Cryptography-Digest Digest #297, Volume #12 Thu, 27 Jul 00 08:13:01 EDT
Contents:
Re: How to Convert p12 Files to Ascii for certificate installation (Paul Rubin)
Re: How is the security of Outlook Express encryption ? (Sébastien SAUVAGE)
Re: looking for asymmetric program sources (Runu Knips)
Re: 8 bit block ciphers (Runu Knips)
Little typo (Runu Knips)
Re: looking for asymmetric program sources ("Ian Dichkovsky")
Re: HTTPS & SSL (Mark Wooding)
Re: Selecting cipher - which one to use? (Mark Wooding)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: How to Convert p12 Files to Ascii for certificate installation
Date: 27 Jul 2000 10:16:42 GMT
In article <8loo95$1jj$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
>
>> Simplest way is with the openssl pkcs12 and x509 commands (see
>> the built in help strings). www.openssl.org.
>>
>
>Well, thanks but i have no unix available nor a compiler to compile the
>source for win...any other ways ?
Try the web site, there might be a windoze binary available.
>btw: How is the name of this data structure , i mean
>BEGIN CERTIFICATE
>... etc
>END CERTIFICATE
That's an X509 PEM file. There might be some way to write them out
with M$ Internet Exploder. I've never looked into it--I just use OpenSSL.
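The conversion with the openssl pkcs12 and x509 commands mentioned in this thread, shown as an added example (not part of the original posts). The sample bundle, file names, function name and the password "changeit" are constructed placeholders.

```shell
#!/bin/sh
# Added example. Everything here is constructed: a throwaway key and
# self-signed certificate stand in for a real .p12 export, and the
# password and file names are placeholders.
p12_to_pem_demo() {
    dir=$(mktemp -d) || return 1
    pass=changeit

    # Build a sample PKCS#12 bundle (binary, holds key + certificate).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=p12-demo" \
        -keyout "$dir/orig-key.pem" -out "$dir/orig-cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/orig-key.pem" -in "$dir/orig-cert.pem" \
        -name demo -passout "pass:$pass" -out "$dir/bundle.p12" || return 1

    # Certificate only, as ASCII PEM; the private key is not written out.
    openssl pkcs12 -in "$dir/bundle.p12" -passin "pass:$pass" \
        -clcerts -nokeys -out "$dir/cert.pem" 2>/dev/null || return 1

    # pkcs12 puts "Bag Attributes" text in front of the PEM block; passing
    # the file through x509 leaves only BEGIN/END CERTIFICATE and base64.
    openssl x509 -in "$dir/cert.pem" -out "$dir/cert-clean.pem" || return 1

    # The extracted certificate must be the one that went into the bundle.
    a=$(openssl x509 -in "$dir/orig-cert.pem" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$dir/cert-clean.pem" -noout -fingerprint -sha256)
    first=$(head -n 1 "$dir/cert-clean.pem")
    rm -rf "$dir"
    [ "$a" = "$b" ] && [ "$first" = "-----BEGIN CERTIFICATE-----" ] && echo ok
}
```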
------------------------------
Subject: Re: How is the security of Outlook Express encryption ?
From: [EMAIL PROTECTED] (Sébastien SAUVAGE)
Date: Thu, 27 Jul 2000 10:17:46 GMT
[EMAIL PROTECTED] (???) wrote in
<8lp1gs$f7r$[EMAIL PROTECTED]>:
>
> How about PGP ? Does it suffer from the attack of DLL interception ?
>
Every single program (Windows Explorer, Outlook, PGP, your browser,
your very own firewall, your antivirus, games...) can be hooked.
This is not PGP or Outlook specific.
--
Sébastien SAUVAGE - [EMAIL PROTECTED]
http://www.bigfoot.com/~sebsauvage
------------------------------
Date: Thu, 27 Jul 2000 12:17:36 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: looking for asymmetric program sources
Ian Dichkovsky wrote:
>
> Hi All!
> I'm looking for free asymmetric program sources
> (RSA, PGP, etc)
> Please post in NG all known http, or ftp, where I could get it.
> I'm searching third day. I'm tired >:-P.
3rd day ???? What damned ways are you using when searching ????
www.gnupg.org
www.pgpi.org
www.openssl.org
and that are only those why I know from memory ;-)
------------------------------
Date: Thu, 27 Jul 2000 12:19:51 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: 8 bit block ciphers
Mack wrote:
> I am looking into skipjack.
It seems that my posting has been lost. So here it is again:
/*
** Skipjack algorithm, from sci.crypt.
** Edited for better readability - Runu Knips
*/
/*
Subject: Re: Skipjack implementation in C (this one works)
Date: Thu, 18 May 2000 23:09:24 GMT
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Organization: @Home Network
Newsgroups: sci.crypt
SKIPJACK implementation in Standard C
last edit: 25-Jan-1999 [EMAIL PROTECTED]
This is a C89 implementation of the SKIPJACK block cipher algorithm
described in version 2.0 of NSA's SKIPJACK specification dated
29 May 1998 <http://csrc.nist.gov/encryption/skipjack-kea.htm>.
*/
#ifdef DEBUG
#include <stdio.h>
#endif
/*
** Interface specification:
*/
#define SJ_Keysize 10 /* (80 bits) */
/* Encryption/decryption is performed for a single 64-bit block. */
void SJ_Encrypt (
    const unsigned char *Key,
    const unsigned char *Plaintext,
    unsigned char *Ciphertext
);
void SJ_Decrypt (
    const unsigned char *Key,
    const unsigned char *Ciphertext,
    unsigned char *Plaintext
);
int SJ_Selftest (void); /* returns nonzero iff passed test */
/*
** Implementation:
*/
static const unsigned char F[256] = {
0xA3, 0xD7, 0x09, 0x83, 0xF8, 0x48, 0xF6, 0xF4,
0xB3, 0x21, 0x15, 0x78, 0x99, 0xB1, 0xAF, 0xF9,
0xE7, 0x2D, 0x4D, 0x8A, 0xCE, 0x4C, 0xCA, 0x2E,
0x52, 0x95, 0xD9, 0x1E, 0x4E, 0x38, 0x44, 0x28,
0x0A, 0xDF, 0x02, 0xA0, 0x17, 0xF1, 0x60, 0x68,
0x12, 0xB7, 0x7A, 0xC3, 0xE9, 0xFA, 0x3D, 0x53,
0x96, 0x84, 0x6B, 0xBA, 0xF2, 0x63, 0x9A, 0x19,
0x7C, 0xAE, 0xE5, 0xF5, 0xF7, 0x16, 0x6A, 0xA2,
0x39, 0xB6, 0x7B, 0x0F, 0xC1, 0x93, 0x81, 0x1B,
0xEE, 0xB4, 0x1A, 0xEA, 0xD0, 0x91, 0x2F, 0xB8,
0x55, 0xB9, 0xDA, 0x85, 0x3F, 0x41, 0xBF, 0xE0,
0x5A, 0x58, 0x80, 0x5F, 0x66, 0x0B, 0xD8, 0x90,
0x35, 0xD5, 0xC0, 0xA7, 0x33, 0x06, 0x65, 0x69,
0x45, 0x00, 0x94, 0x56, 0x6D, 0x98, 0x9B, 0x76,
0x97, 0xFC, 0xB2, 0xC2, 0xB0, 0xFE, 0xDB, 0x20,
0xE1, 0xEB, 0xD6, 0xE4, 0xDD, 0x47, 0x4A, 0x1D,
0x42, 0xED, 0x9E, 0x6E, 0x49, 0x3C, 0xCD, 0x43,
0x27, 0xD2, 0x07, 0xD4, 0xDE, 0xC7, 0x67, 0x18,
0x89, 0xCB, 0x30, 0x1F, 0x8D, 0xC6, 0x8F, 0xAA,
0xC8, 0x74, 0xDC, 0xC9, 0x5D, 0x5C, 0x31, 0xA4,
0x70, 0x88, 0x61, 0x2C, 0x9F, 0x0D, 0x2B, 0x87,
0x50, 0x82, 0x54, 0x64, 0x26, 0x7D, 0x03, 0x40,
0x34, 0x4B, 0x1C, 0x73, 0xD1, 0xC4, 0xFD, 0x3B,
0xCC, 0xFB, 0x7F, 0xAB, 0xE6, 0x3E, 0x5B, 0xA5,
0xAD, 0x04, 0x23, 0x9C, 0x14, 0x51, 0x22, 0xF0,
0x29, 0x79, 0x71, 0x7E, 0xFF, 0x8C, 0x0E, 0xE2,
0x0C, 0xEF, 0xBC, 0x72, 0x75, 0x6F, 0x37, 0xA1,
0xEC, 0xD3, 0x8E, 0x62, 0x8B, 0x86, 0x10, 0xE8,
0x08, 0x77, 0x11, 0xBE, 0x92, 0x4F, 0x24, 0xC5,
0x32, 0x36, 0x9D, 0xCF, 0xF3, 0xA6, 0xBB, 0xAC,
0x5E, 0x6C, 0xA9, 0x13, 0x57, 0x25, 0xB5, 0xE3,
0xBD, 0xA8, 0x3A, 0x01, 0x05, 0x59, 0x2A, 0x46
};
void SJ_Encrypt (
    const unsigned char *K,
    const unsigned char *P,
    unsigned char *C)
{
    register int i, k; /* could be unsigned char */
    unsigned char counter = 0;
    unsigned char temp[2];
    for (i = 0; i < 8; ++i)
        C[i] = P[i];
#ifdef DEBUG
    printf("%2d", counter);
    for (i = 0; i < 8; ++i)
        printf(" %2.2x", C[i]);
    printf("\n");
#endif
    k = 0;
    /* rounds 1..8: Rule A */
    do {
        ++counter;
        /* rotate the four 16-bit words */
        temp[0] = C[6];
        temp[1] = C[7];
        C[6] = C[4];
        C[7] = C[5];
        C[4] = C[2];
        C[5] = C[3];
        C[2] = C[0];
        C[3] = C[1];
        /* G permutation: four F-table steps, one key byte each */
        C[2] ^= F[C[3] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[3] ^= F[C[2] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[2] ^= F[C[3] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[3] ^= F[C[2] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[0] = temp[0] ^ C[2];
        C[1] = temp[1] ^ C[3] ^ counter;
#ifdef DEBUG
        printf("%2d", counter);
        for (i = 0; i < 8; ++i)
            printf(" %2.2x", C[i]);
        printf("\n");
#endif
    } while (counter < 8);
    /* rounds 9..16: Rule B */
    do {
        ++counter;
        temp[0] = C[6];
        temp[1] = C[7];
        C[6] = C[4];
        C[7] = C[5];
        C[4] = C[2];
        C[5] = C[3];
        C[2] = C[0];
        C[3] = C[1];
        C[4] ^= C[0];
        C[5] ^= C[1] ^ counter;
        C[2] ^= F[C[3] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[3] ^= F[C[2] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[2] ^= F[C[3] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[3] ^= F[C[2] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[0] = temp[0];
        C[1] = temp[1];
#ifdef DEBUG
        printf("%2d", counter);
        for (i = 0; i < 8; ++i)
            printf(" %2.2x", C[i]);
        printf("\n");
#endif
    } while (counter < 16);
    /* rounds 17..24: Rule A */
    do {
        ++counter;
        temp[0] = C[6];
        temp[1] = C[7];
        C[6] = C[4];
        C[7] = C[5];
        C[4] = C[2];
        C[5] = C[3];
        C[2] = C[0];
        C[3] = C[1];
        C[2] ^= F[C[3] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[3] ^= F[C[2] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[2] ^= F[C[3] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[3] ^= F[C[2] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[0] = temp[0] ^ C[2];
        C[1] = temp[1] ^ C[3] ^ counter;
#ifdef DEBUG
        printf("%2d", counter);
        for (i = 0; i < 8; ++i)
            printf(" %2.2x", C[i]);
        printf("\n");
#endif
    } while (counter < 24);
    /* rounds 25..32: Rule B */
    do {
        ++counter;
        temp[0] = C[6];
        temp[1] = C[7];
        C[6] = C[4];
        C[7] = C[5];
        C[4] = C[2];
        C[5] = C[3];
        C[2] = C[0];
        C[3] = C[1];
        C[4] ^= C[0];
        C[5] ^= C[1] ^ counter;
        C[2] ^= F[C[3] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[3] ^= F[C[2] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[2] ^= F[C[3] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[3] ^= F[C[2] ^ K[k]];
        if (++k >= SJ_Keysize) k = 0;
        C[0] = temp[0];
        C[1] = temp[1];
#ifdef DEBUG
        printf("%2d", counter);
        for (i = 0; i < 8; ++i)
            printf(" %2.2x", C[i]);
        printf("\n");
#endif
    } while (counter < 32);
}
void SJ_Decrypt (
    const unsigned char *K,
    const unsigned char *C,
    unsigned char *P)
{
    register int i, k; /* could be unsigned char */
    /* the last comment is WRONG, k has to be signed - Runu Knips */
    unsigned char counter = 32;
    unsigned char temp[2];
    for (i = 0; i < 8; ++i)
        P[i] = C[i];
    /* index of the last key byte used by encryption (32 rounds x 4 bytes) */
    k = 127 % SJ_Keysize /* + 1 */;
    /* rounds 32..25: inverse of Rule B */
    do {
#ifdef DEBUG
        printf("%2d", counter);
        for (i = 0; i < 8; ++i)
            printf(" %2.2x", P[i]);
        printf("\n");
#endif
        temp[0] = P[0];
        temp[1] = P[1];
        P[0] = P[2];
        P[1] = P[3];
        P[2] = P[4];
        P[3] = P[5];
        P[4] = P[6];
        P[5] = P[7];
        /* inverse G permutation: key bytes consumed in reverse order */
        P[1] ^= F[P[0] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[0] ^= F[P[1] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[1] ^= F[P[0] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[0] ^= F[P[1] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[2] ^= P[0];
        P[3] ^= P[1] ^ counter;
        P[6] = temp[0];
        P[7] = temp[1];
        --counter;
    } while (counter > 24);
    /* rounds 24..17: inverse of Rule A */
    do {
#ifdef DEBUG
        printf("%2d", counter);
        for (i = 0; i < 8; ++i)
            printf(" %2.2x", P[i]);
        printf("\n");
#endif
        temp[0] = P[0] ^ P[2];
        temp[1] = P[1] ^ P[3] ^ counter;
        P[0] = P[2];
        P[1] = P[3];
        P[2] = P[4];
        P[3] = P[5];
        P[4] = P[6];
        P[5] = P[7];
        P[1] ^= F[P[0] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[0] ^= F[P[1] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[1] ^= F[P[0] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[0] ^= F[P[1] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[6] = temp[0];
        P[7] = temp[1];
        --counter;
    } while (counter > 16);
    /* rounds 16..9: inverse of Rule B */
    do {
#ifdef DEBUG
        printf("%2d", counter);
        for (i = 0; i < 8; ++i)
            printf(" %2.2x", P[i]);
        printf("\n");
#endif
        temp[0] = P[0];
        temp[1] = P[1];
        P[0] = P[2];
        P[1] = P[3];
        P[2] = P[4];
        P[3] = P[5];
        P[4] = P[6];
        P[5] = P[7];
        P[1] ^= F[P[0] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[0] ^= F[P[1] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[1] ^= F[P[0] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[0] ^= F[P[1] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[2] ^= P[0];
        P[3] ^= P[1] ^ counter;
        P[6] = temp[0];
        P[7] = temp[1];
        --counter;
    } while (counter > 8);
    /* rounds 8..1: inverse of Rule A */
    do {
#ifdef DEBUG
        printf("%2d", counter);
        for (i = 0; i < 8; ++i)
            printf(" %2.2x", P[i]);
        printf("\n");
#endif
        temp[0] = P[0] ^ P[2];
        temp[1] = P[1] ^ P[3] ^ counter;
        P[0] = P[2];
        P[1] = P[3];
        P[2] = P[4];
        P[3] = P[5];
        P[4] = P[6];
        P[5] = P[7];
        P[1] ^= F[P[0] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[0] ^= F[P[1] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[1] ^= F[P[0] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[0] ^= F[P[1] ^ K[k]];
        if (--k < 0) k = SJ_Keysize - 1;
        P[6] = temp[0];
        P[7] = temp[1];
        --counter;
    } while (counter > 0);
#ifdef DEBUG
    printf("%2d", counter);
    for (i = 0; i < 8; ++i)
        printf(" %2.2x", P[i]);
    printf("\n");
#endif
}
int SJ_Selftest(void)
{
    register int i;
    unsigned char C[8], P2[8];
    static const unsigned char K[10] = {
        0x00, 0x99, 0x88, 0x77, 0x66,
        0x55, 0x44, 0x33, 0x22, 0x11
    };
    static const unsigned char P[8] = {
        0x33, 0x22, 0x11, 0x00,
        0xDD, 0xCC, 0xBB, 0xAA
    };
    static const unsigned char Cexp[8] = {
        0x25, 0x87, 0xCA, 0xE2,
        0x7A, 0x12, 0xD3, 0x00
    };
#ifdef DEBUG
    printf("K:");
    for (i = 0; i < 10; ++i)
        printf(" %2.2x", K[i]);
    printf("\n");
    printf("P:");
    for (i = 0; i < 8; ++i)
        printf(" %2.2x", P[i]);
    printf("\n");
#endif
    SJ_Encrypt( K, P, C );
#ifdef DEBUG
    printf("C:");
    for (i = 0; i < 8; ++i)
        printf(" %2.2x", C[i]);
    printf("\n");
    printf("E:");
    for (i = 0; i < 8; ++i)
        printf(" %2.2x", Cexp[i]);
    printf( "\n" );
    for (i = 0; i < 8; ++i)
        C[i] = Cexp[i];
#endif
    SJ_Decrypt(K, C, P2);
#ifdef DEBUG
    printf("R:");
    for (i = 0; i < 8; ++i)
        printf(" %2.2x", P2[i]);
    printf("\n");
#endif
    for (i = 0; i < 8; ++i)
        if (C[i] != Cexp[i] || P2[i] != P[i])
            return 0;
    return 1;
}
#ifdef TEST
/*
SKIPJACK test in Standard C
last edit: 25-Jan-1999 [EMAIL PROTECTED]
*/
#include <stdio.h>
#include <stdlib.h>
/*
Test program:
*/
int main(int argc, char *argv[])
{
    int ok;
    ok = SJ_Selftest();
    printf("SKIPJACK TEST: %s.\n", ok ? "Succeeded" : "Failed");
    return ok ? EXIT_SUCCESS : EXIT_FAILURE;
}
#endif
------------------------------
Date: Thu, 27 Jul 2000 13:05:53 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Little typo
Runu Knips wrote:
> Ian Dichkovsky wrote:
> >
> > Hi All!
> > I'm looking for free asymmetric program sources
> > (RSA, PGP, etc)
> > Please post in NG all known http, or ftp, where I could get it.
> > I'm searching third day. I'm tired >:-P.
>
> 3rd day ???? What damned ways are you using when searching ????
>
> www.gnupg.org
> www.pgpi.org
> www.openssl.org
>
> and that are only those why I know from memory ;-)
Argl... s/why/which/ of course...
------------------------------
From: "Ian Dichkovsky" <[EMAIL PROTECTED]>
Subject: Re: looking for asymmetric program sources
Date: Thu, 27 Jul 2000 14:29:45 -0700
> > I'm searching third day. I'm tired >:-P.
>
> 3rd day ???? What damned ways are you using when searching ????
altavista,northernlight,search,develop,excite
but i search "rsa source"
and i don't know that in the openssl archive are tools for working with RSA
> www.openssl.org
BIG THANKS!!!
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: HTTPS & SSL
Date: 27 Jul 2000 11:46:28 GMT
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> 1) If we visit one homepage[for example: index.html] which include
> some pictures. Do the browser will retrieve index.html through one
> socket and retrieve pictures through other sockets? If it does, how
> to retrieve pictures through SSL?
I think you need to understand the concept of an SSL `session'. The
first time a client contacts a server, they do some public key stuff to
negotiate a big shared secret. At this time, they also agree a name for
this session, which they can use later. Then they derive some session
keys from the big secret and start communicating.
Subsequently, the client can say `I want to use session FOO', and then
both ends look up the session's big secret and compute some new keys
from the secret. This is much faster than doing the public key stuff.
In the above case with the images, what happens is that the client opens
a connection for index.html, negotiates an SSL session, and starts
reading. When it notices an IMG tag, it opens a new connection as part
of the same SSL session and reads the image.
Note that the server is allowed to throw away the session information,
at which point the client has to go through all of the public key stuff
and start a new one.
> 2) If the connection from browser to server will be broken after
> we retrieve one page [for example:index.html] from web site? If it
> does, Do the SSL connect will need rebuild?
I think my wafflings about SSL sessions answer this. Either that or my
English parsing routines have failed.
> 3) How long the SSL connection will be timeout after connected ?
The underlying TCP connections are usually thrown away once the page has
been fetched. The SSL session might be thrown away by either side, and
I believe that the timeout for the session is implementation-specific.
The above is based on hazy recollections of the SSL 3.0 spec, but should
be enough to give a feel for what's going on underneath the covers. I
welcome corrections if I've got things muddled.
-- [mdw]
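The session behaviour described in this message can be observed locally with OpenSSL's test tools; this is an added example, not part of the original post. The port, file names and function names are assumptions, and TLS 1.2 with session tickets disabled stands in for the SSL 3.0 session-ID mechanism the post describes.

```shell
#!/bin/sh
# Added demo. Constructed setup: throwaway self-signed cert, a local
# openssl s_server, and an assumed-free port (override with PORT=...).
PORT=${PORT:-44330}
DIR=$(mktemp -d)

start_server() {
    openssl s_server -accept "$PORT" -cert "$DIR/cert.pem" -key "$DIR/key.pem" \
        -tls1_2 -no_ticket -www >/dev/null 2>&1 &
    SERVER_PID=$!
    for _try in 1 2 3 4 5 6 7 8 9 10; do      # wait until it accepts
        openssl s_client -connect "127.0.0.1:$PORT" </dev/null 2>/dev/null |
            grep -q CONNECTED && return 0
        sleep 1
    done
    return 1
}

stop_server() { { kill "$SERVER_PID"; wait "$SERVER_PID"; } 2>/dev/null || true; }

# One connection; $1 is -sess_out (save the session) or -sess_in (offer it).
# Prints "New" for a full handshake, "Reused" for a resumed session.
handshake_kind() {
    openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -no_ticket \
        "$1" "$DIR/session.pem" </dev/null 2>/dev/null |
        awk -F, '/^(New|Reused), /{print $1; exit}'
}

session_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$DIR/key.pem" -out "$DIR/cert.pem" 2>/dev/null || return 1
    start_server || return 1
    first=$(handshake_kind -sess_out)     # public-key handshake, session named
    second=$(handshake_kind -sess_in)     # new TCP connection, same session
    stop_server; start_server || return 1 # restarted server has no session cache
    third=$(handshake_kind -sess_in)      # client must do a full handshake again
    stop_server
    rm -rf "$DIR"
    echo "$first $second $third"
}
```

Calling session_demo prints one word per connection: the first and third are full handshakes, the second is resumed from the server's session cache.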
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Selecting cipher - which one to use?
Date: 27 Jul 2000 12:04:28 GMT
Mack <[EMAIL PROTECTED]> wrote:
> I would stay away from IDEA. It is patented.
I agree with this.
> 3-DES is used for most electronic commerce at the current time.
> Blowfish and Twofish are pretty good.
Twofish has acquired a lot of advocates already. I'm still not entirely
convinced by it yet. Blowfish is my usual recommendation for a block
cipher, however. Since Lucks' results against triple-DES, I think I
prefer Blowfish from a security point of view, but this might be
considered strange by most in the establishment.
> Square and Rijndael are also pretty good.
Square is blazingly fast, I'll admit. However, the recent-ish results
against Rijndael (Improved Cryptanalysis of Rijndael, by the `extended
Twofish team') make its security somewhat suspect, and I believe that
the attack can be carried over against Square fairly easily. Because of
this, I now recommend against using Square. I think that this is a shame,
because Square is a beautiful design, but I don't get to choose which
ciphers are secure and which aren't.
[I hope that someone will correct me if I'm wrong about the Rijndael
analysis applying to Square.]
> RC-5 and RC-6 are also patented. RC-5 is parameterized which makes it
> a good choice if you want to shell out cash. It is more popular than
> IDEA.
I think RC5 is also weaker than IDEA. I'm certainly unconvinced by it,
and I'm rather wary of RC6, which has a similar structure with some
extra goodies in it.
My recommendation is for Blowfish.
-- [mdw]
------------------------------
End of Cryptography-Digest Digest
******************************