Monthly Archives: January 2009

AES Encryption Via OpenSSL

On January 31, 2009 by Paul Kehrer With 1 Comments - Posts

If you have ever wanted to encrypt a blob of data for transmission or archival, OpenSSL provides a simple way to accomplish this task without resorting to platform specific tools.
To encrypt1:

openssl enc -e -aes-256-cbc -in filename -out filename.enc

To decrypt:

openssl enc -d -aes-256-cbc -in filename.enc -out filename.dec

The example above uses AES256 in cipher block chaining mode, however there are almost 50 different cipher functions available for encryption. To see a list, just type openssl enc help. I would very seriously recommend staying with well-known and accepted standard ciphers like AES unless you have an explicit need to choose something more esoteric.

  1. You can also add -a to encode to base64 so you can easily send via email or other methods that don’t support binary encoding.
, ,

Announcing Fidgetr

On January 29, 2009 by Paul Kehrer With 3 Comments - Posts

For the past few weeks I have been working on a small coding project and today I am proud to announce its first public release!

Fidgetr is a WordPress widget that displays the latest photos from your Flickr photostream in an attractive manner.  It features support for its own themes along with very simple setup and good compatibility with various WordPress themes.  I will likely continue to announce releases here, but Fidgetr’s homepage will always have the latest news. The code is hosted via subversion on wordpress.org and is licensed under the GPL. I welcome any improvements and/or theme contributions!

A big thanks goes out to the following people:
Matt Pennig for his invaluable assistance with various javascript and CSS questions.
Major Hayden for testing the widget and tolerating my constant chattering about WP plugin development.

If you have any questions, comments, or suggestions feel free to leave them here or on Fidgetr’s homepage.

, , ,

Crossplatform GPU MD5 Cracking

On January 27, 2009 by Paul Kehrer With 0 Comments - Posts

Today I discovered a crossplatform GPU based MD5 cracker called CUDA Multiforcer. This CUDA-based software works on OS X, Linux, and Windows and allows the user to specify a charset (single byte only at this time, no unicode) as well as n hashes to brute force.

In testing on my unibody Macbook Pro I was able to get stepping rates of 24-25 million per second using the 9400M and 35-36 million per second with the 9600M. Not spectacular, but pretty good for unoptimized software running on a laptop! At the latter rate the 96 char key space for a 6 character MD5 hash would be exhausted in just over 6 hours. Of course, none of this is particularly new, but it’s nice to see tools like this increasingly making their way to OS X/Linux.

If you’d like to play with some hashes generated on your own here’s a quick script. Please note that the passwords generated are in no way cryptographically random since it uses PHP’s rand().

<?
function generateRandomPassword($length) {
	$charset=" ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz!\"#$%&'()*+,-./0123456789:;<=>?@[\]^_`{|}~";
	for($i=0;$i<$length;$i++) {
		$rand = rand(0,95);
		$password .= $charset[$rand];
	}
	return $password;
}
for($j=0;$j<100;$j++) {
	$pass = generateRandomPassword(5);
	$passwords[] = $pass;
	$hashes[] = md5($pass);
}
file_put_contents("passwords.txt",implode("\n",$passwords));
file_put_contents("hashes.txt",implode("\n",$hashes));
?>

You can change the password length generated by altering the integer passed to generateRandomPassword()

Generating a PKCS12 (PFX) Via OpenSSL

On January 24, 2009 by Paul Kehrer With 1 Comments - Posts

Sometimes there are cases when you have a separate private key/certificate pair (perhaps with an intermediate or two) that need to be combined into a single file.  This merge can be performed on the command line using OpenSSL.

openssl pkcs12 -export -in my.cer -inkey my.key -out mycert.pfx

This is the most basic use case and assumes that we have no intermediates, the private key has no password associated, my.cer is a PEM encoded file, and that we wish to supply a password interactively to protect the output file.  Great, but what if that’s not true?

Common Optional Flags

-passin If your private key has a password, you can supply it via this flag (Example: -passin pass:mypass).  Note: This flag is not necessary as OpenSSL will ask you for the password interactively if it detects that the private key is passworded, but can be useful for automation.

-in You can add extra certificates via additional -in parameters. (Example: -in anothercert.cer)

-inform If your certificates are DER (binary) encoded rather than PEM (base64) use this flag (Example: -inform DER)

-password You can use this flag to specify the output file’s password in a non-interactive fashion (Example: -password pass:mypass).  Note: Again, this is useful primarily to reduce interactivity and increase automation/scripting capability.

Much more advanced behavior is available, but if you need that it’s probably time to check the man page.

,

New Camera in Hawaii

On January 22, 2009 by Paul Kehrer With 0 Comments - Posts

I recently replaced my Canon Rebel XTi with a 5D Mark II, so I thought I’d share a few shots I got with the new camera while on vacation in Hawaii.  The higher resolution and (much) lower noise has been the biggest advantage at this point, but it helps that I now have two L glass lenses (70-200 f/4L IS and 24-105 f/4L IS).  I’m still on the fence about whether I like the new auto ISO features as I find myself turning it off and controlling ISO manually quite frequently.

Clicking the image will take you to Flickr where you can see EXIF data and view other sizes.

Fire Dancer

Daylit Explosions

Incoming Water

OpenSSL Self-Signed CA

On January 18, 2009 by Paul Kehrer With 7 Comments - Posts

Setting up a basic CA for development certificate issuance via OpenSSL is fairly simple, but most of the tutorials available online don’t show every step. This guide attempts to be as clear as possible, but if you spot anything that could use more explanation don’t hesitate to leave a comment.

If you don’t have a copy of OpenSSL on your machine, download it now.  Linux and OS X users should already have it on their systems, but Windows users can get the latest binaries here.  Please note that if you are running a version of OpenSSL prior to 0.9.8 that signing the same CSR multiple times will cause an error (due to lack of support for unique_subject=no).  RHEL4 ships with 0.9.7a.

Creating a Self-Signed Root Certificate

First we must create a signing cert (a certificate with basicConstraints set to CA:True) for use.  This will write out a privkey.pem file (base64 encoded RSA private key) as well as a root.cer file containing the self-signed public key with a 3650 day validity period.

openssl req -newkey rsa:2048 -days 3650 -x509 -nodes -out root.cer

You will see output in the following form.  Fill in the fields as you desire.  Example choices are filled in below.

Generating a 2048 bit RSA private key
............................................+++
.................................................+++
writing new private key to 'privkey.pem'
 
----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
 
----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Illinois
Locality Name (eg, city) [Newbury]:Chicago
Organization Name (eg, company) [My Company Ltd]:My Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:My Development CA
Email Address []:

Setting Up a Custom Openssl.conf

Create a new file named “myca.conf” save the following configuration into it substituting the proper private key, certificate (public key), and new_certs_dir (random temp dir) paths.  On Windows if you choose to use backslash delimited paths, please note that you will need to escape the backslashes with an additional backslash (e.g. C:pathtocert becomes C:\path\to\cert).

[ ca ]
default_ca = myca
 
[ crl_ext ]
# issuerAltName=issuer:copy  #this would copy the issuer name to altname
authorityKeyIdentifier=keyid:always
 
[ myca ]
new_certs_dir = /tmp
unique_subject = no
certificate = /path/to/root.cer
database = /path/to/certindex
private_key = /path/to/privkey.pem
serial = /path/to/serialfile
default_days = 365
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
 
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
 
[ myca_extensions ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://path.to.crl/myca.crl

You will also need to create empty files located at /path/to/certindex and /path/to/serialfile.  For the serialfile add “000a” (without the quotes) as a hexadecimal seed for the serial number. 

Create a CSR and Issue A Cert

 We now have our CA infrastructure configured so let’s create a CSR (certificate signing request) and issue our first certificate. 

 openssl req -newkey rsa:1024 -nodes -out ourdomain.csr -keyout ourdomain.key

  This will write out a req.key and req.csr after you choose the fields you desire.  If you are setting up a serverAuth certificate the common name should be the FQDN of your server.  You can also leave the challenge password blank. 

Generating a 1024 bit RSA private key
..........++++++
..................++++++
writing new private key to 'req.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Illinois
Locality Name (eg, city) [Newbury]:Chicago
Organization Name (eg, company) [My Company Ltd]:End Entity, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.examplefqdn.com
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now we’re ready to issue the certificate!  We will let our configuration file do most of the heavy lifting.  Just specify the path to the config and the path for the output certificate.

 openssl ca -batch -config /path/to/myca.conf -notext -in req.csr -out /path/to/ourdomain.cer

Your certificate should now be written to the path you specified.  To verify the contents of the certificate:
 

 openssl x509 -noout -text -in /path/to/ourdomain.cer

Browser Trust Configuration

To be trusted a certificate must have a root at the top of its chain inside the certificate store of whatever client you are attempting to use. This means you will need to import your self-signed public key (root.cer) into the store.  While each browser/OS is different, let’s demonstrate via Firefox 3.

  • Go to the preferences, choose advanced, click the encryption tab, then click "view certificates".
    Go to the preferences, choose advanced, click the encryption tab, then click "view certificates".
  • Click the authorities tab and then click import...
    Click the authorities tab and then click import...
  • Choose which options you plan to use the cert for. Check at least "identify web sites".
    Choose which options you plan to use the cert for. Check at least "identify web sites".
  • Your certificate is now trusted. You can see it under the Organization name you chose for your root certificate.
    Your certificate is now trusted. You can see it under the Organization name you chose for your root certificate.

,