Re: Creating AES Key for encryption in server side and share the key
On 9/9/2011 10:13 PM, krishnamurthy santhanam wrote:
> I am implementing SSL on the server side to authenticate the client certificate (X.509), and the client will also authenticate the server's certificate (X.509). Once the mutual authentication has completed, the server has to generate an AES key for encryption and decryption.
>
> On the server side I am creating a 256-bit AES key for encrypting the plaintext, using C with OpenSSL:
>
>     #include <openssl/aes.h>
>     #include <openssl/rand.h>
>     unsigned char key32[32], iv[16];   /* 256-bit key, one-block CBC IV */
>     AES_KEY aeskey;
>     RAND_bytes(key32, sizeof(key32)); RAND_bytes(iv, sizeof(iv));   /* fresh random key and IV */
>     AES_set_encrypt_key(key32, 32*8, &aeskey);                      /* takes a pointer to the AES_KEY */
>     AES_cbc_encrypt(inbuf, outbuf, 16, &aeskey, iv, AES_ENCRYPT);   /* one block from inbuf to outbuf */
>
> I have to decrypt the same message on the client side. On the client side I am using Java.
>
> 1. How can I send this AES key to the Java client? or
> 2. How can I derive a common AES key on both sides?
> 3. Can I use Password Based Encryption to derive the common keys for both sides (Java and C)?
>
> Thanks,
> Krish

The normal way to do this is:

1. On the side running openssl, just let openssl handle the entire process, including any AES (or other negotiated algorithm) encryption in both directions, with all the required precautions about key reuse etc. If you insist on at least 256 bit AES, set options in openssl parameters to only accept ciphersuites with strong enough ciphers.

2. On the side running Java, just let the standard SSL classes in Java (I forgot their names, see the JDK docs) handle the entire process in the same way. If you insist on at least 256 bit AES, set options in java SSL class parameters to only accept ciphersuites with strong enough ciphers, or if that is not possible, check the ciphersuite chosen after handshake and abort if not strong enough for your purpose.

If on the other hand you are using an already encrypted and authenticated SSL channel to exchange encryption keys for some other use outside the SSL protocol, you need to know *A LOT* about security and cryptography to avoid making an insecure system.
Once you know all that (which is very little about APIs and very much about the tricky ways such a system might be attacked), design the details (language and API independent) of how you will generate, use and protect your extra encryption keys. Then send your detailed protocol design (under NDA if applicable) to one or more highly experienced professional cryptographers for review. You will probably have to pay them (I did for my design, and the response resulted in minor tweaks to my design before release).

The whole learning and designing process took me 3 to 10 years, depending on how much I include in the process.

After all this (very necessary!) learning, design and review work, finding the right APIs to implement your protocol steps in various libraries should be trivial. (It ended up being mostly a matter of looking stuff up in the low level documentation and comparing function descriptions with my acquired knowledge of cryptographic security.)

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
How to link user application with FIPS-2
Hello,

I would like to use the CTR DRBG random number generator. It's part of FIPS-2. I have downloaded the CVS tree and found fips_rand.h, which defines the functions I would like to use:

    FIPS_drbg_init
    FIPS_drbg_instantiate
    FIPS_drbg_generate
    FIPS_drbg_reseed

However, I'm not able to link these functions with my application. I have compiled openssl using sources from CVS:

    ./config
    make
    make check
    make install

but in the installation directory I'm missing fips_rand.h. I have also checked the functions which are ready in the openssl library, but the functions above are missing there.

Can you please give me a hint on how to compile FIPS-2 and link it with my application?

Thanks a lot!
Jiri
test vectors for CTR DRBG
Hello,

I'm looking for the test vectors for the CTR DRBG random number generator. I got test vectors from http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgtestvectors.zip, which contains the CTR_DRBG.rsp file. However, I'm looking for the following scenario, which is not covered right now:

    [AES-128 no df]
    [PredictionResistance = False]
    [EntropyInputLen = 256]
    [NonceLen = 0]
    [PersonalizationStringLen = 0]
    [AdditionalInputLen = 0]

Can anybody please provide such test vectors?

Thanks a lot!
Jiri
Re: How to link user application with FIPS-2
On 09/12/2011 05:27 AM, Jiri Hladky wrote:
> Hello,
>
> I would like to use the CTR DRBG random number generator. It's part of FIPS-2. I have downloaded the CVS tree and found fips_rand.h, which defines the functions I would like to use:
>
>     FIPS_drbg_init
>     FIPS_drbg_instantiate
>     FIPS_drbg_generate
>     FIPS_drbg_reseed
>
> However, I'm not able to link these functions with my application. I have compiled openssl using sources from CVS:
>
>     ./config
>     make
>     make check
>     make install
>
> but in the installation directory I'm missing fips_rand.h. I have also checked the functions which are ready in the openssl library, but the functions above are missing there.
>
> Can you please give me a hint on how to compile FIPS-2 and link it with my application?
>
> Thanks a lot!
> Jiri

I assume that by FIPS-2 you mean the OpenSSL FIPS Object Module 2.0 that is now in the middle of the FIPS 140-2 validation process.

Are you sure you really want to try calling FIPS_*() functions directly? That's not an intended use of the FIPS module. It is designed for use via the standard API of a FIPS capable OpenSSL.

As for building, see http://www.mail-archive.com/openssl-dev@openssl.org/msg29421.html.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
id-RSASSA-PSS question
Hi,

we have an SOD (a CMS for e-passports and e-ID cards) file that we can read out and verify nicely if the signature algo is RSA_PKCS1_PADDING. But if the algo is RSA_PKCS1_PSS_PADDING (see attached txt for an asn1 dump), the verification fails.

Below is a part of the stack trace; it looks like openssl still thinks the algorithm is RSA_PKCS1_PADDING instead of RSA_PKCS1_PSS_PADDING:

    CMS_verify() {
      cms_signerinfo_verify() {
        EVP_DigestVerifyInit() {
          do_sigver_init() {
            EVP_PKEY_CTX_set_signature_md() {
              ...
              pkey_rsa_ctrl() {   // type == EVP_PKEY_CTRL_DIGESTINIT
        EVP_DigestVerifyFinal() {
          ...
          pkey_rsa_verify(EVP_PKEY_CTX *ctx, ...) {
            RSA_PKEY_CTX *rctx = ctx->data;
            // rctx->pad_mode == RSA_PKCS1_PADDING (???)
            // and EVP_MD_type(rctx->md) = NID_sha256 (OK)

Does anyone know if the problem is with the encoding of the signature algo in the file, or with openssl itself?

Thanks!
Stef

Attached asn1 dump (offset, tag byte; cut short in the archive):

      0 119: [APPLICATION 23] {
      4  48:   SEQUENCE {
      8   6:     OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
     19 160:     [0] {
     23  48:       SEQUENCE {
     27   2:         INTEGER 3
     30  49:         SET {
     32  48:           SEQUENCE {
     34   6:             OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
           :             }
           :           }
     45  48:         SEQUENCE {
     48   6:           OBJECT IDENTIFIER '2 23 136 1 1 1'
     56 160:           [0] {
     59   4:             OCTET STRING, encapsulates {
     62  48:               SEQUENCE {
     65   2:                 INTEGER 0
     68  48:                 SEQUENCE {
     70   6:                   OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
           :                   }
     81  48:                 SEQUENCE {
     83  48:                   SEQUENCE {
     85   2:                     INTEGER 1
     88   4:                     OCTET STRING
           :                       2C 51 36 2F 0B 0D DC 58 C1 67 FB EC AE B3 6B EC
           :                       51 DA 1C FC 97 23 4A 72 9E AB 2C AE 89 F8 C5 2B  (hash 0x01)
           :                     }
    122  48:                   SEQUENCE {
    124   2:                     INTEGER 13
    127   4:                     OCTET STRING
           :                       BF 2C 0F 06 DB DB D5 F9 0C C7 8E CB 76 02 5C 9D
           :                       D1 04 F1 C0 21 D2 57 4F 57 1B 66 F1 15 43 0F 5E  (hash 0x13)
           :                     }
    161  48:                   SEQUENCE {
    163   2:                     INTEGER 11
    166   4:                     OCTET STRING
           :                       9D 83 2F 80 A0 82 D0 29 F3 64 0F 2F 62 78 6F AF
           :                       89 2E 1A 6F 4A FA F0 AE 29 42 5E 51 C4 AC B2 62  (hash 0x11)
           :                     }
           :                   }
           :                 }
           :               }
           :             }
           :           }
    200  49:         SET {
    204  48:           SEQUENCE {
    208   2:             INTEGER 1
    211 128:             [0]
           :               2D B6 81 D6 A3 72 D3 A2 27 53 03 E3 F2 90 33 36  (SubjectKeyIdentifier)
           :               2C C7 00 9D
    233  48:             SEQUENCE {
    235   6:               OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
           :               }
    246 160:             [0] {
    248  48:               SEQUENCE {
    250   6:                 OBJECT IDENTIFIER contentType (1 2 840 113549 1 9 3)
    261  49:                 SET {
    263   6:                   OBJECT IDENTIFIER '2 23 136 1 1 1'
           :                   }
           :                 }
    271  48:               SEQUENCE {
    273   6:                 OBJECT IDENTIFIER messageDigest (1 2 840 113549 1 9 4)
    284  49:                 SET {
    286   4:                   OCTET STRING
           :                     43 D2 E0 C5 3C ED DF F9 3A D9 1B 26 72 D1 16 90  (hash over
           :                     F5 3B 26 04 86 F0 7F 05 0A CB 6A 25 D8 2A 7B C3   the eContent)
           :                   }
           :                 }
           :               }
    320  48:             SEQUENCE {
    322   6:               OBJECT IDENTIFIER '1 2 840 113549 1 1 10' (id-RSASSA-PSS)
    333  48:               SEQUENCE {
    335 160:                 [0] {
    337  48:                   SEQUENCE {
    339   6:                     OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
           :                     }
           :                   }
    350 161:                 [1] {
    352  48:                   SEQUENCE {
    354   6:                     OBJECT IDENTIFIER '1 2 840 113549 1 1 8' (id-mgf1)
    365  48:                     SEQUENCE {
    367   6:                       OBJECT IDENTIFIER '2 16 840 1 101 3 4 2 1' (SHA256)
           :                       }
           :
Re: id-RSASSA-PSS question
On Mon, Sep 12, 2011, Stef Hoeben wrote:
> Hi,
>
> we have an SOD (a CMS for e-passports and e-ID cards) file that we can read out and verify nicely if the signature algo is RSA_PKCS1_PADDING. But if the algo is RSA_PKCS1_PSS_PADDING (see attached txt for an asn1 dump), the verification fails.
>
> Below is a part of the stack trace; it looks like openssl still thinks the algorithm is RSA_PKCS1_PADDING instead of RSA_PKCS1_PSS_PADDING:
>
>     CMS_verify() {
>       cms_signerinfo_verify() {
>         EVP_DigestVerifyInit() {
>           do_sigver_init() {
>             EVP_PKEY_CTX_set_signature_md() {
>               ...
>               pkey_rsa_ctrl() {   // type == EVP_PKEY_CTRL_DIGESTINIT
>         EVP_DigestVerifyFinal() {
>           ...
>           pkey_rsa_verify(EVP_PKEY_CTX *ctx, ...) {
>             RSA_PKEY_CTX *rctx = ctx->data;
>             // rctx->pad_mode == RSA_PKCS1_PADDING (???)
>             // and EVP_MD_type(rctx->md) = NID_sha256 (OK)
>
> Does anyone know if the problem is with the encoding of the signature algo in the file, or with openssl itself?

OpenSSL HEAD only supports PSS and only for certificates, not CMS.

Can you include the DER format message itself instead of the ASN1 dump? This will be very useful when CMS+PSS is implemented.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Creating AES Key for encryption in server side and share the key
From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
Sent: Monday, 12 September, 2011 03:52

> On 9/9/2011 10:13 PM, krishnamurthy santhanam wrote:
> snip: unclear about key transport or maybe derivation
>
> The normal way to do this is:
>
> 1. On the side running openssl, just let openssl handle the entire process, including any AES (or other negotiated algorithm) encryption in both directions, with all the required precautions about key reuse etc. If you insist on at least 256 bit AES, set options in openssl parameters to only accept ciphersuites with strong enough ciphers.
>
> 2. On the side running Java, just let the standard SSL classes in Java (I forgot their names, see the JDK docs) handle the entire process in the same way. If you insist on at least 256 bit AES, set options in java SSL class parameters to only accept ciphersuites with strong enough ciphers, or if that is not possible, check the ciphersuite chosen after handshake and abort if not strong enough for your purpose.

It is enough to require 'strong' cipher on one of server or client, whichever is more convenient.

On Java, to use AES 256 at all (optional or required) you must install the JCE 'unlimited' policy from the Sun-now-Oracle website. At least on the Suncle JVM; other JVMs may work differently. This may apply to other 'high' suites also; I haven't checked all.

snip rest
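An added example, not code from the thread: the two controls Jakob and Dave describe above (offer only AES-256 suites and require the peer's certificate so the TLS channel is mutually authenticated, then re-check the suite actually negotiated and abort if it is too weak), shown with Python's OpenSSL-backed ssl module rather than the C and Java of the thread. Certificate and CA paths are placeholders the caller supplies; the post-handshake check is the fallback Jakob suggests when the API cannot restrict suites, and it also covers TLS 1.3, where set_ciphers has no effect.

```python
import ssl

MIN_CIPHER_BITS = 256   # the thread's "at least 256 bit AES" requirement


def build_mutual_tls_context(server_side=True, cafile=None,
                             certfile=None, keyfile=None):
    """TLS context that offers only AES-256 suites and makes the peer's
    certificate mandatory, so OpenSSL does all key agreement and bulk
    encryption itself (Jakob's point 1). Paths are caller-supplied."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: every TLS <= 1.2 suite whose bulk cipher is
    # 256-bit AES, minus anonymous and null suites. TLS 1.3 suites are
    # configured separately by OpenSSL and are not affected by this call.
    ctx.set_ciphers("AES256:!aNULL:!eNULL")
    ctx.verify_mode = ssl.CERT_REQUIRED     # mutual auth: no cert, no session
    if certfile:                            # our own chain (placeholder paths)
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_summary(ctx):
    """What a deployment test should check on the context: peer cert
    required, and every TLS <= 1.2 suite offered uses a 256-bit cipher."""
    legacy = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return {
        "requires_peer_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "all_aes256": bool(legacy) and all(c["alg_bits"] == 256 for c in legacy),
    }


def cipher_is_strong_enough(cipher):
    """`cipher` is the (name, protocol, secret_bits) tuple that
    SSLSocket.cipher() returns once the handshake has completed."""
    name, _protocol, bits = cipher
    return "AES" in name and bits >= MIN_CIPHER_BITS


def enforce_after_handshake(ssl_sock):
    """Jakob's fallback for the Java side: inspect the negotiated suite
    and abort the connection if it is weaker than required."""
    cipher = ssl_sock.cipher()
    if not cipher_is_strong_enough(cipher):
        ssl_sock.close()
        raise ssl.SSLError("negotiated cipher too weak: %r" % (cipher,))
    return cipher
```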