[SNIP]
>> However this looks like the key is encrypted with 3DES, but I "exported" it
>> from the Cert+Key with "-aes256" - so I'm puzzled why I'd have a 3DES
>> encrypted p12.
DT> You thought you did but you didn't.
DT> The doc is a bit subtle, but the -$cipher option is listed under "PARSING"
> From: owner-openssl-us...@openssl.org On Behalf Of Gregory Sloop
> Sent: Monday, September 15, 2014 22:50
> And, one more question:
> How can I tell what format/encryption my pkcs12 files are in?
> [I believe for Android platform use, I need p12 certs/keys - so I'm working
> on the export/con
> From: owner-openssl-us...@openssl.org On Behalf Of Gregory Sloop
> Sent: Monday, September 15, 2014 17:14
> I've gone back and re-encrypted the private keys [thanks Dave, again!]
> and this is the result from an asn1parse
> Is that the new format? [It looks like it, but I'm such a "babe in the
And, one more question:
How can I tell what format/encryption my pkcs12 files are in?
[I believe for Android platform use, I need p12 certs/keys - so I'm working on
the export/conversion part too.]
I export my cert+key like so:
[openssl pkcs12 -export -aes256 -in somecert.crt -inkey somekey.ke
So, hopefully this will be the last post in the thread. [fat chance, eh!?]
I've gone back and re-encrypted the private keys [thanks Dave, again!] and this
is the result from an asn1parse
openssl asn1parse http://www.sloop.net
---
On Behalf Of Gregory Sloop
Sent: Tuesday, September 09, 2014 01:19
To: <mailto:openssl-users@openssl.org> openssl-users@openssl.org
Subject: Re: Certificate pass phrase brute force...
I used the asn1parse command [thanks Dave!] and while the key looks "old style"
it parses as f
xpect it to happen anytime
>soon unless someone wants to submit a patch.
>
>Michael Wojcik
>Technology Specialist, Micro Focus
>
>
>From: Kyle Hamilton [mailto:aerow...@gmail.com]
>Sent: Tuesday, 09 September, 2014 13:43
>To: openssl-users@openssl.org; Michael Wojcik
>
n't be a bad idea, but it's not
a high priority, so I wouldn't expect it to happen anytime soon unless someone
wants to submit a patch.
Michael Wojcik
Technology Specialist, Micro Focus
From: Kyle Hamilton [mailto:aerow...@gmail.com]
Sent: Tuesday, 09 September, 2014 13:43
o I wouldn't expect it to happen anytime soon unless someone
wants to submit a patch.
Michael Wojcik
Technology Specialist, Micro Focus
From: Kyle Hamilton [mailto:aerow...@gmail.com]
Sent: Tuesday, 09 September, 2014 13:43
To: openssl-users@openssl.org; Michael Wojcik
Subject: RE: Certifica
fore encrypting it with your preferred cipher.
>
>
>Michael Wojcik
>Technology Specialist, Micro Focus
>
>
>From: owner-openssl-us...@openssl.org
>[mailto:owner-openssl-us...@openssl.org] On Behalf Of Gregory Sloop
>Sent: Tuesday, 09 September, 2014 01:19
>To: openssl-users@ope
sl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Gregory Sloop
Sent: Tuesday, 09 September, 2014 01:19
To: openssl-users@openssl.org
Subject: Re: Certificate pass phrase brute force...
I used the asn1parse command [thanks Dave!] and while the key looks "old style"
it pa
I used the asn1parse command [thanks Dave!] and while the key looks "old style"
it parses as follows:
50:d=4 hl=2 l= 8 prim: OBJECT:des-ede3-cbc
Which appears to equate to: des-ede3-cbc Three key triple DES EDE in CBC
mode
The full asn parse is:
---
0:d=0 hl=4 l=2446 c
For the legacy formats (dashes-BEGIN PRIVATE RSA KEY or PRIVATE EC KEY)
just look on the DEK-Info: header line.
For PKCS#8 format (dashes-BEGIN ENCRYPTED PRIVATE KEY) do
openssl asn1parse and.
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf O
Well, as I said, given my reading of the code, the newest version of EasyRSA
[line 861] shows the following:
local crypto="-des3"
It's in the set_pass function. [On further review of the code, this appears to
only be used by the "set-rsa-pass" or "set-ec-pass" functions, and I can't
determine w
I think it's safe to assume that 3DES is almost certainly a lousier choice
than AES or Camellia on multiple fronts.
Two key triple DES provides about 80-bits of security, and three key triple
DES provides 112-bits of security. Do you know which they are using?
AES-128 provides about 128-bits of se
el Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Gregory Sloop
Sent: Friday, 05 September, 2014 16:32
To: Salz, Rich
Subject: Re: Certificate pass phrase brute force...
There is nothing special about crac
n't look like a plausible threat to me, unless you're protecting
something really valuable.
Disclaimer - I haven't double-checked any of those figures.
Does that help?
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-opens
05/2014 3:33 PM (GMT-05:00)
>To: openssl-users@openssl.org
>Cc:
>Subject: Re: Certificate pass phrase brute force...
>
>That is easy. Just restrict the number of different passwords per day.
>Any account. Thus the old school brute force idea passes out the
>wind
There is nothing special about cracking a certificate password versus any other
password. There is a lot of literature out there; a web search will easily
give you enough information to be depressed. I think your biggest faulty
assumption is that your users will pick truly random 10char passw
an AT&T 4G LTE smartphone
Original message
From: Gregory Sloop <mailto:gr...@sloop.net>
Date:09/05/2014 1:36 PM (GMT-05:00)
To: openssl-users@openssl.org<mailto:openssl-users@openssl.org>
Cc:
Subject: Certificate pass phrase brute force...
General question:
I've done a
message
> From: dave paxton
> Date:09/05/2014 3:33 PM (GMT-05:00)
> To: openssl-users@openssl.org
> Cc:
> Subject: Re: Certificate pass phrase brute force...
>
> That is easy. Just restrict the number of different passwords per day.
> Any account. Thus the old
sponse, but deplore your rudeness
>
>
> Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone
>
>
> Original message
> From: dave paxton
> Date:09/05/2014 3:33 PM (GMT-05:00)
> To: openssl-users@openssl.org
> Cc:
> Subject: Re: Certificate
.org
Cc:
Subject: Re: Certificate pass phrase brute force...
That is easy. Just restrict the number of different passwords per day. Any
account. Thus the old school brute force idea passes out the window. Most of
what you are looking at is a signing issue. Basically one person do
'm afraid.
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Gregory Sloop
Sent: Friday, 05 September, 2014 13:37
To: openssl-users@openssl.org
Subject: Certificate pass phrase brute force...
General question:
Original message
> From: Gregory Sloop
> Date:09/05/2014 1:36 PM (GMT-05:00)
> To: openssl-users@openssl.org
> Cc:
> Subject: Certificate pass phrase brute force...
>
> General question:
>
> I've done a number of searches and can't find a lot
There is nothing special about cracking a certificate password versus any other
password. There is a lot of literature out there; a web search will easily
give you enough information to be depressed. I think your biggest faulty
assumption is that your users will pick truly random 10char passwor
How do I unsubscribe from all of this?
Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone
Original message
From: Gregory Sloop
Date:09/05/2014 1:36 PM (GMT-05:00)
To: openssl-users@openssl.org
Cc:
Subject: Certificate pass phrase brute force...
Gen
General question:
I've done a number of searches and can't find a lot about the subject. [I've
searched the list archives too...at least as best I could.]
In several cases, the most obvious being OpenVPN, I use client certificates
generated by openssl, with a pass-phrase [password]. This means