Does anyone know how difficult it would be to have 7-zip use openssl's implementation of SHA-256 and AES-256 to encrypt 7z files? I am looking to use 7-zip in an environment that prefers FIPS 140-2 and reusing the existing openssl certification would be nice.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
There isn't a technical difference, more a legal / risk compliance one.
Basically if you are using encryption in a place that mandates the FIPS 140-2 standard (US Federal Government, Canadian Government, large banks) you must get your code certified by an independent laboratory. This is a very expensive and time consuming task and costs at least $10,000 each time you have to get it certified (ie every time you change a version). There is an industry group http://www.oss-institute.org that pays to get each version of openssl certified for anyone to use. So if you link against openssl in fips mode you can outsource the encryption to that module and gain the certification status.
I know this is an edge use case for 7-zip, I was just wondering if you would be open to the idea / patches to link against openssl at compile time.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
In that case, you should not use 7zip internal encryption. Just use the compression feature of 7-zip and then use the encryption feature of Openssl. For example: openssl enc -aes-256-cbc -salt -in file.7z -out file.7z.enc
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Igor - Can you explain how encryption is used from the command line?
I'm not prompted and I don't see any way to add a password or generate a key using 7zip from the command line:
7zip -a -memAES256 archive.7z directory1/
BTW - I'm compressing/encrypting on Solaris 10 and decompressing on 64bit windows
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2010-06-17
In that case, you should not use 7zip internal encryption. http://www.gojerseyshop.com Just use the compression feature of 7-zip and then use the encryption feature of Openssl. For example: openssl enc -aes-256-cbc -salt -in file.7z -out file.7z.enc
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
What about using another 140-2 approved crypto library like libgcrypt http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1305 We have clients that pay through the nose just to use Pkware's SecureZip, and never even use the password protection! It may even be a way to sell 7zip to gov't institutions, if not certified itself, the crypo could be;and I'm sure there is no REAL fundamental difference between what you use and openssl/libgcrypt, but on paper "there is a difference". I don't think it's a real edge case, I'm encountering it more and more, companies who aren't gov't, are adopting NIST standards all the time with small and large companies alike.
-rich
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Does anyone know how difficult it would be to have 7-zip use openssl's implementation of SHA-256 and AES-256 to encrypt 7z files? I am looking to use 7-zip in an environment that prefers FIPS 140-2 and reusing the existing openssl certification would be nice.
I like my current 7-Zip's implementation of AES and SHA-256.
I don't think that openssl's code is better.
BTW, what the difference?
There isn't a technical difference, more a legal / risk compliance one.
Basically if you are using encryption in a place that mandates the FIPS 140-2 standard (US Federal Government, Canadian Government, large banks) you must get your code certified by an independent laboratory. This is a very expensive and time consuming task and costs at least $10,000 each time you have to get it certified (ie every time you change a version). There is an industry group http://www.oss-institute.org that pays to get each version of openssl certified for anyone to use. So if you link against openssl in fips mode you can outsource the encryption to that module and gain the certification status.
I know this is an edge use case for 7-zip, I was just wondering if you would be open to the idea / patches to link against openssl at compile time.
In that case, you should not use 7zip internal encryption. Just use the compression feature of 7-zip and then use the encryption feature of Openssl. For example: openssl enc -aes-256-cbc -salt -in file.7z -out file.7z.enc
I will not change my AES code to openssl.
ftsf, Thats a good point!
ipavlov, I completely understand. Thanks!
Igor - Can you explain how encryption is used from the command line?
I'm not prompted and I don't see any way to add a password or generate a key using 7zip from the command line:
7zip -a -memAES256 archive.7z directory1/
BTW - I'm compressing/encrypting on Solaris 10 and decompressing on 64bit windows
Never mind… I got it. Thanks
In that case, you should not use 7zip internal encryption. http://www.gojerseyshop.com Just use the compression feature of 7-zip and then use the encryption feature of Openssl. For example: openssl enc -aes-256-cbc -salt -in file.7z -out file.7z.enc
What about using another 140-2 approved crypto library like libgcrypt http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1305 We have clients that pay through the nose just to use Pkware's SecureZip, and never even use the password protection! It may even be a way to sell 7zip to gov't institutions, if not certified itself, the crypo could be;and I'm sure there is no REAL fundamental difference between what you use and openssl/libgcrypt, but on paper "there is a difference". I don't think it's a real edge case, I'm encountering it more and more, companies who aren't gov't, are adopting NIST standards all the time with small and large companies alike.
-rich
I don't want to sell 7-zip to gov't institutions. I'd like to be far from them.