Відео

openssl genrsa -aes-256-cbc would generate an encrypted private key. The content of rsa.pri.enc is encrypted using the key derived from the passphrase.

OpenSSL does not include OQSProvider. I made a video introducing PQC, I'm working on a follow up video, which will eventually lead to a video on OQSProvider. Target: Jan/2025.

@@CyberHashira Thank you for your reply. I'll be waiting for your content. I hope it comes out soon ^^.

it simply means token is not ready for use.

@@CyberHashira Is it on token to decide when it is ready to be used? And then token should internally set it initialized?

@@michanowinski9361 Token is ready to be used when it has been initialized. Initializing a token involves setting a label and pins for SO and USER role. A uninitialized token does not have SO/USER pin set, which means there's no way to authenticate, and use that token.

@@CyberHashira So, as far as I understand, there is no way to 'create' not existing slot/token via C_InitToken if, for example, C_InitToken is called with not existing slotId? This slot must be already present with token available.

That's what envelop is all about. Secret key used for encrypting the message is also encrypted and put in the envelop along with the encrypted message. Recipient's private key is used to decrypt the secret key.. and if successful, the secret key decrypts the message.

Yikes!, I didn't notice that. You're right, type should have been public.. not private. I believe the reason why verification still worked was because it read the public key modulus from the private key, else I'd expect failed signature verification.

Upon further inspection using debug logs, the PKCS#11 engine appears to be ignoring the "type" option. It searches for the public key and reads its modulus. This modulus is later used by OpenSSL to verify the signature. My initial assumption that PKCS#11 reads the modulus from the private key was incorrect.

you're welcome!

Thanks! I agree, setting up a Certificate Authority (CA) with keys secured within an HSM is an interesting topic for a video. However, it’s not going to be an easy task. There are many different HSM vendors, each with its own way of setting up a CA. Additionally, there are various CA programs to consider, such as MSCA, OpenSSL, EJBCA, and StepCA. Nevertheless, I'll find a way... thank you.

you're welcome!

Thank you very much!

We have the first Bitcoin replacement Tidecoin(TDC) in NIST with PQC in the Quantum Era. At least US$760million Bit Password Lost Purse will be released. Let's prepare for a new era. Start mining. I recommend storing 1,000 each in your wallet.

You're welcome!

Very useful comment, Thanks for sharing!

I'd refer you to my video about digital certificate.. You need to specify key usage and extended key usage for code signing.. watch that other video for more info.. thank you.

Thank you very much!

Hi, Thanks for posting this comment. The executable you get after compiling connect_disconnect_windows.cpp file, is it 32 bit or 64 bit? I try to test my sample using Luna HSM. Will post an update soon.

update: sample worked with Luna HSM.

@@CyberHashira How to verify that the produced application is 32bit or 64bit?

​@@sergioeaeapp check the list of OS under compatibility mode to see if any old Windows OS such as Win 98, Win Xp is listed.

@@CyberHashira Thanks for the answer. It does not have checked the compatibility feature.

not possible if you're using keytool to create a keystore. Why do you want you want create a keystore without password?

@@CyberHashira actually our client hsbc needed it

@@CyberHashira Is there any tool to create it password less ?

@@subhrajitsaha233 I don't think so.. May using a programmatic approach but I have never tried it Why can't they use a password?

@@CyberHashira Exactly sir we just raise this point only

Sure.. I'll consider this as part of my future content.

Thank you so much 😀

What do you mean by "CA CSR"? A CSR that a trusted CA will use to generate a certificate or a CSR with CA extension set? CSR with CA extension : openssl req -new -subj "/CN=Test" -key <private_key_file> -addext "basicConstraints=CA:true" -out test.csr Remove -addext "basicConstraints=CA:true" if you need a standard CSR.

@@CyberHashira Thanks for this info. I'm trying to create a 15 year validity CA cert at work through openssl. So that's why I need to create that csr and create a CA cert signed by the root with a 15 year validity.

@@CyberHashira I'll try it out during the week, thanks

@@rellirel82 Sure. By the way, I do have a bash scripted utility that uses OpenSSL to automate creation of CA (2-tier). You might want to check out "QuickCA" project from my github. I use it for my testing and I think you'd find it useful too!

Great! OpenSSL gets updated with new features and option with every update.. I guess it's time to update my videos as well. haha.. Thanks for commenting!

Thank you. I don't think it makes much difference whether I use a Private or a Public CA signed certificate. Public CA code signing certs are not free and they certainly are not cheap.

Thank you very much, cheers!

Check out the video titled "Java Cryptography : Signing JAR files using Luna HSM." on this channel.

You're welcome!

@@CyberHashira Thank you so much for your response to my compliment. I really appreciate the content you create, and I’d like to suggest a topic for future videos. Would you consider making a video about PDF signing? I think many of us would find it very valuable to understand the process better, especially regarding security and best practices. Thank you for your attention and for the excellent work!

@@devmenezes I always respond to every comment made to a video. 🙂 Thanks for writing! ..and Yes, I'll surely include your suggested topic as one of my future content. Cheers!

Same as you do it on Unix/Linux..

You don't use asymmetric keys to encrypt/decrypt large files.. you should either use secret key or hybrid (asymmetric + symmetric).

I did provide a github link in the description with notes for all of my OpenSSL related videos.

@@CyberHashira You are a good teacher. Teach us Python or anything from scratch (for beginners who are ready to commit time and effort).

@@HutS-e5c may be some day, I'll try..although I'm not a python expert..

because it's PEM encoded (Base64)..

@@CyberHashira I followed the video encrypting with the RSA public key and decrypting with the RSA private key and it worked fine. But when I tried to encrypt with the private RSA key, I was not able to decrypt with the RSA public key.

​@@HutS-e5c Private keys are not used for encrypting. I highly recommend that you learn the fundamentals of cryptography before diving into OpenSSL.

@@CyberHashira ​ Would you please recommend a source for me to learn the fundamentals of cryptography?

@@HutS-e5c google

encrypted file contains encrypted data and nothing else.

@@CyberHashira So how would openssl tool know if I do not entered the correct password or if I do not enter the correct -pbkdf2 flag or if I do not enter the correct number of -iter and as a result of that it writes to me an error message? Also, how does openssl know what random salt was used so when I want the openssl tool to remove the encryption for me, it adds that exact salt to the password that I enter (at the time I want to remove the encryption) and hash them together the correct number of times to decrypt the file for me? By the way, I found online that -pbkdf2 is called "Password Based Key Derivation Function 2" --- "Function" instead of "Format".

@@HutS-e5c openssl utility would expect the user to enter all required information correctly; failed cryptographic operations would return an error.

@@CyberHashira How the openssl utility get to know that the decryption failed to show me an error message? It is not a human. It would not know the difference between text that has meaning (to determine that the operation has succeeded) and gibberish (to determine that the operation has failed).

@@HutS-e5c padding scheme checks after decrypt is one way to see if decrypt was successful.

That's because the focus of this video is OpenSSL. I don't want to make a lengthy video covering every fundamental aspect, as there are plenty of other online resources available for that. If you're unfamiliar with terms like digests and ciphers, it might be helpful to start with those before diving into OpenSSL.

Excellent question! "Default", as the name implies, is the default provider for OpenSSL. So, if you try to generate an RSA key pair while both the default and FIPS providers are configured, the default provider will be loaded. If you want to achieve true FIPS security restrictions, then the FIPS and BASE providers are the ideal options.

@@CyberHashira Thank you. I will try that.

You're welcome!

Glad you found this video to be helpful..

Thank you.

"no such file or directory" means g++ did not find connect_disconnect.cpp. Execute this command in from the directory where that file exists.

@@CyberHashira I do not have that file tho, where can I find it or how do I make it? I only have the include file and do not have the connect disconnect file like you have on the beginning of your video... pls help

@@thechuckydoll there should be a github link in the description. github.com/CyberHashira/PKCS-11-Tutorials Find it in the samples directory.

@@CyberHashira thank you, I finally got it now I was just doing the wrong thing. thank you!

@@thechuckydoll You're welcome!

The error self-explains what the issue is.. You're trying to use binaries built for x86_64 hardware. Mac M1, M2, and M3 uses arm. Not sure how you installed those packages, I use homebrew.

@@CyberHashira Thank you for your reply. I also used Homebrew to install it (as shown in the log below). According to the information published on Homebrew's official website, this application supports Apple's M chip architecture. However, I am not sure if the version I installed is indeed the version for Mac M1. If you know a way or have any ideas on how to check and fix this error, please let me know. I would be extremely grateful and appreciative! --------------------------------------------------------- #brew install softhsm ==> Auto-updating Homebrew... Adjust how often this is run with HOMEBREW_AUTO_UPDATE_SECS or disable with HOMEBREW_NO_AUTO_UPDATE. Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`). ==> Auto-updated Homebrew! Updated 2 taps (homebrew/core and homebrew/cask). ==> New Formulae chkbit cyme egctl envelope h26forge kubevpn lando-cli mako otree porter qrtool subliminal topfew ==> New Casks airdash font-afacad-flux font-big-shoulders-stencil-display-sc font-gulim lazycat positron ball font-batang font-big-shoulders-stencil-text-sc font-gulimche monokle productive blip font-batangche font-big-shoulders-text-sc font-gungsuh navicat-premium-lite retroarch-metal@nightly charmstone font-big-shoulders-display-sc font-dotum font-gungsuhche orka-desktop wd-security clash-verge-rev font-big-shoulders-inline-display-sc font-dotumche inkdown pia yaak ea font-big-shoulders-inline-text-sc font-fragment-mono-sc k8studio plugdata@nightly You have 37 outdated formulae installed. ==> Downloading ghcr.io/v2/homebrew/core/softhsm/manifests/2.6.1-2 ############################################################################################################################################################################################################################################ 100.0% ==> Fetching softhsm ==> Downloading ghcr.io/v2/homebrew/core/softhsm/blobs/sha256:2883177ca802dcf95f7fe8eaf5118399eaab1c6cf1e1d3f2d8b4a6771708f2d7 ############################################################################################################################################################################################################################################ 100.0% ==> Pouring softhsm--2.6.1.sonoma.bottle.2.tar.gz 🍺 /usr/local/Cellar/softhsm/2.6.1: 17 files, 2.6MB ==> Running `brew cleanup softhsm`... Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP. Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`). --------------------------------------------------------- ---------------------------------------------------------

I have just found a solution to my issue: 1. add alias to startup script: alias armbrew="arch -arm64 /opt/homebrew/bin/brew" alias x86brew="arch -x86_64 /usr/local/bin/brew" 2. then can use armbrew install softhsm opensc

@@olesport7536 Good to know..

Well, it depends on where and how you installed that program. Find where the executable is and update the path. By pkcs11, i'm assuming you mean pkcs11-tool.

You're welcome!

For Java, you'd have to use a pkcs11 security provider for Java such as SunPKCS11, IBMPKCS11, and IAIK. I would eventually cover these topics but not anytime soon.

@@CyberHashira implemented using SunPKCS11 but while configuring the PKCS11 file i face issue now it's cleared if you explain complete softhsm key generation and key storage using openssl tool it will help for so many students and learners who working on cryptography and softhsm thank you for replying and give hope to cover the topic in future

@@appu9588 Sure, you're welcome!

You're welcome and thanks for watching!

Thank you.

Hello, you're welcome! Yes, 'enc.key' is a file containing the data that will be used as an input by PBKDF2, to derive an encryption key. I generated it using 'openssl rand -out enc.key 32'. The encryption key is not picked randomly from 100k iteration; it is the final result of 100k iterations.Therefore, changing the number of iteration would result in a different key value, causing decryption to fail. I hope this clear any doubts. good question 🙂 I appreciate you taking time to watch my content.

@@CyberHashira Pleasure watching your series :) Just a quick question then -- how does iteration really impact the procedure? I mean -- how come 100k is better than just 10 iteration?

@@BhavinMoriya-i8i Iteration is the number of times a PRF is executed on an input data in PBKDF2. The more iterations, the more scrambled the output becomes. NIST recommends a minimum of 1,000 iterations for PBKDF2 (SP 800-132). A higher number of iterations increases the difficulty of guessing, calculating, brute-forcing, or reassembling the output back to the original input. Imagine that I have a piece of paper with some secret information printed on it. Instead of giving you that paper as it is, I tear it into many pieces. Which one do you think would be more difficult to reassemble: paper torn into 10, 100, or 1000 pieces?

lol, just so you know.. haha

Thank you, you're awesome!

homebrew may have updated openssl to 3.x but I believe 1.1.1 should still exist somewhere in the file system. Assuming your homebrew home is /opt/homebrew, look inside /opt/homebrew/Cellar.. You should see openssl1.1 if not, try "brew reinstall openssl@1.1" and check again. you may have to then update that openssl path somewhere in your automation program. hope this helps!

Yes, I think it's doable, I've never tried AWS though. I know Azure Key vault has an OpenSSL engine. There is a similar engine for AWS Cloud HSM. You can write your own OpenSSL implementation to utilize AWS KMS.