Re: Integration of new algorithms

[Dr Paul Dale]

Kris,

Dynamically allocate yourself a block of NIDs, one for each algorithm, using 
OBJ_new_nid().

Note also, that there is a preferable option if you are working against the 
upcoming 3.0.  Instead of developing an engine, create a provider.  This avoids 
NIDs completely and was designed from the ground up to support what you want.


Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia




> On 27 Aug 2020, at 2:21 am, Kris Kwiatkowski  wrote:
> 
> Hello,
> 
> I'm working on development of OpenSSL ENGINE that integrates
> post-quantum algorithms (new NIDs). During integration I
> need to modify OpenSSL code to add custom function, but would
> prefer not to need add anything to OpenSSL code (so engine
> can be dynmicaly loaded by any modern OpenSSL).
> 
> So, In three cases, namely when the code is in callbacks for keygen,
> encryption and ctrl (called by EVP_PKEY_CTX_ctrl, EVP_PKEY_encrypt 
> and EVP_PKEY_keygen) I need to get NID of the scheme. The problem
> is that, those functions are called with EVP_PKEY_CTX object
> provided as an argument. The NID is stored in the 
> EVP_PKEY_CTX->pmeth->pkey_id. I think (AFAIK) there is no API
> which would return that value.
> 
> I've added a simple function that returns pkey_id from the ctx, but
> that means that I need to change OpenSSL code. Is there any way
> to get NID without changing OpenSSL?
> 
> Kind regards,
> Kris
> 
> 
> 
> 

Integration of new algorithms

[Kris Kwiatkowski]

Hello,


I'm working on development of OpenSSL ENGINE that integrates
post-quantum algorithms (new NIDs). During integration I
need to modify OpenSSL code to add custom function, but would
prefer not to need add anything to OpenSSL code (so engine
can be dynmicaly loaded by any modern OpenSSL).

So, In three cases, namely when the code is in callbacks for keygen,
encryption and ctrl (called by EVP_PKEY_CTX_ctrl, EVP_PKEY_encrypt
and EVP_PKEY_keygen) I need to get NID of the scheme. The problem
is that, those functions are called with EVP_PKEY_CTX object
provided as an argument. The NID is stored in the
EVP_PKEY_CTX->pmeth->pkey_id. I think (AFAIK) there is no API
which would return that value.

I've added a simple function that returns pkey_id from the ctx, but
that means that I need to change OpenSSL code. Is there any way
to get NID without changing OpenSSL?

Kind regards,
Kris

Re: new algorithms

[open...@foocrypt.net]

HI Giovanni

Depending on the country you are located in, you may need to check the current 
status of your countries regulatory legislation regarding encryption 
technologies. 

Participating countries : https://www.wassenaar.org/participating-states/ 
 [ contacts ] & encryption is 
listed under Dual List Technologies : https://www.wassenaar.org/ 
 is always a good place to start before drilling 
into your own locations specific regulations on encryption technologies.

All the best mate and hoping your invention prospers.


-- 

Regards,

Mark A. Lane   

© Mark A. Lane 1980 - 2019, All Rights Reserved.
© FooCrypt 1980 - 2019, All Rights Reserved.
© FooCrypt, A Tale of Cynical Cyclical Encryption. 1980 - 2019, All Rights 
Reserved.
© Cryptopocalypse 1980 - 2019, All Rights Reserved.

> On 9 Apr 2019, at 03:50, Giovanni Fontana  
> wrote:
> 
> Thank you every one for the answers and tips, really a great and active group!
> 
> Thank you also to Teja and Tobias who has just wrote some suggestion on how I 
> can  have a technical shortcut to prove the functionality of my algorithms in 
> very limited environment.
> What I asked is to move a first step (after the algorithms) to have a demo 
> before to setup a company. 
> For my limited knowledge I know  the algorithms need to be published and 
> security must be proved for some authorities. All I need to prove is the 
> algorithms works in the real world and openSSL is one of the most used tool 
> to do that, then the other steps
> 
> Thank you again for your answer, this is what I really need.
> 
> Giovanni
> 
> 
> 
> Il giorno lun 8 apr 2019 alle ore 19:23 Teja Prabhu <213...@gmail.com 
> > ha scritto:
> 1. dasync_aes128_cbc_cipher (search for this in 
> https://github.com/openssl/openssl/blob/master/engines/e_dasync.c 
> ) || 
> replace it with your symmetric cipher, and do the same for RSA.
> 2. setup a server and client and hard-code the symmetric & asymmetric ciphers 
> to your ciphers
> 3. your idea is simply not going to work. Like Tobias said, you have to add 
> them manually. I suggest you simply not use OpenSSL or any TLS library, 
> unless you have a lot of clout in the International Communication Union.
> 
> You can take Mega's approach and use javascript since every browser under the 
> sun has it (as an additional layer over TLS).
> 
> Teja Prabhu
> 
> 
> On Mon, Apr 8, 2019 at 7:06 PM Tobias Nießen  > wrote:
> > creation of x509 certificate with algo1 and algo2, and/or TLS and SSL 
> > connection always with algo1 and algo2
> As far as I know, you will need to have an OID assigned for each 
> algorithm for x509 certificates. You can add those to OpenSSL manually, 
> but you won't be able to communicate with any other software that does 
> not implement them. (And as Rich said, there is little reason for people 
> to trust and use non-standard algorithms.)

Re: new algorithms

[Michael Richardson]

>> creation of x509 certificate with algo1 and algo2, and/or TLS and SSL
>> connection always with algo1 and algo2

Tobias Nießen  wrote:
> As far as I know, you will need to have an OID assigned for each
> algorithm for x509 certificates. You can add those to OpenSSL manually,
> but you won't be able to communicate with any other software that does
> not implement them. (And as Rich said, there is little reason for
> people to trust and use non-standard algorithms.)

But, if your goal is private testing of your stuff, then any OID will do,
including one you allocate with a Private Enterprise Number, which you can get 
from
IANA by filling out a simple form.
You'll likely have to add the OIDs to the object.txt and run some scripts.

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works|IoT architect   [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[



signature.asc
Description: PGP signature

Re: new algorithms

[Giovanni Fontana]

Thank you every one for the answers and tips, really a great and active
group!

Thank you also to Teja and Tobias who has just wrote some suggestion on how
I can  have a technical shortcut to prove the functionality of my
algorithms in very limited environment.
What I asked is to move a first step (after the algorithms) to have a demo
before to setup a company.
For my limited knowledge I know  the algorithms need to be published and
security must be proved for some authorities. All I need to prove is the
algorithms works in the real world and openSSL is one of the most used tool
to do that, then the other steps

Thank you again for your answer, this is what I really need.

Giovanni



Il giorno lun 8 apr 2019 alle ore 19:23 Teja Prabhu <213...@gmail.com> ha
scritto:

> 1. dasync_aes128_cbc_cipher (search for this in
> https://github.com/openssl/openssl/blob/master/engines/e_dasync.c) ||
> replace it with your symmetric cipher, and do the same for RSA.
> 2. setup a server and client and hard-code the symmetric & asymmetric
> ciphers to your ciphers
> 3. your idea is simply not going to work. Like Tobias said, you have to
> add them manually. I suggest you simply not use OpenSSL or any TLS library,
> unless you have a lot of clout in the International Communication Union.
>
> You can take Mega's approach and use javascript since every browser under
> the sun has it (as an additional layer over TLS).
>
> Teja Prabhu
>
>
> On Mon, Apr 8, 2019 at 7:06 PM Tobias Nießen  wrote:
>
>> > creation of x509 certificate with algo1 and algo2, and/or TLS and SSL
>> > connection always with algo1 and algo2
>> As far as I know, you will need to have an OID assigned for each
>> algorithm for x509 certificates. You can add those to OpenSSL manually,
>> but you won't be able to communicate with any other software that does
>> not implement them. (And as Rich said, there is little reason for people
>> to trust and use non-standard algorithms.)
>>
>

Re: new algorithms

[Teja Prabhu]

1. dasync_aes128_cbc_cipher (search for this in
https://github.com/openssl/openssl/blob/master/engines/e_dasync.c) ||
replace it with your symmetric cipher, and do the same for RSA.
2. setup a server and client and hard-code the symmetric & asymmetric
ciphers to your ciphers
3. your idea is simply not going to work. Like Tobias said, you have to add
them manually. I suggest you simply not use OpenSSL or any TLS library,
unless you have a lot of clout in the International Communication Union.

You can take Mega's approach and use javascript since every browser under
the sun has it (as an additional layer over TLS).

Teja Prabhu


On Mon, Apr 8, 2019 at 7:06 PM Tobias Nießen  wrote:

> > creation of x509 certificate with algo1 and algo2, and/or TLS and SSL
> > connection always with algo1 and algo2
> As far as I know, you will need to have an OID assigned for each
> algorithm for x509 certificates. You can add those to OpenSSL manually,
> but you won't be able to communicate with any other software that does
> not implement them. (And as Rich said, there is little reason for people
> to trust and use non-standard algorithms.)
>

Re: new algorithms

[Tobias Nießen]

creation of x509 certificate with algo1 and algo2, and/or TLS and SSL 
connection always with algo1 and algo2
As far as I know, you will need to have an OID assigned for each 
algorithm for x509 certificates. You can add those to OpenSSL manually, 
but you won't be able to communicate with any other software that does 
not implement them. (And as Rich said, there is little reason for people 
to trust and use non-standard algorithms.)

Re: new algorithms

[Salz, Rich via openssl-users]

  *   Sure, I want to publish the algorithm, but not yet... waiting for 
establishing a company.

This is a bit off-topic, but trying to make money from a cryptographic 
algorithm isn’t really done any more.  RSA was locked up by patents, and there 
were some elliptic curve patents that have since expired, but nobody really 
trusts private algorithms any more. There’s too much good stuff readily 
available.

To answer your other question: OpenSSL is covered by the Apache license and any 
contributions should also use the same license or they will not be accepted. 
And cryptography, in particular, has to be used by a recognized standards body.

Good luck.

Re: new algorithms

[Viktor Dukhovni]

On Mon, Apr 08, 2019 at 05:48:56PM +0200, Giovanni Fontana wrote:

> my name is Giovanni Fontana. I made a new symmetric crypto algorithm (let’s
> call it *algo1*) and a new asymmetric crypto algorithm (let’s call it
> *algo2*).

Recent additions to OpenSSL include X25519, Ed25519 and ChaCha20.
If, for some reason, you believe that an important security problem
we're facing is an insufficient number of available algorithms, you
can study how these recent algorithms are integrated into OpenSSL
generally, X.509, CMS and TLS, and integrate your algorithms in a
similar manner.

You might also take a look at the OpenSSL master (3.0) development
branch, which introduces changes to the internal architecture that
are intended to better facilitate integration of external cryptographic
modules.

-- 
Viktor.

Re: new algorithms

[Giovanni Fontana]

Hi Clarke,

Thanks for the email.
Sure, I want to publish the algorithm, but not yet... waiting for
establishing a company.
For similar reasons no github usage at moment.

Giovanni



Il giorno lun 8 apr 2019 alle 18:06 Dennis Clarke 
ha scritto:

> On 4/8/19 11:48 AM, Giovanni Fontana wrote:
> > Hello everybody,
> >
> > my name is Giovanni Fontana. I made a new symmetric crypto algorithm
> > (let’s call it *algo1*) and a new asymmetric crypto algorithm (let’s
> > call it *algo2*).
> >
> > I use algo2 for key exchange and with that I can create a session key to
> > cipher and decipher with algo1, so Alice and Bob can communicate each
> > other in secure way.
>
> I think you would need to publish the algorithm at some point. Is there
> a github link perhaps?
>
> Dennis
>
>
>

Re: new algorithms

[Dennis Clarke]

On 4/8/19 11:48 AM, Giovanni Fontana wrote:
> Hello everybody,
> 
> my name is Giovanni Fontana. I made a new symmetric crypto algorithm
> (let’s call it *algo1*) and a new asymmetric crypto algorithm (let’s
> call it *algo2*).
> 
> I use algo2 for key exchange and with that I can create a session key to
> cipher and decipher with algo1, so Alice and Bob can communicate each
> other in secure way.

I think you would need to publish the algorithm at some point. Is there
a github link perhaps?

Dennis

new algorithms

[Giovanni Fontana]

Hello everybody,

my name is Giovanni Fontana. I made a new symmetric crypto algorithm (let’s
call it *algo1*) and a new asymmetric crypto algorithm (let’s call it
*algo2*).

I use algo2 for key exchange and with that I can create a session key to
cipher and decipher with algo1, so Alice and Bob can communicate each other
in secure way.

I wish to import those algorithms inside OpenSSL in order to use some
features of this suite (i.e. creation of x509 certificate with algo1 and
algo2, and/or TLS and SSL connection always with algo1 and algo2).
My first tries were not successful.
Could you please tell me each step I have to do in order to achieve my
targets? Or share with me some Internet links where those steps are already
defined?

Below some info that may help you in answer me:
- The version of OpenSSL I’m playing with is 1.1.1b
- The OS is Linux Ubuntu 14.04
- Of course my algorithms are written in C.

Further question (probably to ask elsewhere inside OpenSSL organisation):
If in the next future with my algorithms I can have some business, which
kind of license I need to have with OpenSSL then?

Thank in advance
Kind regards