Re: DH-algorithm using OpenSSL

2012-12-28 Thread Jeffrey Walton
On Fri, Dec 28, 2012 at 3:37 PM, Hemayamini Kurra
hemayaminiku...@email.arizona.edu wrote:
 Hello!!

 I am implementing DH algorithm using OpenSSL library.
 My scenario is -
 using DH key exchange algorithm for key generation and exchange between
 client and server. Using DSA for two way authentication.
 server:
Could be tricky to get right, especially when you need semantic
authentication over the process.

 I have generated DH parameters using DH_generate_parameters()
 I have generated the public and private keys using DH_generate_key()
Don't forget to validate the key. If you don't validate a key, you
cannot use it. For encryption, that means you don't apply your secret
to an unvalidated key; and for signatures, you don't trust the outcome
of the verification process.

GnuPG is a special case. They used Lim-Lee primes and they can't be
validated without obtaining the unique factorization. I would
recommend asking for a key composed of a strong or safe prime or
refuse to process their data (but I've always been
defensive/paranoid).

 I am using TCP socket programming in C to send the prime generator and
 ...

 I am getting segmentation fault.
That sounds like a network programming problem. Have you been through
W. Richard Stevens' TCP/IP Illustrated or UNIX Network
Programming?

Jeff
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: DH-algorithm using OpenSSL

2012-12-28 Thread Hemayamini Kurra
Thanks for the reply Jeff!!

The problem comes when I try to send the values of prime and publickey to
peer. As I am converting BIGNUM to binary and then at the peer the other
way round, the parameters are not received properly by the peer!!





Re: DH-algorithm using OpenSSL

2012-12-28 Thread Jeffrey Walton
On Fri, Dec 28, 2012 at 4:32 PM, Hemayamini Kurra
hemayaminiku...@email.arizona.edu wrote:
 Thanks for the reply Jeff!!

 The problem comes when I try to send the values of prime and publickey to
 peer. As I am converting BIGNUM to binary and then at the peer the other way
 round, The parameters are not received properly by the peer!!
Use BSON to package the data. It sounds like it's a presentation layer problem.

Jeff
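The two points raised in this thread, framing the BN_bn2bin() output so the peer can parse it back and not trusting what arrives, as an added example that is not from the thread or from OpenSSL. It is plain C with no libcrypto dependency: frame_put/frame_get and the short-read stream_t (a constructed stand-in for a TCP socket) are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Wire format: 4-byte big-endian length, then exactly that many bytes (the
 * bytes BN_bn2bin() produced; BN_bin2bn() rebuilds the BIGNUM from them).
 * Returns bytes written, or 0 if out cannot hold the whole frame. */
size_t frame_put(uint8_t *out, size_t cap, const uint8_t *data, uint32_t len)
{
    if (cap < 4 + (size_t)len) return 0;
    out[0] = (uint8_t)(len >> 24); out[1] = (uint8_t)(len >> 16);
    out[2] = (uint8_t)(len >> 8);  out[3] = (uint8_t)len;
    memcpy(out + 4, data, len);
    return 4 + len;
}
/* Constructed stand-in for a TCP socket: returns at most 3 bytes per call,
 * the way read(2) may return fewer bytes than were requested. */
typedef struct { const uint8_t *buf; size_t len, pos; } stream_t;
static size_t stream_read(stream_t *s, uint8_t *dst, size_t n)
{
    size_t left = s->len - s->pos;
    if (n > 3) n = 3;
    if (n > left) n = left;
    memcpy(dst, s->buf + s->pos, n);
    s->pos += n;
    return n;                       /* 0: peer closed the connection */
}
/* Keep reading until exactly n bytes have arrived; 0 on early EOF. */
static int read_full(stream_t *s, uint8_t *dst, size_t n)
{
    size_t got = 0;
    while (got < n) {
        size_t r = stream_read(s, dst + got, n - got);
        if (r == 0) return 0;
        got += r;
    }
    return 1;
}
/* Read one frame into out and return its length, or -1 on EOF or when the
 * announced length exceeds cap: the peer's length field is untrusted input. */
int frame_get(stream_t *s, uint8_t *out, size_t cap)
{
    uint8_t h[4];
    if (!read_full(s, h, 4)) return -1;
    uint32_t len = ((uint32_t)h[0] << 24) | ((uint32_t)h[1] << 16) |
                   ((uint32_t)h[2] << 8) | (uint32_t)h[3];
    if (len > cap || !read_full(s, out, len)) return -1;
    return (int)len;
}
```

BN_bn2bin() omits leading zero bytes, so the prime and a public value will generally have different lengths and the receiver cannot assume one, which is why each frame carries its own. After BN_bin2bn() on the received bytes, DH_check() on the parameters and DH_check_pub_key() on the peer's value are the validation step mentioned earlier in the thread.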
