NortonNg wrote:
> 
> Hello all,
> I wonder if the OpenSSL PKCS7 object is compatible with Outlook
> Express 5 and Netscape Messenger. Because I have succeeded in decrypting
> the smime.p7m produced by Outlook Express 5 to plaintext (smime.txt)
> by the command
> dec -k server.pem smime.p7m (of course I add the -----BEGIN PKCS7--- and
> -----END PKCS7----- to the smime.p7m file.)
> But, unfortunately, when I try to encrypt smime.txt to smime2.p7m,
> I found that smime2.p7m is not equal to smime.p7m, but both can
> generate the same plaintext by dec.c. And if I replace the smime.p7m file
> with smime2.p7m, then Outlook Express or Netscape Messenger does not
> recognize it! (invalid encryption!!) Why?????????
> 

Here's some more info. When you encrypt a message with enc it generates a
random encryption key and includes it encrypted with the recipient's
public key. This is one reason why the output is different each time: it
wouldn't be very secure if it always used the same key!

Now your two messages. The one from MS Outlook is encrypted using weak
40 bit RC2. The one you generated uses triple DES. 

Export versions of software cannot decrypt triple DES which is probably
the problem. Check what the security window says when you click on the
invalid encryption icon. 

So you have two options. Either patch your software to use strong
encryption (using fortify or the MS domestic security patch) or just
change the encryption used: there is a -c option to enc.c which allows
an alternative cipher to be used. If you use -c RC2-40-CBC then it will
use 40 bit RC2 as well.

BTW if the security window says something about invalid DER data or
something like that then this is usually a problem with the MIME
headers. If you use the output of, for example, Messenger as a template
and substitute your own data at the end then you should be OK.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
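
Added example, not part of the original message or of OpenSSL's code: one way to check which content-encryption cipher an S/MIME message uses (the 40 bit RC2 versus triple DES difference described in the reply) is to read the AlgorithmIdentifier out of the decoded PKCS#7 EnvelopedData. The helper names and both sample messages are constructed for illustration, and the input is assumed to be definite-length DER after base64 decoding.

```python
# Added example: name the content-encryption cipher in a PKCS#7 EnvelopedData.
OIDS = {"1.2.840.113549.3.2": "RC2-CBC", "1.2.840.113549.3.7": "DES-EDE3-CBC"}
RC2_BITS = {160: 40, 120: 64, 58: 128}  # RFC 2268 rc2ParameterVersion -> key bits

def tlvs(buf):  # split DER bytes into (tag, value) pairs
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length octets
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def oid_str(v):  # OID content octets -> dotted string
    arcs, acc = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def content_cipher(der):  # -> (cipher name, key bits or None)
    _ctype, wrapped = tlvs(tlvs(der)[0][1])        # ContentInfo: OID, [0] EXPLICIT
    env = tlvs(tlvs(wrapped[1])[0][1])             # EnvelopedData fields
    eci = tlvs(next(v for t, v in env if t == 0x30))  # EncryptedContentInfo
    alg = tlvs(eci[1][1])                          # contentEncryptionAlgorithm
    name = OIDS.get(oid_str(alg[0][1]), "unknown")
    if name == "RC2-CBC":                          # params: SEQUENCE {version, iv}
        ver = int.from_bytes(tlvs(alg[1][1])[0][1], "big")
        return name, RC2_BITS.get(ver)
    return name, 168 if name == "DES-EDE3-CBC" else None

# --- constructed samples: no recipients, all-zero IV and ciphertext ---
def enc(tag, *parts):  # short-form DER encoder, enough for these small samples
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)

P = bytes.fromhex("2a864886f70d")  # OID prefix 1.2.840.113549
def sample(alg_tail, params):
    algid = enc(0x30, enc(0x06, P + alg_tail), params)
    eci = enc(0x30, enc(0x06, P + b"\x01\x07\x01"), algid, enc(0x80, b"\0" * 8))
    env = enc(0x30, enc(0x02, b"\0"), enc(0x31), eci)
    return enc(0x30, enc(0x06, P + b"\x01\x07\x03"), enc(0xA0, env))

RC2_40 = sample(b"\x03\x02", enc(0x30, enc(0x02, b"\x00\xa0"), enc(0x04, b"\0" * 8)))
DES3 = sample(b"\x03\x07", enc(0x04, b"\0" * 8))
```

Running `content_cipher` on the two decoded messages shows immediately whether they differ in cipher or only in the random key and IV.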
