So I am interacting between OpenSSL and the BCrypt functions on windows. I am writing an app in QT and can only use BCrypt for client side and OpenSSL on the server side. I have successfully done a DH key exchange the only issue I am having is how would I manage to derive a AES 128 key from a shared secret. The code I am using for the AES 128 encryption is https://github.com/Microsoft/Windows-classic-samples/blob/master/Samples/Security/CipherEncryptionDecryption/cpp/CipherEncryptionDecryption.cpp where I pass the spassword as sha1 of the shared secret.
the code on the PHP server side that I am using is:
echo bin2hex(openssl_pbkdf2(sha1($shared_secret), $salt, $keylen, $iterations, 'sha256'));
The iterations, salt, and everything matches on the client & server side. However the results do not match. What is the reason for this?
You seem to be mixing sha1 and sha256:
...sha1($shared_secret)...'sha256'...
Related
from the dev document, i got that opengauss support several encryption type for cleint authentication:
md5
sha256 (as default)
local is a Unix domain socket. host is a common or SSL-encrypted TCP/IP socket. hostssl is an SSL-encrypted TCP/IP socket. hostnossl is a TCP/IP-only socket.
authmehod-options is an optional parameter. Value range:
As i know that md5 is not safe enough?
so why opengauss still support it, which authentication encryption type is recommanded ?
Use MD5 only for compatibility with legacy applications and data.
Sha256 is recommanded.
for your question, i guess openGauss have to sovle compatibility issue.
that is there are many old version deploying in customer's env, they may use the md5 encryption type.
so that openGauss can not delete the type directly.
then use sha256 authentication encryption as default for secure;
use md5 for compatibility, but better make sure use it in trusted network.
I am working to upgrade TLS version form 1.0 to 1.2 for existing windows/Win CE application. Right now my application is using Openssl 0.9.8k(supports TLS 1.0). To upgrade TLS version I am using Openssl-1.0.2p(supports TLS 1.2). I was signing data using MD5-SHA1 similar to steps followed in MD5-SHA1 hash using CryptoAPI (my requirement was same as this)
Created hash using Certificate key handle provider and use CALG_SSL3_SHAMD5 algorithm.
Using CryptSetHashParam, I set the initial hash value
Signed the hash using CryptSignHash.
After that, reverse the bytes order (as OpenSSL signature is Big endian mentioned.
But TLS 1.2 has to sign hash using RSA-SHA256. How can I achieve using Crypto APIs?
I have tried to Created hash using Certificate key handle provider and use CALG_SHA_256 algorithm instead of CALG_SSL3_SHAMD5. But Certificate verification failed at server with error as "Bad Signature".
I have been surfing MSDN pages and I assuming that CNG APIs can do my Job for Windows 7 OS. If it is true, How can I achieve? Also I am not seeing CNG equivalent APIs in Windows CE, How can I achieve in Windows CE?
Thanks.
Assume, I have two choices.
Use self-signed x.509 certificate on both the server and client and validate server using its certificate stored in client and authenticate client using client certificate stored in server.
Create only keys on both the server and client and validate server using server key stored in the client and authenticate client using client key stored in the server.
Assume we will use RSA with key length of 2048.
My query is what will be the performance difference. My worry is overhead involved in taking key out of certificate and doing channel encryption.
Our case is there will more number of requests and not much data to flow.
Let me know if you have any queries or concerns.
SSL and SSH they are all have the same functionality, which is Encryption. Both are Cryptographic Network protocols.
SSL:
port: 443
Application : Encryption between browser and server
SSH :
port : 22
Application : Between two Computers
This is the picture of Version Control system which has got SSH key to communicate between user and their repository!
Know how to generate SSH key Here!!
Know how to Generate SSL key Here!!
Credits :Medium
After executing the below command
openssl engine capi -t -post list_options:33 -post list_certs
Output
Private Key Info:
Provider Name: Microsoft Base Cryptographic Provider v1.0, Provider Type 1
Now i need to change this CSP type to Microsoft Enhanced RSA and AES Cryptographic Provider.
Is that possible ?
And Also at what point of time it is decided that this certificate will bind/register to a CSP ? Does that occur at the time of certficate and private key creation or it happens while Signing the Certificate from CA ?
No,
a CSP will define, among others, the key size. If you used the Base Provider to generate an RSA key it will be 512 bits will the Enhanced Provider uses 1024 bits.
This is decided at a key generation. Microsoft CAs can enforce the CSP used before signing the certificate.
I've just been doing a bit of wondering and learning, and I wanted to know how this works. I'm pretty sure I understand the concept of public/private key pairs, as i've gotten it to work with ssh, but I was wondering about https sites too. Where does my machine get the key pairs. Does chrome automatically generate a new key pair every session? Is there one hidden on my machine I don't know about?
I could be getting this all wrong, but any help would be great. :)
Browsers only generate key-pairs when the user needs to request a new (typically client) certificate. This is not necessarily related to SSL/TLS, but more of a convenience facility to issue certificates. This has nothing to do with day to day use of HTTPS. (Even if you are using a client-certificate, you only generate the key-pair when that certificate needs to be issued/renewed, typically once a year.)
The keys used for encryption are symmetric keys, negotiated during the handshake, where only the server certificate is required (for authenticated negotiation). You may find more details in this similar question: Can One Public Key be Used to Encrypt and Decrypt Data during the SSL Handshake?
Yes your browser generates only symmetric keys
see http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame2.doc_5.1/ss7aumst18.htm