Re: Creating AES Key for encryption in server side and share the key

2011-09-12 Thread Jakob Bohm

On 9/9/2011 10:13 PM, krishnamurthy santhanam wrote:

I am implementing SSL on the server side to authenticate the client
certificate (X.509), and the client will also authenticate the server's
certificate (X.509). Once the mutual authentication has completed, the server has
to generate an AES key for encryption and decryption.

 On the server side I am creating a 256-bit AES key for encrypting the
plaintext, using C programming with OpenSSL.
 unsigned char key32[32], iv[16]; /* 256-bit key; iv must also be filled before AES_cbc_encrypt */
 AES_KEY aeskey;
 if (RAND_bytes(key32, sizeof(key32)) != 1) /* <openssl/rand.h>; returns 1 on success */
 return -1; /* RNG failure: never encrypt with an uninitialised key */
 AES_set_encrypt_key(key32, 32*8, &aeskey); /* <openssl/aes.h>; takes a pointer to the AES_KEY */
 AES_cbc_encrypt(inbuf, outbuf, 16, &aeskey, iv, AES_ENCRYPT);

 I have to decrypt the same message on the client side. On the client side I am
using Java.
 1. How can I send this AES key to the Java client? or
 2. How can I derive a common AES key on both sides?
 3. Can I use Password Based Encryption to derive the common keys for
both sides (Java and C)?

Thanks,
Krish


The normal way to do this is:

1. On the side running openssl, just let openssl handle the entire process,
including any AES (or other negotiated algorithm) encryption in both
directions with all the required precautions about key reuse etc.
If you insist on at least 256 bit AES, set options in openssl parameters to
only accept ciphersuites with strong enough ciphers.

2. On the side running Java, just let the standard SSL classes in Java (I
forgot their names, see the JDK docs) handle the entire process in the same
way.  If you insist on at least 256 bit AES, set options in java SSL class
parameters to only accept ciphersuites with strong enough ciphers, or if that
is not possible, check the ciphersuite chosen after handshake and abort if
not strong enough for your purpose.

If on the other hand you are using an already encrypted and authenticated
SSL channel to exchange encryption keys for some other use outside the SSL
protocol, you need to know *A LOT* about security and cryptography to avoid
making an insecure system.

Once you know all that (which is very little about APIs and very much about
the tricky ways such a system might be attacked), design the details
(language and API independent) of how you will generate, use and protect your
extra encryption keys.  Then send your detailed protocol design (under NDA if
applicable) to one or more highly experienced professional cryptographers for
review.  You will probably have to pay them (I did for my design and the
response resulted in minor tweaks to my design before release).  The whole
learning and designing process took me 3 to 10 years depending on how much
I include in the process.

After all this (very necessary!) learning, design and review work, finding
the right APIs to implement your protocol steps in various libraries should
be trivial.  (It ended up being mostly a matter of looking stuff up
in the low level documentation and comparing function descriptions with my
acquired knowledge of cryptographic security).



__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
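The reply above recommends leaving key agreement to TLS itself and, where the library cannot be told to offer only strong suites, checking the negotiated suite after the handshake and aborting otherwise. The block below is an added example written for this page, not code from the thread; Python's ssl module stands in for the OpenSSL C API (set_ciphers() corresponds to SSL_CTX_set_cipher_list(), sock.cipher() to SSL_get_cipher_name()), and cipher_is_acceptable() is the post-handshake check in a form that also accepts the IANA-style suite names a Java SSLSession reports. The cipher string and the certificate paths are assumptions for the example.

```python
"""Let TLS carry the session key and pin the cipher suite, as the reply above
recommends, instead of shipping a hand-made AES key over the channel.

Added example for this page, not code from the thread.  Python's ssl module
stands in for the OpenSSL C API: set_ciphers() is SSL_CTX_set_cipher_list(),
sock.cipher() is SSL_get_cipher_name().  CIPHER_STRING and the certificate
paths are assumptions for this example.
"""
import re
import ssl

# OpenSSL cipher-string syntax: ECDHE key exchange with 256-bit AES, and no
# anonymous suites (the ECDHE alias alone would still admit AECDH).
CIPHER_STRING = "ECDHE+AES256:!aNULL"


def cipher_is_acceptable(name):
    """Post-handshake policy check on a negotiated suite name.

    Accepts OpenSSL names ("ECDHE-RSA-AES256-GCM-SHA384"), the TLS 1.3 names
    ("TLS_AES_256_GCM_SHA384") and the IANA names the Java side reports
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384").  Passes only AES-256 suites
    with an ephemeral (EC)DHE key exchange, so static-RSA or static-ECDH
    suites that also use AES-256 are rejected.
    """
    n = name.upper().replace("_", "-")
    if not re.search(r"AES-?256", n):
        return False
    if n.startswith("TLS-AES-256-"):          # TLS 1.3: key exchange is always (EC)DHE
        return True
    return n.startswith(("ECDHE-", "DHE-", "TLS-ECDHE-", "TLS-DHE-"))


def restricted_context():
    """Client context that offers only suites the policy allows (mutual auth as in the post)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_STRING)
    # Placeholders: CA bundle to verify the server, and the client's own cert
    # and key for the server to verify.  Uncomment with real paths.
    # ctx.load_verify_locations("ca.pem")
    # ctx.load_cert_chain("client-cert.pem", "client-key.pem")
    return ctx


def offered_suites_violating_policy(ctx):
    """TLS 1.2 suites the context would still offer that fail the check.

    set_ciphers() does not govern TLS 1.3 suites (get_ciphers() lists them
    too), which is one reason the post-handshake check stays in place.
    """
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and not cipher_is_acceptable(c["name"])]


def enforce_after_handshake(sock):
    """Abort the connection if the negotiated suite is not strong enough."""
    name, _protocol, _bits = sock.cipher()
    if not cipher_is_acceptable(name):
        sock.close()
        raise ssl.SSLError("cipher suite %s rejected by policy" % name)
    return name
```

Call enforce_after_handshake() on the SSLSocket right after wrap_socket()/do_handshake() and before sending application data; on the Java side the equivalent check is the same function applied to the string from SSLSession.getCipherSuite().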


How to link user application with FIPS-2

2011-09-12 Thread Jiri Hladky
Hello,

I would like to use CTR DRBG random number generator. It's part of
the FIPS-2.

I have downloaded the CVS tree and found fips_rand.h which defines functions
I would like to use:

FIPS_drbg_init
FIPS_drbg_instantiate
FIPS_drbg_generate
FIPS_drbg_reseed

However, I'm not able to link these functions with my application. I have
compiled openssl using sources from CVS

./config
make
make check
make install

but in the installation directory I'm missing
fips_rand.h
I have also checked the functions that are available in the openssl library, but the
functions above are missing there.

Can you please give me a hint on how to compile FIPS-2 and link it with my
application?

Thanks a lot!
Jiri


test vectors for CTR DRBG

2011-09-12 Thread Jiri Hladky
Hello,

I'm looking for the test vectors for the CTR DRBG random number generator. I got
test vectors from

 http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgtestvectors.zip

which contains the CTR_DRBG.rsp file. However, I'm looking for the following
scenario, which is not covered right now:

[AES-128 no df]
[PredictionResistance = False]
[EntropyInputLen = 256]
[NonceLen = 0]
[PersonalizationStringLen = 0]
[AdditionalInputLen = 0]

Can anybody please provide such testing vectors?

Thanks a lot!
Jiri
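The .rsp file named above is plain text (bracketed scenario headers, then COUNT = n blocks of hex fields), so the first step in a search like this is to index which parameter combinations the file actually covers. The block below is an added example, not code from the thread or from NIST: it parses that layout, looks up a scenario by header parameters, and cross-checks each hex field against the bit length its header declares. SAMPLE_RSP is constructed for the example (its hex values are not real CAVP vectors, and the second group's Nonce is deliberately shorter than declared so the length check has something to report).

```python
"""Index a NIST CAVP DRBG .rsp file by scenario header and sanity-check it.
Added example for this page, not code from the thread or from NIST.  SAMPLE_RSP
is constructed: not real CAVP vectors, and the second Nonce is deliberately short."""

SAMPLE_RSP = """\
# constructed sample in CAVP .rsp layout, not real NIST test vectors
[AES-128 no df]
[PredictionResistance = False]
[EntropyInputLen = 256]
[NonceLen = 0]
[PersonalizationStringLen = 128]
[AdditionalInputLen = 0]
[ReturnedBitsLen = 128]

COUNT = 0
EntropyInput = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
Nonce =
PersonalizationString = 202122232425262728292a2b2c2d2e2f
AdditionalInput =
EntropyInputReseed = 303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
AdditionalInputReseed =
AdditionalInput =
ReturnedBits = 505152535455565758595a5b5c5d5e5f

[AES-128 use df]
[PredictionResistance = False]
[EntropyInputLen = 128]
[NonceLen = 64]
[PersonalizationStringLen = 0]
[AdditionalInputLen = 0]
[ReturnedBitsLen = 128]

COUNT = 0
EntropyInput = c0c1c2c3c4c5c6c7c8c9cacbcccdcecf
Nonce = d0d1d2d3
PersonalizationString =
AdditionalInput =
EntropyInputReseed = e0e1e2e3e4e5e6e7e8e9eaebecedeeef
AdditionalInputReseed =
AdditionalInput =
ReturnedBits = f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
"""

def _convert(value):
    """Header values: 'True'/'False' become bool, bit lengths become int."""
    if value in ("True", "False"):
        return value == "True"
    return int(value) if value.isdigit() else value

def parse_rsp(text):
    """[(header_params, [case, ...]), ...] in file order; repeated keys in a case
    (AdditionalInput appears once per generate call) are kept as lists."""
    groups, params, cases, case = [], None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1].strip()
            if "=" not in body:                 # "[AES-128 no df]" opens a new scenario
                if case is not None:
                    cases.append(case)
                if params is not None:
                    groups.append((params, cases))
                params, cases, case = {"mode": body}, [], None
            elif params is not None:
                key, value = (s.strip() for s in body.split("=", 1))
                params[key] = _convert(value)
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key == "COUNT":
            if case is not None:
                cases.append(case)
            case = {"COUNT": int(value)}
        elif case is not None:
            case.setdefault(key, []).append(value)
    if case is not None:
        cases.append(case)
    if params is not None:
        groups.append((params, cases))
    return groups

def find_scenario(groups, **wanted):
    """Groups whose header matches every parameter given, e.g. EntropyInputLen=256."""
    return [(p, c) for p, c in groups if all(p.get(k) == v for k, v in wanted.items())]

LENGTH_FIELDS = {"EntropyInput": "EntropyInputLen", "EntropyInputReseed": "EntropyInputLen",
                 "Nonce": "NonceLen", "PersonalizationString": "PersonalizationStringLen",
                 "AdditionalInput": "AdditionalInputLen",
                 "AdditionalInputReseed": "AdditionalInputLen", "ReturnedBits": "ReturnedBitsLen"}

def length_mismatches(params, cases):
    """(COUNT, field, actual_bits, declared_bits) wherever a hex field disagrees with
    the group header; an empty list means the vectors are internally consistent."""
    bad = []
    for case in cases:
        for field, len_key in LENGTH_FIELDS.items():
            for hexval in case.get(field, []):
                if len_key in params and len(hexval) * 4 != params[len_key]:
                    bad.append((case["COUNT"], field, len(hexval) * 4, params[len_key]))
    return bad
```

Running find_scenario() over the real CTR_DRBG.rsp with the six parameters listed in the post answers the "is it covered" question directly, and length_mismatches() catches the usual copy-and-paste damage (a truncated hex line, a header edited without its vectors) before a DRBG implementation is blamed for a bad comparison.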


Re: How to link user application with FIPS-2

2011-09-12 Thread Steve Marquess
On 09/12/2011 05:27 AM, Jiri Hladky wrote:
 Hello,

 I would like to use CTR DRBG random number generator. It's part of
 the FIPS-2.

 I have downloaded the CVS tree and found fips_rand.h which defines
 functions I would like to use:

 FIPS_drbg_init
 FIPS_drbg_instantiate
 FIPS_drbg_generate
 FIPS_drbg_reseed

 However, I'm not able to link these functions with my application. I
 have compiled openssl using sources from CVS 

 ./config
 make
 make check
 make install

 but in the installation directory I'm missing
 fips_rand.h
 I have also checked the functions that are available in the openssl library
 but the functions above are missing there.

 Can you please give me a hint on how to compile FIPS-2 and link it with
 my application?

 Thanks a lot!
 Jiri

I assume that by FIPS-2 you mean the OpenSSL FIPS Object Module 2.0
that is now in the middle of the FIPS 140-2 validation process.

Are you sure you really want to try calling FIPS_*() functions
directly?  That's not an intended use of the FIPS module.  It is
designed for use via the standard API of a FIPS capable OpenSSL.

As for building, see
http://www.mail-archive.com/openssl-dev@openssl.org/msg29421.html.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com



id-RSASSA-PSS question

2011-09-12 Thread Stef Hoeben
Hi,

we have an SOD (a CMS for e-passports and e-ID cards) file that we can read
out and verify nicely if the signature algo is RSA_PKCS1_PADDING.

But if the algo is RSA_PKCS1_PSS_PADDING (see the attached txt for an ASN.1 dump),
the verification fails.
Below is a part of the stack trace; it looks like openssl still thinks
the algorithm is RSA_PKCS1_PADDING instead of RSA_PKCS1_PSS_PADDING:

CMS_verify() {
  cms_signerinfo_verify() {
    EVP_DigestVerifyInit() {
      do_sigver_init() {
        EVP_PKEY_CTX_set_signature_md() {
          ...
          pkey_rsa_ctrl() {
            // type == EVP_PKEY_CTRL_DIGESTINIT

    EVP_DigestVerifyFinal() {
      ...
      pkey_rsa_verify(EVP_PKEY_CTX *ctx, ...) {
        RSA_PKEY_CTX *rctx = ctx->data;
        // rctx->pad_mode == RSA_PKCS1_PADDING (???)
        // and EVP_MD_type(rctx->md) = NID_sha256  (OK)

Does anyone know if the problem is with the encoding of the signature algo
in the file, or with openssl itself?

Thanks!
Stef

   0  119: [APPLICATION 23] {
   4   48:   SEQUENCE {
   8    6:     OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
  19  160:     [0] {
  23   48:       SEQUENCE {
  27    2:         INTEGER 3
  30   49:         SET {
  32   48:           SEQUENCE {
  34    6:             OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
         :             }
         :           }
  45   48:         SEQUENCE {
  48    6:           OBJECT IDENTIFIER '2 23 136 1 1 1'
  56  160:           [0] {
  59    4:             OCTET STRING, encapsulates {
  62   48:               SEQUENCE {
  65    2:                 INTEGER 0
  68   48:                 SEQUENCE {
  70    6:                   OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
         :                   }
  81   48:                 SEQUENCE {
  83   48:                   SEQUENCE {
  85    2:                     INTEGER 1
  88    4:                     OCTET STRING
         :                       2C 51 36 2F 0B 0D DC 58 C1 67 FB EC AE B3 6B EC
         :                       51 DA 1C FC 97 23 4A 72 9E AB 2C AE 89 F8 C5 2B   (hash 0x01)
         :                     }
 122   48:                   SEQUENCE {
 124    2:                     INTEGER 13
 127    4:                     OCTET STRING
         :                       BF 2C 0F 06 DB DB D5 F9 0C C7 8E CB 76 02 5C 9D
         :                       D1 04 F1 C0 21 D2 57 4F 57 1B 66 F1 15 43 0F 5E   (hash 0x13)
         :                     }
 161   48:                   SEQUENCE {
 163    2:                     INTEGER 11
 166    4:                     OCTET STRING
         :                       9D 83 2F 80 A0 82 D0 29 F3 64 0F 2F 62 78 6F AF
         :                       89 2E 1A 6F 4A FA F0 AE 29 42 5E 51 C4 AC B2 62   (hash 0x11)
         :                     }
         :                   }
         :                 }
         :               }
         :             }
         :           }
 200   49:         SET {
 204   48:           SEQUENCE {
 208    2:             INTEGER 1
 211  128:             [0]   SubjectKeyIdentifier
         :               2D B6 81 D6 A3 72 D3 A2 27 53 03 E3 F2 90 33 36
         :               2C C7 00 9D
 233   48:             SEQUENCE {
 235    6:               OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
         :               }
 246  160:             [0] {
 248   48:               SEQUENCE {
 250    6:                 OBJECT IDENTIFIER contentType (1 2 840 113549 1 9 3)
 261   49:                 SET {
 263    6:                   OBJECT IDENTIFIER '2 23 136 1 1 1'
         :                   }
         :                 }
 271   48:               SEQUENCE {
 273    6:                 OBJECT IDENTIFIER messageDigest (1 2 840 113549 1 9 4)
 284   49:                 SET {
 286    4:                   OCTET STRING
         :                     43 D2 E0 C5 3C ED DF F9 3A D9 1B 26 72 D1 16 90
         :                     F5 3B 26 04 86 F0 7F 05 0A CB 6A 25 D8 2A 7B C3   (hash over the eContent)
         :                   }
         :                 }
         :               }
 320   48:             SEQUENCE {
 322    6:               OBJECT IDENTIFIER '1 2 840 113549 1 1 10' (id-RSASSA-PSS)
 333   48:               SEQUENCE {
 335  160:                 [0] {
 337   48:                   SEQUENCE {
 339    6:                     OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
         :                     }
         :                   }
 350  161:                 [1] {
 352   48:                   SEQUENCE {
 354    6:                     OBJECT IDENTIFIER '1 2 840 113549 1 1 8' (id-mgf1)
 365   48:                     SEQUENCE {
 367    6:                       OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
         :                       }
         :
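The question above is whether the file's signatureAlgorithm encoding or the verifier is at fault, and the first half can be settled without OpenSSL by decoding the AlgorithmIdentifier directly. The block below is an added example written for this page, not code from the thread or from OpenSSL: a minimal DER reader that reports whether the algorithm is PKCS#1 v1.5 or id-RSASSA-PSS and, for PSS, extracts hashAlgorithm, maskGenAlgorithm, saltLength and trailerField with the RFC 4055 defaults applied to any field that is absent. The DER byte strings are constructed by hand to mirror the structure in the dump (SHA-256 with MGF1 over SHA-256); the saltLength of 32 is an assumption, since the dump is truncated before that field.

```python
"""Decode a CMS/X.509 signature AlgorithmIdentifier and report its padding.

Added example for this page; not code from the thread or from OpenSSL.
The DER byte strings are constructed by hand to mirror the dump above; the
saltLength of 32 is an assumption (the dump is truncated before it).
"""

OID_NAMES = {
    "1.2.840.113549.1.1.10": "id-RSASSA-PSS",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.8": "id-mgf1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "1.3.14.3.2.26": "sha1",
}

# signatureAlgorithm as in the dump: id-RSASSA-PSS with explicit [0] hash,
# [1] MGF and [2] salt length; [3] trailerField is left to its default.
PSS_SIG_ALG = bytes.fromhex(
    "303d" "06092a864886f70d01010a" "3030"
    "a00d" "300b" "0609608648016503040201"
    "a11a" "3018" "06092a864886f70d010108" "300b" "0609608648016503040201"
    "a203" "020120")
# sha256WithRSAEncryption with NULL parameters: the PKCS#1 v1.5 case that verifies.
PKCS1_SIG_ALG = bytes.fromhex("300d" "06092a864886f70d01010b" "0500")


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def decode_oid(value):
    """Dotted form of a DER OBJECT IDENTIFIER value (base-128 arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def algorithm_name(alg_id_value):
    """Name of the OID inside an AlgorithmIdentifier SEQUENCE's value bytes."""
    tag, oid = next(children(alg_id_value))
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    dotted = decode_oid(oid)
    return OID_NAMES.get(dotted, dotted)


def parse_signature_algorithm(der):
    """Return the padding scheme and, for RSASSA-PSS, its parameters."""
    tag, seq, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    parts = list(children(seq))
    dotted = decode_oid(parts[0][1])
    name = OID_NAMES.get(dotted, dotted)
    if name != "id-RSASSA-PSS":
        return {"padding": "PKCS1-v1_5", "algorithm": name}
    # RSASSA-PSS-params (RFC 4055 s.3.1): all four fields are EXPLICIT and
    # optional, so start from the defaults and overwrite what is present.
    info = {"padding": "PSS", "hash": "sha1", "mgf": "id-mgf1",
            "mgf_hash": "sha1", "salt_length": 20, "trailer_field": 1}
    for tag, value in (children(parts[1][1]) if len(parts) > 1 else ()):
        _inner_tag, inner = next(children(value))   # strip the explicit [n] wrapper
        if tag == 0xA0:
            info["hash"] = algorithm_name(inner)
        elif tag == 0xA1:
            mgf_oid, mgf_params = list(children(inner))[:2]
            mgf_dotted = decode_oid(mgf_oid[1])
            info["mgf"] = OID_NAMES.get(mgf_dotted, mgf_dotted)
            info["mgf_hash"] = algorithm_name(mgf_params[1])
        elif tag == 0xA2:
            info["salt_length"] = int.from_bytes(inner, "big")
        elif tag == 0xA3:
            info["trailer_field"] = int.from_bytes(inner, "big")
    return info


if __name__ == "__main__":
    print(parse_signature_algorithm(PKCS1_SIG_ALG))
    print(parse_signature_algorithm(PSS_SIG_ALG))
```

Feed it the 0x30 element at offset 320 of the real DER and the result tells you what the file claims; if it reports PSS with the expected hash and MGF, the encoding is fine and the verifier is what has to change.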

Re: id-RSASSA-PSS question

2011-09-12 Thread Dr. Stephen Henson
On Mon, Sep 12, 2011, Stef Hoeben wrote:

 Hi,
 
 we have an SOD (a CMS for e-passports and e-ID cards) file that we can read
 out and verify nicely if the signature algo is RSA_PKCS1_PADDING.
 
 But if the algo is RSA_PKCS1_PSS_PADDING (see the attached txt for an ASN.1 dump),
 the verification fails.
 Below is a part of the stack trace; it looks like openssl still thinks
 the algorithm is RSA_PKCS1_PADDING instead of RSA_PKCS1_PSS_PADDING:
 
 CMS_verify() {
   cms_signerinfo_verify() {
     EVP_DigestVerifyInit() {
       do_sigver_init() {
         EVP_PKEY_CTX_set_signature_md() {
           ...
           pkey_rsa_ctrl() {
             // type == EVP_PKEY_CTRL_DIGESTINIT
 
     EVP_DigestVerifyFinal() {
       ...
       pkey_rsa_verify(EVP_PKEY_CTX *ctx, ...) {
         RSA_PKEY_CTX *rctx = ctx->data;
         // rctx->pad_mode == RSA_PKCS1_PADDING (???)
         // and EVP_MD_type(rctx->md) = NID_sha256  (OK)
 
 Does anyone know if the problem is with the encoding of the signature algo
 in the file, or with openssl itself?
 

OpenSSL HEAD only supports PSS and only for certificates, not CMS. 

Can you include the DER format message itself instead of the ASN1 dump? This
will be very useful when CMS+PSS is implemented.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


RE: Creating AES Key for encryption in server side and share the key

2011-09-12 Thread Dave Thompson
 From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
 Sent: Monday, 12 September, 2011 03:52

 On 9/9/2011 10:13 PM, krishnamurthy santhanam wrote:
snip: unclear about key transport or maybe derivation

 The normal way to do this is:
 
 1. On the side running openssl, just let openssl handle the 
 entire process,
 including any AES (or other negotiated algorithm) encryption in both
 directions with all the required precautions about key reuse etc.
 If you insist on at least 256 bit AES, set options in openssl 
 parameters to
 only accept ciphersuites with strong enough ciphers.
 
 2. On the side running Java, just let the standard SSL 
 classes in Java (I
 forgot their names, see the JDK docs) handle the entire 
 process in the same
 way.  If you insist on at least 256 bit AES, set options in 
 java SSL class
 parameters to only accept ciphersuites with strong enough 
 ciphers, or if that
 is not possible, check the ciphersuite chosen after handshake 
 and abort if
 not strong enough for your purpose.
 
It is enough to require 'strong' cipher on one of server 
or client, whichever is more convenient.

On Java to use AES 256 at all (optional or required) 
you must install the JCE 'unlimited' policy from the 
Sun-now-Oracle website. At least on the Suncle JVM; 
other JVMs may work differently. This may apply to 
other 'high' suites also; I haven't checked all.

snip rest

