I have encrypted a string using Blowfish from the OpenSSL library. I got the following string:

    A▓☼LÝ$øä²↓j╗ú¤Ä:ðï▲

I inserted the data into my database, BUT when I retrieved the data I got

    A¦¤LÝ$øä²?j+ú¤Ä:ðï?

(NOT the same as the original one I inserted). Thus when I decrypt the loaded string from the database I do not get the original string.

Can anyone please help to solve the problem? I'm using SQLite and C/C++.

I googled the problem but came across a C# solution: http://stackoverflow.com/questions/8389412/md5-encrypted-string-returns-different-from-database-than-it-is-inserted

Can anyone PLEASE help?

From:- Shanil J.S
RE: how to STORE encrypted string in database
Encrypted data is not a text string, it is an array of binary octets. You will have to do something like base64 encode/decode when treating it as a text string.

/r$

-- 
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: [openssl-users] how to STORE encrypted string in database
Your string is not portable (it isn't even a string). Hence, storing it as a string in your database isn't a good thing to do. Try encoding it in base64 after your encryption, and store the result (which will be a clean portable string). An alternative solution is to store your encrypted value as binary data.

In fact, following your link, those are the first 2 answers...

-- 
Erwann ABALEA

On 28/03/2013 19:08, Jevin Sonut wrote:

> Hi,
>
> I have encrypted a string using Blowfish from the OpenSSL library. I got the following string:
>
>     A▓☼LÝ$øä²↓j╗ú¤Ä:ðï▲
>
> I inserted the data into my database, BUT when I retrieved the data I got
>
>     A¦¤LÝ$øä²?j+ú¤Ä:ðï?
>
> (NOT the same as the original one I inserted). Thus when I decrypt the loaded string from the database I do not get the original string.
>
> Can anyone please help to solve the problem? I'm using SQLite and C/C++.
>
> I googled the problem but came across a C# solution: http://stackoverflow.com/questions/8389412/md5-encrypted-string-returns-different-from-database-than-it-is-inserted
>
> Can anyone PLEASE help?
>
> From:- Shanil J.S
Re: how to STORE encrypted string in database
Can anyone PLEASE tell me how one can do base64 encode/decode with OpenSSL? Please provide a link where I can learn how to use base64 in OpenSSL.

On Thu, Mar 28, 2013 at 10:14 PM, Salz, Rich <rs...@akamai.com> wrote:

> Encrypted data is not a text string, it is an array of binary octets. You will have to do something like base64 encode/decode when treating it as a text string.
>
> /r$
>
> -- 
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA

-- 
From:- Shanil J.S
Re: how to STORE encrypted string in database
On Thursday, March 28, 2013 at 01:14:35PM -0500, Salz, Rich wrote:

> Encrypted data is not a text string, it is an array of binary octets. You will have to do something like base64 encode/decode when treating it as a text string.

Or the OP should use a data type of the database which allows storing binary octets, like BLOB (Sybase) or IMAGE (Oracle) or ... depends on your DBS.

matthias

-- 
Sent from my FreeBSD netbook

Matthias Apitz               | - No system with backdoors like Apple/Android
E-mail: g...@unixarea.de     | - Never being an iSlave
WWW: http://www.unixarea.de/ | - No proprietary attachments, no HTML/RTF in E-mail
phone: +49-170-4527211       | - Respect for open standards
RE: How to create crt and pem
> From: owner-openssl-us...@openssl.org On Behalf Of Kevin Jenkins
> Sent: Wednesday, 27 March, 2013 01:51

(previously: keycerts setup for Tomcat-apparently-with-APR)

> The default server.xml has
>
>     <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
>
> I'll leave that in since it seems to be what I need

Looks good to me.

> http://www.digicert.com/ssl-support/pem-ssl-creation.htm talks about how to concatenate the different chunks of data into one file, with the .pem extension. I take it this is not necessary.

Not for your case as described. That's needed if your cert needs multiple chain certs -- some CAs do; or if you need the server (aka primary) cert in the same file with the chain cert(s) -- some openssl and indeed other apps do, but apparently not Tomcat/APR; or if you want cert and privatekey in the same file -- see below.

> Here is what I have so far:
>
>     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="SSLv3"
>                SSLCertificateKeyFile="${catalina.base}/conf/privatekey.txt"
>                SSLCertificateFile="${catalina.base}/conf/milestone.lobby3.raknet.com.txt"
>                SSLCertificateChainFile="${catalina.base}/conf/intermediate.txt" />
>
> I notice on this page http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support it says "(NOT RECOMMENDED)" in the block for SSLCertificateKeyFile. Why would it not be recommended to use SSLCertificateKeyFile?

What it says is not-recommended is defaulting the privatekey to be in the same file as the cert, i.e. OMITTING SSLCertificateKeyFile. Some people find it convenient to keep cert and key together. Even that is probably overstated. *If* you are copying certs and cert files about a lot, and you use the approach of keeping cert and privatekey in one file, it is easy to make the mistake of copying (a file with) your privatekey when you shouldn't, especially if this is an unencrypted privatekey (which it must be if the party that issued it didn't give you a passphrase). But if you just install key and cert in your server (along with chain) and do nothing else with them, I wouldn't worry either way.

> Do I need to download files from OpenSSL for this to work, or do you know if Tomcat already has built-in what I need? You said "Apache native httpd" so perhaps I do not?

Native httpd is a completely different implementation, though it's also a webserver and *similar* in many respects to tomcat. httpd (optionally) uses mod_ssl which uses openssl. tomcat can use Java crypto (JSSE, JCE) or it can use APR and openssl.

I can't say for sure because I don't use the actual Apache packaging but instead the JBoss repackaging (into jbossweb and jbossweb-native). But looking more carefully at /tomcat-7.0-doc/apr.html I see it says "Most Linux distributions will ship packages for APR and OpenSSL. The JNI wrapper (libtcnative) will then have to be compiled. It depends on APR, OpenSSL, and the Java headers." (instructions). (I had forgotten that tcnative is actually a separate shim.)
Re: how to STORE encrypted string in database
Look up the documentation of the following OpenSSL functions (yes, this is a bit roundabout for encoding a single string, but this is all OpenSSL exposes):

    BIO_f_base64
    BIO_s_mem

A better way is to use a non-OpenSSL library to Base64 (or Base32 or Base85 or Base16 or whatever you like) the binary data directly, without the gratuitous insertion of newlines and "=" sign padding done by the file-oriented BIO_f_base64.

An even better way is to use the SQL syntax for explicitly specifying non-textual bytes in field values (ask an SQL expert or read the documentation that came with your database development tools).

On 3/28/2013 7:32 PM, Jevin Sonut wrote:

> Can anyone PLEASE tell me how one can do base64 encode/decode with OpenSSL? Please provide a link where I can learn how to use base64 in OpenSSL.
>
> On Thu, Mar 28, 2013 at 10:14 PM, Salz, Rich <rs...@akamai.com> wrote:
>
> > Encrypted data is not a text string, it is an array of binary octets. You will have to do something like base64 encode/decode when treating it as a text string.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: how to STORE encrypted string in database
There is greater need for precision in what is desired. Doing a base64 encoding and storing encrypted data are two entirely different matters, required sometimes in quite different circumstances. I generally do not bother with encoding as that is not normally needed in what I do, but a 30 second search using Google found this somewhat dated note:

http://www.ioncannon.net/programming/34/howto-base64-encode-with-cc-and-openssl/

Perhaps someone who knows openssl much better than I can tell us if the information contained in it is still accurate. My experience with openssl is primarily in using it to create and manage certificates. Any handling of encrypting and storing data, I typically divide between whatever RDBMS I am using for a given task and perl.

That said, if the only real requirement is to store encrypted data in a database, the task is dirt simple (or perhaps simpler, as a soil scientist would probably tell us that dirt isn't so simple). First, one must recognize that the encrypted data is binary data, not plain text (i.e., for the OP, what blowfish returned to you wasn't a string at all, but rather binary data, and it is a mistake to try to treat it like a string). Once you know that, then the task becomes as trivially simple as to define the field in the table that is to hold that data to be of type varbinary, with a suitable maximum length. That is fairly standard across RDBMS. It is available in all the RDBMS I have worked with (MS SQL Server, MySQL, PostgreSQL), and has been for a rather long time. The connector library documentation you use to connect to whatever database you're using ought to have sufficient documentation on how to handle varbinary data.

And, of course, if you're storing encrypted data in your database, you must ensure that you are storing everything you need to be able to decrypt it (and there is little point in storing it encrypted if the key used is stored in the same database, as any bad guy who gains access to your DB has thus access to both the encrypted data and the key needed to decrypt it, but that gets to an issue in the architecture of the software system you're building, and I am sure you don't want me to talk about use of multiple servers on multiple subnets each separated from the others by firewalls using a blend of techniques such as IP filtering - my enthusiasm for paranoia might just get the best of me if I do).

Cheers

Ted
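The three pieces of advice in this thread (Rich and Erwann: base64 the octets before putting them in a text column; Matthias and Ted: use a binary column type such as BLOB or varbinary; Jakob: avoid the newline-inserting BIO_f_base64 if you do encode) can be checked against a real database in a few lines. The following is an added example, not code from the thread or from OpenSSL; it uses Python's standard `sqlite3` and `base64` modules rather than the C API the poster is using, so that it runs stand-alone. The `CIPHERTEXT` bytes are constructed for the demonstration (they are not real Blowfish output; they just contain a NUL byte, a newline and high-bit bytes, as real ciphertext routinely does), and `naive_text_roundtrip` models what `sqlite3_bind_text` with a length of -1 does in C, which is to measure the value with strlen() and stop at the first NUL.

```python
# Added example: three ways of putting ciphertext into an SQLite column, and
# which of them give the original bytes back. Data values are constructed.
import base64
import sqlite3

# Constructed stand-in for a Blowfish ciphertext block pair: 16 bytes that
# include 0x00 (index 5), 0x0A (newline) and several bytes above 0x7F.
CIPHERTEXT = bytes([0x41, 0xB2, 0x0F, 0x4C, 0xDD, 0x00, 0x24, 0xF8,
                    0xE4, 0xFD, 0x0A, 0x6A, 0xBB, 0xA3, 0xA4, 0x8E])


def open_db() -> sqlite3.Connection:
    """In-memory database with one TEXT column and one BLOB column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE secrets (label TEXT PRIMARY KEY, ct_text TEXT, ct_blob BLOB)")
    return db


def naive_text_roundtrip(db: sqlite3.Connection, data: bytes) -> bytes:
    """The mistake in the original post: bind the raw octets as a C string.

    sqlite3_bind_text(stmt, i, buf, -1, ...) takes the length from strlen(),
    so everything from the first NUL onward never reaches the database; the
    bytes that do arrive are then subject to text decoding on the way out.
    """
    as_c_string = data.split(b"\x00", 1)[0]          # strlen() truncation
    db.execute("INSERT INTO secrets(label, ct_text) VALUES ('naive', ?)",
               (as_c_string.decode("latin-1"),))
    (val,) = db.execute("SELECT ct_text FROM secrets WHERE label='naive'").fetchone()
    return val.encode("latin-1")


def base64_text_roundtrip(db: sqlite3.Connection, data: bytes) -> bytes:
    """Encode to base64 first; the TEXT column then only ever sees ASCII.

    base64.b64encode emits a single line with no embedded newlines, unlike
    OpenSSL's file-oriented BIO_f_base64 in its default mode.
    """
    encoded = base64.b64encode(data).decode("ascii")
    db.execute("INSERT INTO secrets(label, ct_text) VALUES ('b64', ?)", (encoded,))
    (val,) = db.execute("SELECT ct_text FROM secrets WHERE label='b64'").fetchone()
    return base64.b64decode(val)


def blob_roundtrip(db: sqlite3.Connection, data: bytes) -> bytes:
    """Store the octets as-is in a BLOB column (varbinary elsewhere).

    Binding a bytes object makes sqlite3 use sqlite3_bind_blob with an
    explicit length, so NUL bytes and high-bit bytes are preserved verbatim.
    """
    db.execute("INSERT INTO secrets(label, ct_blob) VALUES ('blob', ?)", (data,))
    (val,) = db.execute("SELECT ct_blob FROM secrets WHERE label='blob'").fetchone()
    return bytes(val)


def run_demo(data: bytes = CIPHERTEXT) -> dict:
    """Map each storage strategy to whether the stored value came back intact."""
    db = open_db()
    return {
        "naive_text": naive_text_roundtrip(db, data) == data,
        "base64_text": base64_text_roundtrip(db, data) == data,
        "blob": blob_roundtrip(db, data) == data,
    }


if __name__ == "__main__":
    for strategy, intact in run_demo().items():
        print(f"{strategy:12s} intact={intact}")
```

Only the naive strategy fails, and it fails silently: the INSERT succeeds and a SELECT returns a plausible-looking value, which is the symptom in the original post. Either of the other two is fine; the BLOB column is the simpler one when the application already handles bytes, base64 when some other layer insists on text. Ted's closing point still applies to all three: the column holds ciphertext only, and the key that decrypts it should not live in the same database.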
Store generated keys for later use on windows
What is the best way to store keys that will be used by OpenSSL? Can someone please explain how to create the pem/p7 file for keys?

I found some info at http://www.mail-archive.com/openssl-users@openssl.org/msg18775.html

Another unanswered question about pem file manipulation: http://www.mail-archive.com/openssl-users@openssl.org/msg69377.html

If there is any other better way, please tell me. Actually I defined a char and entered the passkey and IV in the program itself???

From:- Shanil J.S
RE: how to STORE encrypted string in database
Hahaha, I thought I was reading my own notes there for a minute, Ted.

I would highly recommend the key not being on the same machine, or even in the same cluster. And honestly, not the same data warehouse for that matter. (Anything in the warehouse can be cross-tracked and traced, and you'd be surprised how many times it's a worker at the warehouse who doesn't know what he doesn't know.)

My 2 cents / agreeing with Ted, Paranoia RULZ.

After while crocodiles.

~dodi.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Ted Byers
Sent: Thursday, March 28, 2013 6:40 PM
To: openssl-users@openssl.org
Subject: Re: how to STORE encrypted string in database

> There is greater need for precision in what is desired. Doing a base64 encoding and storing encrypted data are two entirely different matters, required sometimes in quite different circumstances. I generally do not bother with encoding as that is not normally needed in what I do, but a 30 second search using Google found this somewhat dated note:
>
> http://www.ioncannon.net/programming/34/howto-base64-encode-with-cc-and-openssl/
>
> Perhaps someone who knows openssl much better than I can tell us if the information contained in it is still accurate. My experience with openssl is primarily in using it to create and manage certificates. Any handling of encrypting and storing data, I typically divide between whatever RDBMS I am using for a given task and perl.
>
> That said, if the only real requirement is to store encrypted data in a database, the task is dirt simple (or perhaps simpler, as a soil scientist would probably tell us that dirt isn't so simple). First, one must recognize that the encrypted data is binary data, not plain text (i.e., for the OP, what blowfish returned to you wasn't a string at all, but rather binary data, and it is a mistake to try to treat it like a string). Once you know that, then the task becomes as trivially simple as to define the field in the table that is to hold that data to be of type varbinary, with a suitable maximum length. That is fairly standard across RDBMS. It is available in all the RDBMS I have worked with (MS SQL Server, MySQL, PostgreSQL), and has been for a rather long time. The connector library documentation you use to connect to whatever database you're using ought to have sufficient documentation on how to handle varbinary data.
>
> And, of course, if you're storing encrypted data in your database, you must ensure that you are storing everything you need to be able to decrypt it (and there is little point in storing it encrypted if the key used is stored in the same database, as any bad guy who gains access to your DB has thus access to both the encrypted data and the key needed to decrypt it, but that gets to an issue in the architecture of the software system you're building, and I am sure you don't want me to talk about use of multiple servers on multiple subnets each separated from the others by firewalls using a blend of techniques such as IP filtering - my enthusiasm for paranoia might just get the best of me if I do).
>
> Cheers
>
> Ted