Re: Security related Query
----- Original Message -----
From: "Ranjan Vishwarupe" <ranjanv@cybage.com>
To: <rdesktop@rdesktop.org>
Sent: Thursday, April 04, 2002 4:51 PM
Subject: Security related Query
>In the RDesktop - 1.1.0 code, the RSA and RC4 encryption algorithms seem to
>do more than what these algorithms generally do.
No they don't rest assured ;-)
>Actually I am using an open source Java crypto library called Cryptix.
>If I pass the same data to Cryptix's RSA and the same to sec_rsa_encrypt,
>I get different output. I saw that sec_rsa_encrypt, is reversing all the
>binary arrays ie input as well as output.
>I tried doing that but still my data after Cryptix RSA encryption is
>totally different from sec_rsa_encrypt.
Rdesktop uses just BigIntegers for the RSA Stuff (Bignum is a Big Number
representation used in the OpenSSL Library) so if you use the
java.math.BigInteger class and its related functions the rsa_encrypt stuff
is very easy to port considering that java BigIntegers are signed and
OpenSSL Integers are unsigned.
You don't need any of the RSA stuff in Cryptix just BigInteger in the JDK and
the modpow-method. (Since I did that myself recently, I know that it works)
>Again in RC4, Cryptix's output and RDesktop's crypto package differ
>totally.
Since a sequence of random bytes is used to generate the keys the output of
rdesktop and cryptix will be different. Even if you hack rdesktop enough so
that it uses the same data as cryptix the output will be different if you
are using a Win 2000 Server since the Win 2k Server generates a new random
every time you connect.
But you might have fallen into the same pit as I. RC4 is a stateful cipher.
This means that if you cipher a, the output for a is different than when you
cipher b and then a. OpenSSL saves the state in its key structure, cryptix
does not!
So you will have to use a different rc4 object for ciphering and
deciphering, because every time you do an initDecrypt(key) or
initEncrypt(key) the state info will be lost.
HTH
Christian
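
The two porting points from the reply above, as an added example that is not part of the original message and is not rdesktop or Cryptix code: byte-reversed buffers fed to an unsigned `BigInteger` for `modPow`, and one RC4 object per direction that is initialised once. The class and method names are hypothetical, the key material is constructed, and the JDK's own `ARCFOUR` cipher is used in place of Cryptix.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class RdpCryptoPort { // hypothetical class name
    static byte[] reverse(byte[] in) { // little-endian <-> big-endian
        byte[] out = new byte[in.length];
        for (int i = 0; i < in.length; i++) out[i] = in[in.length - 1 - i];
        return out;
    }

    // Raw modular exponentiation on little-endian buffers; output is modulus-sized.
    static byte[] rsaEncrypt(byte[] data, byte[] modulus, byte[] exponent) {
        // signum 1 = unsigned; new BigInteger(byte[]) alone would read a
        // leading byte >= 0x80 as a negative two's-complement number.
        BigInteger x = new BigInteger(1, reverse(data));
        BigInteger n = new BigInteger(1, reverse(modulus));
        BigInteger e = new BigInteger(1, reverse(exponent));
        byte[] be = x.modPow(e, n).toByteArray(); // may have a 0x00 sign byte or be short
        byte[] fixed = new byte[modulus.length];
        int len = Math.min(be.length, fixed.length);
        System.arraycopy(be, be.length - len, fixed, fixed.length - len, len);
        return reverse(fixed);
    }

    static Cipher rc4(int mode, byte[] key) throws Exception {
        Cipher c = Cipher.getInstance("ARCFOUR"); // JDK's name for RC4
        c.init(mode, new SecretKeySpec(key, "ARCFOUR"));
        return c;
    }

    public static void main(String[] args) throws Exception {
        // Constructed toy key: n = 3233 (0x0CA1), e = 17, message 65, all little-endian.
        byte[] c = rsaEncrypt(new byte[] {0x41}, new byte[] {(byte) 0xA1, 0x0C}, new byte[] {0x11});
        System.out.printf("rsa: %02x %02x%n", c[0], c[1]);

        byte[] key = "constructed-key!".getBytes(StandardCharsets.US_ASCII);
        Cipher enc = rc4(Cipher.ENCRYPT_MODE, key); // one object per direction,
        Cipher dec = rc4(Cipher.DECRYPT_MODE, key); // initialised once per session
        byte[] a = "packet a".getBytes(StandardCharsets.US_ASCII);
        // update() advances the keystream; init() or doFinal() would reset it.
        byte[] c1 = enc.update(a), c2 = enc.update(a);
        System.out.println("same plaintext, same ciphertext? " + Arrays.equals(c1, c2));
        System.out.println("in-order decrypt ok? " + (Arrays.equals(dec.update(c1), a)
                && Arrays.equals(dec.update(c2), a)));
    }
}
```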