Inf's Lair

By Paul Yang

The Untold Story - Anecdotes from the OpenSSL China tour

Table of Contents

  1. Why this article is here?
  2. The Pick-up Adventure
  3. Do you have WeChat, Dude?
  4. What’s Your Feeling back in Alibaba
  5. The “Twins”
  6. Liger or Tigon?
  7. Damn, the Boarding Pass is Lost
  8. Did We Fuck up the OpenSource Event?
  9. Worm Dinner
  10. Drunk as a Lord
  11. The Final “Haul Ass”

Why this article is here?

As most people already know, OpenSSL was in China for several days in September, from the 17th to the 25th specifically. The stories describing the very formal activities we experienced during those days were reported in some media articles after the tour, so many people know what we did in China, in particular the business part. But from my perspective, there were also things which have not been disclosed yet, but should be told. I consider them ‘anecdotes’: things that made this China tour much more vivid and enjoyable. And this is why I decided to write these words. I would like to record the moments and memories we had together back in those nine days in China.

Before I tell you the amazing and funny stories, I would like to thank again the following BaishanCloud staff who put huge effort into this tour (in order of appearance in the stories): Jane, Sean, Jedo, Paul (me, absolutely), Shirley, Alan. And also the people who didn’t show up in the stories: Jenna, Amy, Mr. Wei An, our CTO Mr. Jian Tong and my boss Terence and Mel :-). Thank you all very much for supporting our ‘operation’. I would also like to thank the guys from OpenSSL for their patience in suffering a lot from our poor oral English ;-).

The Pick-up Adventure

The pick-up at the airport for the guys of OpenSSL was more scared than hurt. The original plan was: “Jane and Sean went to Shanghai Pudong airport to pick up Matt in the morning and then Jane accompanied Matt back to the hotel while Sean stayed at the airport waiting for Steve, who would arrive at noon. Meanwhile, Jedo would go to Shanghai Hongqiao airport to pick up Richard”.

After Matt and Jane arrived at the hotel, we took this photo, and this was also the first photo of the China tour:

Lunch with Matt

Everything ran smoothly until the afternoon. Sean called to tell me that Steve hadn’t shown up at the airport but the plane had already landed almost 2 hours earlier. We didn’t have any way to contact Steve, since Steve had bought himself a SIM card in the US but that card didn’t work in his phone before he left his country. So we asked the airline, and they told us Steve didn’t board. That was very confusing for us, so we contacted Beijing to check Steve’s flight information. Finally we found that someone in BaishanCloud had got the flight wrong and Steve’s true time of arrival should be in the evening. So Sean had to continue to wait at the airport to pick up Steve. That was a tough day for him anyway…

At last in the evening, around 7 o’clock, we picked up Steve, Tim and Rich. On the way back to the hotel, Rich teased me that I also needed to handle the problem with jetlag. And he was correct about this, since I usually went to sleep at 3:00AM and woke up at 9:00 ~ 10:00AM on the same day, but during the tour I needed to adjust that lifestyle.

Do you have WeChat, Dude?

When I met Matt, I gave him a Chinese local SIM card so he could use the mobile network in China. We also prepared one SIM card for Richard, and both of the cards worked well with their cell phones. As mentioned before, Steve used a Chinese local SIM card he had bought himself. Tim and Rich just used their own numbers ‘internationally’. So the result was that, except for Steve (he used a 2G network GSM phone), all the other guys had 3G/4G access, and it was time to move to a more Chinese style of communication.

I first helped Matt set up a WeChat account, and the next day all the guys had their WeChat accounts; we even created a chat group there. Richard seemed to be interested in the WeChat app and played with the funny features for some time. That chat group helped a lot to coordinate schedules during the 8-day tour.

All the guys kept using their WeChat even after they left China; for instance, Tim and I chatted a lot on WeChat.

What’s Your Feeling back in Alibaba

On 18th September, we went to Alibaba HQ, the Xixi campus in Hangzhou. Rich and I had met here back in 2015, two days before that year’s Tmall double eleven festival. I resigned from Alibaba in June 2016, and this was the first time I had come back here since then.

First met with Rich in 2015

After the meeting we took a walk around the campus, and Rich asked me how I felt coming back here again. Well, it’s a little complicated. The first time I worked on OpenSSL (as well as other SSL/TLS and cryptography stuff) was in Alibaba, in 2014. The most important thing I got from this company was the opportunity to widen my vision during the last two years. That meant a lot to me. Back to the feelings, I was very happy to meet some old buddies there and cherished a little the memory of those days and nights when we fought together.

Sculpture in Alibaba

The “Twins”

After hanging out in Alibaba HQ, we departed for Shenzhen the next day, and it was Shirley who picked us up at the airport. We planned to visit Tencent and Huawei.

Depart for Shenzhen

It was very interesting when we took a tour of Huawei’s exhibition center - a place showing the company’s most advanced techniques. One of the most interesting things was that there was a VR game section where two people could play together to experience Huawei’s 5G tech. To play the VR game, a special device was needed and it would be convenient if the player didn’t wear glasses. Since Matt and Rich were the only two guys who didn’t wear glasses, they went on the stage.

The “Twins”

This was funny and it reminded people of a 1988 movie with the name ‘Twins’. The game was about shooting zombies, and for the audience it was very entertaining even just to watch the players shooting into the air.

Liger or Tigon?

Having finished the visit to Huawei in the morning, we went to the zoo in the afternoon. This was a very educational trip in that I learned two new English words - Liger and Tigon.

Richard was photographing

A Liger is the hybrid cross of a lion father and a tiger mother; apparently the word Liger itself indicates this already. On the contrary, a Tigon comes from a tiger father and a lion mother. I have seen them in the zoo in Shenzhen, but to be honest, I still cannot distinguish them accurately, as I always considered that no matter which one is the father, the children should look very similar and only the names are different. It could be interesting if I dig into this topic deeper in the future.

And we also had the chance to feed the big cats in a well ‘armoured’ bus; that was exciting.

The bus we were in

The driver drove the bus into the ‘free-ranging’ area. Everyone in the bus had a fork and a piece of chicken leg - which was used to feed the tigon/liger/tigers.

The portal to the wild, Jurassic Park?

Actually it was a little tricky to feed the big cats - the best method was to ‘seduce’ the big cats with the chicken and not put it too close to them, so that the big cats would cling to the safety nets of the bus and the people inside could have more time to watch them.

I think this should be a Tigon

If you put the chicken too close to them, they would take the chicken and keep far from the bus - but in practice, it was hard to achieve this so we ran out of chicken quickly.

This is a real tiger

Damn, the Boarding Pass is Lost

On 21 September, we left Shenzhen and headed to Beijing. An adventure happened in the airport - I lost my boarding pass just before the boarding gate was closed.

Moment that I still had my boarding pass

I went to the boarding gate to ask if I could use my ID card for boarding. The answer was negative, and I had to go to the counter of Shenzhen Airlines to reprint the boarding pass - the counter was located several hundred meters away from the gate and it was only 15 minutes before the gate closed.

Sean and I rushed madly back to the counter of the airline and meanwhile Rich and Jedo stayed at the boarding gate trying their best to prevent the gate from closing. I have not run at that pace for a decade, I guess. Eventually we made it and boarded the plane.

It felt good to see the night of Beijing with all the other guys! It was more scared than hurt anyway!

Arrival in Beijing

Postscript: Several days later when I got home and cleared up my backpack, I found the ‘lost’ boarding pass at the bottom of my backpack. Damn it, I should be more careful.

Did We Fuck up the OpenSource Event?

In Beijing we had lots of work. And the most important item on the agenda was the open source event on 23 September. Everyone was going to give a speech that afternoon.

Meeting in BaishanCloud office

We actually didn’t know whether what we had prepared would interest the audience or not. And we didn’t know if the simultaneous interpretation service in the salon was good or not. It was not easy for the audience to have a mostly-English open source event.

Preparing

No one knew if we would mess up the presentations or not. If no one liked to ask questions or understood the speeches well, that would be a catastrophe. Lots of media people were waiting there to write reports, and I hoped the atmosphere could be ‘hot’.

Matt’s talking about TLS13

After I had done my presentation, Steve, Tim and I were grabbed to another room to have an interview, so I wasn’t really aware of how it was going out there. And I missed all the presentations after mine, which should be Rich, Richard and Tim. Some topics in their slides also interested me a lot, but I had no chance to listen to the speeches live.

The result was excellent, according to the feedback from BaishanCloud staff.

Group photo with some audience

According to Tim, they were asked questions after the event was over. And many Chinese technical guys were very interested in TLS 1.3, Post-Quantum Cryptography and also other topics we had talked about.

This was the first time BaishanCloud held such an event and it was also the first time OpenSSL presented in China. It was not easy, but we conquered it. We had done a great job and what was left was just to have a relaxing time in China!

Worm Dinner

Our CTO Mr. Jian Tong, on behalf of BaishanCloud, held a small banquet for our guests on the evening of 23 September. The dinner was in a very decent Spanish restaurant and I was lucky again that night…

I ordered fish, fried if I recall correctly. Along with the fish, there was salad in the dish. After I had eaten half of the fish, I found something wriggling in the dish. The light was poor so I didn’t see it clearly at first. And then that thing kept moving. I took a close look and I found it was like a ‘thread’ there, alive. I panicked. Then I called the waiters and they panicked.

Very quickly, the manager, a foreigner whose nationality I couldn’t figure out, came to me and apologized very sincerely for the disaster, in English. I was curious why he didn’t talk in Chinese, since Tim heard him talk in Chinese to the waiters. But anyway, I pardoned this tragedy because I was in a very good mood that night. After all, we had done a tough job in the afternoon.

Finally they supplied new food for me, for free of course. By the way, the wine was good in that restaurant, ignoring the ‘worm’ ;-)

We took a walk in the shops nearby after finishing the dinner, waiting for the bus to pick us up and take us back to the hotel. The guys were happy and played around.

Rich with cool glasses

Drunk as a Lord

Tim, Rich and I went to a bar at night to celebrate. We drank several ‘cannon’s beer that night. For me, I might need some alcohol to reduce the effect of ‘worm’.

We talked about a lot of interesting stuff such as the cultural differences, the history of the OpenSSL project, the Tao of open source etc. Some friends of mine joined the party and thus it was more diverse for understanding different Chinese attitudes toward open source.

We got back at around 4 AM and I went to bed in my boots, literally. And I woke up at around 6, because we had a tour of Beijing scheduled.

When I was in the bus, I was something like this:

Photographed by Tim. Good capture!

The Final ‘Haul Ass’

The last part was the touring of several places in Beijing city, including the Forbidden City and Shichahai. This was described in Tim’s blog post on the OpenSSL website, so I will skip this part in this article, since only the ‘untold’ parts belong here.

The phrase ‘Haul Ass’ and its synonyms were frequently used by me during the whole journey when I needed to call for a move. I didn’t notice it had a comedic effect at first, but it seemed so.

Tim was the first person who departed, on 24 September. And then the other guys on the 25th. I made my final ‘Haul Ass’ at the airport to bid them farewell.

Rich, on behalf of OpenSSL, sent me a party hat after he got back to the USA and I like it very much, thanks!

Party hat with two beer slots

It was not a long trip in China, but as I mentioned earlier, this was the first time members of OpenSSL were here, so it’s important. I hope this trip was a start in making a channel of communication between China and the international open source community, which can help more Chinese developers understand how to participate in the community. The community can also benefit from intelligence in China, helping the software be more widely used in the Chinese market.

All things are difficult before they are easy. And the first step is always the hardest. But fortunately, we got this done and I am optimistic about the future.

Hope to meet you guys again!

Chapter 01 - A Brief History of OpenSSL

A Brief History of OpenSSL

SSL Protocol

When people talk about the history of the Internet, one famous legacy name is always mentioned: Netscape. This company, whose headquarters were located in California, made a huge contribution to the technical evolution of humanity, including JavaScript, Gecko, Project Mozilla and of course the SSL protocol. Back in 1995, Netscape released the first production-ready version of SSL, SSL 2.0. In 1996, Netscape released the SSL 3.0 specification. At that point the era of encrypted Web traffic had begun. Taher Elgamal, who worked for Netscape as ‘Chief Scientist’ at that time, is recognized as the ‘father of SSL’.

Taher Elgamal: Dr. Taher Elgamal is the creator of the famous ElGamal asymmetric key encryption and signature algorithm. The widely used DSA algorithm is a variant of the ElGamal signature algorithm. Dr. Taher Elgamal’s doctoral advisor was Martin Hellman, the ‘H’ in the DH algorithm, and the ElGamal algorithm is based on the DH key exchange algorithm. Dr. Taher Elgamal serves as CTO of Security at Salesforce.com.

Netscape supported the SSL protocol in its own product line, including Netscape Navigator on the client side and FastTrack, Enterprise web server etc. on the server side. But since Netscape was a U.S.-based company, due to limits on the export of cryptography from the U.S., Netscape’s products could not be used outside the U.S. with strong encryption. For instance, at that time, Netscape’s products were separated into a ‘domestic version’ and an ‘international version’. For those ‘international’ products, symmetric key length was limited to 40-bit, the RSA private key was limited to 512-bit, and all of the above keys were easy to break even back in those days. Along with the rise of the Internet and open source software, many great cryptographic systems have become widely used. Nowadays the effect of the cryptographic export limitations is greatly reduced, but those limits were indeed a problem back in the 1990s.

SSLeay

In 1995 Tim Hudson, who worked for Bond University in Australia, had several projects which needed to use SSL. But, due to the export limits for cryptography from the U.S., the only way he could obtain SSL was to use the export version of Netscape products and purchase their license. According to Tim Hudson, that would have had some issues:

  1. First, it required a patent license from RSA Data Security (now RSA Security LLC).
  2. Second, it was expensive, USD 30,000 at that time.
  3. Last, Netscape didn’t offer strong encryption, only the weakened 40-bit export form.

From Tim Hudson’s point of view, even if he used the expensive Netscape products, all he would get was weakened cryptography, which would not resolve the problems he met in his projects, so in the end he decided to implement a new SSL library from scratch and make it useful in his projects. Tim then asked Eric Young, who was working on his Ph.D. at Bond University, to implement a new SSL library with him. Both Eric and Tim are alumni of the University of Queensland. Since Eric had already implemented the DES cipher and had more spare time, they decided Eric would implement the new SSL library itself and Tim would deal with application-side compatibility, documentation and user issues. The new SSL library was named after Eric’s full name ‘Eric Andrew Young’: SSLeay, read as S-S-L-E-A-Y. SSLeay supported SSLv2, SSLv3 and TLSv1, and most of its APIs are almost the same as those of today’s OpenSSL. You can see some old documentation about SSLeay at http://www.umich.edu/~x509/ssleay/

In August 1998, Eric and Tim joined RSA Data Security, and developed SSL-C for RSA Data Security. SSL-C is an SSL SDK used in the BSAFE product of RSA Data Security. At the same time, SSLeay development stopped with no future releases. In 2007, Tim left RSA Data Security and returned to operate a company called Cryptsoft, which was started by Tim and Eric before they joined RSA Data Security. In 2012, Tim became a partner of the OpenSSL Foundation and a member of the core development team in 2014.

Prior to working for RSA Data Security, Eric and Tim worked at a company called C2Net for around one and a half years, developing SSLeay. This work experience led to the birth of OpenSSL.

C2Net

C2Net was a company based in California that provided cryptographic software, founded in 1994. The products the company developed, including web browser, web server and proxy server software, etc., included full support for encryption to protect users’ data. In 1997, C2Net opened a branch in Europe, C2Net Europe Ltd, with Mark J. Cox as the Managing Director. He was in charge of development of international products for C2Net. At the same time, Eric and Tim also joined C2Net in 1997, to develop SSLeay, which was used in those international products of C2Net to provide SSL and cryptographic functionality.

At that time, the primary product that C2Net offered was a web server named Stronghold, which supported the SSL/TLS protocol and strong encryption algorithms and competed with the Netscape web server software. Stronghold was the only commercial web server software product that provided strong encryption globally. That was because Stronghold was developed outside the United States (in Europe and Australia). Anyway, C2Net needed to pay for the RSA patent until it expired in 2000.

In 1998, Tim and Eric left C2Net, and joined RSA Data Security. In 2000, C2Net was acquired by Red Hat, and Mark Cox has worked as Senior Director of Product Security for Red Hat till now.

C2Net: C2Net played a very important role in the history of Internet security; read more at https://awe.com/mark/history/c2net.html and find more info about Stronghold at https://awe.com/mark/history/stronghold.html

OpenSSL

When Tim and Eric left C2Net in 1998, Mark decided to launch a new open source project to succeed SSLeay, OpenSSL. OpenSSL then replaced SSLeay in the C2Net products and was widely used as a successful open source software product.

From the first release 0.9.1c in 1998, to the latest 1.1.0 branch, the OpenSSL project has experienced ups and downs. The most significant event that ever influenced the project was the ‘Heartbleed’ vulnerability in 2014.

Heartbleed (http://heartbleed.com/): the impact was that an attacker could read memory data in HTTPS servers and eventually recover a lot of important information, including private keys, user passwords etc.

After Heartbleed was disclosed, the Linux Foundation initiated a project named CII (Core Infrastructure Initiative), which aimed to help improve the quality of Internet infrastructure software. The CII project collaborated with companies including IBM, Microsoft, Intel, AWS, etc. to fund some key open source projects to help them be better and more secure. OpenSSL was undoubtedly among the first projects that were funded by CII, and this ended the ‘underfunded’ status of OpenSSL, which until then was receiving only about USD 2,000 per year in donations. CII sponsored two full-time OpenSSL core developers, with the goal of a well-developed OpenSSL.

At the time Heartbleed was disclosed, OpenSSL was independently forked by OpenBSD and Google, each pursuing their own SSL/TLS library. Their libraries were called LibreSSL (OpenBSD fork) and BoringSSL (Google fork). LibreSSL was forked from OpenSSL by OpenBSD in April 2014, with the goal of refactoring OpenSSL and enhancing security. The first release of LibreSSL was in July 2014 with the version 2.0.0. In LibreSSL, plenty of legacy and useless code was removed and some new features were introduced, such as ChaCha and Poly1305. In June 2014, Google forked OpenSSL as BoringSSL. BoringSSL didn’t aim to replace OpenSSL as a generic SSL library; instead, it was more like a Google-customized SSL library to support Google’s own requirements, and was primarily used in Chrome and Android.

According to Mark Cox, “OpenSSL is likely to be the most useful library for general purpose needs, and the changes post Heartbleed (having dedicated team members, responding to security issues, published policies, obtaining CII badging) should change the brand impression to one which is positive”. For LibreSSL and BoringSSL, OpenSSL likes to maintain good relationships with both teams and collaborates on security issues with them.

RSA Padding

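An interesting question: if a piece of data is encrypted with an RSA private key, and the resulting ciphertext is then decrypted with a public key that does not match that private key, will the decryption produce meaningless content, or will it fail?

The answer is: it depends!

First, two concepts need to be understood: the cryptographic primitive and the cryptographic scheme.

Primitive

A cryptographic primitive is a way of doing a mathematical computation that applies some cryptographic processing to data. In RSA, for example, there is an encryption primitive and a decryption primitive; as the names suggest, these two primitives define the RSA encryption and decryption algorithms respectively.

For example, the RSA public-key encryption process can be written as:

c = RSAEP((n, e), m)

where:

  • c is the ciphertext
  • m is the plaintext
  • (n, e) is the public key, where n is the modulus and e is the RSA public exponent
  • RSAEP stands for RSA Encryption Primitive

What RSAEP actually contains is the RSA encryption algorithm itself, that is, the content at the “mathematical level”:

c = m^e mod n

There is also a corresponding RSADP, the decryption primitive. Depending on how the private key is represented, the decryption primitive can either perform an exponentiation similar to that of the encryption primitive, or use the Chinese Remainder Theorem and compute with the separate primes rather than the modulus n, which avoids the more expensive exponentiation and serves as an optimization. This is also the basic principle behind multi-prime RSA. For details see Section 5.1.2 of RFC 3447; they are not repeated here.

Now, back to the original question: if the public key (or private key) used for decryption does not pair with the private key (or public key) used for encryption, the computation still produces a number, but that number is not the original plaintext. In this sense, the decryption algorithm does not “fail”.

Scheme

In real life, however, primitives are almost never used directly. We can use openssl to encrypt a piece of data and then decrypt it with a mismatched key.

First generate two public/private key pairs, pair A and pair B: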

$ ./openssl genpkey -algorithm RSA -out priv_A.key -pkeyopt rsa_keygen_bits:2048
...................+++
......................+++

$ ./openssl genpkey -algorithm RSA -out priv_B.key -pkeyopt rsa_keygen_bits:2048
...................+++
......................+++

Export the public keys from the private keys:

$ ./openssl rsa -pubout -in priv_A.key -out pub_A.key
$ ./openssl rsa -pubout -in priv_B.key -out pub_B.key

Now there are two key pairs:

-rw-------. 1 paul paul   1704 Nov 28 17:50 priv_A.key
-rw-------. 1 paul paul   1704 Nov 28 17:50 priv_B.key
-rw-rw-r--. 1 paul paul    451 Nov 28 17:54 pub_A.key
-rw-rw-r--. 1 paul paul    451 Nov 28 17:55 pub_B.key

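OK, next test normal encryption and decryption: encrypt with pub_A and decrypt with priv_A:

[Image: rsa_good]

The original text is decrypted correctly. Next, try decrypting with the wrong private key, priv_B:

[Image: rsa_bad]

No meaningless content appears; instead, openssl reports an error directly: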

rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error
rsa routines:rsa_ossl_private_decrypt:padding check failed

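This is because, in practice, primitives are generally not applied to data directly, since computing with the bare primitives causes many security problems; see: here

For this reason, RSA in practice pads the data with random data before encrypting, which diversifies the ciphertext. The method that specifies how to pad is the scheme.

The main RSA padding schemes are:

  • Encryption:
    • RSAES-PKCS1-v1_5: the older method specified in PKCS #1, in use since PKCS #1 version 1.5
    • RSAES-OAEP: the newer method; see: OAEP (with diagrams)
  • Signature:
    • RSASSA-PKCS1-v1_5: the older method
    • RSASSA-PSS: the newer method

The openssl command accepts an option to specify which padding scheme to use; the default is the older PKCS #1 method:

[Image: rsa_padding]

Of course, you can also use no padding at all, which is no different from using the primitive directly.

Now let us look, based on the PKCS padding method, at why openssl can detect that decryption failed rather than returning data. First, the exact padding method needs to be understood. According to step 2.b of Section 7.2.1 of RFC 3447:

EM = 0x00 || 0x02 || PS || 0x00 || M.
  • PS: the padding string, random data
  • M: the plaintext

The padding places random data inside a fixed pattern, and the result is prepended to the plaintext before the encryption primitive is applied.

On decryption, the padded data produced by the decryption primitive is decoded to finally obtain the plaintext M. According to step 3 of Section 7.2.2 of RFC 3447:

[Image: rsa_padding_failed]

the padding is found to be wrong, so the decryption is directly judged to have failed.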
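The contrast between the bare primitive and the padded scheme, as an added Python example that is not part of the original post: RSAEP/RSADP and EME-PKCS1-v1_5 encoding and decoding in the form given in RFC 3447, run once with the matching key and once with a mismatched key. The toy keys KEY_A and KEY_B and all function names are assumptions of this example; the keys are built from well-known public primes so the run is reproducible and must never be used as real keys.

```python
import os

E = 65537

def make_key(p, q):
    """Build a toy RSA key (n, e, d) plus its modulus length k in bytes."""
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1)),
            "k": (n.bit_length() + 7) // 8}

# Constructed toy keys (assumption of this example): products of well-known
# public primes. Both moduli are 64 bytes long and n_A < n_B, so a ciphertext
# made under A is always in range for B.
KEY_A = make_key(2**384 - 2**128 - 2**96 + 2**32 - 1, 2**127 - 1)
KEY_B = make_key(2**255 - 19, 2**256 - 2**32 - 977)

def rsaep(key, m):
    """RSA encryption primitive: c = m^e mod n."""
    if not 0 <= m < key["n"]:
        raise ValueError("message representative out of range")
    return pow(m, key["e"], key["n"])

def rsadp(key, c):
    """RSA decryption primitive: m = c^d mod n (no CRT, for brevity)."""
    if not 0 <= c < key["n"]:
        raise ValueError("ciphertext representative out of range")
    return pow(c, key["d"], key["n"])

def eme_encode(k, msg):
    """EM = 0x00 || 0x02 || PS || 0x00 || M, with PS made of nonzero bytes."""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    # b % 255 + 1 maps every byte into 1..255 (slightly biased, fine for a demo)
    ps = bytes(b % 255 + 1 for b in os.urandom(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg

def eme_decode(em):
    """Check the fixed pattern; every malformed case gives the same error."""
    sep = em.find(b"\x00", 2)          # first zero byte after the header
    if em[:2] != b"\x00\x02" or sep < 10:   # sep < 10: no zero, or PS < 8 bytes
        raise ValueError("decryption error")
    return em[sep + 1:]

def encrypt(pub, msg):
    em = eme_encode(pub["k"], msg)
    return rsaep(pub, int.from_bytes(em, "big")).to_bytes(pub["k"], "big")

def decrypt(priv, ct):
    m = rsadp(priv, int.from_bytes(ct, "big"))
    return eme_decode(m.to_bytes(priv["k"], "big"))

def demo():
    msg = b"hello padding"
    m = int.from_bytes(msg, "big")
    # Primitive only: the wrong key still "succeeds" and returns some number.
    c_raw = rsaep(KEY_A, m)
    primitive_right = rsadp(KEY_A, c_raw) == m
    primitive_wrong_differs = rsadp(KEY_B, c_raw) != m
    # Scheme: the wrong key is caught by the padding check.
    ct = encrypt(KEY_A, msg)
    scheme_right = decrypt(KEY_A, ct)
    try:
        decrypt(KEY_B, ct)
        scheme_wrong = "decoded"
    except ValueError as exc:
        scheme_wrong = str(exc)
    return primitive_right, primitive_wrong_differs, scheme_right, scheme_wrong

if __name__ == "__main__":
    print(demo())
```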
