Openssl ocsp

classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

Openssl ocsp

thomas.beckmann
Hi all,

I try to ask an ocsp responder for the status of some certificates using
openssl as ocsp client.
Doing that the client produces the following Messages:

------------------------------------------------------------------------
-----------------------
C:\Programme\OpenSSL\bin>openssl ocsp -issuer
c:\Programme\OpenSSL\bin\certs\cert.pem -serial 1123 -url
http://161.90.190.254:2560 -verify_other
c:\Programme\OpenSSL\bin\certs\ocsp.pem -trust_other
Response Verify Failure
2492:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
type is not 01:.\crypto\rsa\rsa_pk1.c:100:
2492:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
failed:.\crypto\rsa\rsa_eay.c:699:
2492:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
lib:.\crypto\asn1\a_verify.c:168:
2492:error:27069075:OCSP routines:OCSP_basic_verify:signature
failure:.\crypto\ocsp\ocsp_vfy.c:98:
1123: revoked
        This Update: Mar 30 15:51:13 2007 GMT
        Next Update: Apr  2 10:33:23 2007 GMT
        Revocation Time: Mar 30 15:00:00 2007 GMT
------------------------------------------------------------------------
-----------------------

What will openssl tell me? Whats going wrong here? Any ideas?

Best regards

Thomas

Atos Origin GmbH, Theodor-Althoff-Str. 47, D-45133 Essen, Postfach 100 123, D-45001 Essen
Telefon: +49 201 4305 0, Fax: +49 201 4305 689095, www.atosorigin.de
Dresdner Bank AG, Hamburg: Kto. 0954411200, BLZ 200 800 00, Swift Code DRESDEFF200, IBAN DE69200800000954411200
Geschäftsführer: Dominique Illien, Handelsregister Essen HRB 19354, Ust.-ID.-Nr.: DE147861238
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

EVP Envelope & PKI Confusion...

Usman Riaz

Hi All,

        I want to use PKI to encrypt some data and send it to the customer to be decrypted. With my limitied knowledge about PKI, the data can be encrypted using "private key" and then lateron that encrypted data could be decrypted with the "public key". While trying to find a way to achive the same, I've found an exmaple using the EVP Envelope interface (openssl-dir/tools/maurice/example1.c). But within this example, the data is encrypted via "public key" and decrypted via "private key". My questions are...

a. Shouldn't this be other way round? i.e encryption with public key and decryption with private key, perhaps PKI allows the usage this way, but is it the preferred way?? since in that case I have to provide the private key to the customer (along with the symetric key & intialzation vector) & also, private key is meant to be "private" not to be shared.

b. Secondly, is there any other interface or API that does the same (encrypt with pubkey and decrypt with privkey) without using symetric key and iv, so that I dont have to provide them to the customer for decryption.

Thanks for your time,

Kind Regards,

Usman.

PS: The data to be en/de-crypted is just 30-50 chars long, so performance is not an issue here.



FREE pop-up blocking with the new MSN Toolbar MSN Toolbar Get it now! ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [hidden email] Automated List Manager [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Openssl ocsp

Nils Larsch
In reply to this post by thomas.beckmann
[hidden email] wrote:

> Hi all,
>
> I try to ask an ocsp responder for the status of some certificates using
> openssl as ocsp client.
> Doing that the client produces the following Messages:
>
> ------------------------------------------------------------------------
> -----------------------
> C:\Programme\OpenSSL\bin>openssl ocsp -issuer
> c:\Programme\OpenSSL\bin\certs\cert.pem -serial 1123 -url
> http://161.90.190.254:2560 -verify_other
> c:\Programme\OpenSSL\bin\certs\ocsp.pem -trust_other
> Response Verify Failure
> 2492:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
> type is not 01:.\crypto\rsa\rsa_pk1.c:100:
> 2492:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> failed:.\crypto\rsa\rsa_eay.c:699:
> 2492:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
> lib:.\crypto\asn1\a_verify.c:168:
> 2492:error:27069075:OCSP routines:OCSP_basic_verify:signature
> failure:.\crypto\ocsp\ocsp_vfy.c:98:
> 1123: revoked
>         This Update: Mar 30 15:51:13 2007 GMT
>         Next Update: Apr  2 10:33:23 2007 GMT
>         Revocation Time: Mar 30 15:00:00 2007 GMT
> ------------------------------------------------------------------------
> -----------------------
>
> What will openssl tell me? Whats going wrong here? Any ideas?

the signature within the ocsp response seems to be broken
or a wrong public key is used when openssl tries to verify
it (if the response contains the hash of the oscp signers
public key this should be rather unlikely).

Nils
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: EVP Envelope & PKI Confusion...

jcr83
In reply to this post by Usman Riaz
Usman Riaz wrote :
>
>         I want to use PKI to encrypt some data and send it to the
> customer to be decrypted. With my limitied knowledge about PKI, the data
> can be encrypted using "private key" and then lateron that
> encrypted data could be decrypted with the "public key".

No, you encrypt the data using the public key of the customer, and the
customer will decrypt it using its private key.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: EVP Envelope & PKI Confusion...

Usman Riaz

Thanks for the reply Jean-Claude, appreciated! Actually the whole senario is like this. I have a software that I am selling to the customers. I want to encrypt the information (license info) with my private key, and the software will contain (embedded/hardcoded) public key (the way I would like to do) and with that key the software will be able to decrypt the lincese information. I dont want to use symetric encoding/decoding, then its too easy to findout the key and generate a new license using that key even without hex editing. So that was the reason looking into PKI. I'd higly appreciate if anyone could comment if there is a better way to do what I am trying to achieve.

Thanks for your time,

Regards,

Usman.


From:  Jean-Claude Repetto <[hidden email]>
To:  [hidden email]
CC:  [hidden email]
Subject:  Re: EVP Envelope & PKI Confusion...
Date:  Tue, 03 Apr 2007 16:29:56 +0200
MIME-Version:  1.0
Received:  from spock.galacsys.net ([88.191.250.29]) by bay0-mc7-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Tue, 3 Apr 2007 07:30:04 -0700
Received:  from gelas.mail.mxm (LPuteaux-151-41-15-109.w217-128.abo.wanadoo.fr [217.128.30.109])by spock.galacsys.net (Postfix) with ESMTP id D1D674546E;Tue, 3 Apr 2007 16:30:03 +0200 (CEST)
Received:  from localhost (localhost [127.0.0.1])by gelas.mail.mxm (Postfix) with ESMTP id 4D498A7833;Tue, 3 Apr 2007 16:30:01 +0200 (CEST)
Received:  from gelas.mail.mxm ([127.0.0.1])by localhost (gelas.mxm [127.0.0.1]) (amavisd-new, port 10024)with ESMTP id 3FqWMKgyK+Bs; Tue, 3 Apr 2007 16:29:53 +0200 (CEST)
Received:  from [192.168.0.98] (jean-claude.mxm [192.168.0.98])by gelas.mail.mxm (Postfix) with ESMTP id CD9E53C0AE;Tue, 3 Apr 2007 16:29:53 +0200 (CEST)

>Usman Riaz wrote :
>>
>>         I want to use PKI to encrypt some data and send it to the
>>customer to be decrypted. With my limitied knowledge about PKI, the
>>data can be encrypted using "private key" and then lateron that
>>encrypted data could be decrypted with the "public key".
>
>No, you encrypt the data using the public key of the customer, and
>the customer will decrypt it using its private key.
>
>


Express yourself instantly with MSN Messenger! MSN Messenger Download today it's FREE! ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [hidden email] Automated List Manager [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: EVP Envelope & PKI Confusion...

Goetz Babin-Ebell
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Usman,

Usman Riaz schrieb:

> Thanks for the reply Jean-Claude, appreciated! Actually the whole senario is
> like this. I have a software that I am selling to the customers. I want to
> encrypt the information (license info) with my private key, and the software
> will contain (embedded/hardcoded) public key (the way I would like to do) and
> with that key the software will be able to decrypt the lincese information. I
> dont want to use symetric encoding/decoding, then its too easy to findout the
> key and generate a new license using that key even without hex editing. So that
> was the reason looking into PKI. I'd higly appreciate if anyone could comment if
> there is a better way to do what I am trying to achieve.

I think you don't want to encrypt your license information,
but you want to sign it.

Signing is the operation that protects your data against manipulation.
Encryption is the operation that protects your data against unauthorized
reading.

There is no need to protect the license info against the customer:
he should know which entity may use it on which systems...
But you want to protect it against unauthorized manipulation
(including forged licenses).

Bye

Goetz

- --
DMCA: The greed of the few outweights the freedom of the many
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGEne92iGqZUF3qPYRAijwAJ9NkpBzlyoe+L+J+cr4C/K8DTDMfQCcCZ7m
LHsXGhDFeYsY8tr9YVtQ+Nc=
=7KDS
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: EVP Envelope & PKI Confusion...

Usman Riaz
Thanks for the reply Goetz, appreciated! I believe with signing the license
information (correct me if I am wrong), I have to provide the actually
license info/data (in plain clear text) along with the data generated during
the signing process. The problem with this approach is, that providing the
license info in clear text I think will make it little more tempting &
almost all the softwares that I have used, don't supply license info in
clear text. Even though I agree the customer should know what is in the
license information thats why my software will display info about it, after
reading the license data but how this license info is interpreted &
transformed from one form to another should be left to the software vendor.

Regards,
Usman.


>From: Goetz Babin-Ebell <[hidden email]>
>Reply-To: [hidden email]
>To: [hidden email]
>Subject: Re: EVP Envelope & PKI Confusion...
>Date: Tue, 03 Apr 2007 17:50:21 +0200
>MIME-Version: 1.0
>X-Sender: Goetz Babin-Ebell <[hidden email]>
>Received: from mmx1.engelschall.com ([195.30.6.154]) by
>bay0-mc7-f7.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Tue, 3
>Apr 2007 08:52:22 -0700
>Received: by mmx1.engelschall.com (Postfix)id D1BA956418; Tue,  3 Apr 2007
>17:51:14 +0200 (CEST)
>Received: from master.openssl.org (master.openssl.org [195.30.6.166])by
>mmx1.engelschall.com (Postfix) with ESMTP id B4C1056413for
><[hidden email]>; Tue,  3 Apr 2007 17:51:14 +0200
>(CEST)
>Received: by master.openssl.org (Postfix)id 184FE1AC6145; Tue,  3 Apr 2007
>17:51:14 +0200 (CEST)
>Received: by master.openssl.org (Postfix, from userid 29101)id
>D61111AC6103; Tue,  3 Apr 2007 17:51:13 +0200 (CEST)
>Received: from webmail.hansenet.de (mail04.hansenet.de [213.191.73.12])by
>master.openssl.org (Postfix) with ESMTP id 34DFF1AC60A0for
><[hidden email]>; Tue,  3 Apr 2007 17:50:59 +0200 (CEST)
>Received: from mail.shomitefo.de (80.171.107.171) by webmail.hansenet.de
>(7.2.074) (authenticated as goetz%shomitefo.de)        id 4600BA1E006236DD
>for [hidden email]; Tue, 3 Apr 2007 17:50:23 +0200
>Received: from hal64.shomitefo.de ([192.168.1.91])by mail.shomitefo.de with
>esmtp (Exim 4.50)id 1HYlH4-0001AE-4J; Tue, 03 Apr 2007 17:50:22 +0200
>X-Message-Info:
>txF49lGdW418YJutn6vSQ1bBDeUxNwnxvie2IqhPf50JnsfNrIWfxVRxl2UuB8Bi
>Delivered-To: [hidden email]
>X-Original-To: [hidden email]
>Delivered-To: [hidden email]
>User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.8.0.10)
>Gecko/20070221 Thunderbird/1.5.0.10 Mnenhy/0.7.5.666
>References: <[hidden email]>
>X-Enigmail-Version: 0.94.2.0
>Precedence: bulk
>X-List-Manager: OpenSSL Majordomo [version 1.94.5]
>X-List-Name: openssl-users
>Return-Path: [hidden email]
>X-OriginalArrivalTime: 03 Apr 2007 15:52:23.0193 (UTC)
>FILETIME=[11B04890:01C77608]
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hello Usman,
>
>Usman Riaz schrieb:
>
> > Thanks for the reply Jean-Claude, appreciated! Actually the whole
>senario is
> > like this. I have a software that I am selling to the customers. I want
>to
> > encrypt the information (license info) with my private key, and the
>software
> > will contain (embedded/hardcoded) public key (the way I would like to
>do) and
> > with that key the software will be able to decrypt the lincese
>information. I
> > dont want to use symetric encoding/decoding, then its too easy to
>findout the
> > key and generate a new license using that key even without hex editing.
>So that
> > was the reason looking into PKI. I'd higly appreciate if anyone could
>comment if
> > there is a better way to do what I am trying to achieve.
>
>I think you don't want to encrypt your license information,
>but you want to sign it.
>
>Signing is the operation that protects your data against manipulation.
>Encryption is the operation that protects your data against unauthorized
>reading.
>
>There is no need to protect the license info against the customer:
>he should know which entity may use it on which systems...
>But you want to protect it against unauthorized manipulation
>(including forged licenses).
>
>Bye
>
>Goetz
>
>- --
>DMCA: The greed of the few outweights the freedom of the many
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.2 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iD8DBQFGEne92iGqZUF3qPYRAijwAJ9NkpBzlyoe+L+J+cr4C/K8DTDMfQCcCZ7m
>LHsXGhDFeYsY8tr9YVtQ+Nc=
>=7KDS
>-----END PGP SIGNATURE-----
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    [hidden email]
>Automated List Manager                           [hidden email]

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar - get it now!
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: EVP Envelope & PKI Confusion...

Goetz Babin-Ebell
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Usman Riaz schrieb:
> I believe with signing the
> license information (correct me if I am wrong), I have to provide the
> actually license info/data (in plain clear text) along with the data
> generated during the signing process.
Yes.

> The problem with this approach is,
> that providing the license info in clear text I think will make it
> little more tempting & almost all the softwares that I have used,
> don't supply license info in clear text.
To what could the user be tempted ?
To generate an own license ?
For that he needs your private key,
and if he has that, you have lost anyway...

if you really do not want the license data to be readable in plain text,
you may obfuscate it in some way (ROT-13, base64,...)

The question here is:
What do you gain from encrypting the license information ?
Unencrypted license information has the advantage that your user
in case of an license error may look into the license file and
see something like:

product: not working piece of junk
version: 0.99.8.123a
company: Stupid Loosers Inc.
user: Brain Dead
IP: 192.168.1.1
from: 2007-01-01
until: 2008-01-01
key: fgjfgjfghhjsdfgjfhjkasdrt6be78utxdyvtdr6zungzbxcdbzr6...

Indicating that user "Brain Dead",
working in company "Stupid Loosers Inc."
may use the software "not working piece of junk"
starting with version "0.99.8.123a"
on the host with the IP address "192.168.1.1"
from 2007-01-01 until 2008-01-01.

> Even though I agree the customer
> should know what is in the license information thats why my software
> will display info about it, after reading the license data but how
> this license info is interpreted & transformed from one form to
> another should be left to the software vendor.
Naturally.
The way you store the license data in the license file is completely
to be defined by the vendor.
But from the point of security you gain nothing from adding some
encryption to the license data.

Bye

Goetz

- --
DMCA: The greed of the few outweights the freedom of the many
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGEqdS2iGqZUF3qPYRAsZuAJwOVC5BmtleLurf4Ony8WLIBUf2zwCcCCe0
ORwK5B07Xb4DTYh1Kek3h54=
=cDgq
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: EVP Envelope & PKI Confusion...

JoelKatz
In reply to this post by Usman Riaz

> Thanks for the reply Goetz, appreciated! I believe with signing
> the license
> information (correct me if I am wrong), I have to provide the actually
> license info/data (in plain clear text) along with the data
> generated during
> the signing process. The problem with this approach is, that
> providing the
> license info in clear text I think will make it little more tempting &
> almost all the softwares that I have used, don't supply license info in
> clear text. Even though I agree the customer should know what is in the
> license information thats why my software will display info about
> it, after
> reading the license data but how this license info is interpreted &
> transformed from one form to another should be left to the
> software vendor.

I don't mean to be rude, and I really hope you don't take this the wrong
way, but you simply don't have nearly enough knowledge to devise a security
scheme that could be relied upon in any way, shape or form. If this matters
to you, you need to find someone who does to help you or spend a few years
learning how to do it right.

I'm sorry, but that's just the truth.

What you're trying to do is like building a bridge. There is no substitute
for knowing how to do it *right* and knowing what can go wrong, and so on.

I would strongly caution you that it is very easy to make something that
seems secure but really is a disaster of one form or another. It's very easy
to compromise the security of your own license but also very easy to
compromise the security of other people's computers in the attempt to secure
your own software thereon.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: EVP Envelope & PKI Confusion...

Usman Riaz

Hi David,

           Sorry to be rude, but your post just told me what I already know :), my lack of knowledge at security, but didn't help me a bit :( (not sure if the post was meant to be helpful). If you have spend the same amount of time writing *what* is wrong with my approch & why this should be avoided that would have helped me or anyone who might be tempeted to do what I am trying to do. 

Thanks for your understanding,

Regards,

Usman.


From:  "David Schwartz" <[hidden email]>
Reply-To:  [hidden email]
To:  <[hidden email]>
Subject:  RE: EVP Envelope & PKI Confusion...
Date:  Tue, 3 Apr 2007 21:08:55 -0700
MIME-Version:  1.0
X-Sender:  "David Schwartz" <[hidden email]>
Received:  from mmx1.engelschall.com ([195.30.6.154]) by bay0-mc8-f10.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Tue, 3 Apr 2007 21:11:05 -0700
Received:  by mmx1.engelschall.com (Postfix)id B959B56423; Wed, 4 Apr 2007 06:10:07 +0200 (CEST)
Received:  from master.openssl.org (master.openssl.org [195.30.6.166])by mmx1.engelschall.com (Postfix) with ESMTP id 19FED56417for <[hidden email]>; Wed, 4 Apr 2007 06:10:06 +0200 (CEST)
Received:  by master.openssl.org (Postfix)id 177311AC61C3; Wed, 4 Apr 2007 06:10:04 +0200 (CEST)
Received:  by master.openssl.org (Postfix, from userid 29101)id 116131AC617A; Wed, 4 Apr 2007 06:10:04 +0200 (CEST)
Received:  from mail1.webmaster.com (mail1.webmaster.com [216.152.64.169])by master.openssl.org (Postfix) with ESMTP id F2EB31AC604Efor <[hidden email]>; Wed, 4 Apr 2007 06:09:43 +0200 (CEST)
Received:  from however by webmaster.com(MDaemon.PRO.v8.1.3.R)with ESMTP id md50001470879.msgfor <[hidden email]>; Tue, 03 Apr 2007 22:09:15 -0700

>
> > Thanks for the reply Goetz, appreciated! I believe with signing
> > the license
> > information (correct me if I am wrong), I have to provide the actually
> > license info/data (in plain clear text) along with the data
> > generated during
> > the signing process. The problem with this approach is, that
> > providing the
> > license info in clear text I think will make it little more tempting &
> > almost all the softwares that I have used, don't supply license info in
> > clear text. Even though I agree the customer should know what is in the
> > license information thats why my software will display info about
> > it, after
> > reading the license data but how this license info is interpreted &
> > transformed from one form to another should be left to the
> > software vendor.
>
>I don't mean to be rude, and I really hope you don't take this the wrong
>way, but you simply don't have nearly enough knowledge to devise a security
>scheme that could be relied upon in any way, shape or form. If this matters
>to you, you need to find someone who does to help you or spend a few years
>learning how to do it right.
>
>I'm sorry, but that's just the truth.
>
>What you're trying to do is like building a bridge. There is no substitute
>for knowing how to do it *right* and knowing what can go wrong, and so on.
>
>I would strongly caution you that it is very easy to make something that
>seems secure but really is a disaster of one form or another. It's very easy
>to compromise the security of your own license but also very easy to
>compromise the security of other people's computers in the attempt to secure
>your own software thereon.
>
>DS
>
>
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    [hidden email]
>Automated List Manager                           [hidden email]


Don't just search. Find. MSN Search Check out the new MSN Search! ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [hidden email] Automated List Manager [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: EVP Envelope & PKI Confusion...

Usman Riaz
In reply to this post by Goetz Babin-Ebell




From:  Goetz Babin-Ebell <[hidden email]>
Reply-To:  [hidden email]
To:  [hidden email]
Subject:  Re: EVP Envelope & PKI Confusion...
Date:  Tue, 03 Apr 2007 21:13:22 +0200
MIME-Version:  1.0
X-Sender:  Goetz Babin-Ebell <[hidden email]>
Received:  from mmx1.engelschall.com ([195.30.6.154]) by bay0-mc6-f4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Tue, 3 Apr 2007 12:15:10 -0700
Received:  by mmx1.engelschall.com (Postfix)id E72A75647D; Tue, 3 Apr 2007 21:14:11 +0200 (CEST)
Received:  from master.openssl.org (master.openssl.org [195.30.6.166])by mmx1.engelschall.com (Postfix) with ESMTP id C9E2456413for <[hidden email]>; Tue, 3 Apr 2007 21:14:11 +0200 (CEST)
Received:  by master.openssl.org (Postfix)id 480131AC6145; Tue, 3 Apr 2007 21:14:11 +0200 (CEST)
Received:  by master.openssl.org (Postfix, from userid 29101)id 3FC971AC6103; Tue, 3 Apr 2007 21:14:11 +0200 (CEST)
Received:  from webmail.hansenet.de (mail01.hansenet.de [213.191.73.61])by master.openssl.org (Postfix) with ESMTP id 7CBFC1AC60A0for <[hidden email]>; Tue, 3 Apr 2007 21:13:59 +0200 (CEST)
Received:  from mail.shomitefo.de (80.171.107.171) by webmail.hansenet.de (7.2.074) (authenticated as goetz%shomitefo.de) id 4600B9930063B1EA for [hidden email]; Tue, 3 Apr 2007 21:13:23 +0200
Received:  from hal64.shomitefo.de ([192.168.1.91])by mail.shomitefo.de with esmtp (Exim 4.50)id 1HYoRW-0001EE-Bx; Tue, 03 Apr 2007 21:13:22 +0200


>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Usman Riaz schrieb:
> > I believe with signing the
> > license information (correct me if I am wrong), I have to provide the
> > actually license info/data (in plain clear text) along with the data
> > generated during the signing process.
>Yes.
>
> > The problem with this approach is,
> > that providing the license info in clear text I think will make it
> > little more tempting & almost all the softwares that I have used,
> > don't supply license info in clear text.
>To what could the user be tempted ?
>To generate an own license ?
>For that he needs your private key,
>and if he has that, you have lost anyway...
>
>if you really do not want the license data to be readable in plain text,
>you may obfuscate it in some way (ROT-13, base64,...)
>
>The question here is:
>What do you gain from encrypting the license information ?
>Unencrypted license information has the advantage that your user
>in case of an license error may look into the license file and
>see something like:
>
>product: not working piece of junk
>version: 0.99.8.123a
>company: Stupid Loosers Inc.
>user: Brain Dead
>IP: 192.168.1.1
>from: 2007-01-01
>until: 2008-01-01
>key: fgjfgjfghhjsdfgjfhjkasdrt6be78utxdyvtdr6zungzbxcdbzr6...
>
>Indicating that user "Brain Dead",
>working in company "Stupid Loosers Inc."
>may use the software "not working piece of junk"
>starting with version "0.99.8.123a"
>on the host with the IP address "192.168.1.1"
>from 2007-01-01 until 2008-01-01.

 

 

haha, that surely can't be my license, I sell working piece of junk :D

 

 


>
> > Even though I agree the customer
> > should know what is in the license information thats why my software
> > will display info about it, after reading the license data but how
> > this license info is interpreted & transformed from one form to
> > another should be left to the software vendor.
>Naturally.
>The way you store the license data in the license file is completely
>to be defined by the vendor.
>But from the point of security you gain nothing from adding some
>encryption to the license data.
>
>Bye
>
>Goetz
>
>- --
>DMCA: The greed of the few outweights the freedom of the many
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.2 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iD8DBQFGEqdS2iGqZUF3qPYRAsZuAJwOVC5BmtleLurf4Ony8WLIBUf2zwCcCCe0
>ORwK5B07Xb4DTYh1Kek3h54=
>=cDgq
>-----END PGP SIGNATURE-----
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    [hidden email]
>Automated List Manager                           [hidden email]



Express yourself instantly with MSN Messenger! MSN Messenger Download today it's FREE! ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [hidden email] Automated List Manager [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: EVP Envelope & PKI Confusion...

Goetz Babin-Ebell
In reply to this post by Usman Riaz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Usman Riaz schrieb:
>            Sorry to be rude, but your post just told me what I already know :),
> my lack of knowledge at security, but didn't help me a bit :( (not sure if the
> post was meant to be helpful).
Davids post was meant in the following way:

"I got the impression that you are developing a security system.
 But you are lacking the required basic knowledge to do it.
 So any security system you develop will be terribly broken.
 The only advise I can give you is to stop immediately and get
 somebody who has experience in this area."

> If you have spend the same amount of time writing
> *what* is wrong with my approach & why this should be avoided that would have
> helped me or anyone who might be tempted to do what I am trying to do.
And here is the misconception in your assumptions:
Security/Cryptography si so complex with many pit falls.
So to develop a security system that is not broken by design,
you need years of experience in this area.
This is nothing that could be explained in a short mail.

Bye

Goetz

- --
DMCA: The greed of the few outweights the freedom of the many
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGE4pY2iGqZUF3qPYRAvDCAJ9mWUkeC0TqCIkyTVubj/m/inCUrgCeOcEV
hlTnjYetsZUc3wB31VS6/no=
=0qz5
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: EVP Envelope & PKI Confusion...

JoelKatz
In reply to this post by Usman Riaz

> Sorry to be rude, but your post just told me what I already know :),

If that's true, then you are asking the wrong questions.

> my lack of knowledge at security, but didn't help me a bit :(
> (not sure if the post was meant to be helpful).

I told you exactly what you need to do. Spend several years studying
computer security or find an expert and get them to assist you. Seriously,
that is probably the only way you can produce a trustworthy scheme.

> If you have spend the same amount of time writing *what* is wrong with my
> approch & why this should be avoided that would have helped me or anyone
> who might be tempeted to do what I am trying to do.

I told you precisely what was wrong with your scheme -- you don't have the
knowledge necessary to execute it properly. Even the most detailed recipe
won't change that. It's not specific issues, it's a comprehensive
understanding of what it takes to make something secure and what can go
wrong.

I'm trying to prevent yet another software security disaster. They all start
with someone who is reasonably knowledgeable in fields other than security
who thinks security is simple -- they just get a secure toolkit (like
OpenSSL) and 'sprinkle it on' the program. It doesn't work that way. You can
take the most secure algorithms and toolkits and produce a worthless program
out of them.

You would not even have any way to know when or whether you got it right.
It's like someone with no engineering experience building a bridge and then,
when they thought they were done even though they had no idea how to test a
bridge, putting real trucks and cars on it. The bridge is very likely to
break with the real traffic on it.

On the bright side, with a license scheme the most likely result is that
only your own software licensing scheme will be compromisable in seconds by
someone who knows what they're doing. But if you try to put in security
enforcement schemes, and the security you are enforcing is broken, those
schemes can do serious damage.

Someone who doesn't fully understand the distinction between encrypting and
signing with respect to public key schemes lacks a massive amount of
knowledge that is necessary to devise any secure application or scheme. It's
like a person who fully understand the differences between cement and steel
trying to build a road bridge.

While people can certainly point you in the right direction and get you
further towards designing something that you think does the job, that would
be doing a disservice to anyone who wound up with a copy of your code.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]