Re: Just Encryption Using Openssl
Well I implemented something very similar recently but using tcp rather than udp. In my case, alice creates a public-private key pair and sends public key to bob. Bob then encrypts randomly generated symmetric key (.e.g blowish, dsa or aes etc.) with public key and sends the result to alice. Alice then decrypts with her private key. Both alice and bob have knowledge of symmetric key which can then be used for secure communication. A clear problem with this is a man-in-the-middle attack. There are functions built into the open ssl framework that allows you do create such keys manually. If that's what you need to do, I can give a more concrete ( albeit probably naive) example... Cheers, Ben. On 21 July 2010 15:02, Harshvir Sidhu hvssi...@gmail.com wrote: Hi All, I am trying to use encryption over Client/Server machines. My requirement is that i have to use winsock UDP functions to send and receive data. Is there some mechanism to perform key and cipher exchange in this case, like normally SSL_Connect will do this, but in my case i cannot use that. Is there some suggestion for this? // Harshvir
Re: Just Encryption Using Openssl
Ok, well assuming you're talking about C++ which is what I'm using, then to create an RSA key pair you do: // alice would do this RSA *rsa = RSA_generate_key(bits, 65537, NULL, NULL); // alice can then get the public part of the key and send to bob const int max_hex_size = (bits / 4) + 1; long size = max_hex_size; char keyBufferA[size]; char keyBufferB[size]; bzero(keyBufferA,size); bzero(keyBufferB,size); sprintf(keyBufferA,%s\r\n,BN_bn2hex(rsa-n)); sprintf(keyBufferB,%s\r\n,BN_bn2hex(rsa-e)); int n = send(sock,keyBufferA,size,0); char recBuf[2]; n = recv(sock,recBuf,2,0); n = send(sock,keyBufferB,size,0); n = recv(sock,recBuf,2,0); // bob can then receive the public key, so on bob's end: int max_hex_size = (bits / 4) + 1; char keybufA[max_hex_size]; bzero(keybufA,max_hex_size); char keybufB[max_hex_size]; bzero(keybufB,max_hex_size); int n = recv(sock,keybufA,max_hex_size,0); n = send(sock,OK,2,0); n = recv(sock,keybufB,max_hex_size,0); n = send(sock,OK,2,0); rsa = RSA_new(); BN_hex2bn(rsa-n, keybufA); BN_hex2bn(rsa-e, keybufB); // bob can then generate symmetric key unsigned char* key; int n = RAND_bytes(key, bytes); // if n is 0 then system failed in having enough entropy to gather a strong key and should be //considered insecure // bob can then encrypt key with alice's public key, in fact here is a snippet of a function // note ivec is an intialisation vector. This is often initialized to 0 (but doing this is very insecure, but its useful // to do this for testing purposes) void theEncryptor::blowfish(unsigned char *data, int data_len, unsigned char* key, unsigned char *ivec, int enc) { // hash the key first! unsigned char obuf[20]; bzero(obuf,20); SHA1((const unsigned char*)key, 64, obuf); BF_KEY bfkey; int keySize = 20;//strlen((char*)key); BF_set_key(bfkey, keySize, obuf); //unsigned char ivec[16]; //memset(ivec, 0, 16); unsigned char* out=(unsigned char*) malloc(data_len); bzero(out,data_len); int num = 0; // enc is whether to encrypt (true) or decrypt (false) BF_cfb64_encrypt(data, out, data_len, bfkey, ivec, num, enc); memcpy(data, out, data_len); free(out); } // bob is now free to send the ecnrypted key back to alice Note: you should also look at the open_ssl api. I found this very helpful. Cheers, Ben. On 21 July 2010 15:41, Harshvir Sidhu hvssi...@gmail.com wrote: Ben: Yes thats what i need to do. If you can provide some example, that will be great. Thanks. // Harshvir On Wed, Jul 21, 2010 at 9:17 AM, Ben Jones b...@bhjones.com wrote: Well I implemented something very similar recently but using tcp rather than udp. In my case, alice creates a public-private key pair and sends public key to bob. Bob then encrypts randomly generated symmetric key (.e.g blowish, dsa or aes etc.) with public key and sends the result to alice. Alice then decrypts with her private key. Both alice and bob have knowledge of symmetric key which can then be used for secure communication. A clear problem with this is a man-in-the-middle attack. There are functions built into the open ssl framework that allows you do create such keys manually. If that's what you need to do, I can give a more concrete ( albeit probably naive) example... Cheers, Ben. On 21 July 2010 15:02, Harshvir Sidhu hvssi...@gmail.com wrote: Hi All, I am trying to use encryption over Client/Server machines. My requirement is that i have to use winsock UDP functions to send and receive data. Is there some mechanism to perform key and cipher exchange in this case, like normally SSL_Connect will do this, but in my case i cannot use that. Is there some suggestion for this? // Harshvir
Re: recommended rsa api
note, also see http://stackoverflow.com/questions/2012645/can-you-help-me-get-my-head-around-openssl-public-key-encryption-with-rsa-h-in-c Cheers, Ben. On 20 January 2010 16:22, Anand Patel anand.apa...@gmail.com wrote: For RSA API take a look at http://openssl.org/docs/crypto/rsa.html# -Anand On Wed, Jan 20, 2010 at 11:18 AM, Anand Patel anand.apa...@gmail.comwrote: EVP is oneway of implementing your solution. Look at Example section of http://openssl.org/docs/crypto/EVP_EncryptInit.html# -Anand On Wed, Jan 20, 2010 at 10:14 AM, Alexey Luchko l...@ank-sia.com wrote: Hi! I'm new to openssl. I need to encrypt and decrypt approx 1k block of data with rsa. What is recommended api for the case? I've found RSA_public_encrypt() and RSA_private_decrypt(). It looks like a kind of low level api. But here I've got a problem with OAEP padding. Another one is EVP_PKEY_encrypt() and EVP_PKEY_decrypt(). It is of a higher level. It encodes and decodes correctly only one block for me, but looks like it could operate on block of any size. And I've not found any use cases with google code search. It looks like I missed smth ;) Any advice is very welcome! -- Thanks in advance, Alexey sms stands for save my soul __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Ben H D Jones www.bhjones.com
Re: recommended rsa api
Hi there Alexey Many people will tell you to use the EVP stuff and quite frankly, they're most likely right. However, I've not managed to figure out the EVP stuff so I use the public_encrypt and private_decrypt functions instead. I have written the following functions to encapsulate the functionality I need. Adapt them as you like :-) void theEncryptor::generateRSAKeyPair(int bits) { rsa = RSA_generate_key(bits, 65537, NULL, NULL); } int theEncryptor::publicEncrypt(unsigned char* data, unsigned char* dataEncrypted,int dataLen) { return RSA_public_encrypt(dataLen, data, dataEncrypted, rsa, RSA_PKCS1_PADDING); } int theEncryptor::privateDecrypt(unsigned char* dataEncrypted, unsigned char* dataDecrypted) { return RSA_private_decrypt(RSA_size(rsa), dataEncrypted, dataDecrypted, rsa, RSA_PKCS1_PADDING); } Then since I am receiving a public key, I have a sockets framework: void theEncryptor::receivePublicKeyAndSetRSA(int sock, int bits) { int max_hex_size = (bits / 4) + 1; char keybufA[max_hex_size]; bzero(keybufA,max_hex_size); char keybufB[max_hex_size]; bzero(keybufB,max_hex_size); int n = recv(sock,keybufA,max_hex_size,0); n = send(sock,OK,2,0); n = recv(sock,keybufB,max_hex_size,0); n = send(sock,OK,2,0); rsa = RSA_new(); BN_hex2bn(rsa-n, keybufA); BN_hex2bn(rsa-e, keybufB); } void theEncryptor::transmitPublicKey(int sock, int bits) { const int max_hex_size = (bits / 4) + 1; long size = max_hex_size; char keyBufferA[size]; char keyBufferB[size]; bzero(keyBufferA,size); bzero(keyBufferB,size); sprintf(keyBufferA,%s\r\n,BN_bn2hex(rsa-n)); sprintf(keyBufferB,%s\r\n,BN_bn2hex(rsa-e)); int n = send(sock,keyBufferA,size,0); char recBuf[2]; n = recv(sock,recBuf,2,0); n = send(sock,keyBufferB,size,0); n = recv(sock,recBuf,2,0); } Best Wishes, Ben. On 20 January 2010 15:14, Alexey Luchko l...@ank-sia.com wrote: Hi! I'm new to openssl. I need to encrypt and decrypt approx 1k block of data with rsa. What is recommended api for the case? I've found RSA_public_encrypt() and RSA_private_decrypt(). It looks like a kind of low level api. But here I've got a problem with OAEP padding. Another one is EVP_PKEY_encrypt() and EVP_PKEY_decrypt(). It is of a higher level. It encodes and decodes correctly only one block for me, but looks like it could operate on block of any size. And I've not found any use cases with google code search. It looks like I missed smth ;) Any advice is very welcome! -- Thanks in advance, Alexey sms stands for save my soul __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Ben H D Jones www.bhjones.com
blowfish.h use in simple server/client application
Hi, (I hope this is the correct list to be asking this, apologies if not) I am trying to write an application which amongst other things uses the blowfish implementation (blowfish.h) to transport files over a simple server/client pair. However, whilst some files are encrypted, transported, received and decrypted correctly, some end up being corrupted, after the final decryption stage. This leads me to think that the encryption routines are not being called correctly (since I have also tried with equivalent DES library calls, with the same 'intermittent corruption' results). The relevant code is pasted below and further mirrored at http://pastebin.com/d4d166d12. So it starts with the function send_file (called by a connected client). This splits the file into chunks. Each 1024 byte chunk is encrypted separately and then sent. Each chunk is then received by the server in the receive_file function, decrypted and saved to disc. Any idea what the problem could be? Cheers, Ben. inline void blowfish(unsigned char *data, int data_len, char* key, int enc) { BF_KEY bfkey; BF_set_key(bfkey, strlen(key)+1, (const unsigned char*)key); unsigned char ivec[8]; memset(ivec, 0, 8); unsigned char *out = (unsigned char*) malloc(1024); bzero(out,1024); int num = 0; BF_cfb64_encrypt(data, out, data_len, bfkey, ivec, num, enc); memcpy(data, out, data_len); free(out); } void MyFrame::encryptHelper(const char* orig, int inlength) { char *pb=(char*)(std::string((passInput-GetValue()).mb_str()).c_str()); blowfish((unsigned char*)orig, inlength, pb, BF_ENCRYPT); } void MyFrame::decryptHelper(const char* orig, int inlength) { char *pb=(char*)(std::string((passInput-GetValue()).mb_str()).c_str()); blowfish((unsigned char*)orig, inlength, pb, BF_DECRYPT); } int MyFrame::send_file(int fd) { // Note file size and name of file which the receiver is expecting have been sent // in a function prior to the call of this one char rec[10]; struct stat stat_buf; fstat (fd, stat_buf); int size=stat_buf.st_size; while(size 0) { char buffer[1030]; bzero(buffer,1030); bzero(rec,10); int n; if(size=1024) { n=read(fd, buffer, 1024); // encrypt is necessary if(encButtonOn-GetValue()) encryptHelper(buffer,1024); // Send a chunk of data n=send(sockFile_, buffer, 1024, 0 ); // Wait for an acknowledgement n = recv(sockFile_, rec, 10, 0 ); } else // reamining file bytes { n=read(fd, buffer, size); if(encButtonOn-GetValue()) encryptHelper(buffer,size); buffer[size]='\0'; n=send(sockFile_,buffer, size, 0 ); n=recv(sockFile_, rec, 10, 0 ); } } // Send a 'completion' string int n = send(sockFile_, COMP,strlen(COMP), 0 ); // Receive an acknowledgemnt char buf[10]; bzero(buf,10); n = recv(sockFile_, buf, 10, 0 ); return(0); } int MyFrame::receive_file() { // receive file size and send ack char sizeBuffer[50]; bzero(sizeBuffer,50); int n; n=read(sockFile_, sizeBuffer, 50); n=send(sockFile_,OK, strlen(OK), 0 ); int size = atoi(sizeBuffer); //std::coutsizestd::endl; // receive file name and send ack char saveName[256]; bzero(saveName,256); n=read(sockFile_, saveName, 256); n=send(sockFile_,OK,strlen(OK), 0 ); //std::coutsaveName_std::endl; // start file writing process to local disk // decrypt first if necessary if(encButtonOn-GetValue()) decryptHelper(saveName,strlen(saveName)); ofstream outFile(saveName,ios::out|ios::binary|ios::app); while(size 0) { // buffer for storing incoming data char buf[1030]; bzero(buf,1030); if(size=1024) { // receive chunk of data n=recv(sockFile_, buf, 1024, 0 ); // decrypt if necessary if(encButtonOn-GetValue()) decryptHelper(buf,1024); // write chunk of data to disk outFile.write(buf,1024); // send acknowledgement n = send(sockFile_, OK, strlen(OK), 0 ); } else { n=recv(sockFile_, buf, size, 0 ); if(encButtonOn-GetValue()) decryptHelper(buf,size); buf[size]='\0'; outFile.write(buf,size); n = send(sockFile_, OK, strlen(OK), 0 ); } size -= 1024; } outFile.close(); // Receive 'COMP' and send acknowledgement // --- char buf[10]; bzero(buf,10); n = recv(sockFile_, buf, 10, 0 ); n = send(sockFile_, OK, strlen(OK), 0 ); std::coutFile received...std::endl; return(0); }