I'm in the US, but I'm French. Am I "safe"? ;-)
Thanks for the detailed explanations. It definitely helps in assessing the
effort and risks of such a project. I would limit the ASN.1 modifs to what
is required by PKCS#7: does this include the last ASN.1 quirks? IMHO, no...
All this seems to involve a long time. If I need PKCS#7-like confidentiality
rapidly, what do you think of the following (lazy) workaround?
1- sign the file --> p7 Signed-data (external contents)
2- envelop the DER of p7 Signed-data --> p7 Enveloped-data
3- re-use the symmetric session key to encrypt the file
4- voila! we have an "external envelope"
To decrypt/verify:
1- decrypt the p7 enveloped data:
--> get the session key
--> get the p7 signed data
2- decrypt the file
3- verify the signature w/ the p7 Signed-data
Would that work w/ RSA as the asymmetric algorithm, and DES3 as the
symmetric algorithm? I didn't yet look at how to snatch the symmetric session
key in the PKCS#7 primitives.
----- Original Message -----
From: Dr Stephen Henson <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 25, 2000 12:23 PM
Subject: Re: pkcs7 encryption limited by memory?
> Richard Dykiel wrote:
> >
> > Thanks.
> > Assuming I'd undertake this endeavor:
> >
> > 1- would this be of any interest for openssl?
>
> Yes. Well me at least. The encryption side is fairly easy and I've got
> some code that does most of it: basically prototype code that can
> convert a stream of data of indeterminate length into an indefinite
> length constructed OCTET STRING on the fly.
>
> I may be able to merge this into the next release, time permitting.
>
> > 2- if yes, would some openssl developer assist in the design? I can do the
> > coding, but I'm new on openssl and the modifications require knowledge of
> > BIO & ASN1 internals: I'd need some hints to design properly and take the
> > right implementation choices.
> >
>
> Re the decryption side.
>
> Doing this would require considerable knowledge of OpenSSL. In fact I'm
> not even sure this can be done cleanly without making ***HUGE***
> modifications to the way it handles ASN1.
>
> In fact it would probably be much simpler to dump the whole horrible
> ASN1 stuff and use something like SNACC.
>
> The primary problem is that OpenSSL handles ASN1 by assuming the
> whole structure is in memory. This is assumed in just about every single
> piece of OpenSSL ASN1 code and there are lots of them.
>
> You could hack this by reading in a big chunk in memory, seeing if it
> had read up to the "content" then switching to the input stream and
> finally passing what is left to the rest of the memory based stuff.
> That's messy but it's the only way I can see that wouldn't involve
> changing every single piece of ASN1 code :-(
>
> The ASN1 side is not trivial. If you want to handle things according to
> the last spec I saw you need to potentially handle nested constructed
> structures which can be definite or indefinite length constructed to
> arbitrary depth. I've never come across anything that uses more than
> indefinite+primitive but it could theoretically be used.
>
> > This project could start something like end April, beg May. In the meantime
> > I must implement a solution based on signed data structures.
> >
>
> One other thing if the above hasn't put you off. Are you in the US? It's
> just that the group hasn't yet determined that US contributions are
> "safe".
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
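
The on-the-fly conversion described in the quoted reply (a stream of indeterminate length into an indefinite-length constructed OCTET STRING), together with a bounded-memory reader that accepts the nested definite or indefinite constructed forms it mentions, as an added Python example. It is not OpenSSL code or code from either poster; the names `encode_stream`, `decode_stream`, `read_exact`, `MAX_DEPTH` and the 4096-octet chunk size are assumptions.

```python
OCTET, CONS = 0x04, 0x20      # OCTET STRING tag number, "constructed" bit
MAX_DEPTH = 16                # assumed cap on nesting depth, not an OpenSSL value

def encode_stream(src, dst, chunk=4096):
    """Write src as an indefinite-length constructed OCTET STRING, one chunk at a time."""
    dst.write(bytes([OCTET | CONS, 0x80]))            # 0x80 = indefinite length
    while block := src.read(chunk):
        n = len(block)
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
        dst.write(bytes([OCTET]) + length + block)    # primitive, definite-length segment
    dst.write(b"\x00\x00")                            # end-of-contents octets

def read_exact(src, n):
    data = src.read(n)
    if len(data) != n:
        raise ValueError("truncated BER input")
    return data

def decode_stream(src, dst, depth=0):
    """Copy one OCTET STRING's content to dst; return (octets consumed, was_eoc)."""
    tag, first = read_exact(src, 2)
    used, length = 2, (None if first == 0x80 else first)   # None = indefinite form
    if first > 0x80:                                  # long form: next octets hold the length
        used += first & 0x7F
        length = int.from_bytes(read_exact(src, first & 0x7F), "big")
    if tag == 0 and length == 0:
        return used, True                             # end-of-contents marker
    if tag == OCTET and length is not None:           # primitive: stream it out in pieces
        left = length
        while left:
            block = read_exact(src, min(left, 4096))
            dst.write(block)
            left -= len(block)
        return used + length, False
    if tag != OCTET | CONS or depth >= MAX_DEPTH:
        raise ValueError("unexpected tag or nesting too deep")
    inner, eoc = 0, False
    while not eoc and (length is None or inner < length):  # children until EOC or length met
        n, eoc = decode_stream(src, dst, depth + 1)
        inner += n
    if length is not None and (eoc or inner != length):
        raise ValueError("bad child inside definite-length parent")
    return used + inner, False

# Constructed sample: "abc" in a definite-length constructed string nested in an indefinite one.
NESTED_SAMPLE = bytes.fromhex("2480" "2405" "0403616263" "0000")
```

Neither function holds more than one chunk of content in memory, which is the property the whole-structure-in-memory ASN1 code discussed above lacks.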