EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Decrypting outside SecureBlackBox

Also by EldoS: CallbackProcess
A component to control process creation and termination in Windows and .NET applications.
#36922
Posted: 06/08/2016 08:18:36
by Carlo Wolter (Basic support level)
Joined: 06/08/2016
Posts: 2

Hi, we are testing PKIBlackBox for a Delphi app we are developing.
We managed to make the whole cycle work.
That is, we generate keys, we encrypt the payload, send the package and decrypt at the other side. All well.
Now, the customer wants to share some content with other parties, than cannot have Delphi apps. So they need to decrypt on Web app (JS, php...) or at least with some openssl command.
We tried to make the sample work, but unsuccessfully.
We can handle and convert the certificates, but when we try to decrypt we get:
Quote
RSA operation error
5468:error:0406506C:rsa routines:RSA_EAY_PRIVATE_DECRYPT:data greater than mod len:.\crypto\rsa\rsa_eay.c:518:


AFAIK, we should first extract and decrypt the RSA encoded symmetric key, and then use the extracted AES-256 key to symmetric decrypt the real payload.

The Delphi code is as follows:

Code
function TCryptoEldos.EncryptString(const AString, ACert: string): string;
....
  LCert := TElX509Certificate.Create(nil);
  try
    LCertBuffer := TEncoding.UTF8.GetBytes(ACert);
    LCert.LoadFromBufferPEM(@LCertBuffer[0], Length(LCertBuffer), '');
    ElMemoryCertStorage.Add(LCert);

    LInputBuffer := TEncoding.UTF8.GetBytes(AString);
    ElMessageEncryptor.Algorithm := SB_ALGORITHM_CNT_AES256;
    LSize := 0;
    ElMessageEncryptor.Encrypt(@LInputBuffer[0], Length(LInputBuffer), nil, LSize);
    SetLength(LOutputBuffer, LSize);
    I := ElMessageEncryptor.Encrypt(@LInputBuffer[0], Length(LInputBuffer), @LOutputBuffer[0], LSize);
    if I = 0 then
      Result := TNetEncoding.Base64.EncodeBytesToString(LOutputBuffer).Replace(sLineBreak, '')
    else
      Result := 'error ' + I.ToString;
  finally
    FreeAndNil(LCert);
  end;



Code
function TCryptoEldos.DecryptString(const ABase64String, ACertWithPrivateKey: string): string;
....
  LCert := TElX509Certificate.Create(nil);
  try
    LCertBuffer := TEncoding.UTF8.GetBytes(ACertWithPrivateKey);
    LCert.LoadFromBufferPEM(@LCertBuffer[0], Length(LCertBuffer), '');
    ElMemoryCertStorage.Add(LCert);

    LInputBuffer := TNetEncoding.Base64.DecodeStringToBytes(ABase64String);
    LSize := 0;
    ElMessageDecryptor.Decrypt(@LInputBuffer[0], Length(LInputBuffer), nil, LSize);
    SetLength(LOutputBuffer, LSize);
    I := ElMessageDecryptor.Decrypt(@LInputBuffer[0], Length(LInputBuffer), @LOutputBuffer[0], LSize);
    if I = 0 then
      Result := TEncoding.UTF8.GetString(LOutputBuffer, 0, LSize)
    else
      Result := 'error ' + I.ToString;
  finally
    FreeAndNil(LCert);
  end;


Can you please give us some tip ?
#36924
Posted: 06/08/2016 08:57:15
by Ken Ivanov (EldoS Corp.)

Hi Carlo,

Thank you for getting in touch with us.

As far as I am aware, OpenSSL supports standard PKCS#7-based encryption and decryption mechanism. Essentially, what you need to pass to the other party is the private key that corresponds to your certificate.

SecureBlackbox saves RSA private keys in commonly used PKCS#1 format. Please use the SaveKeyToBuffer()/SaveKeyToStream() method of a TElX509Certificate object containing the private key to create an RSA key in PKCS#1/DER format. To create a password-encrypted key, use SaveKeyToStreamPEM()/SaveKeyToBufferPEM() methods.

Keys exported in such was are understandable by OpenSSL and many other implementations.

Alternatively, you can export the whole certificate together with its private key in PFX format.

Ken
#36948
Posted: 06/09/2016 14:16:28
by Carlo Wolter (Basic support level)
Joined: 06/08/2016
Posts: 2

Hi Ken,
thanks for the attention.
Perhaps I poorly explained our problem.
In fact we already can handle the certificates well.
The problem is to decrypt the payload created as per EncryptString function above with openssl commands.
We already managed to transfer the certificates/privateKey to the other party in PEM or in DER format.
The problem is to define how to decrypt the payload output by EncryptString.
After your answer, we've wrapped the payload in ---- BEGIN PKCS7 ---- / --- END PKCS7 ---- header and footer

Then we've tried:
Code
openssl smime -decrypt -inform pem -in payloadA.p7 -inkey CertA.pem


obtaining error:
Quote
... garbage ... Error decrypting PKCS#7 structure
11304:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:.\crypto\evp\evp_enc.c:529:


Any thought ?
Is our command incorrect ?

Thanks
#36966
Posted: 06/10/2016 08:53:00
by Ken Ivanov (EldoS Corp.)

Hi Carlo,

Thank you for the clarification.

The command is correct and should work. Could you please share a sample encrypted document with us so that we could check it? You can use the sample certificate from the SecureBlackbox distribution to encrypt it.

Ken
#37678
Posted: 09/09/2016 12:07:29
by Vladek Pavelka (Basic support level)
Joined: 09/09/2016
Posts: 3

Hello,

please help us to solve a similar issue as discussed in this topic.
Our business partner uses your PKIBlackBox to encrypt data. What we need is simply to decrypt the data.
If your PKIBlackBox encrypts data with X.509 certificates based on PKCS#7 message standard, it should be possible to decrypt the data using common built-in PHP functions of our Apache server. Right? Unfortunately we are unsuccessful yet.

What we know from our partner:
1. Your TElMessageEncryptor class is used for the encryption
2. 3DES - 192 bit key algorithm is used
3. We have .pem file with the required private key for decrypting

Please can you provide us with the necessary PHP code for the decryption using common built-in PHP functions?

Thanks a lot
Vladek
#37679
Posted: 09/09/2016 12:45:00
by Eugene Mayevski (EldoS Corp.)

Quote
Vladek Pavelka wrote:
built-in PHP functions of our Apache server. Right? Unfortunately we are unsuccessful yet.


Apache doesn't have any built-in PHP functions -- you install PHP as an external module. Moreover, PHP itself also doesn't have any built-in encryption -- PHP in turn uses extension modules for particular functionality.

So the answer largely depends on whether you have the proper module installed in PHP, and whether you are using it.

Quote
Vladek Pavelka wrote:
Please can you provide us with the necessary PHP code for the decryption using common built-in PHP functions?


Given that you the right module installed, we can create some small sample, if you have Premium support. Premium support comes with SecureBlackbox licenses and can be purchased separately on https://www.eldos.com/support/calc.php .


Sincerely yours
Eugene Mayevski
#37681
Posted: 09/09/2016 14:47:16
by Vladek Pavelka (Basic support level)
Joined: 09/09/2016
Posts: 3

OK, sorry for my wrong formulation.
[QUOTE]
On the server are installed these cryptography extensions:
1. OpenSSL Library Version 1.0.1t and OpenSSL Header Version 1.0.1e
2. Mcrypt Version 2.5.8
3. Hash, Mhash

We was trying to use functions like openssl_pkcs7_decrypt() or mcrypt_decrypt(). No success. Please can you advise us how to decrypt the data encrypted by your TElMessageEncryptor class and 3DES - 192 bit key algorithm? Or do you need to know something more?

Thanks a lot
Vladek
#37682
Posted: 09/09/2016 15:14:47
by Eugene Mayevski (EldoS Corp.)

I am sorry, but we don't provide support for third-party APIs. If you had Premium support, we'd take a look at the issue. Otherwise we are unable to help you. You might want to search for help in the places, where open-source is supported.


Sincerely yours
Eugene Mayevski
#37683
Posted: 09/09/2016 16:04:54
by Vladek Pavelka (Basic support level)
Joined: 09/09/2016
Posts: 3

OK, please let me have just this last simple question. Should it be possible to decrypt the data encrypted by PKIBlackBox using an open-source cryptography library? Is it enough to know the 3DES - 192 bit key algorithm is used or not?

Thanks
Vladek
#37684
Posted: 09/09/2016 16:31:53
by Eugene Mayevski (EldoS Corp.)

PKCS#7 (and its later incarnation, CMS) is the standard, which defines both the format of the data and the algorithms, that can be used in data encryption or signing. 192-bit 3DES is one of those algorithms. You don't even need to know the used algorithm - the packet, encrypted according to PKCS#7, should be decryptable by any other PKCS#7-compliant implementation.


Sincerely yours
Eugene Mayevski
Also by EldoS: Callback File System
Create virtual file systems and disks, expose and manage remote data as if they were files on the local disk.

Reply

Statistics

Topic viewed 1002 times

Number of guests: 2, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!