Accepted: OWASP Hartford: February 2009 (Open Web Application Security Project)

2008-12-12 Thread Buicliu, Ion VSA:EX


RE: Accepted: OWASP Hartford: February 2009 (Open Web Application Security Project)

2008-12-12 Thread Buicliu, Ion VSA:EX
I am very sorry for pressing Accept without looking carefully to what
was in front of me.

Please cancel - I will not be able to attend.

Thank you.

Ion Buicliu
Systems Integration Specialist
BC Vital Statistics Agency
Health Sector IM/IT Division
Voice Mail:   (250) 952-2410
Please consider the environment before printing this email.
Unless otherwise agreed expressly in writing by the author, this
communication is to be treated as confidential and the information in it
(or attached to it) may not be used or disclosed except for the purpose
for which it has been sent or as determined by FOIPPA requirements and
procedures. This message is intended only for the use of the person(s)
to whom it is addressed. Any distribution, copying or use by anyone else
is strictly prohibited. If you have received this e-mail in error,
please telephone the sender immediately and destroy this e-mail.


 _
 From: Buicliu, Ion VSA:EX [mailto:ion.buic...@gov.bc.ca] 
 Sent: Fri, December 12, 2008 2:25 PM
 To:   openssl-users@openssl.org
 Subject:  Accepted: OWASP Hartford: February 2009 (Open Web
 Application Security Project)
 When: Tue, February 10, 2009 2:00 PM-4:00 PM (GMT-08:00) Pacific Time
 (US  Canada).
 Where:The Hartford, Tower Building: Atrium Conference Room
 Sensitivity:  Confidential
 
 


Openssl encrypt on UNIX, decrypt on Windows

2008-11-19 Thread Buicliu, Ion VSA:EX
Our UNIX-based organization is preparing to send encrypted data to a
Windows-based organization. 
We have openSSL 0.9.8 on UNIX. We create the keys and will send them to
the client in one process, then encrypt the data files and send them to
the client in a different process.
I don't know much about openSSL on Windows. My question:
- is it possible to configure Windows with openSSL to use the keys and
decrypt the files encrypted on UNIX?
- how difficult is this operation?

Since the client seems to think that this is difficult to do, I would
appreciate if you guide me in the right direction. In the end it is the
client's responsibility to do it, but I'd like to have an idea of what's
involved.

Thank you 

Ion Buicliu



RE: Openssl encrypt on UNIX, decrypt on Windows

2008-11-19 Thread Buicliu, Ion VSA:EX
> Are you using OpenSSL CLI tools on UNIX?
> If so do the same on Windows; compile OpenSSL and use the
> transferred keys and decrypt the data.
 
If by CLI you mean Command Line Interface, yes, that's what I am using
on UNIX (not a graphical interface). If not, please let me know what you
mean by CLI.
 
Also, I would appreciate if you can give me more details about using the
keys and decrypting on Windows.
 
Thank you.

Ion Buicliu 





> My question:
> - is it possible to configure Windows with openSSL to use the keys
> and decrypt the files encrypted on UNIX?
Yes

> - how difficult is this operation?
Are you using OpenSSL CLI tools on UNIX?

If so do the same on Windows; compile OpenSSL and use the transferred
keys and decrypt the data.






RE: Openssl encrypt on UNIX, decrypt on Windows

2008-11-19 Thread Buicliu, Ion VSA:EX
Thank you very much Chris, that's all I needed to know. 
I will inform the client and let them deal with the rest. 


Ion Buicliu

Hi Ion,

On Wed, 19 Nov 2008, Buicliu, Ion VSA:EX wrote:

> Are you using OpenSSL CLI tools on UNIX?
> If so do the same on Windows; compile OpenSSL and use the
> transferred keys and decrypt the data.
>
> If by CLI you mean Command Line Interface, yes, that's what I am using
> on UNIX (not a graphical interface). If not, please let me know what
> you mean by CLI.
>
> Also, I would appreciate if you can give me more details about using
> the keys and decrypting on Windows.

There is a command-line version of OpenSSL that you can download and
install on Windows that works in exactly the same way as the one on
Linux/Unix does. No magic. If your Windows shop finds that too difficult
to deal with (e.g. having to remember command line options) then I'm not
aware of an OpenSSL GUI that could be used. Perhaps PGP for Windows
might provide what you want, with a GUI?

Cheers, Chris.
-- 
_ __ _
\  __/ / ,__(_)_  | Chris Wilson  at qwirx.com - Cambs UK | / (_/
,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer | \
_/_/_/_//_/___/ | Stop nuclear war http://www.nuclearrisk.org |
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


RE: Openssl encrypt on UNIX, decrypt on Windows

2008-11-19 Thread Buicliu, Ion VSA:EX
Thank you Kyle, excellent details.

I will inform the client. 

Ion Buicliu

On Wed, Nov 19, 2008 at 1:34 PM, Buicliu, Ion VSA:EX
[EMAIL PROTECTED] wrote:
> If by CLI you mean Command Line Interface, yes, that's what I am using
> on UNIX (not a graphical interface). If not, please let me know what
> you mean by CLI.

Yes, command-line interface, invoked by cmd.exe.


> Also, I would appreciate if you can give me more details about using
> the keys and decrypting on Windows.

Use exactly the same commands you would use on UNIX.  OpenSSL does not
interact with the Windows certificate store at all.  It does not
interact with CryptoAPI.  It just deals with what's in the files that
you hand to it.

The only gotcha you need to worry about would be if you're decrypting on
Vista or Windows Server 2003+; you might be in a directory which
requires an integrity level of Medium or High, and most invocations of
cmd.exe have Low integrity (meaning you have to get to a directory that
Low integrity can write to, which is often your user account's Documents
directory or a subdir thereof).  Basically: if you get a cannot write
error, move the stuff to your user account's Documents folder and retry.


> Thank you.
>
> Ion Buicliu


remove

2007-01-16 Thread Buicliu, Ion VSA:EX


Ion Buicliu
Systems Integration Specialist
BC Vital Statistics Agency
Knowledge Management and Technology Division
Voice Mail:   (250) 952-2410
mailto:[EMAIL PROTECTED]




FW: FW: File encryption with smime

2006-08-17 Thread Buicliu, Ion VSA:EX
 


 
> What we are trying to do is to place an encrypted file on our ftp
> server for a specific user. The ftp server is behind a firewall, and
> the user can access and see only its account, and they are supposed to
> get the file and decrypt it. As far as we are concerned, we'd like to
> make sure that the file on our ftp server is as safe as possible. This
> can work if only that user has the private key to decrypt the file.
>
> I would like to hear any suggestions to make this file transfer as
> secure as possible.

The problem with PKI is not so much what is possible and what is not. It
is only a question of how cleverly you design the solution such that it
causes the least inconvenience to users at the same time ensuring the
best possible security. 

Let me suggest a possible solution to you. It is not scalable and
elegant but at least it can give you what you want.

You have to generate a keypair for each user with the genrsa command.
Make sure the user's private keys are protected with a well chosen
passphrase or USB dongle or something. Anyway you can distribute the
private keys to the users in a secure out of band mechanism. I am
assuming they are colocated in which case you could do it physically.

Or else the remote users can generate their own keypairs and you could
obtain their public keys in which case you might have to go in for
certificates since you have to ensure that the public key really belongs
to the user...

Now, you have to store the files corresponding to each user encrypted
with the public key of that particular user. For instance, 

File meant for A is encrypted with A's public key
File meant for B is encrypted with B's public key
and so on.

Now, the user just goes ahead, downloads the file , decrypts it with his
private key and you are set. 

Since a file encrypted with a public key can be decrypted only with the
corresponding private key this guarantees good security as long as the
user's private keys are not compromised.

Of course, you could go for some creative combos like having two private
keys for one public key with simple X-ORing and so on ...

Remember what I told you is just a conceptual overview of how things
could be. SMIME might be suited for this. 


Thank you again Girish. This is what I do and it works well except for 2
things:
1. why is the public cert (.cert) file needed for decryption, shouldn't
it be enough to have the private key (.key) for that?
2. how to put a 'well chosen password' on the private key? With the
-passout and what arguments?

Here is what I did, and it worked:

Create private and public keys:
openssl genrsa -out test.key 1024
openssl req -new -key test.key -out test.csr
openssl x509 -req -days 30 -in test.csr -signkey test.key -out test.cert
Encrypt:
openssl smime -encrypt -des3 -binary test.cert < File > File.enc
Decrypt:
openssl smime -decrypt -in File.enc -inkey test.key -recip test.cert > File.out

My final question: is des3 a high enough level of encryption (168 bits)?
Should we go higher, and if yes, what is recommended?

Thank you.

Ion Buicliu
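
Added example, not part of the original thread: the per-user scheme described in this message (passphrase-protected private key, file encrypted to that user's certificate), run end to end with the openssl CLI. The names userA/userB, the passphrases, the 2048-bit key size and the -aes256 cipher are assumptions chosen for the demo; the commands posted above use 1024-bit keys and -des3.

```shell
#!/bin/sh
# Added example: per-recipient S/MIME file encryption with the openssl CLI.
# All names, passphrases and file contents below are constructed.

# make_recipient NAME PASSPHRASE
# Writes NAME.key (private key, encrypted under PASSPHRASE) and NAME.cert.
make_recipient() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 30 -subj "/CN=$1" \
        -key "$1.key" -passin "pass:$2" -out "$1.cert"
}

# encrypt_for CERT IN OUT
# -binary: treat the input as raw bytes, no end-of-line canonicalisation.
encrypt_for() {
    openssl smime -encrypt -aes256 -binary -in "$2" -out "$3" "$1"
}

# decrypt_as NAME PASSPHRASE IN OUT
# -recip names the certificate used to find the matching recipient entry in
# the message; -inkey supplies the private key that actually decrypts.
# Returns non-zero when the key, certificate or passphrase does not fit.
decrypt_as() {
    openssl smime -decrypt -binary -in "$3" -out "$4" \
        -inkey "$1.key" -passin "pass:$2" -recip "$1.cert" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" &&
      make_recipient userA 'passphrase-for-A' &&
      make_recipient userB 'passphrase-for-B' &&
      printf 'constructed sample record\n' > File &&
      encrypt_for userA.cert File File.enc &&
      # The intended recipient recovers the file byte for byte.
      decrypt_as userA 'passphrase-for-A' File.enc File.out &&
      cmp -s File File.out &&
      # Another user's key, or a wrong passphrase, must not work.
      ! decrypt_as userB 'passphrase-for-B' File.enc other.out &&
      ! decrypt_as userA 'wrong passphrase' File.enc bad.out )
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "round trip ok; other key and wrong passphrase rejected"
```

In real use, supply the passphrase through an interactive prompt or a protected file (-passin file:...) rather than pass: on the command line, where it is visible in the process list.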


FW: File encryption with smime

2006-08-16 Thread Buicliu, Ion VSA:EX
Thank you Girish, I understand now. The combination: encrypt with
public key - decrypt with private works.

What we are trying to do is to place an encrypted file on our ftp server
for a specific user. The ftp server is behind a firewall, and the user
can access and see only its account, and they are supposed to get the
file and decrypt it. As far as we are concerned, we'd like to make sure
that the file on our ftp server is as safe as possible. This can work if
only that user has the private key to decrypt the file.

I would like to hear any suggestions to make this file transfer as
secure as possible.


Ion Buicliu



--- Buicliu, Ion VSA:EX [EMAIL PROTECTED] wrote:

> I am trying to do the following:
> - create a private and public key (self-signed certificate)
> - encrypt a file and place on an ftp server
> - the client will pick up the file and decrypt it using the PUBLIC key
>
> Here is what I did to create the certificate:
> openssl genrsa -out sfu.key 1024
> openssl req -new -key sfu.key -out sfu.csr
> openssl x509 -req -days 30 -in sfu.csr -signkey sfu.key -out sfu.cert
>
> Then encrypt:
> openssl smime -encrypt -des3 -binary sfu.cert < bfile > bfile.enc
>
> At this stage I was thinking that I would pass the public cert
> (sfu.cert) to the user and ask them to do the decryption like this:
> openssl smime -decrypt -inkey sfu.cert < vsvic3f03.enc > vsvic3f03.out
>
> This doesn't work. The error is: unable to load signing key file
>
> This is what works, using the private key:
> openssl smime -decrypt -inkey sfu.key < vsvic3f03.enc > vsvic3f03.out
>
> This is not what I want.
> How can I encrypt a file, have it safe on a public site (for ftp) and
> have the client use a public key to decrypt it?

I am afraid you are doing things against the recommendations of public
key crypto. If you really want the client use a public key to decrypt
it, then remember that what you have is a signature and that you are
merely verifying it. Since public key is public. 

OTOH, if you want to do public key decryption then you could do first
encrypt with the client's public key...

Since I am not quite clear what is it that you want to accomplish, I can
only tell you this much that if you encrypt with public key, you decrypt
with private key and vice versa. 

regards,
Girish
 
> I am a bit new at this, so I am eager to learn as much as possible
> about it.
> Thank you.
>
> Ion Buicliu
> mailto:[EMAIL PROTECTED]
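
Added example, not part of the original thread: the distinction drawn in the reply above between a signature (made with the private key, checked with the public certificate) and encryption (made with the public certificate, undone with the private key). It reuses the sfu and bfile names from the post; the file content, the 2048-bit key and -aes256 are assumptions for the demo.

```shell
#!/bin/sh
# Added example. Key, certificate and file contents are constructed.

# make_identity NAME: unprotected demo key plus self-signed certificate
make_identity() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 30 -subj "/CN=$1" -key "$1.key" -out "$1.cert"
}

sign_vs_encrypt() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && make_identity sfu &&
      printf 'MARKER-constructed-plaintext\n' > bfile &&

      # Signing uses the private key, and the content stays readable in
      # the output: no key is needed to see it.
      openssl smime -sign -text -signer sfu.cert -inkey sfu.key \
          -in bfile -out bfile.signed &&
      grep -q 'MARKER-constructed-plaintext' bfile.signed &&

      # The public certificate only lets a reader check who produced it.
      openssl smime -verify -text -noverify -nointern -certfile sfu.cert \
          -in bfile.signed -out bfile.checked 2>/dev/null &&
      grep -q 'MARKER-constructed-plaintext' bfile.checked &&

      # Encrypting to the certificate hides the content ...
      openssl smime -encrypt -aes256 -binary -in bfile -out bfile.enc sfu.cert &&
      ! grep -q 'MARKER-constructed-plaintext' bfile.enc &&

      # ... and a certificate is not a private key, so it cannot decrypt
      # (the "unable to load signing key file" case from the post).
      ! openssl smime -decrypt -inkey sfu.cert -in bfile.enc -out x 2>/dev/null &&
      openssl smime -decrypt -binary -inkey sfu.key -recip sfu.cert \
          -in bfile.enc -out bfile.out &&
      cmp -s bfile bfile.out )
    rc=$?
    rm -rf "$dir"
    return $rc
}

sign_vs_encrypt && echo "signature readable by all; ciphertext only by key holder"
```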
 
 
 




File encryption with smime

2006-08-15 Thread Buicliu, Ion VSA:EX
I am trying to do the following:

- create a private and public key (self-signed certificate)

- encrypt a file and place on an ftp server

- the client will pick up the file and decrypt it using the PUBLIC key


Here is what I did to create the certificate:

openssl genrsa -out sfu.key 1024

openssl req -new -key sfu.key -out sfu.csr

openssl x509 -req -days 30 -in sfu.csr -signkey sfu.key -out sfu.cert


Then encrypt:

openssl smime -encrypt -des3 -binary sfu.cert < bfile > bfile.enc


At this stage I was thinking that I would pass the public cert (sfu.cert) to the user and ask them to do the decryption like this:

openssl smime -decrypt -inkey sfu.cert < vsvic3f03.enc > vsvic3f03.out


This doesn't work. The error is: unable to load signing key file


This is what works, using the private key:

openssl smime -decrypt -inkey sfu.key < vsvic3f03.enc > vsvic3f03.out


This is not what I want. 

How can I encrypt a file, have it safe on a public site (for ftp) and have the client use a public key to decrypt it?


I am a bit new at this, so I am eager to learn as much as possible about it.

Thank you.



Ion Buicliu

mailto:[EMAIL PROTECTED]