RE: OpenSSL PKCS #7 supports AES SHA-2 ?

2006-10-13 Thread Tolga Acar
Read RFC4055 for RSA with various hashes, OAEP, and PSS combinations.

- Tolga

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alten
 Sent: Tuesday, October 10, 2006 9:47 AM
 To: Russ Housley; cryptography@metzdowd.com
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
 [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
 [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
 [EMAIL PROTECTED]
 Subject: Re: OpenSSL PKCS #7 supports AES  SHA-2 ?
 
 Russ,
 
 OK.  I found SHA-2 in RFC 4634 (only 3 months old), which refers back to FIPS 180-2.
 
 But I reach a dead-end with PKCS #7 (now RFC 3852).  There's no support for SHA-2
 algorithm types (RFC 3279). Also PKCS #1 (now RFC 3447) needs an update for
 SHA-2 with RSA encryption (OIDs, etc.).
 
 Did I miss something, or do you need help in updating these, since I, and probably others too, need them?
 
 - Alex
 
 
 At 01:19 PM 10/9/2006 -0400, Russ Housley wrote:
 PKCS#7 has been turned over to the IETF for maintenance.  The most recent version is
 RFC 3852.  Since the protocol is more stable than the cryptographic algorithms, the
 algorithm discussion appears in separate RFCs.
 
 TLS 1.2 is under development in the IETF.  It is being done in such a way that none of
 the ciphersuites that have already been defined need to be updated, including the ones
 that use AES and the SHA-2 family.
 
 Russ
 
 
 At 01:28 AM 10/7/2006, Alex Alten wrote:
 After reading PKCS #1 v2 more closely, SHA-2 is not even in the specs; therefore
 OpenSSL PKCS #7 functions won't support SHA-2.  This spec was last updated in 1998.
 
 PKCS Editor, is there a new update in progress by RSA Labs to incorporate SHA-2 and AES?
 
 Does OpenSSL implement PKCS #1 v2 or just v1.5?  If the latter, then not even SHA-1 is supported.
 
 PKCS editor, is there any timeline as to when PKCS #7 will then be updated with
 references to official OIDs, etc., for specifying SHA-2 and AES?
 
 Dr. Ron Rivest, are you going to publish new message-digest IETF RFCs for SHA-1 and SHA-2?
 (So that they can be referenced by an updated PKCS #7.)
 
 Mr. Russ Housley, can you weigh in with what is happening in the IETF WG security area?
 I know that Mr. Eric Rescorla is working on a new TLS v1.2 draft.  Will this be
 done/ratified soon?  I assume OpenSSL will incorporate this soon thereafter?
 
 This mess with the MD5 and SHA-1 hashes is really starting to become a problem.
 It's certainly impacting new development projects/products I'm involved with using SSL
 and PKI certificates.  My customers are concerned about using MD5 and SHA-1, and they
 don't want to keep paying for implementations repeatedly as the standards catch up to
 reality.  Updating these various heavily used standards quickly is quite important.
 
 Sincerely (and thanks in advance for all of your replies),
 
 - Alex
 
 
 At 09:05 AM 10/6/2006 -0700, Alex Alten wrote:
 Does anyone know if the OpenSSL PKCS #7 functions support AES and SHA-2?
 (I'm assuming OpenSSL 0.9.7 or later.)
 
 Thanks,
 
 - Alex
 
 --
 
 Alex Alten
 Alten Security Engineering, Inc.
 [EMAIL PROTECTED]
 
 
 
 
 -
 The Cryptography Mailing List
 Unsubscribe by sending unsubscribe cryptography to 
 [EMAIL PROTECTED]
 




RE: Exponent 3 damage spreads...

2006-09-21 Thread Tolga Acar
Anton,

Here is what I compute in Maple.
I wonder if you are running into an old BC bug. I don't remember the
details, but bc had a bug some 10 years or so ago with big numbers.

with(numtheory):

s:=convert(`00D3CDA91B578B6DF29AEB140272BD9198759F79FA10DC410B5D10362048AC7A...`,decimal,hex):

m:=convert(`01D851D5148345606F586935D227CD5CF7F04F890AC5024178BA5F4EE85D7796...`,decimal,hex):

c:=s^3 mod m:
convert(c,hex);
 


c2:=m^3 mod s:
convert(c2,hex);


 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Anton Stiglic
 Sent: Tuesday, September 19, 2006 8:56 PM
 To: cryptography@metzdowd.com
 Cc: 'Anton Stiglic'
 Subject: RE: Exponent 3 damage spreads...
 
 
 I tried coming up with my own forged signature that could be 
 validated with OpenSSL (which I intended to use to test other 
 libraries).  I haven't succeeded, either because in the 
 particular example I came up with OpenSSL does something that 
 catches the invalid signature, or I messed up somewhere (the 
 likelihood of which is far from negligible).  Unfortunately, 
 I don't have much more time to play with this.  I decided to 
 share the methodology I used with those of you who are 
 interested in case the info is helpful to anyone, or someone 
 can tell me why the signature I produced doesn't get 
 validated by OpenSSL.
 
 I followed the instructions of Hal Finney's excellent post:
 http://www.mail-archive.com/cryptography@metzdowd.com/msg06537.html
 
 I started out by generating a 3072-bit RSA key pair, with public exponent e = 3.
 
 openssl genrsa -des3 -3 -out my.key 3072
 
 The resulting key can be found below; the password is "test" if you ever want to use it.
 
 Then I created the corresponding public key certificate:
 
 openssl req -new -x509 -days 1001 -key my.key -out my.cer
 
 The public key certificate can be found below as well.  You can import this in 

RE: Real World Exploit for Bleichenbacher's Attack on SSL from Crypto'06 working

2006-09-15 Thread Tolga Acar
You need to have one zero octet after the bunch of FFs and before the DER-encoded
hash blob in order to have a proper PKCS#1v1.5 signature encoding.

Based on what you say below ("I used this cert and my key to sign an end-entity
certificate which I used to set up a webserver"), it appears that the implementations
you used don't check for this one zero octet, either.

- Tolga 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Erik Tews
 Sent: Thursday, September 14, 2006 3:40 PM
 To: Cryptography
 Subject: Real World Exploit for Bleichenbacher's Attack on SSL from Crypto'06 working
 
 Hi
 
 I had an idea very similar to the one Peter Gutmann had this morning. I managed to
 write a real world exploit which takes as input:
 
   * a CA certificate using 1024-bit RSA and exponent 3 (ca-in)
   * a public key, using an algorithm and size of your choice (key-in)
 
 and generates a CA certificate signed by ca-in, using public key key-in.
 
 At least 3 major web browsers on the market are shipped by default with CA
 certificates which have signed other intermediate CAs which use rsa1024 with
 exponent 3, in their current version. With this exploit, you can now sign arbitrary
 server certificates for any website of your choice, which are accepted by all 3
 web browsers without any kind of SSL warning message.
 
 I used the following method:
 
 I first generated a certificate, with BasicConstraints set to True, Public Key set to
 one of my keys, and Issuer set to the DN of a CA using 1024-bit RSA with exponent 3.
 I used usual values for all the other fields. When I signed a certificate I shifted
 all my data to the left. I had 46 bytes of fixed values (this can perhaps be reduced
 to 45 bytes, I have not checked yet, but even with 46, this attack works). They had
 the form 00 01 FF FF FF FF FF FF FF FF ASN1DataWithHash. This gives me 82 bytes I can
 fill with arbitrary values (at least, if the implementation skips some part of the
 ASN.1 data, I can choose some bytes there too).
 
 If you now set all the bytes right of your ASN1DataWithHash to 00, interpret that as
 a number n, and compute:
 
   y = (ceil(cubeRoot(n)))^3
 
 where ceil means rounding to the next bigger natural number and cubeRoot computes the
 third root in R.
 
 y will be a perfect cube and have the form:
 
 00 01 FF FF FF FF FF FF FF FF ASN1DataWithHash' Garbage
 
 and ASN1DataWithHash' looks quite similar to your original ASN1DataWithHash, with
 perhaps the 2-3 rightmost bytes changed. These bytes are part of the certificate hash value.
 
 This signature is useless, because every certificate has a fixed hash value. But you
 don't need to sign a fixed certificate. So I started adding some seconds to the
 notAfter value of the certificate and computed the hash again. I brute-forced until I
 had a certificate where the computation of y did not alter any bytes of the
 ASN1DataWithHash.
 
 I had to try 275992 different values, which took 2-3 minutes on my 1.7 GHz Pentium
 using an unoptimized Java implementation.
 
 I used this cert and my key to sign an end-entity certificate which I used to set up
 a webserver.
 
 I have to check some legal aspects before publishing the names of the browsers which
 accepted this certificate and the names of the CA certificates with exponent 3 I used
 in some hours, if nobody tells me not to do that. Depending on the advice I get, I
 will release the source code of the exploit too.
 
 Thanks go to Alexander May and Ralf-Philipp Weinmann who helped me.
 

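Added example, not code from Tews, Acar or any library the thread mentions: a strict PKCS#1 v1.5 encoding check beside the lenient parse that both posts describe, run on constructed encodings so that the two malformed shapes (a short FF run with trailing octets, and no 00 separator before the DigestInfo) are seen to pass the lenient check and fail the strict one. The hash is assumed to be SHA-256 and the 1024-bit modulus length (k = 128) and digest are constructed.

```python
import hashlib

# DigestInfo prefix for SHA-256, from RFC 3447 section 9.2, note 1.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed sample: hash of some to-be-signed certificate bytes, and a
# 1024-bit modulus (k = 128 octets) as in the exponent-3 CA case above.
DIGEST = hashlib.sha256(b"constructed tbsCertificate bytes").digest()
K = 128


def pkcs1_v15_encode(digest, k):
    """EM = 00 01 FF..FF 00 DigestInfo, exactly k octets (RFC 3447 section 9.2)."""
    t = SHA256_PREFIX + digest
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_strict(em, digest):
    """RFC 3447 section 8.2.2: re-encode and compare the whole EM octet string."""
    return em == pkcs1_v15_encode(digest, len(em))


def verify_lenient(em, digest):
    """The flawed parse the thread describes: skip 00 01 and the FF run, treat the
    00 separator as optional, find the DigestInfo and ignore whatever follows it."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < len(em) and em[i] == 0x00:  # bug: separator is not required
        i += 1
    t = SHA256_PREFIX + digest
    return em[i:i + len(t)] == t       # bug: trailing octets never examined


def forged_shape_em(digest, k):
    """Constructed EM of the shape 00 01 FF*8 00 DigestInfo Garbage: the short FF
    run leaves the rightmost octets free, which a strict verifier must reject."""
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x00" * (k - 11 - len(t))


def missing_separator_em(digest, k):
    """Constructed EM with no 00 octet between the FF run and the DigestInfo."""
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (k - 2 - len(t)) + t


if __name__ == "__main__":
    for name, em in [("well-formed", pkcs1_v15_encode(DIGEST, K)),
                     ("short FF run + garbage", forged_shape_em(DIGEST, K)),
                     ("missing 00 separator", missing_separator_em(DIGEST, K))]:
        print(f"{name:24s} lenient={verify_lenient(em, DIGEST)} strict={verify_strict(em, DIGEST)}")
```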



RE: RSA Implementation in C language

2004-12-01 Thread Tolga Acar
Try Intel's open-sourced CDSA, available at SourceForge.

- Tolga

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-
 [EMAIL PROTECTED] On Behalf Of Trei, Peter
 Sent: Tuesday, November 30, 2004 7:16
 To: Sandeep N; [EMAIL PROTECTED]
 Subject: RE: RSA Implementation in C language
 
 Admittedly somewhat old and creaky, but try Googling RSAREF. I don't know where that
 stands for IP rights (presumably we still have copyright), but for research it's a
 starting point.
 
 
 
 Peter
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Sandeep N
  Sent: Monday, November 29, 2004 3:17 AM
  To: [EMAIL PROTECTED]
  Subject: RSA Implementation in C language
 
 
  Hi,
 
  Can anybody tell me where I can get an implementation of RSA
  algorithm in C language? I searched for it, but could not locate one.
  I would be grateful to you if you could give me the location of the
  source code.
 
  Thanks and Regards,
  Sandeep
 
 
 




Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-08 Thread Tolga Acar
On second thought, given that there is no key management algorithm certified, how
would one set up an SSL connection in FIPS mode?

It seems to me that it is not possible to have a FIPS 140 certified SSL/TLS session
using OpenSSL's certification.

- Tolga



Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Tolga Acar
Joshua Hill wrote:

On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote:

It is the first *source code* certification.

The ability to do this runs counter to my understanding of FIPS 140-2.

... and to experiences with the previous FIPS 140-1 certifications I was involved in,
including a fairly recent communication from NIST that defines a crypto module: it is
not a statically linked library, and it ought to be an executable or a shared library
(.so, .dll).

Second, it is unclear to me what would be tested during operational
testing.  The source code can't itself be a module, because the source
code doesn't do anything until it is compiled and run. FIPS 140-2
currently only allows for fully functional units to be modules; you'll
note, for instance, that FIPS certs for software modules are listed as
a multi-chip standalone embodiment, for instance.  NIST was talking
about producing documents that would support a true software only
embodiment, but that initiative seems to have stalled with the change
of directors of the CMVP (the NIST group that issues FIPS 140-2 certs).
Can you say that the C/asm source code is the code that constitutes a module, and
define compiler/linker/OS/CPU as your execution environment for FIPS 140 purposes?
Think Java, for instance.
I realize this is stretching it too thin, and I can think of lots of reasons why it
can't be. But...

Third, nominally, the FIPS certificate only applies to the particular
operating system (and OS version) that the operational testing was
done on.  For level 1 modules, NIST has historically allowed OSes in
the same family to also be covered, and they have been very liberal
in their definition of family.
I have seen evidence that this restriction has become exceptionally loose, and that
the family can be as broad as UNIX-like systems...

- Tolga


