Applied Cryptography: Protocols, Algorithms, and Source Code in C

Author: Bruce Schneier

by anonymous   2017-08-20

A general rule of thumb involving encryption is, if you haven't done it before, you're going to do it wrong. If the encryption is important, then use someone else's package (that you have source to, preferably, so that they don't introduce backdoors), because they will have ironed out the bugs. Check out Schneier's book on Crypto for some general equations and implementations.

But, if you just want to use encryption and not really mess with implementing it (even if that's just copying over code from the book), then check out the encryption namespace that others have mentioned.

by anonymous   2017-08-20

You generally would not encrypt a string using the public key of an X.509 directly. Instead you would generate a strong random (of a specific quality) key; use normal symmetric encryption (such as AES) and then encrypt the string with that. You then encrypt the random key with the X.509.

Consult a good PKI/Crypto book (e.g. as to why (sections on key leakage, bit-flipping, padding and (re)encrypting twice).

If you really insist on doing this - have a look at its pkcs7_encode_rinfo function.

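#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <openssl/evp.h>
#include <openssl/pkcs7.h>
#include <openssl/x509.h>

/* x509cert: the certificate read in from your x509 byte array (e.g. with d2i_X509).
 * ri: the PKCS7_RECIP_INFO being filled in, as in pkcs7_encode_rinfo.
 * The asserts wrap the calls for brevity; they compile away under NDEBUG. */
void encrypt_blurp(X509 *x509cert, PKCS7_RECIP_INFO *ri)
{
    const unsigned char *stuff = (const unsigned char *)"Some zecret string";
    size_t stufflen = strlen((const char *)stuff);

    EVP_PKEY *pkey;
    EVP_PKEY_CTX *pctx;

    assert((pkey = X509_get_pubkey(x509cert)) != NULL);
    assert((pctx = EVP_PKEY_CTX_new(pkey, NULL)) != NULL);
    /* The context must be initialised for encryption before any other call. */
    assert(EVP_PKEY_encrypt_init(pctx) == 1);
    assert(EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT,
                             EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) == 1);

    /* A first call with a NULL output buffer returns the required length. */
    size_t eklen;
    assert(EVP_PKEY_encrypt(pctx, NULL, &eklen, stuff, stufflen) == 1);

    unsigned char *ek = OPENSSL_malloc(eklen);
    assert(ek != NULL);
    assert(EVP_PKEY_encrypt(pctx, ek, &eklen, stuff, stufflen) == 1);

    printf("Encrypted blurp: ");
    for (size_t i = 0; i < eklen; i++) {
        printf("0x%02X ", ek[i]);
    }
    printf("\n");

    OPENSSL_free(ek);
    EVP_PKEY_CTX_free(pctx);
    EVP_PKEY_free(pkey);
}
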
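
The hybrid scheme recommended at the top of the answer above (random key, AES for the string, certificate public key for the random key only), as an added example with the openssl command line; it is not part of the original answer. The file names, the demo CN, the output layout and the HMAC-SHA256 encrypt-then-MAC step are assumptions of this example; the answer itself only names AES.

```shell
#!/bin/sh
# Added example: hybrid encryption to an X.509 certificate with the openssl CLI.
# File names, the CN and the iv/msg.enc/msg.tag/keys.enc layout are assumptions.
set -eu

hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }   # file -> continuous hex string

# make_recipient DIR: constructed throwaway RSA key and self-signed certificate.
make_recipient() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-recipient" \
        -keyout "$1/recipient.key" -out "$1/recipient.crt" 2>/dev/null
}

# hybrid_encrypt DIR PLAINTEXT: only the certificate (public key) is needed.
hybrid_encrypt() {
    openssl rand -out "$1/keys" 64     # bytes 1-32: AES-256 key, 33-64: HMAC key
    openssl rand -out "$1/iv" 16
    k=$(hex "$1/keys")
    # Bulk data goes through AES, then encrypt-then-MAC over IV || ciphertext.
    openssl enc -aes-256-cbc -K "$(printf %s "$k" | cut -c1-64)" \
        -iv "$(hex "$1/iv")" -in "$2" -out "$1/msg.enc"
    cat "$1/iv" "$1/msg.enc" | openssl dgst -sha256 -mac HMAC \
        -macopt "hexkey:$(printf %s "$k" | cut -c65-128)" -binary > "$1/msg.tag"
    # Only the 64 bytes of key material are RSA-encrypted (OAEP) to the certificate.
    openssl pkeyutl -encrypt -certin -inkey "$1/recipient.crt" \
        -pkeyopt rsa_padding_mode:oaep -in "$1/keys" -out "$1/keys.enc"
    rm -f "$1/keys"; k=                # session keys are discarded after use
}

# hybrid_decrypt DIR OUT: needs the private key; fails if the MAC does not match.
hybrid_decrypt() {
    openssl pkeyutl -decrypt -inkey "$1/recipient.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$1/keys.enc" -out "$1/keys" || return 1
    k=$(hex "$1/keys"); rm -f "$1/keys"
    cat "$1/iv" "$1/msg.enc" | openssl dgst -sha256 -mac HMAC \
        -macopt "hexkey:$(printf %s "$k" | cut -c65-128)" -binary > "$1/tag.chk"
    cmp -s "$1/msg.tag" "$1/tag.chk" || return 1   # reject before decrypting
    openssl enc -d -aes-256-cbc -K "$(printf %s "$k" | cut -c1-64)" \
        -iv "$(hex "$1/iv")" -in "$1/msg.enc" -out "$2"
}

# Demo run on a constructed message.
d=$(mktemp -d); make_recipient "$d"; printf 'Some zecret string' > "$d/msg"
hybrid_encrypt "$d" "$d/msg"; hybrid_decrypt "$d" "$d/out"
cat "$d/out"; echo; rm -rf "$d"
```

The RSA operation never sees the message, so the message can be any length, and a modified `msg.enc` is rejected by the MAC check before any AES decryption is attempted.
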
by anonymous   2017-08-20

The bottom line is, you can't. See any other comment here for the reasons why. Even encryption software like PGP/GPG stores the keys in a file, and then stridently urges those files to be kept on a flash drive in a safe, or something else secure. Keys stored as part of executable code will be discovered.

In fact, if you're trying to encrypt anything on a client machine that will be decrypted by the client as part of normal operations, that is also a fool's errand. The client machines are inherently insecure, and you can't control what they're going to be able to do to your data.

If you're trying to authenticate, instead, look at Internet-based authentication with logins to a server, or some kind of generated KeyCode that is used to validate the software.

Secret keys as part of a Public-Private Keypair should be kept in data files that can be secured. Symmetric keys should be generated on the fly as Session Keys, then discarded. Always assume that anyone who has a Secret or Session key on their computer will be able to discover it, and use it against your intentions.

Read "Applied Cryptography" by Bruce Schneier for more information.