Title: RE: Disabling for FIPS mode, take 2

On Friday, July 02, 2004 4:52 PM Dr. Stephen Henson wrote:

>> Two related patches I posted earlier are for a FIPS specific default
>> ciphersuite (ssl_ciph.c) and SHA1 instead of MD5 for PEM passphrases
>> (pem_lib.c).  Any additional feedback on those would also be greatly
>> appreciated; so far I've heard no objections to either.  If there is
>> a reason they can't be incorporated please let me know.
>>
>
>I hadn't seen the PEM patch before. IMHO there are problems with that
>approach.
>
>As it stands it simply changes the key derivation digest from MD5 to SHA1
>without any indication in the private key file that this is so. The result is
>that private keys generated in FIPS mode can't be accessed outside FIPS mode
>and vice-versa. I also suspect that the error produced by attempting to access
>keys from different modes is just a decrypt failure which is exactly the same
>as you get, for example, if the passphrase is incorrect.

You are right, a wrong algorithm is indistinguishable from a bad passphrase.
In my specific case I would be willing to live with that for OpenSSH as we
would convert all our keys in one fell swoop, but it is ugly.

>OpenSSL already supports various private key formats which only use FIPS
>approved algorithms, for example PKCS#8 with PKCS#5 v2.0. That means that one
>solution is to just change the behaviour of PEM_write_PrivateKey() and friends
>to call the PKCS#8 variants. The openssl pkcs8 utility can readily convert
>between the formats.
>
>The read version PEM_read_PrivateKey() automatically works out the format so
>it doesn't need to be changed.

So you're saying just have PEM_write_bio_PrivateKey drop through to
PEM_write_bio_PKCS8PrivateKey in FIPS mode?  That could work.  I suppose I
could do the same substitution at the application level as well, in lieu of
hacking OpenSSL.

I was able to convert OpenSSH PEM format keys to PKCS#8 easily enough using
openssl pkcs8, but how do I convert the PKCS#8 back to the original format?

>The second alternative is to modify the PEM headers to include a string saying
>that SHA1 is the digest algorithm used and to recognize this in both FIPS and
>non-FIPS modes.

Ok, I'll do a patch that uses MD5 as before for "Proc-Type: 4,ENCRYPTED" and
SHA1 for "Proc-Type: 4,ENCRYPTED,SHA1".  It looks like PEM_get_EVP_CIPHER_INFO
is going to need a third argument, though.  Will that be a problem?

Thanks very much for the feedback.  Any comments on the other two patches?

-Steve M.

Steve Marquess
DMLSS Technical Manager
JMLFDC, 623 Porter Street, Ft. Detrick, MD  21702
DSN 343-3933, COM 301-619-3933, FAX 301-619-7831
[EMAIL PROTECTED]

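An added worked example of the key derivation the thread is arguing about; it is not code from the message above, from OpenSSH or from OpenSSL. Traditional encrypted PEM ("Proc-Type: 4,ENCRYPTED" plus a "DEK-Info" line) derives the cipher key with EVP_BytesToKey: one iteration, the first 8 bytes of the DEK-Info IV as salt, and MD5 as the digest. The example parses those two header lines, selects the digest from the Proc-Type field following the ",SHA1" marker convention proposed above (an assumption of this example, not an OpenSSL-standard header), and derives key and IV with either digest. The PEM block, its placeholder body and the cipher table are constructed for the example; only the headers are read and no decryption is performed.

```python
"""Traditional PEM key derivation with a selectable digest (added example).

Not OpenSSL code.  The ",SHA1" Proc-Type marker follows the proposal in the
thread above and is an assumption of this example, not a standard header.
"""
import hashlib
import re

# Cipher name -> (key length, IV length) in bytes.  Constructed table covering
# the ciphers commonly seen in DEK-Info lines; extend as needed.
CIPHERS = {
    "DES-CBC": (8, 8),
    "DES-EDE3-CBC": (24, 8),
    "AES-128-CBC": (16, 16),
    "AES-256-CBC": (32, 16),
}

# Constructed sample: a legacy (MD5-derived) header and the proposed SHA1 one.
# The body is a placeholder and is never decoded here.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

UGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXku
-----END RSA PRIVATE KEY-----
"""
SHA1_PEM = LEGACY_PEM.replace("Proc-Type: 4,ENCRYPTED", "Proc-Type: 4,ENCRYPTED,SHA1")


def evp_bytes_to_key(passphrase, salt, key_len, digest="md5", count=1):
    """OpenSSL's EVP_BytesToKey: D_i = H(D_{i-1} || passphrase || salt),
    hashed `count` times per block; blocks are concatenated until key_len
    bytes are available.  Traditional PEM uses count=1 and an 8-byte salt."""
    out = b""
    prev = b""
    while len(out) < key_len:
        d = hashlib.new(digest, prev + passphrase + salt).digest()
        for _ in range(count - 1):
            d = hashlib.new(digest, d).digest()
        out += d
        prev = d
    return out[:key_len]


def parse_pem_headers(pem):
    """Return the Proc-Type and DEK-Info header values of an encrypted PEM block."""
    headers = {}
    for line in pem.splitlines():
        m = re.match(r"^(Proc-Type|DEK-Info):\s*(.+)$", line)
        if m:
            headers[m.group(1)] = m.group(2).strip()
    missing = {"Proc-Type", "DEK-Info"} - set(headers)
    if missing:
        raise ValueError("not an encrypted traditional PEM block, missing %s" % sorted(missing))
    return headers


def digest_for_proc_type(proc_type):
    """MD5 for the legacy '4,ENCRYPTED' value, SHA1 for the proposed
    '4,ENCRYPTED,SHA1'.  Anything else is rejected instead of guessed, so a
    header mismatch fails loudly rather than as a silent decrypt failure."""
    fields = [f.strip() for f in proc_type.split(",")]
    if fields[:2] != ["4", "ENCRYPTED"]:
        raise ValueError("unsupported Proc-Type: %r" % proc_type)
    if len(fields) == 2:
        return "md5"
    if fields[2:] == ["SHA1"]:
        return "sha1"
    raise ValueError("unknown KDF digest marker in Proc-Type: %r" % proc_type)


def derive_pem_key(pem, passphrase):
    """Return (digest, key, iv) that a reader of this PEM block would use."""
    h = parse_pem_headers(pem)
    cipher, iv_hex = (x.strip() for x in h["DEK-Info"].split(",", 1))
    if cipher not in CIPHERS:
        raise ValueError("unsupported cipher: %r" % cipher)
    key_len, iv_len = CIPHERS[cipher]
    iv = bytes.fromhex(iv_hex)
    if len(iv) != iv_len:
        raise ValueError("DEK-Info IV has %d bytes, expected %d" % (len(iv), iv_len))
    digest = digest_for_proc_type(h["Proc-Type"])
    # Salt is the first 8 bytes of the IV, as in PEM_do_header()/EVP_BytesToKey.
    key = evp_bytes_to_key(passphrase, iv[:8], key_len, digest)
    return digest, key, iv


def keys_differ_by_digest(pem, passphrase):
    """True when MD5 and SHA1 derivation of the same block give different keys:
    a key written under one digest cannot be opened under the other."""
    h = parse_pem_headers(pem)
    cipher, iv_hex = (x.strip() for x in h["DEK-Info"].split(",", 1))
    key_len = CIPHERS[cipher][0]
    salt = bytes.fromhex(iv_hex)[:8]
    return evp_bytes_to_key(passphrase, salt, key_len, "md5") != \
        evp_bytes_to_key(passphrase, salt, key_len, "sha1")


if __name__ == "__main__":
    for name, pem in (("legacy", LEGACY_PEM), ("sha1-marked", SHA1_PEM)):
        digest, key, iv = derive_pem_key(pem, b"correct horse")
        print(name, digest, key.hex(), iv.hex())
```

The mismatch case the thread describes is visible in the keys alone: the same passphrase and IV yield a different key under MD5 and SHA1, and a decryptor that picks the wrong one will only learn of it when the plaintext fails its padding or ASN.1 check, exactly as for a wrong passphrase. Carrying the digest in the header, as above, lets a reader refuse an unrecognized marker up front instead.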