<div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 21, 2020, 9:46 PM Michael Richardson <<a href="mailto:mcr@sandelman.ca">mcr@sandelman.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Michael Mueller <<a href="mailto:abaci.mjm@gmail.com" target="_blank" rel="noreferrer">abaci.mjm@gmail.com</a>> wrote:<br>
> We've implemented what I gather can be called a CMS on Linux and Windows<br>
> using openssl evp functions.<br>
<br>
I'm not sure why you say it this way.<br>
OpenSSL includes CMS (RFC3369) support, but I think not until 1.1.0.<br>
Did you implement RFC3369, or something else?<br>
<br>
You don't say if this is email or something else.<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">My bad. I thought CMS could be used as a generic reference to packaging encrypted messages. </div><div dir="auto"><br></div><div dir="auto">We are not implementing CMS as specified by IETF.</div><div dir="auto"><br></div><div dir="auto">We used the openssl evp functions to quickly improve the security of an existing proprietary data exchange system.</div><div dir="auto"><br></div><div dir="auto">Now we are being asked if our evp based solution can interoperate with a system that may support PKCS7. The thought is PKCS7 would be used to envelope data in a manner similar to how the evp functions operate. </div><div dir="auto"><br></div><div dir="auto">The request came up because the word "envelope" is used to describe evp and PKCS7 functionality.</div><div dir="auto"><br></div><div dir="auto">I suspect that evp functions are not compatible with PKCS7, but I don't know how to easily confirm this. I also suspect it will be difficult to explain why they are incompatible.</div><div dir="auto"><br></div><div dir="auto">If evp and PKCS7 are incompatible, we might be asked if we can use PKCS7 enveloping instead of evp.</div><div dir="auto"><br></div><div dir="auto">Any insights, thoughts, advice, code to read, etc would be appreciated.</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
> We need to expand this CMS to other systems, on which we have not been able<br>
> to build openssl. These other systems have a vendor supplied security<br>
> application. This application supports PKCS7.<br>
<br>
> We are being asked if our evp CMS is interoperable with PKCS7.<br>
<br>
CMS (RFC3369/2630) is an upward revision to PKCS7 (RFC2315) 1.5.<br>
CMS can read PKCS7 messages, but converse is not true.<br>
<br>
I think it is possible to configure the CMS routines to produce PKCS7<br>
messages, but I didn't do this in my RFC8366 support. I just forklift<br>
upgraded to CMS.<br>
<br>
> If it is possible and more information is required to answer this question,<br>
> I'll provide such information.<br>
<br>
> If not, advice on how to present that argument to management would be<br>
> appreciated.<br>
<br>
You will understand them, but they won't understand you.<br>
<br>
You may be able to configure your end to generate PKCS7 easily, and it may<br>
have little effect. This might degenerate until just using PKCS7 everywhere.<br>
<br>
The major difference is the eContentType that is lacking in PKCS7.<br>
And algorithms: I think that there are few modern algorithms defined for PKCS7.<br>
<br>
You could easily run in PKCS7 mode until you receive a CMS message from the<br>
peer, and then upgrade to CMS. But this winds up in a bid-down attack if<br>
both parties run this algorithm, so you'd want to insert some extension that<br>
said: "I can do CMS" into your PKCS7 messages.<br>
<br>
--<br>
] Never tell me the odds! | ipv6 mesh networks [<br>
] Michael Richardson, Sandelman Software Works | IoT architect [<br>
] <a href="mailto:mcr@sandelman.ca" target="_blank" rel="noreferrer">mcr@sandelman.ca</a> <a href="http://www.sandelman.ca/" rel="noreferrer noreferrer" target="_blank">http://www.sandelman.ca/</a> | ruby on rails [<br>
<br>
<br>
</blockquote></div></div></div>