000026112 - How does DES-encrypted data interoperate with other DES encryption/decryption packages?

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026112
Applies To: RSA BSAFE Crypto-C
Issue: How does DES-encrypted data interoperate with other DES encryption/decryption packages?
The goal is to give the recipient information indicating what algorithm and associated parameters were used to create the ciphertext and which must be used to decrypt the ciphertext.  We demonstrate with DES in CBC mode.
Resolution: The encrypted output of the DES cipher does not have a standard file format. The user needs to be informed that the file that has been passed to them is DES encrypted. One way to inform the user is to send the BER-encoded algorithm identifier for DES along with the file, as long as the user's software will accept the algorithm identifier.

To get this algorithm identifier in Crypto-C, call B_GetAlgorithmInfo and specify an ITEM structure that will hold the algorithm identifier, the algorithm object, and the appropriate BER AI for the algorithm being used (in the case of AI_DES_CBCPadIV8, use AI_DES_CBCPadBER for the third argument). The results of this call will be stored in the ITEM structure that was passed as the first argument. Then, determine a way of passing this algorithm identifier with the encrypted file (perhaps in another file).

Using Crypto-C, assume that encryptionObject and decryptionObject are both B_ALGORITHM_OBJs which have already been created.  The encryptionObject must already have been created with B_CreateAlgorithmInfo and set, using B_SetAlgorithmInfo with AI_DES_CBCPadIV8.  Go through the following steps to obtain the BER-encoded algorithm identifier:

ITEM *getInfoBER;
int status;

/*  Get the BER-encoded algorithm identifier; on success getInfoBER
    points to memory owned by Crypto-C */
status = B_GetAlgorithmInfo ((POINTER *)&getInfoBER, encryptionObject, AI_DES_CBCPadBER);

At this point, you'd make a copy of the information that getInfoBER points to (remember that B_GetAlgorithmInfo gives you a pointer to memory that belongs to Crypto-C) if you want to store it for later use.  Note that the BER-encoded algorithm identifier contains any public parameters associated with the algorithm.  In the case of DES in CBC mode, the public parameters associated with the algorithm take the form of an IV (initialization vector), which was passed into the algorithm object when B_SetAlgorithmInfo was called with AI_DES_CBCPadIV8.

On the other hand, if you are given a particular algorithm identifier (for example, the data pointed to by getInfoBER), you'd create an ITEM structure and set a given algorithm object:

unsigned char algId[] = {
 0x30, ..., 0x01, 0x01
};

ITEM algIdItem;

algIdItem.data = algId;
algIdItem.len = sizeof (algId);

/* Use the BER-encoded algorithm identifier to set an algorithm object */
status = B_SetAlgorithmInfo (decryptionObject, AI_DES_CBCPadBER, (POINTER)&algIdItem);

If the algorithm identifier in algIdItem does correspond to AI_DES_CBCPadBER (algorithm identifier for DES in CBC mode with PKCS #5 padding), the status returned by B_SetAlgorithmInfo will be 0.
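What a recipient-side check of such an identifier looks like at the byte level, as an added example (not RSA's code and not part of Crypto-C): a strict parser that accepts only a DES-CBC algorithm identifier and extracts the IV. It assumes the identifier is the minimal (DER) encoding of SEQUENCE { OID 1.3.14.3.2.7 (desCBC), OCTET STRING IV }; the function name, return codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define DES_IV_LEN 8

/* DER encoding of OID 1.3.14.3.2.7 (desCBC), tag and length included. */
static const unsigned char DES_CBC_OID[] = { 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x07 };

/* Constructed sample: SEQUENCE { desCBC OID, OCTET STRING (8-byte IV) }. */
static const unsigned char SAMPLE_ALG_ID[] = {
    0x30, 0x11,
    0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x07,
    0x04, 0x08, 0x10, 0x32, 0x54, 0x76, 0x98, 0xBA, 0xDC, 0xFE
};

/*
 * Strictly parse a DES-CBC AlgorithmIdentifier and copy out the IV.
 * Returns 0 on success, or a negative code naming the failed check:
 * -1 bad outer SEQUENCE or length, -2 unexpected OID, -3 bad IV field.
 */
int parse_des_cbc_alg_id(const unsigned char *buf, size_t len,
                         unsigned char iv[DES_IV_LEN])
{
    const size_t oid_len = sizeof(DES_CBC_OID);
    const size_t body_len = oid_len + 2 + DES_IV_LEN;   /* 17 bytes */

    /* Outer SEQUENCE: short-form length must cover exactly the buffer. */
    if (buf == NULL || len != 2 + body_len || buf[0] != 0x30 || buf[1] != body_len)
        return -1;

    /* Algorithm OID must be desCBC; reject anything else. */
    if (memcmp(buf + 2, DES_CBC_OID, oid_len) != 0)
        return -2;

    /* Parameters: OCTET STRING of exactly one DES block (the IV). */
    const unsigned char *p = buf + 2 + oid_len;
    if (p[0] != 0x04 || p[1] != DES_IV_LEN)
        return -3;

    memcpy(iv, p + 2, DES_IV_LEN);
    return 0;
}
```

Because the total length is checked before any field is read, a truncated or padded identifier is rejected without touching bytes outside the buffer.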
In Crypto-J, the basic idea is the same.  Assume that we have a properly initialized instance of JSAFE_SecureRandom, randomObj.  To extract an algorithm identifier, we must first initialize our encryption object:

JSAFE_SymmetricCipher encryptionObj = JSAFE_SymmetricCipher.getInstance ("DES/CBC/PKCS5Padding", "Java");

// Set our initialization vector
encryptionObj.generateIV (randomObj);

// Get the BER-encoded algorithm identifier
byte[] algId = encryptionObj.getDERAlgorithmID();

Now, the algId byte array contains the algorithm identifier.  That information can be sent with the ciphertext.  Assume that the recipient takes that algorithm identifier and places it in a byte array, also called algId.  This is how we would create an instance of a JSAFE_SymmetricCipher with the same algorithm and IV:

JSAFE_SymmetricCipher decryptionObj = JSAFE_SymmetricCipher.getInstance (algId, 0, "Java");

That's all it takes to create and set an instance of JSAFE_SymmetricCipher using the algorithm and parameters specified by the algorithm identifier.
Legacy Article ID: 6.0.3318141.2914371