| Trolltech Home | Qt-interest Home | Recent Threads | All Threads | Author | Date | |
| All threads index page 1 | |
Hi list! I am looking for a way to sign or sometime encrypt files using QT. I had a look to openssl, which would come pretty close to what I need, but how would one implement such things, using qt? I need to sign one or more files with a key to verify, if these files are from a valid source. Can anyone point me to some sort of example or some qt-class, which would allow such things? thanks in advance and a happy new year! kind regards, Andy
You could use QCA [http://delta.affinix.com/qca/]. It's a cryptography library using Qt. However, the available algorithms are quite small, and both of the hash algorithms they provide have already been broken [this is a theoretical break for SHA-1, as it still takes 2^69 operations to find a collision, whereas for MD5 it can be done in 31 seconds] If you require more algorithms, you can implement it yourself within QCA, or you could use other cryptographic libraries, but they are entirely independent of Qt. I get the feeling that OpenSSL is a bit overkill if you don't need SSL but just need encryption, so if you only want to do cryptography in general, you can use Crypto++ [http://www.cryptopp.com/] or Botan [http://botan.randombit.net/]. Botan has better documentation, but Crypto++ has more algorithms. In the end, it all depends if the algorithm you want is there or not. What you would do then if it isn't is up to you. Hope this helps. Benjamin Lau P/s Just curious, but why would you need a cryptographic implemented using Qt, rather than using a generic cryptographic library? -- [ signature omitted ]
Hi! "Benjamin Lau" <blwy10v@xxxxxxxxx> wrote on 01/02/2007 08:50:04 AM: > You could use QCA [http://delta.affinix.com/qca/]. It's a cryptography > library using Qt. However, the available algorithms are quite small, > and both of the hash algorithms they provide have already been broken > [this is a theoretical break for SHA-1, as it still takes 2^69 > operations to find a collision, whereas for MD5 it can be done in 31 > seconds] > > If you require more algorithms, you can implement it yourself within > QCA, or you could use other cryptographic libraries, but they are > entirely independent of Qt. I get the feeling that OpenSSL is a bit > overkill if you don't need SSL but just need encryption, so if you > only want to do cryptography in general, you can use Crypto++ > [http://www.cryptopp.com/] or Botan [http://botan.randombit.net/]. > Botan has better documentation, but Crypto++ has more algorithms. Thanks! I will give them a try. > In the end, it all depends if the algorithm you want is there or not. > What you would do then if it isn't is up to you. > > Hope this helps. > Benjamin Lau > > P/s Just curious, but why would you need a cryptographic implemented > using Qt, rather than using a generic cryptographic library? > The software has to run on three different OSes (winXP, linux and embedded linux) So implementing the application in QT makes life much easier instead of installing different libraries and hoping, that all systems use the same versions, methods, ... That is why, we chose QT for developing our applications with... Thanks! Bye, Andy
On Tuesday 02 January 2007 18:24, andreas.sumper@xxxxxxxxxxxx wrote: > Hi list! > > I am looking for a way to sign or sometime encrypt files using QT. I had a > look to openssl, which would come pretty close to what I need, but how > would one implement such things, using qt? > > I need to sign one or more files with a key to verify, if these files are > from a valid source. > > Can anyone point me to some sort of example or some qt-class, which would > allow such things? As Benjamin Lau pointed out, QCA can help with this (although your problem is a bit underspecified - do you need a public key or private key or certificate based solution?). There is a Qt4 version, currently being developed in KDE's SVN archive. It is portable to *nix, macos and windows. We certainly have stronger hashes that SHA-1, if you have the right backend providers (e.g. openssl 0.9.8 or libgcrypt). Brad
Attachment:
Attachment:
pgpjLx2r8UKC0.pgp
Attachment:
Attachment:
pgpvUvtl4ymUY.pgp
Attachment:
Attachment:
pgpfxR1CL4HRX.pgp
Attachment:
Attachment:
pgpEVyWYsA2GK.pgp
Attachment:
Attachment:
pgp4DO1ON2yPD.pgp
Description: PGP signature
Message 5 in thread
Hi Brad!
Brad Hards <bradh@xxxxxxxxxxxxx> wrote on 01/02/2007 09:10:04 AM:
> On Tuesday 02 January 2007 18:24, andreas.sumper@xxxxxxxxxxxx wrote:
> > Hi list!
> >
> > I am looking for a way to sign or sometime encrypt files using QT. I
had a
> > look to openssl, which would come pretty close to what I need, but how
> > would one implement such things, using qt?
> >
> > I need to sign one or more files with a key to verify, if these files
are
> > from a valid source.
> >
> > Can anyone point me to some sort of example or some qt-class, which
would
> > allow such things?
> As Benjamin Lau pointed out, QCA can help with this (although your
problem is
> a bit underspecified - do you need a public key or private key or
certificate
> based solution?). There is a Qt4 version, currently being developed in
KDE's
> SVN archive. It is portable to *nix, macos and windows.
First I thought of something like RSA, where I use private- and public
key. I tried to implement this algorithm using some of the headers of
openssl, but this does not work by now. So I googled for examples on how
to use openssl. But as Benjamin allready said, openssl is some sort of
overkill for this task. The main advantage would be, that I have openssl
allready running on the embedded linux, which should run the application
in the end.
What I need to do is the following:
If we want to update our application running on winXP, Linux and embedded
linux, we want to make sure, that the new files were created from a valid
source. One way would be to encrypt the files, using a given key. The
other way would be to sign the files, using a given key. The
update-application should then verify, if the files are valid by checking
the signature or unencrypting the files and only if the key was valid, the
update should be performed.
> We certainly have stronger hashes that SHA-1, if you have the right
backend
> providers (e.g. openssl 0.9.8 or libgcrypt).
>
> Brad
> [attachment "att4tdz7.dat" deleted by Andreas Sumper/CNSystems]
Thanks!
Andy
Message 6 in thread
You'll want to use a public key for signature verification and a private
key for signing. The private key lives on your developer computer and
the public key ships with your application.
If you just decrypt using a symmetric cipher, you'll have to store the
passphrase (the private key) inside your application in "more or less"
plaintext. Any attacker would be able to get it from there using
standard debugging techniques.
Regards,
Georg
andreas.sumper@xxxxxxxxxxxx wrote:
> Hi Brad!
>
> Brad Hards <bradh@xxxxxxxxxxxxx> wrote on 01/02/2007 09:10:04 AM:
>
>> On Tuesday 02 January 2007 18:24, andreas.sumper@xxxxxxxxxxxx wrote:
>>> Hi list!
>>>
>>> I am looking for a way to sign or sometime encrypt files using QT. I
> had a
>>> look to openssl, which would come pretty close to what I need, but how
>>> would one implement such things, using qt?
>>>
>>> I need to sign one or more files with a key to verify, if these files
> are
>>> from a valid source.
>>>
>>> Can anyone point me to some sort of example or some qt-class, which
> would
>>> allow such things?
>> As Benjamin Lau pointed out, QCA can help with this (although your
> problem is
>> a bit underspecified - do you need a public key or private key or
> certificate
>> based solution?). There is a Qt4 version, currently being developed in
> KDE's
>> SVN archive. It is portable to *nix, macos and windows.
>
> First I thought of something like RSA, where I use private- and public
> key. I tried to implement this algorithm using some of the headers of
> openssl, but this does not work by now. So I googled for examples on how
> to use openssl. But as Benjamin allready said, openssl is some sort of
> overkill for this task. The main advantage would be, that I have openssl
> allready running on the embedded linux, which should run the application
> in the end.
>
> What I need to do is the following:
> If we want to update our application running on winXP, Linux and embedded
> linux, we want to make sure, that the new files were created from a valid
> source. One way would be to encrypt the files, using a given key. The
> other way would be to sign the files, using a given key. The
> update-application should then verify, if the files are valid by checking
> the signature or unencrypting the files and only if the key was valid, the
> update should be performed.
>
>> We certainly have stronger hashes that SHA-1, if you have the right
> backend
>> providers (e.g. openssl 0.9.8 or libgcrypt).
>>
>> Brad
>> [attachment "att4tdz7.dat" deleted by Andreas Sumper/CNSystems]
>
> Thanks!
> Andy
>
--
[ signature omitted ]
Message 7 in thread
On Tuesday 02 January 2007 19:19, andreas.sumper@xxxxxxxxxxxx wrote:
> What I need to do is the following:
> If we want to update our application running on winXP, Linux and embedded
> linux, we want to make sure, that the new files were created from a valid
> source. One way would be to encrypt the files, using a given key. The
> other way would be to sign the files, using a given key. The
> update-application should then verify, if the files are valid by checking
> the signature or unencrypting the files and only if the key was valid, the
> update should be performed.
If you are happy to have the key on the machine, then a HMAC would be fine for
this. If you are worried about someone extracting the key from the target
machine, then you'll have to use some kind of public key system: PGP or
Cryptographic Message Syntax (CMS).
Mucking about with raw RSA (or DSA or Diffie-Hellman) requires significant
crypto understanding. I strongly advise using something higher level - in
your case, with OpenSSL already on the box, then you can use QCA+the
qca-openssl plugin to use CMS.
Brad
Description: PGP signature
Message 8 in thread
Hi Brad!
Brad Hards <bradh@xxxxxxxxxxxxx> wrote on 01/02/2007 09:41:30 AM:
> On Tuesday 02 January 2007 19:19, andreas.sumper@xxxxxxxxxxxx wrote:
> > What I need to do is the following:
> > If we want to update our application running on winXP, Linux and
embedded
> > linux, we want to make sure, that the new files were created from a
valid
> > source. One way would be to encrypt the files, using a given key. The
> > other way would be to sign the files, using a given key. The
> > update-application should then verify, if the files are valid by
checking
> > the signature or unencrypting the files and only if the key was valid,
the
> > update should be performed.
> If you are happy to have the key on the machine, then a HMAC would
> be fine for
> this. If you are worried about someone extracting the key from the
target
> machine, then you'll have to use some kind of public key system: PGP or
> Cryptographic Message Syntax (CMS).
>
> Mucking about with raw RSA (or DSA or Diffie-Hellman) requires
significant
> crypto understanding. I strongly advise using something higher level -
in
> your case, with OpenSSL already on the box, then you can use QCA+the
> qca-openssl plugin to use CMS.
Okay, this sounds like the thing I need. I allready checked out the QCA -
Source from the svn-repository. I installed qconf and compiled and
installed qca. Now where to go from here? Could you please point me to any
sort of documentation? I had a quick look at rsatest.cpp from
frogmouth.net. But I guess I have to read through the documentation.
> Brad
> [attachment "attn26dg.dat" deleted by Andreas Sumper/CNSystems]
Thanks!
Bye,
Andy
Message 9 in thread
On Tuesday 02 January 2007 20:10, andreas.sumper@xxxxxxxxxxxx wrote:
> Okay, this sounds like the thing I need. I allready checked out the QCA -
> Source from the svn-repository. I installed qconf and compiled and
> installed qca. Now where to go from here? Could you please point me to any
> sort of documentation? I had a quick look at rsatest.cpp from
> frogmouth.net. But I guess I have to read through the documentation.
It comes with documentation built into the headers - use Doxygen to generate
the HTML or Latex/PDF version as appropriate.
There are some samples in both the example/ directory, and also in the
tools/qcatool/ directory. qcatool is a command line tool that exercises QCA.
Note that the svn-repo is the Qt4 version, which I understand you want.
Brad
Description: PGP signature
Message 10 in thread
On Tuesday 02 January 2007 09:19, andreas.sumper@xxxxxxxxxxxx wrote:
> What I need to do is the following:
> If we want to update our application running on winXP, Linux and embedded
> linux, we want to make sure, that the new files were created from a valid
> source. One way would be to encrypt the files, using a given key. The
> other way would be to sign the files, using a given key. The
> update-application should then verify, if the files are valid by checking
> the signature or unencrypting the files and only if the key was valid,
> the update should be performed.
Install GnuPG or the OpenSSL binaries alongside your application and use
QProcess to call them (for GnuPG there is also libgpgme to make this easier
for you). Messing around with the crypto directly is almost never a good
idea: first it is very difficult to program and test, second it almost
always fails badly (eg. to get RSA behave in a secure manner is about as
easy as balancing a dish on a ten-foot pole while cooking dinner).
Konrad
Description: PGP signature
Message 11 in thread
Hi Konrad!
Konrad Rosenbaum <konrad@xxxxxxxxx> wrote on 01/02/2007 11:10:00 AM:
> On Tuesday 02 January 2007 09:19, andreas.sumper@xxxxxxxxxxxx wrote:
> > What I need to do is the following:
> > If we want to update our application running on winXP, Linux and
embedded
> > linux, we want to make sure, that the new files were created from a
valid
> > source. One way would be to encrypt the files, using a given key. The
> > other way would be to sign the files, using a given key. The
> > update-application should then verify, if the files are valid by
checking
> > the signature or unencrypting the files and only if the key was valid,
> > the update should be performed.
>
> Install GnuPG or the OpenSSL binaries alongside your application and use
> QProcess to call them (for GnuPG there is also libgpgme to make this
easier
> for you). Messing around with the crypto directly is almost never a good
> idea: first it is very difficult to program and test, second it almost
> always fails badly (eg. to get RSA behave in a secure manner is about as
> easy as balancing a dish on a ten-foot pole while cooking dinner).
>
I would do, but first of all, it is not that easy to cross compile and
install on embedded systems, but this can be achieved. What is much more
disapointing, is the fact, that e.g. openssl-implementation of rsa utility
(rsautl) can not cope with large files, as rsa can not handle large files
either. So I first of all wanted to just implement a wrapper for rsautl,
but this is much harder than I thought.
That was one of the reasons, why I wanted to have some sort of
qt-CryptoLibrary (like java Cryptography Architecture) to be used in our
application.
This would make life much easier *sigh*
Bye,
Andy
Message 12 in thread
On Tuesday 02 January 2007 11:19, andreas.sumper@xxxxxxxxxxxx wrote:
> I would do, but first of all, it is not that easy to cross compile and
> install on embedded systems, but this can be achieved. What is much more
> disapointing, is the fact, that e.g. openssl-implementation of rsa
> utility (rsautl) can not cope with large files, as rsa can not handle
> large files either. So I first of all wanted to just implement a wrapper
> for rsautl, but this is much harder than I thought.
Using rsautl directly is not a good idea - too many too complicated
parameters with results that only professional cryptographers understand
(so that also excludes me). Looking at the other subcommands of openssl:
well I don't think it is a good idea for a non-expert to use openssl at all
as a signing utility. Use GnuPG instead.
> That was one of the reasons, why I wanted to have some sort of
> qt-CryptoLibrary (like java Cryptography Architecture) to be used in our
> application.
> This would make life much easier *sigh*
To be perfectly honest: the Java Crypto Lib only seems to make life easier.
In fact it lures you into the illusion that you have just done seriously
secure stuff when indeed you screwed up royally (I've been bitten by that).
Konrad
Description: PGP signature