Re: DSA key sizes

2000-07-12 Thread Pete Chown

Eric Rescorla wrote:

> SHA-1 is only 2^80 strong against birthday attack. If you
> go around using SHA-1 or worse yet MD5 to sign stuff then
> using a private key of size > 1024 is only of limited value.

If you want to forge a signature, you will probably not be able to use
the birthday attack.  You need to find something whose hash is
identical to one already signed, not just a random collision.

That said, I do think that the hash function may well be the weakest
link in a lot of modern systems.  No one (outside government) really
uses Skipjack because the cryptanalytic results known have destroyed
people's confidence.  The results known for MD5 are probably just as
significant, but plenty of people still use that.

A related problem is that systems using TLS are forced to support
earlier, possibly less secure hashes.  There are still certs going
around that use MD2, for example.

-- 
Pete
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
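An added illustration of the collision versus second-preimage distinction made in the reply above (example code written for this archive, not part of the original post or of OpenSSL). SHA-1 is truncated to 16 bits so both searches finish in well under a second; the input prefixes, the sample signed message and the bit size are constructed for the demonstration. The collision search only has to find some pair of inputs with equal hashes and finishes in roughly 2**8 tries; the second-preimage search, which is what a forger needs against a message that has already been signed, must match one fixed value and takes roughly 2**16.

```python
import hashlib
from typing import Dict, Tuple


def trunc_hash(data: bytes, bits: int) -> int:
    """SHA-1 truncated to its top `bits` bits so both searches are cheap.
    Real SHA-1 is 160 bits; truncation only scales the work factors down."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def birthday_collision(bits: int, prefix: bytes = b"msg-") -> Tuple[int, bytes, bytes]:
    """Collision search: any two distinct inputs with the same truncated hash.
    Expected work is about 2**(bits/2) hashes (the birthday bound).
    Returns (hashes computed, first input, second input)."""
    seen: Dict[int, bytes] = {}
    i = 0
    while True:
        m = prefix + str(i).encode()  # constructed, sequential inputs
        h = trunc_hash(m, bits)
        if h in seen:
            return i + 1, seen[h], m
        seen[h] = m
        i += 1


def second_preimage(target: bytes, bits: int, prefix: bytes = b"forge-") -> Tuple[int, bytes]:
    """Second-preimage search: an input other than `target` hashing to target's
    value, i.e. what a forger needs once `target` has already been signed.
    Expected work is about 2**bits hashes, the square of the birthday bound.
    Returns (hashes computed, forged input)."""
    want = trunc_hash(target, bits)
    i = 0
    while True:
        m = prefix + str(i).encode()
        if m != target and trunc_hash(m, bits) == want:
            return i + 1, m
        i += 1


if __name__ == "__main__":
    BITS = 16  # toy size: roughly 2**8 versus 2**16 expected hashes
    n1, a, b = birthday_collision(BITS)
    print(f"collision after {n1} hashes: {a!r} and {b!r} share {trunc_hash(a, BITS):#06x}")
    signed = b"pay Alice 100"  # constructed: the message the victim already signed
    n2, forged = second_preimage(signed, BITS)
    print(f"second preimage after {n2} hashes: {forged!r} hashes like {signed!r}")
```

The ratio between the two counts is what the 2^80 figure for SHA-1 refers to: it is the collision cost, and the second-preimage cost for the same function is 2^160.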



Re: MDC2 block size

2000-06-30 Thread Pete Chown

Burger, Kobus K wrote:

> I have noticed a couple of discrepancies between mainframe support for MDC2
> and OpenSSL's support: 
> 
> * Mainframe supports MDC2 with various keys (The documentation notes that
> the default key is the same as the one used by OpenSSL) - OpenSSL has a
> single key hardcoded.

I don't understand -- MDC2 doesn't have a key.  It takes input data
and produces a hash value.  You could do HMAC with it in which case it
would have a key, I suppose.

> * The Mainframe MDC2 blocksize is 16, OpenSSL's blocksize is 8 bytes. 

MDC2 works in conjunction with a block cipher.  It takes inputs which
are the size of the block cipher's blocks and produces an output which
is twice that.  So if you use DES as the block cipher you will have
the OpenSSL block size.  If you used an AES candidate, say, you would
end up with the mainframe block size.

OpenSSL seems to support MDC2 with DES for use in signature
algorithms, but I don't know who uses this or where it is documented.

-- 
Pete
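An added example (not code from the original post or from OpenSSL) of the structure described in the reply above: MDC-2 written as a generic construction over an n-byte block cipher, so that the digest is 2n bytes whatever cipher is plugged in. The block cipher here is a toy XOR-and-rotate function standing in for DES, because the Python standard library has no DES; the key fix-up bits, the initial values and the zero padding follow OpenSSL's DES-based MDC2, but with the toy cipher the digests are of course not comparable with real MDC2 output.

```python
from typing import Callable

# (key, block) -> ciphertext block; key and block are the same length here
BlockCipher = Callable[[bytes, bytes], bytes]


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES (NOT secure, an assumption of this example): XOR with
    the key, then rotate the bytes by one so each output byte depends on two
    input bytes. It exists only so the MDC-2 chaining can run stand-alone."""
    assert len(key) == len(block)
    x = bytes(k ^ b for k, b in zip(key, block))
    return x[1:] + x[:1]


def _fix_key(chain: bytes, pattern: int) -> bytes:
    """MDC-2 key fix-up: bits 2 and 3 of the first byte (counting from the
    MSB) are forced to 10 for the A chain and 01 for the B chain, so the two
    chains never encrypt under the same key. `pattern` is 0b10 or 0b01."""
    first = (chain[0] & 0b10011111) | (pattern << 5)
    return bytes([first]) + chain[1:]


def mdc2(message: bytes, cipher: BlockCipher = toy_block_cipher, n: int = 8) -> bytes:
    """MDC-2 over an n-byte block cipher: consumes n-byte blocks and emits a
    2n-byte digest. n=8 is the DES case (OpenSSL's 8-byte block, 16-byte
    digest); n=16 is what a 128-bit block cipher would give."""
    padded = message + b"\x00" * (-len(message) % n)  # zero padding, as OpenSSL's MDC2 does
    half = n // 2
    a = bytes([0x52]) * n  # OpenSSL's MDC2 initial values, extended to n bytes
    b = bytes([0x25]) * n
    for i in range(0, len(padded), n):
        m = padded[i:i + n]
        # Each chain: encrypt the block under its (fixed-up) chain value, XOR the block back in.
        v = bytes(x ^ y for x, y in zip(cipher(_fix_key(a, 0b10), m), m))
        w = bytes(x ^ y for x, y in zip(cipher(_fix_key(b, 0b01), m), m))
        # Then swap the right halves between the two chains.
        a, b = v[:half] + w[half:], w[:half] + v[half:]
    return a + b


if __name__ == "__main__":
    for n in (8, 16):
        d = mdc2(b"The quick brown fox", n=n)
        print(f"block {n} bytes -> digest {len(d)} bytes: {d.hex()}")
```

Swapping in a real cipher only requires a function with the same (key, block) signature and a key as long as the block, which is why the mainframe's 16-byte block size simply follows from the cipher it uses.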



Re: Random Numbers in Client Hello and Server Hello

2000-06-21 Thread Pete Chown

Raghuram Belur wrote:

> I am wondering if it is possible to use some simple cross-platform
> [PRNG] on the client which is probably not too hard to guess and use
> a more robust mechanism such as an entropy gathering daemon on the
> server

You will have to be very careful.  For example, if you use ElGamal or
its variants, inadequate random numbers cause leakage of your long
term key.

I think you could make a workable scheme with RSA keys, though it
wouldn't work within the constraints of an established protocol like
TLS/SSL.

The first step in this protocol would be that the server would choose,
say, 128 random bits.  It would encrypt and sign these and send them
to the client.  The client would use them as the seed for a secure
PRNG.  The protocol would then proceed as normal.  Obviously the
client's random numbers would be completely predictable to the server,
but that would not help an attacker.

It is important that the PRNG seeds cannot be replayed to clients.
One way of stopping this would be to include a timestamp and the
identity of the client in the signed data.  The timestamp stops very
old seeds being replayed.  At the same time, the client will store
used seeds for a certain period; otherwise a seed might be accepted
erroneously if the client's clock was out of synchronisation with the
server's.

-- 
Pete
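The seed protocol sketched in the reply above, as an added example that is not part of the original post. The Python standard library has no RSA, so an HMAC under a key shared out of band (a constructed value) stands in for the server's sign-and-encrypt step; it gives the client the origin and integrity check that the signature provides, but not the confidentiality of the encryption. The client identity, the timestamp window and the replay cache are implemented as described: the cache keeps a used seed for as long as the timestamp check could still accept it, so a replay is caught even when the two clocks disagree by less than the window.

```python
import hmac
import json
import os
import time
from typing import Dict, Optional

# Constructed: stands in for the server's signing key. With real RSA the client
# would hold only the server's public key; with an HMAC it holds this shared secret.
SERVER_KEY = b"constructed-demo-server-key"


def _mac(body: Dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, canonical, "sha256").hexdigest()


class SeedServer:
    """Issues 128-bit seeds drawn from the server's strong entropy source."""

    def issue_seed(self, client_id: str, now: Optional[int] = None) -> Dict:
        body = {
            "seed": os.urandom(16).hex(),
            "ts": int(time.time()) if now is None else int(now),
            "client": client_id,
        }
        return {**body, "mac": _mac(body)}


class SeedClient:
    """Accepts a seed only if it is authentic, addressed to this client, fresh and unused."""

    def __init__(self, client_id: str, max_skew: int = 300):
        self.client_id = client_id
        self.max_skew = max_skew
        self.used: Dict[str, int] = {}  # seed -> the timestamp it carried

    def accept(self, envelope: Dict, now: Optional[int] = None) -> Optional[bytes]:
        now = int(time.time()) if now is None else int(now)
        try:
            body = {k: envelope[k] for k in ("seed", "ts", "client")}
            mac = envelope["mac"]
        except KeyError:
            return None
        if not hmac.compare_digest(_mac(body), mac):
            return None  # not from the server, or altered in transit
        if body["client"] != self.client_id:
            return None  # issued to another client; replaying it here must fail
        if abs(now - body["ts"]) > self.max_skew:
            return None  # stale (or from the future): outside the accepted window
        # Drop seeds the timestamp check could no longer accept anyway, then check
        # this one. Entries live exactly as long as the window, which is what lets
        # the cache catch replays that the clock-skew allowance would let through.
        self.used = {s: t for s, t in self.used.items() if abs(now - t) <= self.max_skew}
        if body["seed"] in self.used:
            return None  # replay within the window
        self.used[body["seed"]] = body["ts"]
        return bytes.fromhex(body["seed"])


class SeededPRNG:
    """Deterministic generator keyed by the seed: HMAC-SHA256 over a counter.
    The server, knowing the seed, could reproduce the stream; nobody else can."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += hmac.new(self.seed, self.counter.to_bytes(8, "big"), "sha256").digest()
            self.counter += 1
        return bytes(out[:n])


if __name__ == "__main__":
    server, client = SeedServer(), SeedClient("client-1")
    env = server.issue_seed("client-1")
    seed = client.accept(env)
    print("accepted:", seed is not None, "replay accepted:", client.accept(env) is not None)
    print("client random:", SeededPRNG(seed).random_bytes(32).hex())
```

The `now` parameters exist so the window and cache behaviour can be exercised without waiting; in use both sides read the clock.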



Re: RSA Patent Issues... interesting article...

2000-05-10 Thread Pete Chown

Geoff Thorpe wrote:

> Which leaves
> the mathematical consideration of the multi-prime keys themselves, and
> their generation, to be debated (ie. I doubt the patent could rest on an
> argument that it is a physical process, or an implementation invention,
> because that should bang its head on the prior art I would have though).

Does anyone have a patent number for the multiprimes patent?  I was
involved in a discussion about something along those lines before the
patent was published, so I am keen to find out if any of it would be
useful prior art.

--
  phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ



Re: How does signature's length grows

2000-05-10 Thread Pete Chown

Salz, Rich wrote:

> > Pls excuse my silly question. Can anyone kindly tell me whether
> > signatures have fixed lengths or not?
> 
> For RSA sizeof(sig) == sizeof(key)

For DSA, the signature is 320 bits -- two numbers the size of the
small modulus.  For ElGamal the signature is twice the length of the
(only) modulus.

--
  phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ



Re: Seeking officers for Free-software-friendly CA

2000-01-04 Thread Pete Chown

Dr. Greg Quinn wrote:

> A big limitation as far as I can see would be getting certs
> pre-installed into web browsers.  The chance of either MS or
> netscape doing this would be close to none.

Yes.  On the other hand, there is a way of giving people a trusted
copy of the root certificate without it being pre-installed.  You get
a certificate from some other CA, and use that on the web server that
supplies the root cert.  People thus know that the copy of the root
cert they are receiving really comes from freecert.  (Of course, they
don't know how much freecert is to be trusted.)

--
  phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ



Re: openssl desperately needs some intro docs

2000-01-04 Thread Pete Chown

Leland V. Lammert wrote:

> I don't think you have placed OpenSSL in the proper
> perspective. OpenSSL is a *toolkit* used primarily with OTHER
> applications.

Most toolkits have documentation, though.  Developers need to know how
to use the product just like anyone else.  For an example, see the GNU
C library documentation -- very comprehensive and clear.

> Would you complain that gcc does not have documentation? 

... but it does (separate from the library documentation).

(I am not wanting to detract from OpenSSL at all -- it is a very good
product, and we all understand the effort that went into writing it.)

--
  phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ



Re: sslified imap server

1999-12-02 Thread Pete Chown

Kristian Köhntopp wrote:

> Now, where do I find a free SSLified IMAP server, please? ;-)

It depends if you want the old or new version of the protocol.  The
old version has a different port number for secured IMAP; the new one
doesn't.  If you want the new version, you could have a look at
SafeGossip:

http://www.skygate.co.uk/safegossip

It's currently at a beta release, but there are portability problems
that stop it working on anything besides a very up to date Linux.  I'm
working on it...

(Actually SafeGossip will implement the old protocol version as well,
but if that is all you want there is no point -- there are much
simpler products available.)

--
  phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ



ANNOUNCE: SafeGossip first beta

1999-11-22 Thread Pete Chown

At long last, here is the first beta release of SafeGossip, which
implements the new RFCs and Internet drafts for telnet, FTP, IMAP, POP
and SMTP over TLS.

Here are some of the new features:

* Telnet support is now implemented according to the Internet draft.
* You can now configure SafeGossip using a web browser.
* Lots of installation bug fixes.  You shouldn't have to edit any of
  the scripts now; they should look for things in the right place
  automatically.

Please try it and send me your (positive or negative) experiences.  I
want the product to be simple to install and use -- but I depend on
your howls of anguish to get me there!

SafeGossip is distributed under the GPL.  You can browse the manual
and download SafeGossip from:

http://www.skygate.co.uk/safegossip

"This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit. (http://www.openssl.org/)"

"This product includes cryptographic software written by Eric Young
([EMAIL PROTECTED])"

--
  phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ



Re: Mapping Certs to local account names: is there a standard practice?

1999-11-03 Thread Pete Chown

Jeffrey Altman wrote:

> How are you mapping a client cert to a local Unix account name?
> 
> Are you using a field within the cert?  If so, which one(s)?  Are
> different fields used for different services?
> 
> Or are you using some form of Certificate MApping Service which takes
> a validated cert as input and returns a local account name?  If so,
> how are you implementing this service?

I've had this problem as well -- as far as I can see there is no good
answer.  If you use a special field, you run into problems with CAs
that won't add them.  Also it is not the way certificates are
"supposed" to be used: they are meant to be evidence of identity and
not evidence of the right to use a particular machine.

One approach would be to use the email field.  If you have email
addresses of the form id@firm, this is essentially giving you what you
need.  You want to make sure that the firm is yours, and then allow
the person to log on with that id.

Another approach might be to use the certificate's DN to look up the
user in an LDAP/X.500 database.  You then get the user ID out of that.

Dennis Glatting wrote:

> I remember reading a standard on mapping X.400 to SMTP. Maybe that'll
> help. Try the RFC repositories.

The document in question is RFC 2156.  It doesn't help a great deal --
it just describes a way to represent X.400 DNs as RFC 822 addresses.
For example

C=GB; PRMD=foo; O=bar; S=baz

would become something like:

"/C=GB/PRMD=foo/O=bar/S=baz"@x400-relay.wibble.com

--
  phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ



Re: using openssl like pgp

1999-10-22 Thread Pete Chown

Joe Pruett wrote:

> Did you ever find a way to do this?  I am just starting down the same
> road.  PGP licensing is way out of control for commercial use nowadays
> ($9500!).

If you want to do PGP-style messages for commercial use, you are
probably best off with the GNU Privacy Guard (www.gnupg.org).  This
can do RSA if you download the appropriate module.  You could also do
RSA with the old GPL version of PGP.

--
  phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ



SafeGossip

1999-10-04 Thread Pete Chown

Some of you have been asking about my package which implements various
protocols over TLS.  Here is an alpha release.  I have called the
package SafeGossip, or Gossip for short.

Currently the protocols implemented are FTP, telnet (sort of), IMAP,
SMTP and POP.  Gossip supports both the old and new forms of the
protocols; you can either have a dedicated port for the secured version
of the protocol or it can share a port with the cleartext version.

I don't want to arouse unrealistic expectations at this stage!  The
product is an alpha release aimed mainly at the people who wanted to do
interoperability testing.  There are undoubtedly lots of bugs and the
package isn't really very "polished".

If you still want to download it, the URL is:

http://www.skygate.co.uk/safegossip/

Please let me know of any bugs you find; especially any non-conformance
with the protocol specifications.

--
  phone +44 (0) 208 542 7856, fax +44 (0) 208 543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ



Re: Perl, FTP & SSL

1999-09-30 Thread Pete Chown

"Roth, Leland" wrote:

> 2) Can anyone point to a decent 'SSL ftp' standalone program? I might
> couple that with some Perl to build a workable solution.

Of course FTP over SSL is only an Internet draft at present.  However I
am currently working on implementing it (as well as telnet, pop, imap
and smtp over SSL).  Currently all except FTP are working if not very
polished.  I was intending to spend some time smartening things up and
writing documentation and release it in a few weeks.  However if you
like I could add FTP next weekend and release an alpha version.

It is actually quite usable -- there are things I want to change but as
far as I know there aren't any show stopping bugs.

--
  phone +44 (0) 208 542 7856, fax +44 (0) 208 543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ



Re: a task that I'm sure someone has solved

1999-09-28 Thread Pete Chown

Craig Idler wrote:

> Has someone done something like this in the past? It seems an ssl enabled
> telnet program could do this. It's so easy to use basic telnet talking to port
> 80, but using something that communicates with port 443 is a different story.

Try "openssl s_client".  This is similar to an SSL enabled telnet except
that it doesn't do telnet option negotiation.  In other words, it won't
work very well talking to a telnetd but you won't notice a lot of
difference if you are talking to something like an httpd.

--
  phone +44 (0) 208 542 7856, fax +44 (0) 208 543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ



Re: What US companies need to know about RSA

1999-09-21 Thread Pete Chown

Dave Neuer wrote:

> RSADSI seem to have a propensity for casting information in a decidedly
> pro-RSADSI light.  Kind of like the way they convinced the IETF that the
> licensing for RSA would always be "affordable and non-discriminatory."

Interestingly one of the RFCs says that the licence fee is fixed at 2%
of the selling price (I will dig out the exact RFC number if anyone is
interested).  That could equate to a good deal for producers of free
software.

Of course the question arises as to what extent RSA are bound by that
statement.  I can only write from an English viewpoint, but here there
is a concept called, confusingly, `estoppel'.  The idea is that if
someone makes a promise that would not ordinarily be binding, but you
rely on it to your detriment, they are not subsequently allowed to
retract.  (Of course this is an oversimplification.)  The English and
American legal systems are quite similar in a lot of ways, so does
anyone have any idea how it would be seen on the other side of the pond?

--
  phone +44 (0) 208 542 7856, fax +44 (0) 208 543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ



Re: Signing external certs with local CA

1999-06-29 Thread Pete Chown

Dmitry Morozovsky wrote:

> Now I'm staring at a very special problem: when a user already has a
> personal cert from one of the master CAs, it seems to be the "Right Thing" to use
> this cert for authorization instead of making another local user
> certificate. As I understand it, the best way to use it is to sign the existing cert
> with the local CA. Am I wrong at this stage?

As far as I know an X.509 certificate can only be signed by one CA.  So
although you could substitute a different signature it would then be a
different certificate that would have to be loaded into the user's
browser separately.  This would defeat the object really.

If you wanted you could set your server to trust the CA that originally
issued that user's certificate.  Then, of course, you would have to have
a table that says which people are permitted to use your system, rather
than this being implicit in the fact that a user possesses a
certificate.  (It is often said that certificates should only be used to
vouch for identity and not as a basis for access control decisions.  Of
course in practice people do not always keep to this.)

---
Pete Chown, email  [EMAIL PROTECTED],   phone  +44 (0) 181 680 8393,
fax+44 (0) 181 688 8013,   mobile +44 (0) 468 765 645,
post   58 Foss Avenue, Croydon, CR0 4EU, England



Re: Mapping Certs to local account names: is there a standard pra

1999-01-02 Thread Pete Chown

Michael Urban wrote:

> Perhaps a file mapping a certificate subject name to a local
> username is a better solution. The certificate can be used at sites
> with different usernames that aren't known at certificate issue time,
> and doesn't require extra baggage in the certificate. 

This might work for me, but it wouldn't work for John Smith...  You
don't want a second person turning up, who is genuinely called John
Smith, but isn't the person you thought you were referring to.

A better approach would be to map the whole DN to the user ID, but
then you run into problems with CAs that don't include much
information in the DN.  I think the Thawte freemail CA is like this;
the DN is just your name with enough containers to make it valid.
(Not that there is a lot else that they could do, but it makes it a
bit awkward.)

--
  phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ
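An added example (not from any of the posts above) of the mapping choices discussed in the two cert-mapping threads and in the reply on trusting an external CA: a lookup keyed by issuer and full subject DN, with the email-field rule as a fallback, and an explicit table standing in for "possessing a certificate means you may log in". The DN strings, the domain and the trusted issuer are constructed; the parser handles OpenSSL's one-line /C=.../CN=... subject format and assumes no escaped slashes. The CN-only mapping is included only to show where two John Smiths collide.

```python
import re
from typing import Dict, Optional, Tuple

OUR_DOMAIN = "firm.example"  # constructed: our users' addresses are id@OUR_DOMAIN

# Issuers whose certificates the server accepts at all (constructed DNs).
TRUSTED_ISSUERS = {"/C=GB/O=Example Free CA/CN=Example Free CA Root"}

# Explicit authorisation table: (issuer DN, subject DN) -> local account.
# Keyed by the whole subject DN, not the CN, so two people called John Smith
# stay distinct, and by issuer too, because the same subject DN certified by
# another CA is a different identity.
ACCOUNT_TABLE: Dict[Tuple[str, str], str] = {
    ("/C=GB/O=Example Free CA/CN=Example Free CA Root",
     "/C=GB/O=Skygate/CN=John Smith"): "jsmith",
}

# What a local account name may look like; anything else from the email field
# is refused rather than handed to the login code.
SAFE_ACCOUNT = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse '/C=GB/O=bar/CN=John Smith/emailAddress=x@y' into a dict.
    Assumption: no '/' inside values; a repeated attribute keeps its last value."""
    attrs: Dict[str, str] = {}
    for part in dn.strip("/").split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def cn_of(subject: str) -> Optional[str]:
    """The naive mapping (CN only); shown because it is the one that collides."""
    return parse_dn(subject).get("CN")


def account_for(issuer: str, subject: str) -> Optional[str]:
    """Map a validated certificate to a local account, or None if it gets none.
    Order: trusted issuer -> explicit table -> email rule id@OUR_DOMAIN -> refuse."""
    if issuer not in TRUSTED_ISSUERS:
        return None
    account = ACCOUNT_TABLE.get((issuer, subject))
    if account is not None:
        return account
    email = parse_dn(subject).get("emailAddress")
    if email and "@" in email:
        local, domain = email.rsplit("@", 1)
        if domain.lower() == OUR_DOMAIN and SAFE_ACCOUNT.match(local):
            return local
    return None


if __name__ == "__main__":
    issuer = "/C=GB/O=Example Free CA/CN=Example Free CA Root"
    for subject in ("/C=GB/O=Skygate/CN=John Smith",
                    "/C=GB/O=Other Ltd/CN=John Smith",
                    "/C=GB/CN=Jane Doe/emailAddress=jdoe@firm.example"):
        print(f"{subject!r}: CN={cn_of(subject)!r} -> account {account_for(issuer, subject)!r}")
```

Whether the email rule is acceptable depends on what the CA verified before putting the address in the certificate; if it only checked that mail could be received at the address, the rule is only as strong as the mailbox.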