Which Software Took 12 Years To Reach Version 1, and Doesn’t Have a Version 2?

I am going to ask a few questions and see if you can identify the software.

It still has the names of the original code writers as part of the DLL integration.

Any ideas? Well, let’s ask the next question.

It was released as Version 0.98 in 1998, and didn’t reach Version 1.0 until 2010.

Any ideas? Well, let’s ask the next question.

It had its FIPS 140-1 certification revoked by NIST when it failed some security tests.

Any ideas? Well, let’s ask the next question.

It took until 2018 to reach Version 1.1.

Any ideas? Well, let’s ask the next question.

It skipped Version 2, and went to Version 3 in 2021.

Any ideas? Well, let’s ask the next question.

Google released Tink and BoringSSL in order to replace it in its own operations.

And, finally:

In 2014, Versions 1.0.1 through 1.0.1f exposed over half a million servers to Heartbleed.

I hope you got it.

The software is, of course, OpenSSL, and the two DLLs in question are ssleay32.dll and libeay32.dll (and you often have to make sure that these files are somewhere your computer can find them). EAY stands for Eric Andrew Young, who, along with Tim Hudson, created the first version of OpenSSL in 1998 (Version 0.89). It then took until 2010 for the software to become Version 1.0.

In 2014, a bug in the code opened up a large part of the Internet to the Heartbleed vulnerability. This bug was fixed with Version 1.1, and many in the industry breathed a sigh of relief. An unpatched server could have leaked passwords and encryption keys. Some, too, have questioned its code quality, and in 2006 it lost its FIPS 140-1 certification, but Version 3.0 has now been certified by NIST for FIPS 140-2.

In fact, OpenSSL is the Swiss Army knife of Cybersecurity and is the place that many turn to in order to implement or test a range of encryption methods, including symmetric key, public key, hashing, digital signatures, and MACs (Message Authentication Codes). So here are some examples of its power …

Symmetric key (Command line)

  • Symmetric Key Encryption [here]. In this case we create cipher text with OpenSSL using a key derived from a password and a salt value (given in hex).
  • Symmetric Key Decryption [here]. In this case we decrypt cipher text from OpenSSL using a key derived from a password.
  • Symmetric Key Encryption with PBKDF2 key derivation [here]. In this case we create cipher text with OpenSSL using a key derived from a password and a salt value (given in hex), this time with the PBKDF2 key derivation method.
  • Symmetric Key Decryption with PBKDF2 key derivation [here]. In this case we decrypt cipher text from OpenSSL using a key derived from a password with PBKDF2.
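
As an added example (not from the original page or from OpenSSL itself), here is the derivation behind the two pairs of bullets above, written in Python against the standard library: the legacy EVP_BytesToKey path that `openssl enc` uses without `-pbkdf2`, the PBKDF2 path it uses with it, and the `Salted__` layout both write to the output file. The password and salt are constructed values.

```python
import hashlib

MAGIC = b"Salted__"   # header `openssl enc` writes in front of the 8-byte salt


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "sha256") -> tuple[bytes, bytes]:
    """Legacy derivation used by `openssl enc` without -pbkdf2 (EVP_BytesToKey, count=1).

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt); key || iv = D_1 || D_2 ...
    One digest pass per block is cheap for an attacker to repeat, which is why -pbkdf2 exists.
    """
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key_iv(password: bytes, salt: bytes, key_len: int, iv_len: int,
                  iterations: int = 10000, md: str = "sha256") -> tuple[bytes, bytes]:
    """Derivation used by `openssl enc -pbkdf2` (defaults: -md sha256, -iter 10000).

    A single PBKDF2 call yields key_len + iv_len bytes; the key comes first, then the IV.
    """
    dk = hashlib.pbkdf2_hmac(md, password, salt, iterations, key_len + iv_len)
    return dk[:key_len], dk[key_len:key_len + iv_len]


def wrap_salted(salt: bytes, ciphertext: bytes) -> bytes:
    """Lay out an `openssl enc` output blob: 8-byte magic, 8-byte salt, then ciphertext."""
    if len(salt) != 8:
        raise ValueError("openssl enc salts are exactly 8 bytes")
    return MAGIC + salt + ciphertext


def unwrap_salted(blob: bytes) -> tuple[bytes, bytes]:
    """Split an `openssl enc` blob into (salt, ciphertext); reject anything without the header."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not an OpenSSL 'Salted__' blob")
    return blob[8:16], blob[16:]


if __name__ == "__main__":
    # Constructed inputs: the salt is what `-S 0011223344556677` gives on the command line.
    pw, salt = b"correct horse", bytes.fromhex("0011223344556677")
    for label, (key, iv) in (("legacy", evp_bytes_to_key(pw, salt, 32, 16)),
                             ("pbkdf2", pbkdf2_key_iv(pw, salt, 32, 16))):
        print(f"{label}: key={key.hex()} iv={iv.hex()}")   # aes-256-cbc sizes
```

The `-P` flag of `openssl enc` prints the key and IV it derived, so the two derivations above can be compared against the tool for the same password and salt.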

Hashing

  • Hashing [here] OpenSSL supports a wide range of hashing methods including BLAKE2b, Gost, MD4, MD5, RMD-160, SHA-1, SHA-3, SHA-256 and SHA-512.

Key derivation function

  • PBKDF2 key derivation with OpenSSL [here] PBKDF2 (Password Key Derivation Function 2) is a key derivation method. Overall it is relatively slow in its operation: it takes a password, a salt value, a hashing method and a number of iterations, in order to produce an encryption key of a given size.
  • HKDF key derivation with OpenSSL [here] HKDF (HMAC Key Derivation Function) is used to derive an encryption key from a pass phrase. Initially HKDF creates a pseudorandom key (PRK) from the pass phrase and a salt value, using an HMAC hash function (such as HMAC-SHA256). Next the PRK is used to produce a key of the required length. If we generate a 16-byte output (32 hex characters), we have a 128-bit key, and a 32-byte output (64 hex characters) gives a 256-bit key. HKDF is used in TLS 1.3 for generating encryption keys.
  • HKDF, PBKDF2, SCRYPT, SSKDF, X963KDF and X942KDF-CONCAT key derivation with OpenSSL [here]. With this we generate an encryption key based on a key/password, a hashing method, a salt value and a key derivation method (HKDF, PBKDF2, SCRYPT, SSKDF, X963KDF and X942KDF-CONCAT).
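
The extract-then-expand steps of HKDF described above, as an added Python example (not the page's or OpenSSL's own code) built on the standard library's `hmac`. The self-check uses RFC 5869 test case 1 with SHA-256; the `enc` and `mac` info labels are constructed.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, md: str = "sha256") -> bytes:
    """Step 1 (extract): PRK = HMAC(salt, IKM). RFC 5869 treats an empty salt as HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(md).digest_size
    return hmac.new(salt, ikm, md).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, md: str = "sha256") -> bytes:
    """Step 2 (expand): T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and cut to `length`."""
    hash_len = hashlib.new(md).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError("HKDF can produce at most 255 * HashLen bytes")
    okm, t = b"", b""
    for counter in range(1, -(-length // hash_len) + 1):   # ceil(length / hash_len) blocks
        t = hmac.new(prk, t + info + bytes([counter]), md).digest()
        okm += t
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, md: str = "sha256") -> bytes:
    """Extract then expand: 16 bytes gives a 128-bit key, 32 bytes a 256-bit key."""
    return hkdf_expand(hkdf_extract(salt, ikm, md), info, length, md)


if __name__ == "__main__":
    # RFC 5869 test case 1 (SHA-256), embedded so the run is self-checking offline.
    ikm, salt, info = bytes([0x0B]) * 22, bytes(range(13)), bytes(range(0xF0, 0xFA))
    print("PRK:", hkdf_extract(salt, ikm).hex())
    print("OKM:", hkdf(ikm, salt, info, 42).hex())
    # Two key sizes from one high-entropy input; `info` keeps independent keys apart.
    # HKDF is a key expander, not a password hash: a low-entropy pass phrase should go
    # through PBKDF2 or scrypt first rather than straight into HKDF.
    print("128-bit:", hkdf(ikm, salt, b"enc", 16).hex())
    print("256-bit:", hkdf(ikm, salt, b"mac", 32).hex())
```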

Passwords

  • Password example [here]. This page uses the OpenSSL library hash password generator, which is used in UNIX systems for the hashing of passwords contained in /etc/shadow and /etc/passwd. For newer passwords, the “-1” option is used to create the hashed value.
  • Hashed passwords with OpenSSL [here].
  • Hashed passwords with OpenSSL (crypt, MD5, APR1, SHA-256 and SHA-512) with salt [here]. In this case we generate hashed passwords in different formats, using a salt value. The methods are implemented with OpenSSL, and include crypt, APR1, SHA-512 and SHA-256.

Public key

  • Generating an ECC key pair with OpenSSL [here]. On this page, we generate an ECC key pair, including with secp256k1 (as used in Bitcoin and Ethereum) and secp256r1 (NIST P-256). For a curve y^2 = x^3 + a·x + b (mod p), the parameters include p, a and b. We also have the generator point (G) and the order (n).
  • Generating an RSA key pair with OpenSSL [here]. This page implements RSA key pair generation. It uses either a 128-bit, 256-bit, 512-bit, 738-bit or a 1024-bit key, where the public key is (e, N) and the decryption key is (d, N). The value of N is the modulus and is calculated as the product of two prime numbers, N = p·q. The number of bits in N defines the key size for RSA. e is normally selected as 65,537, and d is selected to solve e × d (mod (p−1)(q−1)) = 1, where p and q are the selected prime numbers. The elements of the key are: N (modulus), e (exponent key), d (decryption key), p (prime 1) and q (prime 2).
  • Generating an RSA key pair with OpenSSL with encryption [here]. This page implements RSA key pair generation with an encrypted key pair, using the same key sizes and key elements (N, e, d, p and q) as above. In this case we encrypt the key pair with either 3DES, 128-bit AES, 192-bit AES or 256-bit AES. The same password must be used to encrypt and decrypt.
  • Generate prime with OpenSSL [here]. Prime numbers are important in public key encryption, and are used with RSA and ECC. For RSA, we generate two prime numbers (p and q) which are multiplied together to create a modulus (N). If these prime numbers have 512-bit values, the modulus will be a 1,024-bit value. This defines the basic security of RSA. With elliptic curves we use smaller prime numbers, such as 256-bit values for the secp256k1 curve.
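
The RSA key elements listed above (N, e, d, p, q and the e × d relation), carried through in an added Python example that is not from the page or from OpenSSL. `openssl genrsa` does the same arithmetic with its own prime search; the 512-bit primes and 1024-bit modulus are the sizes the page quotes, and the Miller-Rabin test is the same kind of probable-prime check `openssl prime` performs.

```python
import secrets

E = 65537   # the public exponent OpenSSL picks by default


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probable-prime test with random bases (probabilistic, like `openssl prime`)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # no square reached -1: a witness that n is composite
    return True


def gen_prime(bits: int) -> int:
    """Random odd candidate with its two top bits set, so p*q always has exactly 2*bits bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def gen_rsa(bits: int, e: int = E) -> dict:
    """Return the elements the page lists: N, e, d, p, q with e*d = 1 (mod (p-1)(q-1))."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:      # e must be invertible modulo phi
            return {"N": p * q, "e": e, "d": pow(e, -1, phi), "p": p, "q": q}


def rsa_raw(x: int, exp: int, n: int) -> int:
    """Textbook RSA: x^e mod N encrypts, c^d mod N decrypts. Real use adds OAEP/PSS padding."""
    return pow(x, exp, n)


if __name__ == "__main__":
    key = gen_rsa(1024)             # two 512-bit primes -> 1024-bit modulus, as the page says
    print("N bits:", key["N"].bit_length(), " e*d mod phi:",
          key["e"] * key["d"] % ((key["p"] - 1) * (key["q"] - 1)))
```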

Diffie-Hellman parameter generation

  • DH Parameters with OpenSSL [here]. The Diffie-Hellman (DH) method is perhaps one of the greatest inventions in Cybersecurity, and was created by Whitfield Diffie and Marty Hellman. With the DH method, Bob creates a random value (b) and Alice also creates a random value (a). Next Bob computes B=g^b (mod p) and sends it to Alice. Alice computes A=g^a (mod p) and sends this to Bob. Bob raises the value of A to the power of b and takes (mod p), and Alice raises B to the power of a and takes (mod p). In the end, they will have the same shared value: g^{ab} (mod p). This can then be used to derive an encryption key that they can use for a secure tunnel. Overall, p is the large prime number, and also known as the shared modulus between Bob and Alice.
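
The exchange described above, as an added Python example (not the page's code), with the check a receiver should make on the peer's value before raising it to its private exponent. The group is the 768-bit RFC 2409 Oakley group 1 (a safe prime with generator 2), chosen only because it is short enough to embed here; the parameters `openssl dhparam` produces are of the same shape but must be much larger.

```python
import hashlib
import secrets

# RFC 2409 "First Oakley Group": a 768-bit safe prime p = 2q + 1 with generator 2. It is
# used only because it is short enough to embed; for real traffic generate at least
# 2048-bit parameters (for example `openssl dhparam 2048`) or use an RFC 7919 group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2     # order of the prime-order subgroup that g generates
G = 2


def keypair(p: int = P, g: int = G, q: int = Q) -> tuple[int, int]:
    """Private exponent a in [2, q-2] and public value g^a mod p (Alice's a and A)."""
    a = 2 + secrets.randbelow(q - 3)
    return a, pow(g, a, p)


def check_peer_value(value: int, p: int = P, q: int = Q) -> bool:
    """Validate a received public value before exponentiating with it.

    0, 1 and p-1 would force a predictable shared secret; anything outside the order-q
    subgroup is the lever for small-subgroup attacks. Both are rejected here.
    """
    return 1 < value < p - 1 and pow(value, q, p) == 1


def shared_key(my_private: int, peer_public: int, p: int = P, q: int = Q) -> bytes:
    """Alice computes B^a mod p (Bob: A^b mod p) and hashes the result into a 256-bit key."""
    if not check_peer_value(peer_public, p, q):
        raise ValueError("invalid Diffie-Hellman public value from peer")
    secret = pow(peer_public, my_private, p)
    return hashlib.sha256(secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


if __name__ == "__main__":
    a, A = keypair()        # Alice's private value and the A = g^a (mod p) she sends to Bob
    b, B = keypair()        # Bob's private value and the B = g^b (mod p) he sends to Alice
    assert shared_key(a, B) == shared_key(b, A)     # both arrive at g^(ab) mod p
    print("shared 256-bit key:", shared_key(a, B).hex())
```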

MAC (Message Authentication Code)

  • HMAC with OpenSSL. HMAC (hash-based message authentication code) supports the use of a key to hash data. This key is kept secret between Bob and Alice, and can be used to authenticate both the data and that the sender still knows the secret. Overall HMAC can be used with a range of different hashing methods, such as MD5, SHA-1, SHA-256 (SHA-2) and SHA-3. In this case we use OpenSSL to generate the HMAC value.
  • MACs with OpenSSL. In the following we generate MACs for HMAC, GMAC, CMAC, Blake2bmac, Blake2smac, KMAC128 and KMAC256. Overall, we use an encryption key defined as a hex value for GMAC and CMAC, and a pass phrase for the others. The message is “hello”.

Signing

  • Digital signing a plaintext message with OpenSSL. With digital signing, we can take a message and create a signature. This normally involves signing with a private key and a digital certificate. The signed message can be in a MIME format, which can be integrated into an email message. In this case we have a 512-bit RSA key pair that signs a plain text message.

Encrypting emails

  • Encrypting an email message in OpenSSL. With public key encryption, we can take a message and encrypt it with the recipient’s public key. In this case we have a 512-bit RSA public key to encrypt a message.

Random number generation with OpenSSL

  • Random number generator [here]. Random numbers are important in generating encryption keys and salt values. In this case OpenSSL generates a random number (in a Base64 format) for a given number of bytes.

Outline (C#/Python)

  • Symmetric Key Encryption (C#) [here]. This page uses the OpenSSL library through a C#/.NET wrapper. The DLLs it interfaces to are libeay32.dll and ssleay32.dll. OpenSSL supports a wide range of encryption methods, including 128-bit AES, 192-bit AES, 256-bit AES and Blowfish (bf). Different modes of ECB, CBC, and OFB are implemented. The examples use a default IV of “1234”.
  • AES in Python with OpenSSL output [here]
  • Producing OpenSSL AES Encrypted String from C# [here]