On Mon, Jan 26, 2004, Andrew H. Derbyshire wrote: > I have a requirement to implement cross-platform 3DES encryption (driven by > a text pass phrase) between Microsoft and various UNIX platforms. Both > platforms use the vendor supplied libraries: In the case of UNIX that's > OpenSSL, and in the case of Microsoft it's the Windows routines declared by > <wincrypt.h>. > > Invoking 3DES on either platform looks straightforward, except for the > transformation of the pass phrase into a key. On the Microsoft platform, I > can hash the pass phrase which is directly passed into the 3DES processing. > The OpenSSL environment provides DES_string_to_key() but its use is > discouraged in place of a cryptographic hash function. .. but the man page > doesn't define a standard procedure to do so. > > So, I am open to suggestions (read: NEED HELP) as to how to consistently use > a pass phrase with both libraries. >
There are a few other complications which you may not be aware of. Under CryptoAPI you can't directly set the actual key. There are various tricks involving things like exponent of one RSA keys to get round this though. CryptoAPI does some weird stuff when the key length exceeds the digest length. This is true for 3DES since SHA1 is 160 bits and it uses 192 bits for 3DES. This is however documented in that some postings to the CryptoAPI mailing list documented it. OpenSSL allows you to set the actual key and has support for various standard key derivation algorithms like PKCS#12 or PKCS#5v2.0 . Its advisable to use the EVP interface on OpenSSL rather the the low level routines. It isn't a good idea to just make up a key derivation algorithm: there are lots of these about that are horribly insecure. Many don't even use a salt whcih makes them vulnerable to attack. What this means for 3DES is that there isn't a common password based key derivation algorithm. The solution would be to implement one in either CryptoAPI or OpenSSL. For example you could implement PKCS#5 v2.0 under CryptoAPI or even the odd 3DES derivation algorithm under OpenSSL. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
