CMS with Symmetric key


CMS with Symmetric key

Abe Racioppo
Hey guys, 

I'm trying to use the CMS operations in libcrypto but with a symmetric key encryption key instead of x509.

I'm thinking I want to use a combination of 

CMS_RecipientInfo_set0_pkey,
SMIME_write_CMS,
and
CMS_EncryptedData_encrypt.

Has anyone done this before and can give me some direction?  This is my first time working with openssl and am getting kinda lost.

Thanks,

Abe

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: CMS with Symmetric key

Jakob Bohm-7
On 05/04/2016 00:18, Abe Racioppo wrote:

> Hey guys,
>
> I'm trying to use the CMS operations in libcrypto but with a symmetric
> key encryption key instead of x509.
>
> I'm thinking I want to use a combination of
>
> CMS_RecipientInfo_set0_pkey,
> SMIME_write_CMS,
> and
> CMS_EncryptedData_encrypt.
>
> Has anyone done this before and can give me some direction?  This is
> my first time working with openssl and am getting kinda lost.
>
The "CMS" operations implement the "CMS" standard, formerly
known as PKCS#7, which is based entirely on the use of X.509
certificates.

Unless you can point out a clause in the "CMS" format RFCs
that allows use without X.509 certificates, there is no reason
why the "CMS" part of the OpenSSL library should be able to
do any such thing.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: CMS with Symmetric key

Wim Lewis-3

On Apr 4, 2016, at 3:42 PM, Jakob Bohm <[hidden email]> wrote:
> Unless you can point out a clause in the "CMS" format RFCs
> that allows use without X.509 certificates, there is no reason
> why the "CMS" part of the OpenSSL library should be able to
> do any such thing.

The CMS RFC (RFC 5652) specifies password based key derivation (in addition to asymmetric-key crypto key transport or agreement, and also a symmetric-cryptography key transport mechanism). See section 6.2.

It looks like password based key derivation wasn't in the original PKCS#7, but was introduced in a 2001 specification (RFC 3211) and was folded into the 2002 revision of CMS (RFC 3369).



Re: CMS with Symmetric key

Salz, Rich
In reply to this post by Abe Racioppo
> I'm trying to use the CMS operations in libcrypto but with a symmetric key encryption key instead of x509.

We don't support this.

--  
Senior Architect, Akamai Technologies
IM: [hidden email] Twitter: RichSalz



Re: CMS with Symmetric key

Viktor Dukhovni

> On Apr 4, 2016, at 11:34 PM, Salz, Rich <[hidden email]> wrote:
>
>> I'm trying to use the CMS operations in libcrypto but with a symmetric key encryption key instead of x509.
>
> We don't support this.

It looks like we do.  See crypto/cms/cms_pwri.c and the
undocumented "-pwri_password" option of the cms(1) command.

Documentation would of course be great...

--
        Viktor.


Re: CMS with Symmetric key

Dr. Stephen Henson
In reply to this post by Abe Racioppo
On Mon, Apr 04, 2016, Abe Racioppo wrote:

> Hey guys,
>
> I'm trying to use the CMS operations in libcrypto but with a symmetric key
> encryption key instead of x509.
>
> I'm thinking I want to use a combination of
>
> CMS_RecipientInfo_set0_pkey,
> SMIME_write_CMS,
> and
> CMS_EncryptedData_encrypt.
>
> Has anyone done this before and can give me some direction?  This is my
> first time working with openssl and am getting kinda lost.
>

You have several options here.

You can just use the encrypted data type with a key directly.

You can use the enveloped data type with a symmetric wrapping key.

You can use the enveloped data type with a password based recipient info.

Which you use depends on the application you have in mind.

In the first case you just call CMS_EncryptData_encrypt() followed by
SMIME_write_CMS().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: CMS with Symmetric key

Abe Racioppo
Thank you for the responses.

I have implemented encryption that adds a secret key, and secret key id using:
CMS_add0_recipient_key,
CMS_EncryptData_encrypt,
SMIME_write_CMS
The output file looks correct, but I need to decrypt it back to be sure.

I would like to be able to get the secret key id from the envelope data to then search a database for the key, and then CMS_decrypt.  I have yet to determine the most straightforward way of getting the key ids from the envelope/wrapped content of cms.

Is there a combination if I have SMIME_read the cms from a file like:
  keyId =  cms->envelopedData->keyId?

Or do I need to handle a stack_of recipient infos in order to get the key id from kekri0_get_id?

Thanks again,
Abe


On Tue, Apr 5, 2016 at 7:39 AM, Dr. Stephen Henson <[hidden email]> wrote:
On Mon, Apr 04, 2016, Abe Racioppo wrote:

> Hey guys,
>
> I'm trying to use the CMS operations in libcrypto but with a symmetric key
> encryption key instead of x509.
>
> I'm thinking I want to use a combination of
>
> CMS_RecipientInfo_set0_pkey,
> SMIME_write_CMS,
> and
> CMS_EncryptedData_encrypt.
>
> Has anyone done this before and can give me some direction?  This is my
> first time working with openssl and am getting kinda lost.
>

You have several options here.

You can just use the encrypted data type with a key directly.

You can use the enveloped data type with a symmetric wrapping key.

You can use the enveloped data type with a password based recipient info.

Which you use depends on the application you have in mind.

In the first case you just call CMS_EncryptData_encrypt() followed by
SMIME_write_CMS().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org





Re: CMS with Symmetric key

Dr. Stephen Henson
On Mon, Apr 11, 2016, Abe Racioppo wrote:

> Thank you for the responses.
>
> I have implemented encryption that adds a secret key, and secret key id
> using:
> CMS_add0_recipient_key,
> CMS_EncryptData_encrypt,
> SMIME_write_CMS
> The output file looks correct, but I need to decrypt it back to be sure.
>

Ah CMS_EncryptedData_encrypt() just creates the encrypted data type. If you
want to use enveloped data you use CMS_encrypt() first then
CMS_add0_recipient_key() and finally SMIME_write_CMS().

> I would like to be able to get the secret key id from the envelope data to
> then search a database for the key, and then CMS_decrypt.  I have yet to
> determine the most straightforward way of getting the key ids from the
> envelope/wrapped content of cms.
>
> Is there a combination if I have SMIME_read the cms from a file like:
>   keyId =  cms->envelopedData->keyId?
>
> Or do I need to handle a stack_of recipient infos in order to get the key
> id from kekri0_get_id?
>

Yes. You need to use CMS_get0_RecipientInfos() as there can be multiple
recipients of different types.

For each recipient info you check the type with:

        CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_KEK

For each match retrieve the key ID using CMS_RecipientInfo_kekri_get0_id().

If the id doesn't match a value in your database continue to the next recipient
info. If no matches return an error.

If you do get a match then call CMS_RecipientInfo_set0_key().

Finally call CMS_decrypt(): setting the key and certificate parameters to
NULL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org