RE: Command-line file encryption
Hello, Ok, it looks like these values are computed from the password... Is the algorithm for computing the key and IV from the password published ? PBKDF2 from PKCS#5 realized by EVP_BytesToKey() in OpenSSL. I don't remember exactly but there was some incompatibility with this standard ... Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL, Apache 2 and RSA key sizes
Charlie Lenahan wrote: George Adams wrote: [...] 2) Related to that, should I be worried that I'm generating a public/private keypair for my Apache2/mod_ssl server that's only 1024-bits? Do I even have the OPTION of having a larger/stronger key, or am I going to hit some weird compatibility problems with modern-day browsers? I think all CA's will only sign a request with a key size smaller than it's own key size. Most CA's should be at least 2048 if not higher. While I guess it is technically possible to sign a key which is bigger than the CA's key it is quite useless. Why should an attacker try to break your strong key if it is easier to break the CA's key and create a bogus certificate for his own key? I have never heard of modern-day browsers having problems with key sizes of 2048. For example CACert (http://www.cacert.org/) uses an RSA key of 4096 bits for its CA key and 2048 bits for the server cert. Hope it helps, Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 smime.p7s Description: S/MIME Cryptographic Signature
Re: large data read error
Hi Sendil I am not sure but I haven't seen any such limit of 5K in my usage of the OpenSSL.. OpenSSL record size is around 16K i remember. Can problem be with ur server of client code (not OpenSSL) where some buffer size is hardcoded to 5K and than return values are nto approapriately handled. Just a wild guess.. -Krishna Flextronics, India On 8/20/06, Sendil kumar [EMAIL PROTECTED] wrote: Hi, I've got some code that seems to work, except when the server responds with a 'large' amount of data. When the server sends 5000 bytes of data to the client ,the client was able to read it and every thing goes fine.But when the server passes more than 5000 bytes of data to the client,the client crashes and SSL_read() gives SSL_ERROR_SSL error but no data returned.I tried but couldn't find any solution. please give me any solution this seems to be a headdacke for me. Thanks, __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Wrapping SSL_read/SSL_write so they behave like read/write.
David can't understand Incorrect. The 'SSL_write' function is the function to send unencrypted data over the SSL link. It has nothing to do with the encrypted data the SSL engine wants to write to the socket. When we do SSL_write the i/p is unencrypted data and this gets send over the SSL link. I do agree the API as such is not encrpyting the data but it in turn calls the engine API to do the same and thus in a way it is doing encrpytion.. Please let me know what I am missing?.. thanks -Krishna On 8/21/06, David Schwartz [EMAIL PROTECTED] wrote: If you get SSL_ERROR_WANT_WRITE, even if you have no application data to send, the protocol itself requires data to be written Correct. -- so you need to call SSL_write(). Incorrect. The 'SSL_write' function is the function to send unencrypted data over the SSL link. It has nothing to do with the encrypted data the SSL engine wants to write to the socket. If you get SSL_ERROR_WANT_READ, even if you're writing application data, that means that the protocol itself is requiring data to be read from the peer, so you need to call SSL_read(). No. If the protocol itself needs to read data from the peer in order to write data, it will do so when you call SSL_write. The job of SSL_write is to do whatever is needed to encrypt and send the data you are writing, whether that means reading from the socket, writing to the socket, or both. Both situations can happen in either case. If you have no data to write, call it with a NULL buffer and a length of 0. No. Do not ever do that. If you have no data to write, do not call SSL_write. This is based on the most grievous misunderstanding of what the SSL_read and SSL_write functions do. They do *NOT* read from and write to the socket. They read from and write to the logical SSL connection. That may require reading from the socket, writing to the socket, or both in any combination, and your program should not make assumptions about which and when. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Wrapping SSL_read/SSL_write so they behave like read/write.
David can't understand Incorrect. The 'SSL_write' function is the function to send unencrypted data over the SSL link. It has nothing to do with the encrypted data the SSL engine wants to write to the socket. When we do SSL_write the i/p is unencrypted data and this gets send over the SSL link. It may or may not get sent immediately though. The SSL engine may need to receive something before it can send it. The point is, SSL_write takes plaintext. The SSL engine then does whatever it needs to do to get that to the other side, which might or might not involve writing to the socket right now. I do agree the API as such is not encrpyting the data but it in turn calls the engine API to do the same and thus in a way it is doing encrpytion.. Please let me know what I am missing?.. Let's go back. This is correct. If you get SSL_ERROR_WANT_WRITE, even if you have no application data to send, the protocol itself requires data to be written Correct. But this is incorrect: -- so you need to call SSL_write(). Because: Incorrect. The 'SSL_write' function is the function to send unencrypted data over the SSL link. It has nothing to do with the encrypted data the SSL engine wants to write to the socket. This is incorrect: If you get SSL_ERROR_WANT_READ, even if you're writing application data, that means that the protocol itself is requiring data to be read from the peer, so you need to call SSL_read(). Because: No. If the protocol itself needs to read data from the peer in order to write data, it will do so when you call SSL_write. The job of SSL_write is to do whatever is needed to encrypt and send the data you are writing, whether that means reading from the socket, writing to the socket, or both. Both situations can happen in either case. If you have no data to write, call it with a NULL buffer and a length of 0. This is incorrect: No. Do not ever do that. If you have no data to write, do not call SSL_write. Because: This is based on the most grievous misunderstanding of what the SSL_read and SSL_write functions do. They do *NOT* read from and write to the socket. They read from and write to the logical SSL connection. That may require reading from the socket, writing to the socket, or both in any combination, and your program should not make assumptions about which and when. I'm not sure how I can make it any clearer. You call SSL_read when you want to see if the SSL engine has any plaintext for you. It has nothing to do with receiving encrypted data from the socket, as far as the application is concerned. You call SSL_write when you want hand some plaintext to the SSL engine to get to the other side. A call to SSL_read might resulting in reading from the socket, writing to the socket, neither, or both. A call to SSL_write might result in writing to the socket, reading from the socket, neither, or both. It is a serious mistake to try to teach your application SSL. Let the SSL engine do that. If the SSL engine returns 'WANT_READ' that means it could not complete the operation you attempted without blocking because it needs to read some data from the other side. The operation could be an SSL_read or an SSL_write, it doesn't matter, that's the operation that couldn't complete. This doesn't mean you should call SSL_read -- you should call SSL_read if you want to read *plaintext*. WANT_READ means it wants to read more protocol or encrypted stuff. Similarly, if you call SSL_read and get a WANT_WRITE indication, this means the SSL engine needs to write to the socket before it can give you any more plaintext. This means you should 'select' for writability and then retry the operation by calling SSL_read again. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
[NEWBIE] trying to convert DER file to PEM one
Dear OpenSLL users, first of all, let me point out that I'm a total newbie in the area of encryption. So maybe, my question could sound stupid ... I'm using OpenSSL 0.9.8a-7build1 on Kubuntu Dapper. And i just would like to create a PEM certificat file with two DER encrypted file(i need to do that for my wifi setup). Before all, i've verified that i can read this file with the following command: openssl x509 -inform DER -in FILE.cer -noout -text Then i've tried the following command(to convert the file): openssl rsa -inform DER -outform PEM -in FILE.cer -out FILE.pem And i get the following result: unable to load Private Key 8211:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282: 8211:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:824: 8211:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:743:Field=version, Type=RSA 8211:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:99: I've tried this command too: openssl rsa -in FILE.cer -outform PEM -out FILE.pem And get the following error: unable to load Private Key 5527:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY Does it means that i need a private key to do it?? Is there someone who can help me?? Thanks in advance for your comments and best regards, Arnaud __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [NEWBIE] trying to convert DER file to PEM one
tizon wrote: Dear OpenSLL users, first of all, let me point out that I'm a total newbie in the area of encryption. So maybe, my question could sound stupid ... I'm using OpenSSL 0.9.8a-7build1 on Kubuntu Dapper. And i just would like to create a PEM certificat file with two DER encrypted file(i need to do that for my wifi setup). Before all, i've verified that i can read this file with the following command: openssl x509 -inform DER -in FILE.cer -noout -text Then i've tried the following command(to convert the file): openssl rsa -inform DER -outform PEM -in FILE.cer -out FILE.pem [...] Try using openssl x509 -inform DER -outform PEM -in FILE.cer -out FILE.pem (not openssl rsa ...) to convert the file. See http://www.openssl.org/docs/apps/x509.html Hope it helps. Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 smime.p7s Description: S/MIME Cryptographic Signature
How to use Open SSL Toolkit
I am new to OpenSSL and I needed information on how to begin using the toolkit. I need to programmatically create a certificate which I can then use to encrypt using SSL. Thank you for your help. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to use Open SSL Toolkit
Your best bet would be to Google for OpenSSL and "sample code". Also check out the OpenSSL book published by O'Reilly.Fatima Corona [EMAIL PROTECTED] wrote: I am new to OpenSSL and I needed information on how to begin using thetoolkit. I need to programmatically create a certificate which I can thenuse to encrypt using SSL.Thank you for your help.__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] All-new Yahoo! Mail - Fire up a more powerful email and get things done faster.
Re: How to use Open SSL Toolkit
Fatima Corona wrote: I am new to OpenSSL and I needed information on how to begin using the toolkit. I need to programmatically create a certificate which I can then use to encrypt using SSL. Have you tried googling for openssl tutorial? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Command-line file encryption
Thanks for the reply. So what you are saying is that if I encrypt a file with a password according to my interpretation of PKCS#5/PBKDF2, then it might not decrypt properly (with the same password) using the command-line openssl function? R. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola Sent: Wednesday, August 23, 2006 11:53 PM To: openssl-users@openssl.org Subject: RE: Command-line file encryption Hello, Ok, it looks like these values are computed from the password... Is the algorithm for computing the key and IV from the password published ? PBKDF2 from PKCS#5 realized by EVP_BytesToKey() in OpenSSL. I don't remember exactly but there was some incompatibility with this standard ... Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
BIO Filters
All - I'm a little confused with the following example while working with BIO's. I'm trying base 64 encode a buffer using BIO_f_base64 with the following example. char *message = Hello World; b64 = BIO_new( BIO_f_base64( ) ); bio = BIO_new_fp( stdout, BIO_NOCLOSE ); bio = BIO_push( b64, bio ); BIO_write( bio, buffer, length ); BIO_flush( bio ); Ok great this works fine, but Im confused why you write to the bio if it's on the end of the chain (b64-bio) where the bio is the stdout. I would think it should look more like the following... bio = BIO_push( b64, bio); ... BIO_write( b64, buffer, length ); And the chain would look something like (b64-bio) where you write to the encoder and it writes to stdout? If someone could clear this up it would be great as I'm a little confused. -- Chris Johnson [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Blowfish encrypt and decrypt
Hello, i have a problem with the Blowfish algorithm. When i encrypt a long message i get the following error when i try to decrypt the message: 4156:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:.\crypto\evp\evp_enc.c:454: The message length is form 10 to 450 (or more) characters. The funny thing is even though i hash the key with MD5 the length of the message i can decrypt seems to depend on the key i choose to hash and further more it looks like it depend on the content of the message itself as well. The message contains only characters. I use OpenSSL 0.9.8b on Windows XP with Visual Studio 2005. Any help will be appreciated. And here is the code i use for encryption and decryption: #include iostream #include string #include openssl/evp.h #include openssl/err.h #include openssl/bio.h #include openssl/applink.c #pragma comment(lib, libeay32.lib) using namespace std; void hashtheKey (char* key, char* output) { OpenSSL_add_all_digests(); BIO *bio_err = BIO_new_fp(stdout, BIO_NOCLOSE); EVP_MD_CTX mdctx; const EVP_MD *md; unsigned char md_value[EVP_MAX_MD_SIZE]; int md_len; unsigned char iv[] = {0,1,2,3,4,5,6,7}; //Hash the Key md = EVP_get_digestbyname(md5); if(!md) { cout Unknown message digest endl; exit(1); } string hash; EVP_MD_CTX_init(mdctx); EVP_DigestInit_ex(mdctx, md, NULL); EVP_DigestUpdate(mdctx, key, strlen(key)); EVP_DigestFinal_ex(mdctx, md_value, (unsigned int *)md_len); EVP_MD_CTX_cleanup(mdctx); for (int i = 0; i md_len; i++) hash += md_value[i]; strcpy(output, hash.c_str()); } int blowencrypt (char* key, char* input, char* output) { ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); BIO *bio_err = BIO_new_fp(stdout, BIO_NOCLOSE); int outlen = 0, tmplen = 0; unsigned char iv[] = {0,1,2,3,4,5,6,7}; char* hash = new char[EVP_MAX_MD_SIZE]; hashtheKey(key, hash); cout Hashed key: hash endl; //Encrypt the message char *encodebuffer = new char[strlen(input) + EVP_MAX_BLOCK_LENGTH - 1]; EVP_CIPHER_CTX ctx; EVP_CIPHER_CTX_init(ctx); EVP_EncryptInit_ex(ctx, EVP_bf_cbc(), NULL, (const unsigned char*)hash, iv); if(!EVP_EncryptUpdate(ctx, (unsigned char*)encodebuffer, outlen, (const unsigned char*)input, strlen(input))) { ERR_print_errors(bio_err); BIO_free_all(bio_err); } tmplen += outlen; if(!EVP_EncryptFinal(ctx, (unsigned char*)encodebuffer + tmplen, outlen)) { ERR_print_errors(bio_err); BIO_free_all(bio_err); } tmplen += outlen; string chipher; for (int i = 0; i tmplen; i++) chipher += encodebuffer[i]; EVP_CIPHER_CTX_cleanup(ctx); strcpy(output, chipher.c_str()); return tmplen; } void blowdecrypt (char* key, char* input, int len, char* output) { ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); BIO *bio_err = BIO_new_fp(stdout, BIO_NOCLOSE); EVP_CIPHER_CTX ctx; int outlen = 0, tmplen = 0; unsigned char iv[] = {0,1,2,3,4,5,6,7}; char *hash = new char[EVP_MAX_MD_SIZE]; hashtheKey(key, hash); cout Hashed key: hash endl; char *decodebuffer = new char[len + EVP_MAX_BLOCK_LENGTH]; EVP_CIPHER_CTX_init(ctx); EVP_DecryptInit_ex(ctx, EVP_bf_cbc(), NULL, (const unsigned char*)hash, iv); if(!EVP_DecryptUpdate(ctx, (unsigned char*)decodebuffer, outlen, (const unsigned char*)input, len)) { ERR_print_errors(bio_err); BIO_free_all(bio_err); } tmplen = outlen; if(!EVP_DecryptFinal_ex(ctx, (unsigned char*)decodebuffer , outlen)) { ERR_print_errors(bio_err); BIO_free_all(bio_err); } tmplen += outlen; EVP_CIPHER_CTX_cleanup(ctx); string plain; for (int i = 0; i tmplen; i++) plain += decodebuffer[i]; strcpy(output, plain.c_str()); } int main() { //char *message = This is a secret.This is a secret.This is a secret.This is a secret.This is a secret.\ This is a secret.This is a secret.This is a secret.This is a secret.This is a secret.\ This is a secret.This is a secret.This is a secret.This is a secret.This is a secret.\ This is a secret.This is a secret.This is a secret.This is a secret.This is a secret.\ This is a secret.This is a secret.This is a secret.This is a secret.This is a secret.\