Re: [openssl-users] In-place encryption/decryption via the EVP_* APIs
In message on Tue, 6 Nov 2018 14:46:52 -0800, Terry Chong said: > Hi, I am planning on using EVP_* APIs to encrypt/decrypt my data. One thing I > am wondering > about is whether I can do in-place encryption, meaning I don't have to pay > the price of an extra > memory buffer to store my cipher text and a potential memcpy back to the > source buffer. > > I tried that with the EVP_* APIs by essentially passing in the same buffer to > the plaintext and cipher > text input pointers, and it seems to work. I am using AES XTS mode, and I > understand that that > may not work if I were to use a different mode. > > I am wondering if this behavior for AES XTS that allows in-place > encryption/decryption is going to > stay? test/evp_test.c does a number of tests on all ciphers we have test vectors for, including overlapping buffers (i.e. input and output buffer are the same). So that is to say that if that behaviour ever stopped working, we would certainly notice. Does that help? Cheers, Richard -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Trouble installing openssl 1.1.0 on Ubuntu 14.04
In message <1541454675952-0.p...@n7.nabble.com> on Mon, 5 Nov 2018 14:51:15 -0700 (MST), EcolaneAdam said: > Hello, > > Several months ago I had configured ansible to deploy openssl upgrades to > our Ubuntu 14.04 servers and did so with the following version via apt > module: > - libssl-dev=1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1 > - openssl=1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1 > > Now when doing deployments I am getting that the version is not found. I am > having trouble finding the correct version to reference. Anything I have > tried hasn't worked. > > Any ideas? Those package names told me I could have a look at http://deb.sury.org, and sure enough, there was something there, with a PPA link: https://launchpad.net/~ondrej/+archive/ubuntu/php/ You can see the full (I assume) list of available packages there, and for OpenSSL, I find these: 1.1.1-2+ubuntu18.10.1+deb.sury.org+2 1.1.1-2+ubuntu18.04.1+deb.sury.org+2 1.1.1-2+ubuntu16.04.1+deb.sury.org+2 1.1.1-2+ubuntu14.04.1+deb.sury.org+2 So it looks to me like you're being forced to upgrade. Note that 1.1.1 is forward compatible with 1.1.0h, so that upgrade should go smoothly. Cheers, Richard -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] OpenSSL vs GPG for encrypting files? Security best practices?
Interesting. How about this for a start? http://nickpapadonis.com/images-share/summerian-ancient-mesopotamia-ancient-lock.jpg http://nickpapadonis.com/images-share/anunnaki1.jpg http://nickpapadonis.com/images-share/summerian-Winged_Human-headed_Bulls.JPG On Sun, Nov 4, 2018 at 7:21 PM open...@foocrypt.net wrote: > Hi Nick > > Have You tried The FooKey Method ? https://foocrypt.net/the-fookey-method > > Also, > > I will be sourcing public addendum's as addendum's to my submission into > the Parliamentary Joint Committee on Intelligence and Security [ > https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/TelcoAmendmentBill2018/Submissions > ] regarding the committee’s review of the 'Telecommunication and Other > Legislation Amendment (Assistance and Access) Bill 2018' after the > Melbourne Cup. It will be similar to the open request for the Defence Trade > Control Act review performed by the former Inspector General of > Intelligence, Dr Vivian Thom. > > > https://foocrypt.net/independent-review-of-the-defence-trade-controls-act-2012-cth-call-for-information-for-submission-as-a-case-study-from-the-openssl-community > > > -- > > Regards, > > Mark A. Lane > > Cryptopocalypse NOW 01 04 2016 > > Volumes 0.0 -> 10.0 Now available through iTunes - iBooks @ > https://itunes.apple.com/au/author/mark-a.-lane/id1100062966?mt=11 > > Cryptopocalypse NOW is the story behind the trials and tribulations > encountered in creating "FooCrypt, A Tale of Cynical Cyclical Encryption." > > "FooCrypt, A Tale of Cynical Cyclical Encryption." is aimed at hardening > several commonly used Symmetric Open Source Encryption methods so that they > are hardened to a standard that is commonly termed 'QUANTUM ENCRYPTION'. > > "FooCrypt, A Tale of Cynical Cyclical Encryption." is currently under > export control by the Australian Department of Defence Defence Export > Controls Office due to the listing of Cryptology as a ‘Dual Use’ Technology > as per the ‘Wassenaar Arrangement’ > > A permit from Defence Export Control is expected within the next 2 months > as the Australian Signals Directorate is currently assessing the associated > application(s) for export approval of "FooCrypt, A Tale of Cynical Cyclical > Encryption." > > Early releases of "Cryptopocalypse NOW" will be available in the period > leading up to June, 2016. > > Limited Edition Collectors versions and Hard Back Editions are available > via the store on http://www.foocrypt.net/ > > © Mark A. Lane 1980 - 2016, All Rights Reserved. > © FooCrypt 1980 - 2016, All Rights Reserved. > © FooCrypt, A Tale of Cynical Cyclical Encryption. 1980 - 2016, All Rights > Reserved. > © Cryptopocalypse 1980 - 2016, All Rights Reserved. > > > > On 5 Nov 2018, at 10:35, Nicholas Papadonis > wrote: > > Comments > > On Sat, Nov 3, 2018 at 5:56 PM Bear Giles wrote: > >> > I'm considering encrypting a tar archive and optionally a block file >> system (via FUSE) using either utility >> >> Linux has good support for encrypted filesystems. Google LUKS. >> > > >> BTW a tar file starts with the name of the first entry. The 'magic >> numbers' are at offset 128 or so. However a compressed tar file will start >> with a known value since gzip, b2zip, and 7zip?, all start with their magic >> values. >> > > Does tar placing known data at a certain offset increase the probability > that someone can perform an attack easier? They may already know the data > to decrypt at that offset and if the encrypted block overlaps, then the > attack is easier. > > Thanks > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] In-place encryption/decryption via the EVP_* APIs
Hi, I am planning on using EVP_* APIs to encrypt/decrypt my data. One thing I am wondering about is whether I can do in-place encryption, meaning I don't have to pay the price of an extra memory buffer to store my cipher text and a potential memcpy back to the source buffer. I tried that with the EVP_* APIs by essentially passing in the same buffer to the plaintext and cipher text input pointers, and it seems to work. I am using AES XTS mode, and I understand that that may not work if I were to use a different mode. I am wondering if this behavior for AES XTS that allows in-place encryption/decryption is going to stay? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] updating openssl
On 6. nóv. 2018, at 2:02 e.h., Paul wrote: > I configured Openvpn server on ubuntu 16.04 and ubuntu was using a old > version of openssl 1.0.2 and I was updating openssl to v1.1.1 > Now I've installed the openssl but now unable to mv file installed to ln -s > /usr/local/ssl/bin/openssl /usr/bin/openssl > failed to create symbolic link '/usr/bin/openssl': File exists > > but then when I use openssl version > /usr/bin/openssl: No such file or directory This is really a general unix question: I suspect you have a dangling symbolic link in /usr/bin, pointing to a (now-deleted) old copy of openssl. If so, you can just rm the dangling symbolic link. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] OpenSSL 1.0.2: CVE-2018-0735
Hi, According to the vulnerabilities website[1], OpenSSL 1.1.i and earlier and 1.1.1 are affected by CVE-2018-0735. Is it safe to assume that OpenSSL 1.0.2 is not affected by the CVE? Thank you, -- misaki [1] https://www.openssl.org/news/vulnerabilities.html CVE-2018-0735 (OpenSSL advisory) [Low severity] 29 October 2018: The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Reported by Samuel Weiser. Fixed in OpenSSL 1.1.1a-dev (git commit) (Affected 1.1.1) Fixed in OpenSSL 1.1.0j-dev (git commit) (Affected 1.1.0-1.1.0i) -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] updating openssl
I configured Openvpn server on ubuntu 16.04 and ubuntu was using a old version of openssl 1.0.2 and I was updating openssl to v1.1.1 Now I've installed the openssl but now unable to mv file installed to ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl failed to create symbolic link '/usr/bin/openssl': File exists but then when I use openssl version /usr/bin/openssl: No such file or directory how can I correct this? Paul -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Exclude unwanted ciphers during build
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > pgndev > Sent: Tuesday, November 06, 2018 15:45 > https://wiki.openssl.org/index.php/Compilation_and_Installation > Usage: Configure [no- ...] [enable- ...] ... And it's documented in the INSTALL file in the tarball. Of course, details (e.g. which ciphers are available) depend on what version the OP is trying to builld - information he neglected to provide. I know, I know: mentioning ARIA implies 1.1.1. But folks, *tell us what version you're using*. That should be automatic any time you post a question to any public forum about any software product. -- Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Exclude unwanted ciphers during build
https://wiki.openssl.org/index.php/Compilation_and_Installation Usage: Configure [no- ...] [enable- ...] ... ^^^ -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Exclude unwanted ciphers during build
Is there a simple way of excluding unwanted ciphers or cipher suites during a build? I would like to remove ARIA in particular, but may want to remove additional ones in order to use a smaller footprint. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users