Does RADIUS’s use of the MD5 algorithm make it not FIPS validated for an application that allows RADIUS authentication? - md5

The issue is that if you enforce FIPS validated cryptography in the Windows security policy settings, an exception will be thrown because the RADIUS protocol uses the MD5 algorithm to hash the request authenticator. There is not an alternative MD5 algorithm that is FIPS validated, so it does not appear any code implementation of RADIUS would be possible on a machine providing FIPS validated cryptography.
Does this mean RADIUS is mutually exclusive with FIPS validation?
The code implements the RADIUS protocol as specified by the official RFC (https://www.rfc-editor.org/rfc/rfc2865).

When you enable FIPS validated cryptography in Windows, you're asserting that you are now going to use only the FIPS-validated encryption and hash algorithms. More specifically, it's the cryptographic module in Windows that has been validated only to allow users to use approved FIPS algorithms. The list of acceptable algorithms is defined in Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules.
MD5 is not an approved hash algorithm, so no, applications cannot use it. For hashing, you're limited to the SHA family of algorithms. So MD5-based RADIUS is out because it cannot use MD5 from a FIPS-validated security module.
If you peruse the FIPS-validated modules, you may notice that some declare MD5 as a non-approved algorithm. What this means is that the certified module internally uses MD5, but does not expose the functionality to applications, or use it for communication. For example, a hardware encryption module running embedded Linux may use MD5 to hash passwords in /etc/passwd. That's OK because users of the module cannot use MD5.

Related

ECDSA Asymmetric Encryption/Decryption C Library

I am working with Microchip's ATECC508A, which is designed for highly secure hardware-based key storage. It implements an asymmetric (public/private) key cryptographic signature solution based upon Elliptic Curve Cryptography and the ECDSA signature protocol.
The device is able to create public/private key pairs, create signatures and verify them. It falls short of being able to perform encryption and decryption based on the Elliptic Curve Cryptography and the ECDSA signature protocol. Are there any "lightweight" C libraries that can do asymmetric encryption/decryption with the Elliptic Curve Cryptography and the ECDSA signature protocol?
By lightweight, this is obviously a relative term, but if it helps, the code is for an ATSAMD21J18A 32-bit ARM processor. So the smaller the footprint the better, if possible.
I am looking for options to see if this type of library is available, or do I need to try to implement one. I am not looking for recommendations.

Turning Http server written in C into HTTPS using RSA

I have built a server in C from scratch using sockets and I was wondering if it is possible for me to add an extra layer of security by adding RSA encryption to make sure that the client and the server have an encrypted communication.
I am quite familiar with the theory behind RSA, and I have built the encryption tool before and successfully was able to encrypt keys. I was just wondering if I could include this in my C server.
I'm afraid there's a lot more to TLS -- that is, Transport-Level Security, which is used to implement HTTPS -- than RSA encryption.
Your best bet will be to integrate the OpenSSL library, which implements TLS. Otherwise, you will have a number of major hurdles to overcome, including:
- Parsing the TLS message format
- Parsing X.509 certificates and validating the certificate chain
- Performing a TLS handshake, which requires:
  - Implementing one or more key exchange algorithms (like RSA-DSS)
  - Implementing one or more encryption suites (like AES-CBC)
  - Implementing one or more data integrity suites (like SHA256)
- Implementing workarounds for known errata of other TLS implementations

C SSL Proxy "Sniffer"/ Decryptor

I would like to re-program in C the program Burp (https://portswigger.net/burp), at least the part with the proxy.
Burp starts a proxy on the computer, through which the clients in the network can then "log in" or "access".
A CA certificate from Burp will be installed on the clients.
From now on Burp can also read HTTPS traffic.
I would like to re-program this principle in C.
I do not know which libraries to use for
- the proxy
- decrypting the data with the certificate key
Many people already wrote a proxy in C (for example, nginx).
You can often look through their C code and discover what they did and which libraries they used.
As for the network layer, I am biased since I'm the author of facil.io, which I love... But a quick search will offer libev, libuv and libevent as very common choices that support more platforms (such as Windows).

Custom Application Encryption

I am currently looking to add encryption to a server application (programmed in C) that passes raw, unencrypted data over TCP to clients (a large number of different applications programmed in many different languages).
What is the best way to do this? Public-key cryptography? If so, how would the process go?
Thanks!
If you have to ask, you're probably not qualified to be doing cryptographic work. It is far too easy to make a subtle mistake in crypto processing that breaks your entire system's security, and unlike most other bugs, it is not at all obvious until someone else breaks your system.
Just use SSL (aka TLS). The folks that designed the SSL/TLS specs and libraries have already done all the hard work for you.
SSL: secure socket layers, which initiates and transmits encrypted data.
TLS: transport layer security, which asks to starttls and the answer to that is a list of capabilities, then the transmission can continue using the best mutually accepted encryption.
Note: the capabilities may include cleartext.
I suggest reading up on how to extend your existing protocol to support TLS, by looking at an example, say, the SMTP STARTTLS (RFC 2487). Your time invested will be rewarded.
OpenSSL suits my needs! A quick view at the documentation and tutorials pointed me in the right direction.

silverlight and message encryption

If I did not want to use SSL and transport security, does Silverlight 4 support message encryption or some sort of alternative?
Silverlight doesn't support message encryption because it doesn't provide (as of SL4, I haven't looked in SL5 beta) asymmetric crypto support. You can do some custom message security if you are willing to create your own channel (which is really, really hard to do, unfortunately) which uses some out-of-band shared key and use the symmetric crypto (which is available on SL).
