
RE: Réf. : RE: SMTI_Encrypt (SMTI_EncryptCryptoPP)



Eric:

I did not notice the reset command in sm_free3.cpp SMTI_Encrypt.  Sorry, but
we have hardcoded the encryption capability to certain constants for all
content encryption.  Over these past few years I have been modifying the
code to accept various lengths on input and output (in some cases) to
accommodate customer's needs.  As to the input, the key length could
probably be made to accommodate only the length specified by the user, but
the problem I ran into was that many key lengths were short.  We have no API
interface item to specify the encryption key length so it was made a
constant.  In your case, simply modify the code to accommodate only the
length specified on the input (as in the decryption side).  Please let me
know if this works.  I can modify the sm_free3.cpp source to accommodate set
key lengths, so if a key is less than 5 for example, I would set it to 5,
not 16.  This would accommodate everyone, but still provide some integrity
for smaller key lengths.  (Smaller key lengths are especially a problem for
Password Based Protection).

Bob Colestock
VDA

-----Original Message-----
From: eboudreault@xxxxxxxxx [mailto:eboudreault@xxxxxxxxx]
Sent: Thursday, June 21, 2001 3:26 PM
To: Colestock, Robert
Cc: imc-sfl@xxxxxxx
Subject: Réf. : RE: SMTI_Encrypt (SMTI_EncryptCryptoPP)



Robert:

I think I did not explain my bug correctly in the previous mail.

I have an EncryptedData to make (to put in a PKCS-12).  The encryption
algorithm that I want to use is RC2_CBC with a key of 5 bytes that was
generated by this algorithm: pbewithSHAAnd40BitRC2_CBC.

When I do SMTI_Encrypt(...), the function SMTI_EncryptCryptoPP(...) extends
the 5-byte key to 16 bytes (a bad key is generated here).

......
   else         // Adjust incoming MEK to proper length.
   {
       CSM_Buffer tmpBuf((size_t)CBC_KeyLength);
       if (pMEK->Length() < (unsigned int)CBC_KeyLength)
       {
         memcpy(tmpBuf.Access(), pMEK->Access(), pMEK->Length());
         pMEK->ReSet(tmpBuf);   // <--- line 821 (The key generated here is not correct.)
       }
   }
......


When it's time to do SMTI_Decrypt(...), the function
SMTI_DecryptCryptoPP(...) does this:

......
   // check for preferred oid content encryption or key wrap oid
   if (*pPreferredOID == rc2_cbc || *pPreferredOID == id_alg_CMSRC2wrap)   // <--- line 1720
   {
      int keybits = 0;

      // decode the parameters to get the keybits and the IV
      pIv = UnloadParams(pPreferredOID, *pParameters, keybits);

      if (keybits != 0)
      {
         CBC_KeyLength = keybits/8;  // bytes
      }
......

After that, the key length is equal to 5 bytes (that's correct), so the
decryption does not work correctly because of the bad key generated in
SMTI_EncryptCryptoPP(...).


Thanks




 

From:    "Colestock, Robert" <Robert.Colestock@GetronicsGov.com>
Date:    21/06/01 15:43
To:      "'eboudreault@xxxxxxxxx'" <eboudreault@xxxxxxxxx>, imc-sfl@xxxxxxx
cc:
Subject: RE: SMTI_Encrypt (SMTI_EncryptCryptoPP)
 

 





Eric:

I am no expert on these encryption algorithms; I have to re-investigate the
code every time I look into this particular logic.  After looking at
SMTI_Encrypt(...) and SMTI_Decrypt(...), I notice that the MEK->Length() is
passed to the appropriate CRYPTO++ data class constructors.  The CBC key
length of 16 you mention is simply the buffer length for the primitive
operations (including the initialization vector length).  The decrypt
operations also specify this length. It would appear they should work fine
with 5 byte (40 bit) key lengths.

We do directly support "pbeWithMD5AndDES_CBC" in
CSM_Free3::DecryptPrivateKey(...), but it uses the key length of 128 bytes.
I do not believe the code has been tested with smaller key lengths.  If you
discover problems, I will investigate further and attempt to test smaller
key lengths.

Bob Colestock
VDA.

-----Original Message-----
From: eboudreault@xxxxxxxxx [mailto:eboudreault@xxxxxxxxx]
Sent: Thursday, June 21, 2001 10:43 AM
To: imc-sfl@xxxxxxx
Subject: SMTI_Encrypt (SMTI_EncryptCryptoPP)



Hi,

I am trying to make an EncryptedData with pbewithSHAAnd40BitRC2_CBC and I've
noticed that the function SMTI_EncryptCryptoPP accepts only keys of 16 bytes
in length.

The thing that I don't understand is that we can decrypt an EncryptedData
with pbewithSHAAnd40BitRC2_CBC (key of 5 bytes in length).

Can you tell me if it is an error ?????

What can I do to encrypt with a key of 5 bytes with RC2 in CSM_Free3 ???


Thanks.

**************************************************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc
G1K 3P6
Tel.: 521-2100  ext.#242
Fax.: 521-2101
e-mail: eboudreault@xxxxxxxxx
**************************************************************************
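
Added example, not part of the thread or of the SFL/CSM_Free3 sources: a standalone C++ model of the key-length handling discussed above, showing the encrypt/decrypt mismatch for a 5-byte key and the handling suggested in the reply (keep the caller's length, with a 5-byte floor). The function names, the zero-filled padding and the way the decrypt side truncates the key are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

constexpr std::size_t kCbcKeyLength = 16;  // hardcoded length from the thread
constexpr std::size_t kMinKeyLength = 5;   // floor suggested in the reply

// Encrypt side as quoted: a short MEK is copied into a 16-byte buffer.
// Assumption: the unused tail is zero; the thread does not show its contents.
Bytes EncryptKeyAsQuoted(const Bytes& mek) {
    if (mek.size() >= kCbcKeyLength) return mek;
    Bytes padded(kCbcKeyLength, 0);
    std::copy(mek.begin(), mek.end(), padded.begin());
    return padded;
}

// Suggested handling: keep the caller's length, pad only below the floor.
Bytes EncryptKeyProposed(const Bytes& mek) {
    Bytes key(mek);
    if (key.size() < kMinKeyLength) key.resize(kMinKeyLength, 0);
    return key;
}

// Decrypt side as quoted: keybits from the parameters set the key length.
// Assumption: the decryptor then uses that many bytes of the supplied key.
Bytes DecryptKey(const Bytes& mek, int keybits) {
    Bytes key(mek);
    key.resize(keybits != 0 ? static_cast<std::size_t>(keybits / 8) : kCbcKeyLength, 0);
    return key;
}

// Both sides must hand the cipher identical key bytes for a round trip.
bool SidesAgree(const Bytes& enc, const Bytes& dec) { return enc == dec; }

int main() {
    const Bytes mek = {0x01, 0x02, 0x03, 0x04, 0x05};  // constructed 40-bit key
    const Bytes dec = DecryptKey(mek, 40);
    std::cout << "as quoted: " << SidesAgree(EncryptKeyAsQuoted(mek), dec) << "\n";
    std::cout << "proposed:  " << SidesAgree(EncryptKeyProposed(mek), dec) << "\n";
    return 0;
}
```

With RC2 the key length also feeds the key expansion, so a key padded from 5 to 16 bytes produces a different schedule than the 5-byte key the decrypt side derives.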