On the fly certificate generation to send to the client
Hi, I need some Info.I have a client and server application which requires a secure medium for the transferring of data between each other. Currently I am using openssl to achieve this using private and public key certificates with RSA encryption. I don't want to ship the certificate with each every and client application. So, Is there a method where I can transfer an on the fly created certificate from the server to the client securely(like using diffi-hellman) and after exchanging the certificates. I will communicate with the normal openssl process. -- _/\_ With Regards SB Angel Warrior
Re: On the fly certificate generation to send to the client
forgot to say at step 7 and 8 agreed upon encryption algorithm On Wed, May 20, 2009 at 3:18 PM, AngelWarrior srikanth.bemin...@gmail.comwrote: Thank you for replying. I am thinking of this design.Is this feasible.My design approach is mainly based on I dont need to know with whom I am contacting but after contact my messages should be private. client(My own application) Server (My own application) 1.(client)create a normal socket and connect to the server 2.(server)After receiving the connection send deffie hellman paramerters 3. (client)compute my key and pass the params for DH 4.(server)compute the key number 6. (client)Multiple(n==10) key exchange using DH 5. (server)Multiple(n==10) key exchange using DH 7.(server)generate the public key and encrypt with the key which we have already exchanged. 8.(server)Send the key to client and disconnect the normal socket. 10.(client)after receiving the key close the connection. 11.(client)Start a normal openssl connection. With Regards On Wed, May 20, 2009 at 2:48 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote: On Wed, May 20, 2009 at 02:37:58PM -0500, AngelWarrior wrote: I need some Info.I have a client and server application which requires a secure medium for the transferring of data between each other. Currently I am using openssl to achieve this using private and public key certificates with RSA encryption. I don't want to ship the certificate with each every and client application. So, Is there a method where I can transfer an on the fly created certificate from the server to the client securely(like using diffi-hellman) and after exchanging the certificates. I will communicate with the normal openssl process. Certifications are for *authentication*, which is only possible via: - Prior bi-lateral exchange of keys (what you are doing now) OR - Mediated key-exchange via a trusted introducer (the public CA model such as it is today) OR - Scalable mediated introduction via a trusted online distributed database, i.e keys in a secure DNS. This has not happened yet, and may yet fail to materialize. If you need authentication, pick one of the first two. If you don't, use anonymous ciphers and accept the risk of active man-in-the-middle attacks, with TLS protecting you only against passive eavesdropping. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- _/\_ With Regards SB Angel Warrior -- _/\_ With Regards SB Angel Warrior
Re: On the fly certificate generation to send to the client
but this still requires a CA kind of certificate right.I dont know if the client will be have a CA certificate to authenticate it.If I am wrong please explain me how it can be done. On Wed, May 20, 2009 at 2:47 PM, Scott Gifford sgiff...@suspectclass.comwrote: AngelWarrior srikanth.bemin...@gmail.com writes: I need some Info.I have a client and server application which requires a secure medium for the transferring of data between each other. Currently I am using openssl to achieve this using private and public key certificates with RSA encryption. I don't want to ship the certificate with each every and client application. Hello, The easiest way to transfer data securely between a client and server over the network is to simply use an SSL connection. It will only require a certificate on the server, and will take care of all of the necessary details to set up a secure channel. Is there a reason this won't work for you and you need to use RSA directly? If so, please explain the reason; it will probably affect what sort of solution will be workable for you. -Scott. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- _/\_ With Regards SB Angel Warrior
Re: On the fly certificate generation to send to the client
Thank you for replying. I am thinking of this design.Is this feasible.My design approach is mainly based on I dont need to know with whom I am contacting but after contact my messages should be private. client(My own application) Server (My own application) 1.(client)create a normal socket and connect to the server 2.(server)After receiving the connection send deffie hellman paramerters 3. (client)compute my key and pass the params for DH 4.(server)compute the key number 6. (client)Multiple(n==10) key exchange using DH 5. (server)Multiple(n==10) key exchange using DH 7.(server)generate the public key and encrypt with the key which we have already exchanged. 8.(server)Send the key to client and disconnect the normal socket. 10.(client)after receiving the key close the connection. 11.(client)Start a normal openssl connection. With Regards On Wed, May 20, 2009 at 2:48 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote: On Wed, May 20, 2009 at 02:37:58PM -0500, AngelWarrior wrote: I need some Info.I have a client and server application which requires a secure medium for the transferring of data between each other. Currently I am using openssl to achieve this using private and public key certificates with RSA encryption. I don't want to ship the certificate with each every and client application. So, Is there a method where I can transfer an on the fly created certificate from the server to the client securely(like using diffi-hellman) and after exchanging the certificates. I will communicate with the normal openssl process. Certifications are for *authentication*, which is only possible via: - Prior bi-lateral exchange of keys (what you are doing now) OR - Mediated key-exchange via a trusted introducer (the public CA model such as it is today) OR - Scalable mediated introduction via a trusted online distributed database, i.e keys in a secure DNS. This has not happened yet, and may yet fail to materialize. If you need authentication, pick one of the first two. If you don't, use anonymous ciphers and accept the risk of active man-in-the-middle attacks, with TLS protecting you only against passive eavesdropping. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- _/\_ With Regards SB Angel Warrior
Does AES_cbc_encrypt remove PKCS5 padding
Hi, Does AES_cbc_encrypt add or remove the padding, if I provide an un-padded data in the multiples of 16 bytes? I wrote a piece code where I am manually adding the padding but when I decrypt using AES_cbc_encrypt the padding is automatically removed. -- _/\_ With Regards SB Angel Warrior
Re: Does AES_cbc_encrypt remove PKCS5 padding
But I am experimenting with the code which is actually removing the padding by calling AES_cbc_encrypt(unsigned char*)input, (unsigned char*)(output), (const unsigned long)(length), ks, (unsigned char*)ivec, AES_DECRYPT). What is EVP layer? On Wed, May 6, 2009 at 3:45 PM, Dr. Stephen Henson st...@openssl.orgwrote: On Wed, May 06, 2009, AngelWarrior wrote: Hi, Does AES_cbc_encrypt add or remove the padding, if I provide an un-padded data in the multiples of 16 bytes? I wrote a piece code where I am manually adding the padding but when I decrypt using AES_cbc_encrypt the padding is automatically removed. None of the low level cipher routines including AES_cbc_encrypt() add or remove padding. That is handled in the EVP layer. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- _/\_ With Regards SB Angel Warrior
Re: BF-cfb64-encrypt() encrypts data partially.
Got it.Thank you .Sometimes being in programming world we forget the rules of maths. On Mon, Apr 27, 2009 at 2:08 AM, Michael S. Zick open...@morethan.orgwrote: On Mon April 27 2009, Michael S. Zick wrote: I put my comment on the wrong line of code - but you get the idea. ;) On Mon April 27 2009, AngelWarrior wrote: I have a file containing 549 bytes of data. When I try to encrypt the data,I get only a partial encrypted data in the range of 113 to 140 bytes in different runs.When I decrypt the data I get the partial data. This is a QT application OpenSSL 0.9.8j windows int main(int argc, char** argv ) { QApplication app(argc , argv); QFile inputfile(input.xml); stin.open(stdin ,QIODevice::ReadOnly); stout.open(stdout,QIODevice::WriteOnly); outLine(Enter key\n); QString key=readIn(); inputfile.open(QIODevice::ReadOnly); QByteArray temp = inputfile.readAll(); BF_KEY ks; BF_set_key( ks, key.length(), (const unsigned char*)(key.toAscii().data())); char ivec[8]; memset(ivec,0,8); int num=0; char *out = new char[temp.length()]; BF_cfb64_encrypt((unsigned char*)temp.data(), (unsigned char*)(out), (unsigned long)temp.length(), ks, (unsigned char*)ivec, num, BF_ENCRYPT ); outLine(Encrypted Data\n); outLine(---\n); outLine(QString().sprintf(Encrypt length = %d\n,strlen(out))); outLine(QString(out)); outLine(\n); readIn(); QFile outputfile(output.xml); outputfile.open(QIODevice::WriteOnly); outputfile.write(out,strlen(out)); QByteArray entemp(out); memset(out,0,temp.length()); memset(ivec,0,8); num=0; //out = new char[entemp.length()]; BF_cfb64_encrypt((unsigned char*)entemp.data(), (unsigned char*)(out), (long)entemp.length(), ks, (unsigned char*)ivec, num, BF_DECRYPT ); outLine(Decrypted Data\n); outLine(---\n); outLine(QString().sprintf(Decrypt length = %d\n,strlen(out))); Encrypted data != C-string format; \0 is a legal data value, not a string terminator. outLine(QString(out)); } Enter key temp Encrypted Data --- Encrypt length = 180 ?ƒ6i[y╔╒⌂+ñßh÷≥┴W¿┼XE╕û─ºæ▓iÜ║↑┴K♦8)zⁿö♠j⌐┤▐⌡ë┐FMG╡^δå,♀p[⌐«╥∞Aεën u%↑Aƒ╖½1Φ║÷;α┘╦▬á▼]q{ █}╕9b▌$Åp╗▐D½k?ε/ôH(☺ªuÑ↓ñ╖¿jåHV┘¥zεφ│wc ╙l■d▲▀¿úu1╜iPα Decrypted Data --- Decrypt length = 180 input namehello how are you doing/name sundayyes/sunday mondayno/monday tuesdayno/tuesday wednesdayno/wednesday thursdayno/thursday fridayno/fri __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- _/\_ With Regards SB Angel Warrior
BF-cfb64-encrypt() encrypts data partially.
I have a file containing 549 bytes of data. When I try to encrypt the data,I get only a partial encrypted data in the range of 113 to 140 bytes in different runs.When I decrypt the data I get the partial data. This is a QT application OpenSSL 0.9.8j windows int main(int argc, char** argv ) { QApplication app(argc , argv); QFile inputfile(input.xml); stin.open(stdin ,QIODevice::ReadOnly); stout.open(stdout,QIODevice::WriteOnly); outLine(Enter key\n); QString key=readIn(); inputfile.open(QIODevice::ReadOnly); QByteArray temp = inputfile.readAll(); BF_KEY ks; BF_set_key( ks, key.length(), (const unsigned char*)(key.toAscii().data())); char ivec[8]; memset(ivec,0,8); int num=0; char *out = new char[temp.length()]; BF_cfb64_encrypt((unsigned char*)temp.data(), (unsigned char*)(out), (unsigned long)temp.length(), ks, (unsigned char*)ivec, num, BF_ENCRYPT ); outLine(Encrypted Data\n); outLine(---\n); outLine(QString().sprintf(Encrypt length = %d\n,strlen(out))); outLine(QString(out)); outLine(\n); readIn(); QFile outputfile(output.xml); outputfile.open(QIODevice::WriteOnly); outputfile.write(out,strlen(out)); QByteArray entemp(out); memset(out,0,temp.length()); memset(ivec,0,8); num=0; //out = new char[entemp.length()]; BF_cfb64_encrypt((unsigned char*)entemp.data(), (unsigned char*)(out), (long)entemp.length(), ks, (unsigned char*)ivec, num, BF_DECRYPT ); outLine(Decrypted Data\n); outLine(---\n); outLine(QString().sprintf(Decrypt length = %d\n,strlen(out))); outLine(QString(out)); } Enter key temp Encrypted Data --- Encrypt length = 180 ?ƒ6i[y╔╒⌂+ñßh÷≥┴W¿┼XE╕û─ºæ▓iÜ║↑┴K♦8)zⁿö♠j⌐┤▐⌡ë┐FMG╡^δå,♀p[⌐«╥∞Aεën u%↑Aƒ╖½1Φ║÷;α┘╦▬á▼]q{ █}╕9b▌$Åp╗▐D½k?ε/ôH(☺ªuÑ↓ñ╖¿jåHV┘¥zεφ│wc ╙l■d▲▀¿úu1╜iPα Decrypted Data --- Decrypt length = 180 input namehello how are you doing/name sundayyes/sunday mondayno/monday tuesdayno/tuesday wednesdayno/wednesday thursdayno/thursday fridayno/fri -- _/\_ With Regards SB Angel Warrior