Solaris Cryptographic Tools

17 Oct '05 - 15:05 by benr

Every geek has a little cypherpunk raging in them. Partly it's the kool factor, partly it's the practical need for privacy and security. The most common use of cryptography today is for secure communications, namely SSL and SSH. But while stream ciphers are useful, symmetric block ciphers are a lot more fun. But more on that to come soon... for now, let's talk about some easy-to-use tools already available on your Solaris 10 or OpenSolaris system that can help you employ crypto in some ways that you might not have been aware of.

Not many people are aware of the fact that Solaris 10 and OpenSolaris provide some basic easy-to-use cryptographic applications to assist us in our day-to-day needs. These tools cover the 3 primary conventional uses of cryptography:

  • Encryption/Decryption: Using a symmetric block cipher to encrypt sensitive data with a key or pass-phrase, so that it can later be decrypted by supplying the correct key or pass-phrase.
  • Digests: The use of a cryptographic function to compute a distinct value representing an arbitrary amount of data. Otherwise known as a hash, message digest, or checksum. MD5 checksums are what most people are used to seeing to verify that what they downloaded is in fact what they wanted, bit for bit.
  • HMACs: Keyed-Hash Message Authentication Code. An iterative cryptographic hash function, just like a digest, except that a cryptographic key (or pass-phrase) is supplied, producing a distinct and unique result. The advantage over a simple digest is that not only are we assured of the data's integrity but also of its authenticity: whoever sent you the message had the same key (or pass-phrase) you have.

Solaris provides APIs for all your crypto needs, and in true Sun style, doesn't go it alone but adheres to standards, namely the RSA Public-Key Cryptography Standards (PKCS). Don't let the "Public-Key" part suggest that the PKCS standards documents aren't applicable to symmetric block cryptography as well. As a developer you're interested particularly in PKCS #11, the Cryptoki (Cryptographic Token Interface) API. The advantage of Cryptoki is that a single standardized API is available on all platforms that support PKCS #11. But more on that another day.

So how do we utilize these cryptographic functions as a user? Thankfully we have some tools in Solaris 10 and OpenSolaris to provide for all 3 of these functions by way of 4 tools: encrypt(1), decrypt(1), digest(1), and mac(1). Additionally, we can use dd(1M) to generate keys for use by these tools.

Encrypting Block Data with encrypt(1):

The encrypt tool can encrypt block data using a variety of ciphers, and can either be fed a pre-generated key file or use a user-supplied pass-phrase. Before we encrypt, let's find out which ciphers we can use by handing encrypt the -l argument.

benr@anysystem crypto% encrypt -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   128
arcfour                     8   128
des                        64    64
3des                      192   192

All 4 of the tools discussed here can list the ciphers and functions they support by supplying the "-l" argument. To be more specific, for you cypherpunks out there, the PKCS proper names for these ciphers are actually: CKM_AES_CBC_PAD, CKM_RC4, CKM_DES_CBC_PAD, and CKM_DES3_CBC_PAD. Note that "arcfour" is RSA RC4.

Now let's use AES to encrypt a simple text file:

benr@anysystem crypto% encrypt -a aes -i message.txt -o message.enc
Enter key:

We can now use od (octal dump, a common tool for looking at binary data) to look at the plaintext and ciphertext:

Example omitted because many browsers go nuts on the nulls; to see it yourself, use "od -c file" on both files.

Decrypting Block Data with decrypt(1):

Decryption is the opposite action: tell the decrypt tool which cipher you're using. If you don't supply a key file, it'll prompt you for a pass-phrase:

benr@anysystem crypto% decrypt -a aes -i message.enc -o message.dec
Enter key:

If you do not supply an output file (-o) the output will be directed to STDOUT (the screen), which is useful for files that you do not want to keep laying around in an unencrypted form.

Generating Keys using dd and /dev/random:

Pass-phrases are handy for encrypting and decrypting personal stuff, but sometimes you'll actually need a binary on-disk key file. A key is really just random data (as random as possible anyway) of a fixed length that is fed to the encryption/decryption algorithm. Without the key, the algorithm either doesn't work or outputs garbage, which is the whole point. (For you cypherpunks out there, let's not worry ourselves with salts and IVs right now. Later, later.)

We can use Solaris's /dev/random to provide us with some random data that will make up the key. We just need to know how long a key we want to generate to know how much data we need from /dev/random. If you want a 128-bit key you'll want to pull 128 bits, or 16 bytes, from /dev/random. We can do that with the help of dd:

$ dd if=/dev/random of=MyAES-128bit.key bs=16 count=1
1+0 records in
1+0 records out

The key length is dependent on which cryptographic algorithm you choose to use. You'll notice earlier that "encrypt -l" listed possible min and max key lengths for each algorithm. Thus, AES can only use 128-bit keys, DES only takes 64-bit keys, Triple-DES only takes 192-bit keys, but RC4 can use keys from 8 bits to 128 bits in length.

For more information about /dev/random please see the man page (random(7D)). Please be aware that both /dev/random and /dev/urandom are available, but bear in mind that /dev/random guarantees ample entropy while /dev/urandom does not. Like I said, check the man page for details.

Calculating Hashes with digest(1):

Think of digest as a far more flexible tool than the popular GNU md5sum tool. Let's look at which message digests it can handle:

benr@anysystem crypto% digest -l
sha1
md5

As an example, let's calculate an MD5 message digest for our plaintext used above.

benr@anysystem crypto% digest -a md5 message.txt
1dc580773cfdb5f0d70f9426aabe6a78

A common question among Solaris users is "Where is md5sum?" The answer is simple: we don't have it. The reason is simple too: md5sum is GPL code that's provided as part of the GNU CoreUtils software. But have no fear; to make yourself comfy and at home, you can use alias to make life simpler:

$ alias md5sum='digest -a md5'
$ md5sum *.gz
(xdesktopwaves-1.3.tar.gz) = 4ef1233527cb3bbf06b8fdc407b04ebe
(xrestop-0.3.tar.gz) = 8bf9927fab3992290702d28c38b8a4ce

Calculating (H)MACs with mac(1):

MACs are calculated just like hashes, except we toss a key into the mix. The result is a distinct value that we can compare to ensure both authenticity and integrity in one pass. Just like the encrypt/decrypt tools, we can either supply a key file or be prompted for a pass-phrase. HMAC key lengths for SHA1 and MD5 are much longer (up to 512 bits!) than those of the encryption algorithms we used before, so check mac -l for acceptable key lengths.

The following is an example of calculating a MAC:

$ mac -a sha1_hmac xdesktopwaves-1.3.tar.gz
Enter key:
bcbc345002e46b36c62c94eac068ab4441c9ad90

Just for fun, if you want to verify this, you can download the file I used here (xdesktopwaves-1.3.tar.gz) and calculate the HMAC yourself. The pass-phrase (which serves as the key) I used was "cuddletech". If you get the file and use my passphrase you should be able to verify that it is the same file I have.
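The digest-versus-MAC distinction above, as an added example that is not part of the original post and does not use the Solaris tools: it uses Python's hashlib/hmac, so its hex values will not match the mac(1) output shown here (mac(1) turns a pass-phrase into a key in its own way). The file names, the 160-bit key size and the sample plaintext are constructed for the demo; the point it shows is that a MAC only verifies for the holder of the same key, while a digest can be recomputed by anyone who edits the file.

```python
import hashlib
import hmac
import os
import tempfile


def generate_key_file(path, size_bytes):
    """Same idea as `dd if=/dev/random of=KEY bs=N count=1`: N random bytes."""
    key = os.urandom(size_bytes)
    with open(path, "wb") as f:
        f.write(key)
    return key


def digest_bytes(data, algorithm="md5"):
    """Unkeyed hash, the notion behind `digest -a md5 FILE`."""
    return hashlib.new(algorithm, data).hexdigest()


def mac_bytes(data, key, algorithm="sha1"):
    """Keyed HMAC, the notion behind `mac -a sha1_hmac FILE` with a key file."""
    return hmac.new(key, data, algorithm).hexdigest()


def read_file(path):
    with open(path, "rb") as f:
        return f.read()


def verify_mac(path, key, expected_hex, algorithm="sha1"):
    """Recipient side: recompute the MAC and compare in constant time."""
    actual = mac_bytes(read_file(path), key, algorithm)
    return hmac.compare_digest(actual, expected_hex)


def demo():
    """Constructed scenario: sender MACs a file with a shared key and the
    recipient verifies; then the file is altered in transit, and someone
    who does not hold the key tries to produce a matching tag."""
    tmp = tempfile.mkdtemp()
    msg = os.path.join(tmp, "message.txt")
    with open(msg, "wb") as f:
        f.write(b"login: 8675309, account: 42\n")   # constructed plaintext
    key = generate_key_file(os.path.join(tmp, "MyHMAC-160bit.key"), 20)
    tag = mac_bytes(read_file(msg), key)             # mailed along with the file
    digest_original = digest_bytes(read_file(msg))

    results = {"mac_verifies": verify_mac(msg, key, tag)}

    # A different key (pass-phrase) cannot reproduce the sender's tag.
    other_key = os.urandom(20)
    results["wrong_key_rejected"] = not verify_mac(msg, other_key, tag)

    # Flipping one bit in transit is caught by the MAC ...
    data = bytearray(read_file(msg))
    data[7] ^= 0x01
    with open(msg, "wb") as f:
        f.write(bytes(data))
    results["tamper_detected"] = not verify_mac(msg, key, tag)

    # ... and the digest changes too, but whoever altered the file can
    # publish a fresh digest (no key needed), whereas a tag computed with
    # any other key still differs from what the real key would produce.
    results["digest_changed"] = digest_bytes(read_file(msg)) != digest_original
    results["forged_mac_differs"] = (
        mac_bytes(bytes(data), other_key) != mac_bytes(bytes(data), key))
    return results
```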

Wrap Up:

So here we have some snazzy, kool, easy-to-use tools that can put the power of crypto firmly in our hands. These tools can provide a range of usefulness to you. Here are some examples of how I use them:

  • Encrypt/Decrypt: I have a horrible memory. One of my online brokerages doesn't allow me to choose my own login name; it's a mish-mash of numbers, so while I can remember the password, I can't remember the login. So I keep the login in a file that I RC4 encrypt. Whenever I need to remember what the login is I can quickly decrypt the file containing my login and account number, without fear of someone hacking my box and having any of my financial information.
  • Digest: Being the industry-standard integrity checksum, MD5 is a must for verifying downloads.
  • MAC: This is great for passing sensitive files to clients or other users. By using a pass-phrase I can email a file and the MAC value to the person it's intended for and then call them with the pass-phrase I used. This ensures that we've passed the data properly and gives us the assurance that nothing's being tampered with.

For more information about these tools and the Solaris Cryptographic Framework check out Part IV of the System Administration Guide: Security Services manual: Solaris Cryptographic Services. Also keep your eyes on the blog of Darren Moffat, Solaris Security Guru.

You can view the source for all the tools we've discussed here using the OpenSolaris Online Source Browser: /usr/src/cmd/cmd-crypto/.


- - C O M M E N T S - -

There are just lots of little tidbits hidden in Solaris 10 like little presents from the Sun engineers. I’ve been having tons of fun with smpatch lately, and, now I can play with encrypt (bye bye gpg)! Solaris 9 is beginning to look like a Flintstones car by comparison.

AC - 18 October '05 - 00:28

Nice entry. I just wanted to add that you can use the cryptoadm(1M) command to list all of the installed providers and algorithms (use cryptoadm list). You should also go to the Sun Download Center and get the Solaris 10 Encryption Kit, which will let you use larger keysizes with most of the providers.

Derek morr (URL) - 18 October '05 - 03:09

Derek, we’re getting there man! I don’t like seeing cryptoadm discussed in the same breath as the other tools because I think you need to digest (no pun) them first before looking at the broader picture of the Solaris framework. Step one, show off some very practical and useful tools that users already have and can sink their teeth into (like AC!). Step two, compare and contrast with OpenSSL’s tools familiar to GNU/BSD/Linux users. Step three, step back and look at how we can extend that framework (cryptoadm). Step four and onward, look at the programming interfaces for various languages, starting with C Cryptoki, OpenSSL EVP, then looking at bindings for PERL, Ruby, PHP, etc.

We’ll see how far along in the series of crypto articles I can get. It’s fun to do.

benr - 18 October '05 - 04:06
