Re: Secure plaintext-derived filename [was: HMAC with RSA Key]

2011-10-26 Thread Jakob Bohm

On 10/26/2011 3:01 PM, Steffen DETTMER wrote:

> > 4. Truncate the string to your desired file name length, but not so
> > short that accidental collisions become likely (Example to
> > keep up to 16000 file names likely different, use file names with 2 *
> > log2(16000)=2*14=28 bits minimum).
>
> Where can I learn more about this formula?
> I think it does not work well for small number of files
> and I wonder why it isn't something like "log2(n)+20"
> or "2*log2(n)+10" or so?

Google "Birthday paradox", the formula I gave is a rough and not very precise
variant.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: Secure plaintext-derived filename [was: HMAC with RSA Key]

2011-10-26 Thread Steffen DETTMER
> > 4. Truncate the string to your desired file name length, but not so
> > short that accidental collisions become likely (Example to
> > keep up to 16000 file names likely different, use file names with 2 *
> > log2(16000)=2*14=28 bits minimum).

Where can I learn more about this formula?
I think it does not work well for small number of files
and I wonder why it isn't something like "log2(n)+20"
or "2*log2(n)+10" or so?

oki,

Steffen


Re: Secure plaintext-derived filename [was: HMAC with RSA Key]

2011-10-25 Thread Jakob Bohm
SHA-1 is partially broken already.  It should not be used unless 
necessary for backwards compatibility.


On 10/25/2011 9:01 PM, Jonas Schnelli wrote:
>> On 10/25/2011 10:52 AM, Jonas Schnelli wrote:
>>> How do I create a HMAC-SHA1 with an RSA Key?
>>> What do I give as input for the param *key?
>>>
>>> Why:
>>> My encrypted file has now the filename of the
>>> unencrypted-files-sha1. (insecure!).
>>> I cannot use the sha1 of the encrypted file because I use EVP_Seal*
>>> (aes256 session key) so the sha1 of the encrypted file will change
>>> after every encryption (need to be constant because of the other
>>> function in the project).
>>> My approach is, to use an encrypted sha1 of the unencrypted file (so
>>> it might keep constant).
>>> I also tried to use RSA_public_encrypt on the unencrypted sha1, but
>>> I'd like to avoid 128BIT filenames.
>>>
>> From your question, I gather that you want the following:
>>
>> Give the encrypted file a (short) file name which is computed from the
>> unencrypted plaintext in a way that adversaries cannot use to determine
>> if the plaintext is the same as some guessed value, or which otherwise
>> helps adversaries.
>>
>> It is OK if only the encrypting party can generate the file name
>> (otherwise an adversary could calculate it too).
>>
>> Proposed solution.
>>
>> 1. Generate a secret 224 bit key and store it somewhere safe (as safely
>> as you store your RSA private keys).
>>
>> 2. Use this secret key as the key when computing HMAC-SHA224 of
>> the unencrypted plaintext.
>
> Another thing:
> Can I also just make a HMAC-SHA224 of the SHA1 of the unencrypted
> plaintext instead of the whole plaintext?
>
> Is this too unsafe?
> Remember: I just want to have a filename which does not lead to a possible
> file-content.
>
> Thanks
>
>> 3. Convert the resulting 224 bit value to a string using Base32 or another
>> scheme of your choosing. (Base32 would produce a 45 character
>> case insensitive string).
>>
>> 4. Truncate the string to your desired file name length, but not so short
>> that accidental collisions become likely (Example to keep up to 16000
>> file names likely different, use file names with 2 * log2(16000)=2*14=28
>> bits minimum).
>>
>> --
>> Jakob Bohm, CIO, WiseMo A/S.
>> Secure remote control of Smart phones, PCs and embedded systems.
>> This public posting comes with no promises, no warranties and is not
>> binding.




Re: Secure plaintext-derived filename [was: HMAC with RSA Key]

2011-10-25 Thread Jonas Schnelli



> On 10/25/2011 10:52 AM, Jonas Schnelli wrote:
>> How do I create a HMAC-SHA1 with an RSA Key?
>> What do I give as input for the param *key?
>> 
>> Why:
>> My encrypted file has now the filename of the unencrypted-files-sha1. 
>> (insecure!).
>> I cannot use the sha1 of the encrypted file because I use EVP_Seal* (aes256 
>> session key) so the sha1 of the encrypted file will change after every 
>> encryption (need to be constant because of the other function in the 
>> project).
>> My approach is, to use an encrypted sha1 of the unencrypted file (so it might 
>> keep constant).
>> I also tried to use RSA_public_encrypt on the unencrypted sha1, but I'd like 
>> to avoid 128BIT filenames.
>> 
>> 
> From your question, I gather that you want the following:
> 
> Give the encrypted file a (short) file name which is computed from the
> unencrypted plaintext in a way that adversaries cannot use to determine
> if the plaintext is the same as some guessed value, or which otherwise
> helps adversaries.
> 
> It is OK if only the encrypting party can generate the file name
> (otherwise an adversary could calculate it too).
> 
> Proposed solution.
> 
> 1. Generate a secret 224 bit key and store it somewhere safe (as safely
> as you store your RSA private keys).
> 
> 2. Use this secret key as the key when computing HMAC-SHA224 of
> the unencrypted plaintext.

Another thing:
Can I also just make a HMAC-SHA224 of the SHA1 of the unencrypted plaintext 
instead of the whole plaintext?
Is this too unsafe?
Remember: I just want to have a filename which does not lead to a possible 
file-content.

Thanks

> 
> 3. Convert the resulting 224 bit value to a string using Base32 or another
> scheme of your choosing. (Base32 would produce a 45 character
> case insensitive string).
> 
> 4. Truncate the string to your desired file name length, but not so short
> that accidental collisions become likely (Example to keep up to 16000
> file names likely different, use file names with 2 * log2(16000)=2*14=28
> bits minimum).
> 
> -- 
> Jakob Bohm, CIO, WiseMo A/S.
> Secure remote control of Smart phones, PCs and embedded systems.
> This public posting comes with no promises, no warranties and is not binding.

Re: Secure plaintext-derived filename [was: HMAC with RSA Key]

2011-10-25 Thread Jonas Schnelli

> On 10/25/2011 10:52 AM, Jonas Schnelli wrote:
>> How do I create a HMAC-SHA1 with an RSA Key?
>> What do I give as input for the param *key?
>> 
>> Why:
>> My encrypted file has now the filename of the unencrypted-files-sha1. 
>> (insecure!).
>> I cannot use the sha1 of the encrypted file because I use EVP_Seal* (aes256 
>> session key) so the sha1 of the encrypted file will change after every 
>> encryption (need to be constant because of the other function in the 
>> project).
>> My approach is, to use an encrypted sha1 of the unencrypted file (so it might 
>> keep constant).
>> I also tried to use RSA_public_encrypt on the unencrypted sha1, but I'd like 
>> to avoid 128BIT filenames.
>> 
>> 
> From your question, I gather that you want the following:
> 
> Give the encrypted file a (short) file name which is computed from the
> unencrypted plaintext in a way that adversaries cannot use to determine
> if the plaintext is the same as some guessed value, or which otherwise
> helps adversaries.
> 
> It is OK if only the encrypting party can generate the file name
> (otherwise an adversary could calculate it too).
> 
> Proposed solution.
> 
> 1. Generate a secret 224 bit key and store it somewhere safe (as safely
> as you store your RSA private keys).
> 
> 2. Use this secret key as the key when computing HMAC-SHA224 of
> the unencrypted plaintext.

Why use SHA224 (EVP_sha224()) instead of SHA1 (EVP_sha1())?
Do you think SHA-1 is too weak?

> 
> 3. Convert the resulting 224 bit value to a string using Base32 or another
> scheme of your choosing. (Base32 would produce a 45 character
> case insensitive string).
> 
> 4. Truncate the string to your desired file name length, but not so short
> that accidental collisions become likely (Example to keep up to 16000
> file names likely different, use file names with 2 * log2(16000)=2*14=28
> bits minimum).

Thank you very much for your solution.
Now I try to implement it like this.

Jonas




Re: Secure plaintext-derived filename [was: HMAC with RSA Key]

2011-10-25 Thread Jakob Bohm

On 10/25/2011 10:52 AM, Jonas Schnelli wrote:

> How do I create a HMAC-SHA1 with an RSA Key?
> What do I give as input for the param *key?
>
> Why:
> My encrypted file has now the filename of the unencrypted-files-sha1.
> (insecure!).
> I cannot use the sha1 of the encrypted file because I use EVP_Seal* (aes256
> session key) so the sha1 of the encrypted file will change after every
> encryption (need to be constant because of the other function in the project).
> My approach is, to use an encrypted sha1 of the unencrypted file (so it might
> keep constant).
> I also tried to use RSA_public_encrypt on the unencrypted sha1, but I'd like to
> avoid 128BIT filenames.



From your question, I gather that you want the following:

Give the encrypted file a (short) file name which is computed from the
unencrypted plaintext in a way that adversaries cannot use to determine
if the plaintext is the same as some guessed value, or which otherwise
helps adversaries.

It is OK if only the encrypting party can generate the file name
(otherwise an adversary could calculate it too).

Proposed solution.

1. Generate a secret 224 bit key and store it somewhere safe (as safely
as you store your RSA private keys).

2. Use this secret key as the key when computing HMAC-SHA224 of
the unencrypted plaintext.

3. Convert the resulting 224 bit value to a string using Base32 or another
scheme of your choosing. (Base32 would produce a 45 character
case insensitive string).

4. Truncate the string to your desired file name length, but not so short
that accidental collisions become likely (Example to keep up to 16000
file names likely different, use file names with 2 * log2(16000)=2*14=28
bits minimum).

--
Jakob Bohm, CIO, WiseMo A/S.
Secure remote control of Smart phones, PCs and embedded systems.
This public posting comes with no promises, no warranties and is not 
binding.
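
The four steps of the proposed solution, carried through with Python's standard library as an added example (not code from the thread or from OpenSSL; in C the keyed hash would be OpenSSL's HMAC() with EVP_sha224()). The function names are illustrative assumptions, and collision_probability applies the standard birthday approximation so the effect of a chosen truncation length can be checked.

```python
import base64
import hashlib
import hmac
import math
import secrets

KEY_BITS = 224       # step 1: secret key size named in the post
BITS_PER_CHAR = 5    # one Base32 character carries 5 bits


def new_name_key() -> bytes:
    """Step 1: random 224-bit secret; protect it like the RSA private key."""
    return secrets.token_bytes(KEY_BITS // 8)


def min_name_chars(max_files: int) -> int:
    """Step 4 rule of thumb: 2*log2(n) bits, rounded up to whole Base32 chars."""
    bits = math.ceil(2 * math.log2(max_files))
    return math.ceil(bits / BITS_PER_CHAR)


def collision_probability(n_files: int, bits: int) -> float:
    """Birthday approximation: P(some two of n names collide) in a 2**bits space."""
    return 1.0 - math.exp(-n_files * (n_files - 1) / (2.0 * 2.0 ** bits))


def derive_filename(key: bytes, plaintext: bytes, chars: int) -> str:
    """Steps 2-4: HMAC-SHA224, Base32 (45 chars without padding), truncate."""
    tag = hmac.new(key, plaintext, hashlib.sha224).digest()
    # Base32 is case insensitive, so lowercasing loses nothing.
    name = base64.b32encode(tag).decode("ascii").rstrip("=").lower()
    if not 1 <= chars <= len(name):
        raise ValueError("chars must be between 1 and %d" % len(name))
    return name[:chars]


if __name__ == "__main__":
    key = new_name_key()
    sample = b"constructed sample plaintext"  # constructed input, not real data
    chars = min_name_chars(16000)
    print("file name:", derive_filename(key, sample, chars))
    for bits in (28, 30, 40):
        print(bits, "bits ->", round(collision_probability(16000, bits), 6))
```

For 16000 names the approximation gives about 0.38 at 28 bits and about 0.0001 at 40 bits.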

