
OpenSSL Library Call Redirection, OpenPGP, DANE


Coyo

Jan 24, 2015, 2:34:36 PM
I have three separate questions, and I apologize in advance for posting
to multiple newsgroups and mailservs.

But I was taught two things by some very smart individuals:

1) The only dumb question is an unasked one, and
2) When dealing with serious cryptography, do not guess, ask an actual
cryptographer.

So I have a few separate but related questions:

Is it possible to use OpenPGP in DANE? What do I need to do this?

Can I redirect applications that rely specifically on OpenSSL to use NSS
or GnuTLS instead somehow?

My understanding of external library calls is severely limited, but my
understanding is that there's such a thing as DLL/SO injection, which
renames the library and then places an imposter library in its place so
that calls to that library are intercepted, and either handled by the
imposter or transparently forwarded to the real library.

This happens all of the time in the PC gaming world, and is a critical
tool in cheating on multiplayer games. It is a method to manipulate the
game client's internal binary logic.

It follows logically that such a technique SHOULD be possible with
OpenSSL, NSS and GnuTLS. It may be that there are wrappers or special
programs or tools that already do this, but I am unaware of any that
work universally.

Are calls to OpenSSL standardized in some way? Could a simple symlink work?

DANE is a fascinating system, and some applications I am interested in
optionally use DANE to verify the authenticity of certificates/keys. Is
it possible to use DANE locally to indirectly use GnuTLS or NSS as
backend cryptographic libraries?

Does PowerDNS or any of the common DANE-supporting nameservers
explicitly support cryptographic libraries other than OpenSSL? I made
several attempts to divine this knowledge, and was unsuccessful. Perhaps
my Google-fu is not enough.

I fail to grok how I should do this.

While applications like Pidgin use NSS, which is refreshing, most
applications I take an interest in specifically link to OpenSSL, rather
than being written as cryptographic library agnostic.

As a mere padawan, I do not know what I can do about this.

The project I have in mind uses Postfix and INN on a private LAN/VPN to
exchange files amongst a group. This group is a set of local
neighborhoods connected by explicit links.

These links use CJDNS for IP address allocation and Namecoin for name
allocation. However, Namecoin does not necessarily provide DANE
emulation. Namecoin does support arbitrary extensions, because it can
use any prefix:key=value binding by "spending" a Namecoin.

This should be trivial enough to write with a simple Bash Shell Script.
I am competent enough to write Bash Shell Scripts. However, I am too
smart to attempt mucking about with cryptographic libraries without
consulting a cryptography guru.

I realize I could somehow get PowerDNS to serve Namecoin .bit records
using the local DNS cache or perhaps a script, but I'm not sure how to
inject OpenPGP certs into DANE records.

I do know I can bind OpenPGP keys into Namecoin .bit addresses in the
same manner as regular DNS records, but I'm not sure if this is
cryptographically sound. Thus why I'm asking people who DO know what
they are doing.

So by manually posting OpenPGP keys along with names into .bit records,
then using a PowerDNS authoritative server to serve the .bit records
from a local DNS cache (somehow), I could provide DANE records to bind
.bit names to CJDNS IPv6 addresses.

This would provide a completely decentralized network, both at the IP
address space and DNS namespace levels, IF it works.

However, some of the servers I'd host on this infrastructure rely
specifically on OpenSSL, and I suspect OpenSSL does not support
verifying keys using OpenPGP, and perhaps not DANE. I'm honestly not sure.

But INN and Postfix would have problems with server-to-server TLS links
if the certs don't validate. I really want to use TLS, even though CJDNS
does use NaCl cryptography for its peering links.

I don't like relying on only one cryptographic library for security. I
want both underlying NaCl cryptography and TLS cryptography to help
protect sensitive data.

But the idea of using Namecoin + CJDNS -> PowerDNS + GnuPG + NSS/GnuTLS
-> Nginx + INN + Postfix + ... stack seems a little precarious to me.

Thank you very much for your patience, time and attention.

Thank you very much in advance for any help, advice, instruction,
protips, hints or references you may give me.

Thank you.

-- Alex Maurin <coyo AT darkdna DOT net>

J.O. Aho

Jan 24, 2015, 6:18:25 PM
On 24/01/15 20:34, Coyo wrote:
> I have three separate questions, and I apologize in advance for posting
> to multiple newsgroups and mailservs.
>
> But I was taught two things by some very smart individuals:
>
> 1) The only dumb question is an unasked one, and
> 2) When dealing with serious cryptography, do not guess, ask an actual
> cryptographer.
>
> So I have a few separate but related questions:
>
> Is is possible to use OpenPGP in DANE? What do I need to do this?
>
> Can I redirect applications that rely specifically on OpenSSL to use NSS
> or GnuTLS instead somehow?

You need to recompile them with support for NSS or GnuTLS; this may
require some coding on your part, as not all applications have the code
written so that they can support all the different libraries.

You can of course recompile your applications to use LibreSSL instead of
OpenSSL, this will not require any code change, but needs the
application to be compiled against LibreSSL or else you will have some
really nasty vulnerabilities.


> Are calls to OpenSSL standardized in some what? Could a simple symlink work?

No, a symlink will not work, as they do not have the same function
names/arguments. LibreSSL could replace OpenSSL, but due to some
differences between them, this would cause some vulnerabilities which do
not exist in LibreSSL nor OpenSSL, but are due to compiling an application
against one of them and then using the other.


> DANE is a fascinating system, and some applications I am interested in
> optionally use DANE to verify the authenticity of certificates/keys. Is
> it possible to use DANE locally to indirectly use GnuTLS or NSS as
> backend cryptographic libraries?

Can't tell that as I haven't used it, just download the source code and
see if there is support for alternatives for OpenSSL.


> Does PowerDNS or any of the common DANE-supporting nameservers
> explicitly support cryptographic libraries other than OpenSSL? I made
> several attempts to divine this knowledge, and was unsucessful. Perhaps
> my Google-fu is not enough.

Same as for DANE.


--

//Aho
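Worked example, added here and not part of either post: the two DNS records DANE actually uses for the question above, a TLSA record (RFC 6698) that pins a TLS certificate, with the verifier-side check a DANE-aware client performs, and the OPENPGPKEY owner name (RFC 7929, published after this thread) that binds an OpenPGP key to an e-mail address. The certificate bytes are a constructed stand-in, only selector 0 (full certificate) is handled, and the OPENPGPKEY local part is used without case folding (an assumption; the record's RDATA is the binary key itself and is not built here).

```python
import hashlib
import hmac

# Constructed stand-in for DER-encoded certificate bytes (not a real certificate).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

def tlsa_rdata(cert_der, usage=3, selector=0, matching=1):
    """TLSA RDATA (RFC 6698): usage, selector, matching type, then association data.
    Only selector 0 (full certificate) is handled; selector 1 (SubjectPublicKeyInfo)
    would need an ASN.1 parser. Matching: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is supported here")
    if matching == 0:
        data = cert_der
    elif matching == 1:
        data = hashlib.sha256(cert_der).digest()
    elif matching == 2:
        data = hashlib.sha512(cert_der).digest()
    else:
        raise ValueError("unknown matching type %d" % matching)
    return bytes([usage, selector, matching]) + data

def tlsa_presentation(owner, rdata):
    """Zone-file form, e.g. '_25._tcp.mail.example.com. TLSA 3 0 1 <hex>'."""
    return "%s TLSA %d %d %d %s" % (owner, rdata[0], rdata[1], rdata[2], rdata[3:].hex())

def tlsa_matches(rdata, presented_cert_der):
    """DANE-EE (usage 3) style check: the presented certificate itself must match
    the record. Usages 0-2 would additionally need PKIX chain validation."""
    expected = tlsa_rdata(presented_cert_der, rdata[0], rdata[1], rdata[2])
    return hmac.compare_digest(expected, rdata)

def openpgpkey_owner(email):
    """OPENPGPKEY owner name (RFC 7929): hex of SHA-256 over the local part,
    truncated to 28 octets, under _openpgpkey.<domain>. The local part is
    hashed as-is here (assumption: no case folding or other canonicalisation)."""
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return "%s._openpgpkey.%s." % (digest.hex(), domain)

if __name__ == "__main__":
    rec = tlsa_rdata(SAMPLE_CERT_DER)
    print(tlsa_presentation("_25._tcp.mail.example.com.", rec))
    print("matches:", tlsa_matches(rec, SAMPLE_CERT_DER))
    print(openpgpkey_owner("hugh@example.com"), "TYPE61 (binary OpenPGP key)")
```

The printed owner name is where a DANE-aware mail client would look up the key; which library (OpenSSL, GnuTLS, NSS) does the TLS handshake is independent of these records.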
