4

I have been trying for a couple of hours without much luck though I suspect this is just me being dense.

First the setup so you won’t try talk me out of it. :P I have a box which has restrictions on its openssl lib such that it will not do rc4 in as low an encryption as 40 bit. I have a legacy function which uses rc4-40 and I'm not at liberty to upgrade the encryption to a harder bit level because it speaks to other software over which I have no control or authority.

So, constrained to 40 bit RC4 and cannot use openssl. Any XS/perl that doesn’t fall back to openssl should be great. I’ve been playing with several modules but nothing works out of the box and I’m not good at this kind of thing so can’t see how to modify/monkey-patch/fork the key/bit handling code myself.

The code is currently doing this-

echo -ne "OHAI" |  openssl rc4-40 -d -nosalt -k  KeyPhrase0123456 | xxd
0000000: cbf7 71b2                                ..q.

Naïve stab at replacing it is made of FAIL-

perl -MCrypt::RC4 -e 'print RC4("KeyPhrase0123456", "OHAI")' | xxd
0000000: bc14 808b                                ....

So I need some version of perl code to match the openssl call. I have been trying everything sensible (c.f., not openssl-based) I can find on the CPAN, including Crypt::RC4(::XS) and Net::SSH::Perl::Cipher::RC4. Google led me to some apparently related and adapted code in Authen::SASL — it was too confusing to follow other than it seems to support authentication with rc4-40. I did not try Crypt::GCrypt though it looks promising, I can’t see the proper usage. Stymied.

This — RC4 doesn't work correctly with openssl command? — was edifying but ultimately didn't help me with the key/phrase handling or setup.

Thanks for looking!

Update: after reading a bit more on FIPS mode, I think Crypt::GCrypt will also be nonfunctional even if I knew if the right invocation.

Community
  • 1
  • 1
Ashley
  • 4,307
  • 2
  • 19
  • 28
  • Are you saying you must use an existing Perl install with these restrictions? Or that you don't know how to install another Perl? (perlbrew). – David-SkyMesh Sep 19 '13 at 03:18
  • As you're currently using a shell script, there's no reason you can't shell out to a different perl. As the shell script has to reside *somewhere* there's no reason the alternate perl can't reside in the same place. Any talk of the *security* of doing so is silly, as it doesn't reduce the security of the existing install at all. – David-SkyMesh Sep 19 '13 at 03:24
  • @David-SkyMesh, sorry, no. I can use any perl but nothing that relies on openssl which quite a few of the perl libs do. The perl side is fully in my control, the locked-down openssl is not. – Ashley Sep 19 '13 at 05:13
  • Try https://metacpan.org/module/Alien::OpenSSL – Slaven Rezic Sep 19 '13 at 05:42
  • @Slaven, thanks, but it appears to use openssl. The box is locked in a mode which prevents the openssl from operating at the low-ish level of encryption the legacy software needs to speak with some external code. – Ashley Sep 19 '13 at 05:46
  • 3
    `Alien::OpenSSL` does not _use_ openssl, it _provides_ openssl. – Slaven Rezic Sep 19 '13 at 05:48
  • @Slaven... interesting, thanks. It would violate the spirit if perhaps not the absolute letter of the security requirements though. It's a legal requirement that the box is locked down as it is and circumventing it with an additional copy of openssl (even if it might work) could cause a loss of security certification... still, it would be at least good to know if it works. Thank you. – Ashley Sep 19 '13 at 12:36
  • @David-SkyMesh, the box is in FIPS mode and openssl and quite a bit of other low level encryption tools are either guaranteed technically to be unavailable or guaranteed by security certification testing (re Slaven's suggestion). This is an edge case internal only usage grandfathered in but cannot use the "old" tools. It has no bearing on perl version at all and I have no constraints other than licenses in that area. I'm quite sure it could work with perl4, I'm just no good with encryption algorithms. :| – Ashley Sep 19 '13 at 13:10

1 Answers1

1
echo -ne "OHAI" |  openssl rc4-40 -d  -nosalt -k KeyPhrase0123456 | xxd
0000000: cbf7 71b2                                ..q.

perl -MCrypt::RC4 -MDigest::MD5 -e 'print RC4(substr(Digest::MD5::md5("KeyPhrase0123456"),0,5), "OHAI")' | xxd
0000000: cbf7 71b2                                ..q.

substr(Digest::MD5::md5("KeyPhrase0123456"),0,5) - 5*8=40bit
askovpen
  • 2,438
  • 22
  • 37