Lasso cipher_encrypt / AES headache (Lasso 8.6)

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Lasso cipher_encrypt / AES headache (Lasso 8.6)

James Harvard
As noted by several people on Lasso Talk over the years, Lasso’s cipher tags don’t seem to support AES by default on either CentOS or Mac OS. I couldn’t find any answer as to how to add to the list of ciphers either.

Did anyone ever crack (heh!) this? I don’t think expecting Lasso to support AES is unreasonable!

Running openssl from os_process is problem in my server environment, for reasons I won’t bore you with. Anyway if it were I'd probably just run on the command line the PHP reference code I’ve been given.

Thanks in advance,
James

List of ciphers from cipher_list() on CentOS:
DES-ECB, DES-EDE, DES-CFB, DES-OFB, DES-CBC, DES-EDE3-CBC, RC4, RC2-CBC, BF-CBC, CAST5-CBC

On my MacBook the list is identical, with the addition of RC5-CBC.
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: Lasso cipher_encrypt / AES headache (Lasso 8.6)

Seth Ganahl
From the Lasso Language Guide:

" Note: The actual list of supported algorithms may vary from Lasso
installation to Lasso installation depending on platform and system version
. The algorithms listed in this manual should be available on all systems,
but other more esoteric algorithms may be available on some systems and not
on others "

It's not a limitation of Lasso, but rather the OS. I think MacOS at least
inherently lacks AES support by default, hence the need for OpenSSL.


On 11/16/12 10:01 AM, "James Harvard"
<[hidden email]> did quoth:

> As noted by several people on Lasso Talk over the years, Lasso¹s cipher tags
> don¹t seem to support AES by default on either CentOS or Mac OS. I couldn¹t
> find any answer as to how to add to the list of ciphers either.
>
> Did anyone ever crack (heh!) this? I don¹t think expecting Lasso to support
> AES is unreasonable!
>
> Running openssl from os_process is problem in my server environment, for
> reasons I won¹t bore you with. Anyway if it were I'd probably just run on the
> command line the PHP reference code I¹ve been given.
>
> Thanks in advance,
> James
>
> List of ciphers from cipher_list() on CentOS:
> DES-ECB, DES-EDE, DES-CFB, DES-OFB, DES-CBC, DES-EDE3-CBC, RC4, RC2-CBC,
> BF-CBC, CAST5-CBC
>
> On my MacBook the list is identical, with the addition of RC5-CBC.
> #############################################################
> This message is sent to you because you are subscribed to
>   the mailing list Lasso
> [hidden email]
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>

-------------------------------------------------------
Seth C Ganahl (501) 282-4867
Ganahl Consulting ­ Web Applications
http://www.ganahlconsulting.com/
[hidden email]
-------------------------------------------------------


#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: Lasso cipher_encrypt / AES headache (Lasso 8.6)

James Harvard
In reply to this post by James Harvard
Similar problem to a couple of years ago. Lasso's apparently limited access to cipher algorithms is a PITA when trying to integrate with third party systems or products that require any kind of encryption or hashing for authentication!

This time I want to compare a hashed value from a PHP script that is prepared with hash_hmac('sha256', 'myseedvalue', 'mysecretpwd'). The only SHA ciphers Lasso seems to offer are 'SHA' and 'SHA1' (DSA-SHA seems to produce the same output as SHA1), but neither matches the result of using SHA256 via PHP.

When I asked this question before, Seth Ganahl said that this was an OS limitation, but if that's the case I'm a bit puzzled as to how PHP can successfully access that cipher while Lasso, on the same computer, cannot!

Is there some way to extend the list of ciphers that Lasso considers or can access?

TIA,
James

On 16 Nov 2012, at 16:01, James Harvard wrote:

> As noted by several people on Lasso Talk over the years, Lasso’s cipher tags don’t seem to support AES by default on either CentOS or Mac OS. I couldn’t find any answer as to how to add to the list of ciphers either.
>
> Did anyone ever crack (heh!) this? I don’t think expecting Lasso to support AES is unreasonable!
>
> Running openssl from os_process is problem in my server environment, for reasons I won’t bore you with. Anyway if it were I'd probably just run on the command line the PHP reference code I’ve been given.
>
> Thanks in advance,
> James
>
> List of ciphers from cipher_list() on CentOS:
> DES-ECB, DES-EDE, DES-CFB, DES-OFB, DES-CBC, DES-EDE3-CBC, RC4, RC2-CBC, BF-CBC, CAST5-CBC
>
> On my MacBook the list is identical, with the addition of RC5-CBC.

#############################################################
Attend the Lasso Developer Conference 2014!
October 1-3, 2014 at Treefrog HQ, Newmarket, Ontario, Canada
http://www.lassosoft.com/LDC-newmarket-2014

#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: Lasso cipher_encrypt / AES headache (Lasso 8.6)

fletcher sandbeck-2
On Aug 4, 2014, at 10:55 AM, James Harvard <[hidden email]> wrote:

> Similar problem to a couple of years ago. Lasso's apparently limited access to cipher algorithms is a PITA when trying to integrate with third party systems or products that require any kind of encryption or hashing for authentication!
>
> This time I want to compare a hashed value from a PHP script that is prepared with hash_hmac('sha256', 'myseedvalue', 'mysecretpwd'). The only SHA ciphers Lasso seems to offer are 'SHA' and 'SHA1' (DSA-SHA seems to produce the same output as SHA1), but neither matches the result of using SHA256 via PHP.
>
> When I asked this question before, Seth Ganahl said that this was an OS limitation, but if that's the case I'm a bit puzzled as to how PHP can successfully access that cipher while Lasso, on the same computer, cannot!
>
> Is there some way to extend the list of ciphers that Lasso considers or can access?

The easiest way is to use a command line tool with [oc_process] to access the algorithm you need.  The GNU coreutils have a utility named “sha256sum” which probably computes the value you are looking for.

<?LassoScript

  var('msg' = 'my message');
  var('hash' = os_process('/usr/bin/sha256sum')->write($msg) & closewrite & read);
 $hash;
?>

ea38e30f75767d7e6c21eba85b14016646a3b60ade426ca966dac940a5db1bab -

[fletcher]

#############################################################
Attend the Lasso Developer Conference 2014!
October 1-3, 2014 at Treefrog HQ, Newmarket, Ontario, Canada
http://www.lassosoft.com/LDC-newmarket-2014

#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: Lasso cipher_encrypt / AES headache (Lasso 8.6)

Brad Lindsay
In reply to this post by James Harvard
On 8/4/14, 1:55 PM, James Harvard wrote:
> Similar problem to a couple of years ago. Lasso's apparently limited access to cipher algorithms is a PITA when trying to integrate with third party systems or products that require any kind of encryption or hashing for authentication!
>
> This time I want to compare a hashed value from a PHP script that is prepared with hash_hmac('sha256', 'myseedvalue', 'mysecretpwd'). The only SHA ciphers Lasso seems to offer are 'SHA' and 'SHA1' (DSA-SHA seems to produce the same output as SHA1), but neither matches the result of using SHA256 via PHP.
>
> When I asked this question before, Seth Ganahl said that this was an OS limitation, but if that's the case I'm a bit puzzled as to how PHP can successfully access that cipher while Lasso, on the same computer, cannot!
>
> Is there some way to extend the list of ciphers that Lasso considers or can access?

As far as I understand it, Lasso is using the openssl library. For some
reason, the library doesn't report all the options it actually has
available. I don't know if this is due to a bug in the openssl API or if
there's a newer API that Lasso could be implementing. Either way, the
best option is to use the command-line tools via [os_process] for 8.x
and [sys_process] for 9.x

HTH,
Brad
#############################################################
Attend the Lasso Developer Conference 2014!
October 1-3, 2014 at Treefrog HQ, Newmarket, Ontario, Canada
http://www.lassosoft.com/LDC-newmarket-2014

#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>