Packaging The configuration of an Encryption Scheme -- Hopefully using just OpenSSL - configuration

I have an encryption scheme implemented. The constituent components (the symmetric cypher and its chaining mode, and the HMAC algorithm) are hard-coded into the binary. Additionally, the parameters of the algorithms (HMAC key, symmetric-key, symmetric IVEC) are specified in binary files, one for each parameter.
I would like to specify the choice of algorithms, and modes, and their parameters in a single file. Do I need my own format, or is this possible using existing OpenSSL infrastructure? If there is infrastructure, could someone please provide some references?
P.S. I know of the config file parsing code, and the PEM/X.509 code in OpenSSL. However, anything built from this won't be cohesive.

> I would like to specify the choice of algorithms, and modes, and their
> parameters in a single file

That type of agility sounds like you will allow the user to make a choice. Don't do it, since they might pick a bad cipher (or cipher combination). Make good choices for them.

> The symmetric cypher and its chaining mode, and the HMAC algorithm are
> hard-coded into the binary.

I would first look into an authenticated encryption mode - EAX, CCM, or GCM. I believe OpenSSL only has CCM at the moment (or is it GCM?). If you can't use an authenticated encryption mode, move on to Encrypt-Then-Authenticate (i.e., encrypt, then authenticate the cipher text with an HMAC or CMAC), which it sounds like you are doing.

> Additionally, the parameters of the algorithms (HMAC key, symmetric-key
> symmetric IVEC)

HMAC (and CMAC) are good. Don't use a CBC-MAC since it suffers from weaknesses on variable length messages.

> symmetric-key [in binary file]

Hmmm...

> symmetric IVEC

IVs are considered public parameters. Pick a random IV for the message, and send it along with the cipher text. Make sure to MAC both the cipher text and IV to detect tampering.

> Do I need my own format, or is this possible using existing OpenSSL infrastructure

Look at BIOs for I/O. The encoding is up to you. You can write out raw bytes, you could Base{16|32|64} encode it, you can encode and store it in XML, or store it as name/value pairs.
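
The advice in the answer above (fixed combinations instead of free choice, a random IV sent with the cipher text, a MAC over both IV and cipher text, an encoding of your own) put together as one single-file container. This is an added Python example, not code from the original posts or from OpenSSL; the ENC1 layout, the suite table and the `pack`/`unpack` names are assumptions, and the ciphertext is a constructed stand-in for the output of the cipher step.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical layout (an assumption of this example, not an OpenSSL format):
#   "ENC1" | suite id (1 byte) | IV length (1 byte) | IV | ciphertext | HMAC tag
MAGIC = b"ENC1"
# Only fixed combinations exist; the file names one by id, so a user
# cannot assemble an arbitrary cipher/mode/MAC mix.
SUITES = {
    1: ("AES-256-CBC", 16, hashlib.sha256),
    2: ("AES-256-CTR", 16, hashlib.sha512),
}

def pack(suite_id, mac_key, iv, ciphertext):
    name, iv_len, digest = SUITES[suite_id]
    if len(iv) != iv_len:
        raise ValueError("IV length does not match suite " + name)
    body = MAGIC + struct.pack("BB", suite_id, iv_len) + iv + ciphertext
    # Encrypt-then-MAC: the tag covers the header, the IV and the ciphertext.
    return body + hmac.new(mac_key, body, digest).digest()

def unpack(blob, mac_key):
    if len(blob) < 6 or blob[:4] != MAGIC:
        raise ValueError("not an ENC1 container")
    suite_id, iv_len = struct.unpack("BB", blob[4:6])
    if suite_id not in SUITES or SUITES[suite_id][1] != iv_len:
        raise ValueError("unknown suite or bad IV length")
    name, _, digest = SUITES[suite_id]
    tag_len = digest().digest_size
    if len(blob) < 6 + iv_len + tag_len:
        raise ValueError("truncated container")
    body, tag = blob[:-tag_len], blob[-tag_len:]
    expected = hmac.new(mac_key, body, digest).digest()
    # Constant-time comparison, done before the IV or ciphertext is used.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return name, body[6:6 + iv_len], body[6 + iv_len:]

# Constructed sample values; CIPHERTEXT stands in for real cipher output.
MAC_KEY = os.urandom(32)   # independent of the encryption key
IV = os.urandom(16)        # fresh random IV per message
CIPHERTEXT = bytes(range(48))
BLOB = pack(1, MAC_KEY, IV, CIPHERTEXT)
```

Because the suite id is inside the MACed region, changing it in the file fails authentication instead of silently switching algorithms.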

Related

Decoding parameters in Google webapps

I'm trying to better understand the Google web applications. The HTML source has JSON that has been encoded in some unknown way, which I would like to decode. For example, the source below contains parameters such as DpimGf and EP1ykd, which make no sense:
view-source:https://contacts.google.com/
..window.WIZ_global_data = {"DpimGf":false,"EP1ykd":.....
So far I have tried the following:
1. Decoded using the base64 decoder, but results are unprintable/not usable.
2. Decoded using poly-line encoding used in Google Maps.
3. Built an app from scratch to perform base64->binary->XOR->ASCII char and to shift the binary values up to 7 places [inspired by poly-line algorithm]
Is there any documentation from Google or known encoding for such formats?
Assumptions: I'm pretty sure that this is encoding of some sort and not encryption, because
1) Length of the encrypted text doesn't match the common encryption algorithms
2) There is some sort of pattern with the values of the parameters,
So good chance that it's just encoded without any encryption.
Because common encryption provides completely different strings each time.
3) There is a good chance that they may not decode,
because it might have a mapping at server side to a meaningful parameter.
Thanks
Try using this: http://ddecode.com/hexdecoder/?results=cddb95fa500e7c1af427d005985260a7. Try running the whole thing in this; it might help.

Signature verification for firmware

How can I verify whether a firmware (.bin file) is signed or not? Is there a tool or script that can be used? As far as I understand, sigcheck does not work with firmware. Any help on this?
A bin file is generally just a binary file. There is no such thing as a (single) standard for firmware files. Undoubtedly the file internally has structure but for us it is impossible to tell what it is. Generally a tool only works for a specific protocol.
RSA signatures themselves are the result of modular exponentiation with the public exponent. The result is then converted to a byte array that is almost indistinguishable from random. The size has the size of the modulus, which is the same size as the key size, in bytes. RSA may be used in various formats such as RSA with PKCS#1 v1.5 padding or RSA with PSS padding; the output however looks the same. Other signature types exist, e.g. ECDSA signatures that are completely different from RSA. They have a different (smaller) size and can be both dynamically and statically sized. ECDSA makes a lot of sense if the signature needs to be checked on resource constrained hardware.
Generally the signature is calculated as the very last step, so often the last bytes of the .bin file will be the signature. If you're lucky the signature is performed using a standard, e.g. PGP compliant signatures or CMS compliant signatures. For CMS signatures you may check if the file contains so called ASN.1 structures. These are encoded using something called BER, which can be parsed (e.g. using openssl asn1parse -inform BER).
So it all depends on the protocol. There is no single tool that can check if something is signed or not, the protocols are too different and signatures themselves just look like random data.
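
The ASN.1 check mentioned in the answer above, as an added Python example (not part of the original answer): it searches a firmware blob for the CMS signedData content type OID (1.2.840.113549.1.7.2) and keeps only hits where a BER SEQUENCE header with a plausible length sits directly in front of it. The function names and the sample blob are constructed for illustration; a raw RSA or ECDSA signature appended without such a wrapper will not be found this way, for the reason the answer gives.

```python
# BER/DER encoding of the signedData content type OID 1.2.840.113549.1.7.2
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")

def ber_length(buf, pos):
    """Parse a BER length at pos: (length, size); length is None if indefinite."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, 1            # short form
    if first == 0x80:
        return None, 1             # indefinite form (allowed in BER)
    n = first & 0x7F
    if n > 4 or pos + 1 + n > len(buf):
        return None                # implausible for a firmware image
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n

def find_cms_signed_data(blob):
    """Offsets of SEQUENCEs whose first element is the signedData OID."""
    hits, start = [], 0
    while True:
        i = blob.find(SIGNED_DATA_OID, start)
        if i < 0:
            return hits
        for hdr in range(2, 7):    # 0x30 tag plus 1..5 length bytes
            s = i - hdr
            if s < 0 or blob[s] != 0x30:
                continue
            parsed = ber_length(blob, s + 1)
            if parsed is None or parsed[1] != hdr - 1:
                continue
            length = parsed[0]
            # Content must hold at least the OID and must end inside the file.
            if length is None or len(SIGNED_DATA_OID) <= length <= len(blob) - i:
                hits.append(s)
                break
        start = i + 1

# Constructed sample: padding, a stray copy of the OID bytes with no SEQUENCE
# header (decoy), then a skeletal ContentInfo (not a complete SignedData).
INNER = SIGNED_DATA_OID + bytes.fromhex("a003020101")
CONTENT_INFO = b"\x30" + bytes([len(INNER)]) + INNER
FIRMWARE = b"\xff" * 8 + SIGNED_DATA_OID + b"\xff" * 45 + CONTENT_INFO
```

An offset returned here is only a candidate; running an ASN.1 parser from that offset shows whether a full CMS structure follows.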

Is there a standard to specify a binary format in json

I would like to know whether there is some standard that specifies binary formats using JSON as the describing language, similar to Google's protocol buffers.
Protocol buffers seem very powerful but they require parsing of yet another language and considerable overhead, especially for compiled languages such as C++.
So I am wondering whether there is some accepted standard that uses JSON to describe a binary format. (Parsing the binary data might then still require some manual steps, but at least a clear and unique description of the data can be made available.)
To be clear, I am not talking about encoding binary data in JSON, I am talking about describing binary data in JSON.
Head to the ultimate Wikipedia listing and evaluate for yourself. I don't know what is the right argument to overcome your programmer's inertia. I'd consider Apache Avro the best fit for your requirement - it has a JSON description.
For least friction, you could try MessagePack or BSON, which are JSON themselves, just better packed. But, by not having an external declaration, they need to be self-descriptive, so they must transport the field names on the wire - so it's not as "binary" and compact as Protocol Buffers or Avro.

What is the reasoning behind BitTorrent KRPC using BEncode instead of BSON?

The Mainline DHT, used in BitTorrent to distribute lists of peers, implements a custom RPC protocol called KRPC. KRPC consists of BEncoded dictionaries, which are essentially a more compact form of JSON.
Is there any benefit of using BEncode over something like BSON (or even just compressing the data)?
I suspect that bencode is being used for historical reasons and to lighten the burden on developers wanting to implement the DHT extension. Since all BitTorrent clients must have a working bencode implementation to work with torrent files (which are simply bencoded dictionaries of metadata), implementing the DHT with bencode would require no new project dependencies.
Also, consider that the DHT is using bencode along with binary encoding. Among others, the 26 byte node identifier string (20 bytes for the node-id, 6 bytes for the IPv4 address / port) is being stored as a binary string (see: http://bittorrent.org/beps/bep_0005.html#contact-encoding), so in effect, there is already some minimal data-compression that is happening.
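
The combination described in the answer above, a bencoded dictionary carrying the 26-byte compact node info as a binary string, as an added Python example that is not part of the original answer. The decoder is a minimal one written for this page, and the response message, node id and address are constructed sample values.

```python
import socket
import struct

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dictionary
        items, i = [], i + 1
        while data[i:i + 1] != b"e":               # truncated input ends in ValueError
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dictionary with a key but no value")
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        s = data[colon + 1:colon + 1 + n]
        if len(s) != n:
            raise ValueError("truncated string")
        return s, colon + 1 + n
    raise ValueError("bad bencode at offset %d" % i)

def parse_compact_nodes(blob):
    """Split compact node info into (node_id_hex, ipv4, port) tuples."""
    if len(blob) % 26:
        raise ValueError("compact node info must be a multiple of 26 bytes")
    nodes = []
    for off in range(0, len(blob), 26):
        node_id, ip, port = struct.unpack_from("!20s4sH", blob, off)
        nodes.append((node_id.hex(), socket.inet_ntoa(ip), port))
    return nodes

def nodes_from_response(packet):
    msg, end = bdecode(packet)
    if end != len(packet) or not isinstance(msg, dict) or msg.get(b"y") != b"r":
        raise ValueError("not a single KRPC response dictionary")
    return parse_compact_nodes(msg[b"r"][b"nodes"])

# Constructed find_node style response: one node at 192.0.2.1:6881.
NODE = bytes(range(20)) + bytes([192, 0, 2, 1]) + struct.pack("!H", 6881)
RESPONSE = (b"d1:rd2:id20:" + b"A" * 20 + b"5:nodes26:" + NODE
            + b"e1:t2:aa1:y1:re")
```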

How to generate automatically asn.1 encoded packets?

I want to test my application and I need to generate different load. The application is a SUPL RRLP protocol parser, and I have the ASN.1 specification for this protocol. Packets have a lot of optional fields and the number of variants may be over a billion - I can't go through all the options manually. I want to automate it.
The first way is to generate packets automatically; the other way is to create a lot of different value assignment sets and encode each into binary format.
I found some tools, for example libtasn and Asn1Editor, but the first one can't parse an existing ASN.1 spec file; the second one can't encode packets by specification.
I'm afraid to create the thousandth ASN.1 parser because I could introduce errors in the test process.
I hoped it would be easy to find something existing, but... I'm capitulating.
Maybe someone on Stack Overflow has faced the same problem and found a solution, or knows something to recommend? Thank you.
Please try going to https://asn1.io/asn1playground/ and try your specification there. You can ask it to generate a sample value for a given ASN.1 type. You can encode it and edit either the encoded (hex) data, or decoded values to create additional values.
You can also download a free trial of the OSS ASN.1 Tools from http://www.oss.com/asn1/products/asn1-download.html which includes OSS ASN.1 Studio. This also allows you to generate (and modify) sample values for a given ASN.1 type.
Note that these don't generate thousands of different test values for you automatically, but will parse valid value notation and encode the values for you if you are able to generate valid ASN.1 value notation.