My adventures with PKCS#7 and OpenSSL

By Ylian Saint-hilaire (Intel) (120 posts) on April 30, 2009 at 7:40 am

(warning, really technical)

I have been working on this idea of peer-to-peer mesh networking for a while now and have run into problems with OpenSSL. Just a little warning: this blog is for people who are a little crazy about cryptography and already know a fair amount about OpenSSL and PKI. With that warning out of the way, let's go ahead...

Let's put the following problem on the table: I want a computer to sign a block of data into a PKCS7 package and include only the signer's leaf certificate in that PKCS7 envelope. The signed block is going to be propagated from computer to computer on the network, and each one wants to make sure the block was not tampered with. Computers must check that the block is signed by the holder of the private key of the certificate included in the envelope, but they don't necessarily trust the certificate chain (so I can't verify the chain).

OK, so, basic cryptographic stuff. I create a PKCS7 signed block using PKCS7_sign() in OpenSSL, and each node that receives it uses PKCS7_verify() to check it, with the PKCS7_NOVERIFY flag since the chain is not checked; the signature is then verified against whatever certificate is carried in the envelope. Sadly, that's not sufficient. Because I don't check the certificate chain, anyone can alter fields of the X509 certificate itself (its own signature is never checked) or swap it for a certificate of their own and re-sign the block with the matching private key. To fix this, I put the thumbprint of the certificate in the first bytes of the signed data. A receiving node then checks that this thumbprint matches the certificate actually carried in the envelope and, when it knows which peer the block is supposed to come from, that it is that peer's thumbprint; without the second comparison, a re-signed block with a new certificate and a new thumbprint would still verify.

Now we are getting somewhere. A man in the middle can't change the message or the certificate without having the private key. Seems pretty good so far? Well, not quite. A middleman could still append a bunch of data at the tail end of the PKCS7 package and forward it on to other nodes, who would keep forwarding it: the DER parser stops at the end of the outer SEQUENCE and ignores whatever follows, so PKCS7_verify() still succeeds. To fix this, I have OpenSSL tell me the length of the PKCS7 (d2i_PKCS7() advances its input pointer to the first byte after the structure it parsed), and if I got more bytes than that, I reject the message. But the length is not covered by the signature either, and an attacker who controls the encoding can also stuff the extra bytes inside the structure where the parser accepts them: an extra certificate, a CRL or an unsigned attribute is all legal PKCS7 and none of it is signed. Another option is to look at the length of the X509 certificate and of the signed message and allow at most a given overhead for the rest of the package. If the overhead is too large, reject the message.
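The two relay-side checks above, the thumbprint binding and the framing/overhead bound, as an added example written for this post; it is not OpenSSL's code and not the original mesh code. It is in Python rather than C so that it runs without linking OpenSSL: it inspects only the outer DER framing of the package (tag, length form, total size) and the leading thumbprint bytes, and leaves the actual signature check to PKCS7_verify(). The certificate, payload and signature bytes below are constructed stand-ins shaped like DER, not real X509 or PKCS7 objects, and the SHA-1 thumbprint and 20-byte prefix are assumptions about the post's thumbprint format.

```python
"""Relay-side checks for a forwarded PKCS#7 envelope (added example)."""
import hashlib
from typing import Optional

THUMBPRINT_LEN = 20  # assumption: SHA-1 thumbprint at the start of the signed data


def der_tlv_size(buf: bytes, offset: int = 0) -> int:
    """Size in bytes (header plus content) of the DER element at offset.

    Raises ValueError for BER indefinite length, a non-minimal length
    encoding, or an element that runs past the end of buf.
    """
    i = offset
    if i >= len(buf):
        raise ValueError("empty element")
    first_tag = buf[i]
    i += 1
    if first_tag & 0x1F == 0x1F:            # high-tag-number form
        while i < len(buf) and buf[i] & 0x80:
            i += 1
        i += 1
    if i >= len(buf):
        raise ValueError("truncated tag")
    lb = buf[i]
    i += 1
    if lb == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if lb < 0x80:
        content_len = lb
    else:
        n = lb & 0x7F
        if n == 0 or n > 4 or i + n > len(buf):
            raise ValueError("bad long-form length")
        content_len = int.from_bytes(buf[i:i + n], "big")
        i += n
        # DER requires the shortest length encoding that fits the value.
        if content_len < 0x80 or (n > 1 and content_len < 1 << (8 * (n - 1))):
            raise ValueError("non-minimal length encoding")
    end = i + content_len
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return end - offset


def check_framing(pkg: bytes, cert_der: bytes, payload_len: int, max_overhead: int) -> int:
    """Reject trailing bytes after the outer SEQUENCE and bound the envelope
    size to certificate + payload + max_overhead. Returns the actual overhead."""
    if not pkg or pkg[0] != 0x30:
        raise ValueError("PKCS#7 ContentInfo must start with a SEQUENCE")
    if der_tlv_size(pkg) != len(pkg):
        raise ValueError("trailing bytes after the PKCS#7 structure")
    overhead = len(pkg) - len(cert_der) - payload_len
    if overhead > max_overhead:
        raise ValueError(f"envelope overhead {overhead} exceeds {max_overhead}")
    return overhead


def framing_problem(pkg: bytes, cert_der: bytes, payload_len: int, max_overhead: int) -> Optional[str]:
    """Same as check_framing, but returns the rejection reason or None."""
    try:
        check_framing(pkg, cert_der, payload_len, max_overhead)
    except ValueError as exc:
        return str(exc)
    return None


def check_thumbprint_binding(cert_der: bytes, signed_content: bytes,
                             expected: Optional[bytes] = None) -> bytes:
    """The signed content starts with the signer's certificate thumbprint.
    Check it matches the certificate carried in the envelope and, when the
    receiver knows which peer it expects, that peer's thumbprint."""
    thumb = hashlib.sha1(cert_der).digest()
    if signed_content[:THUMBPRINT_LEN] != thumb:
        raise ValueError("certificate in envelope does not match signed thumbprint")
    if expected is not None and thumb != expected:
        raise ValueError("block signed by an unexpected peer")
    return thumb


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder used to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lenb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenb)]) + lenb + body


# Constructed sample: DER-shaped stand-ins, not a real certificate, content
# or signature. The outer element is a SEQUENCE like a PKCS#7 ContentInfo.
SAMPLE_CERT = der(0x30, der(0x02, b"\x07") + der(0x13, b"mesh-node-a"))
SAMPLE_PAYLOAD = b"route update: a -> b"
SAMPLE_CONTENT = hashlib.sha1(SAMPLE_CERT).digest() + SAMPLE_PAYLOAD
SAMPLE_SIG = b"\xAB" * 32
SAMPLE_PKG = der(0x30, der(0x04, SAMPLE_CONTENT) + SAMPLE_CERT + der(0x04, SAMPLE_SIG))

if __name__ == "__main__":
    print("overhead:", check_framing(SAMPLE_PKG, SAMPLE_CERT, len(SAMPLE_PAYLOAD), 64))
    print("thumbprint:", check_thumbprint_binding(SAMPLE_CERT, SAMPLE_CONTENT).hex())
    print("tail garbage:", framing_problem(SAMPLE_PKG + b"\x00" * 10, SAMPLE_CERT, len(SAMPLE_PAYLOAD), 64))
```

The length decoder deliberately refuses BER indefinite length and non-minimal length bytes: OpenSSL's d2i_PKCS7() tolerates both, so a relay that only compares sizes reported by OpenSSL would accept envelopes that re-encode the same structure in several different byte forms. The overhead bound is the check that actually limits what a middleman can smuggle inside the structure; pick max_overhead from the size of your real signatures and attributes rather than from the sample numbers here.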

Lastly, I ran tests where I randomly change something in a PKCS7 message and try to verify it. To my surprise, OpenSSL sometimes leaks memory while parsing a bad message, and in some cases there are a few places in the PKCS7 message where bits can be changed and the change will not be detected. That last part is less surprising once you remember what the signature covers: only the content (or the signed attributes), not the rest of the envelope, so bytes the signature does not cover, such as the body of the certificate (whose own signature is never checked here) or the unsigned fields of the envelope, can be flipped without PKCS7_verify() noticing, unless something else binds them, as the thumbprint does for the certificate. Still lots of work to do to make my code really secure and leak-proof...

Ylian

Categories: Academic

Comments (2)

May 1, 2009 2:45 PM PDT

saifikhan
Hi Ylian:

That's a very nice write-up on PKCS usage with OpenSSL.

The package is transmitted using definite-length BER encoding with the signed-and-enveloped content type, with attendant encryption. So would adding random data at the end of the PKCS7 package really make any difference?

thanks
Saifi.
May 1, 2009 4:36 PM PDT

Ylian Saint-hilaire (Intel)
Thanks.

Random data at the end would not make a difference in verifying the data, but since each node in a mesh network relays the information to others, I want to prevent a node adding garbage at the end and forwarding it as a way to bog down the mesh network (or passing unwanted data in a covert way). In the end, only the data that was generated using the private key of the originator should be forwarded, nothing more. So, I have to write a little extra code to check.

Ylian
