Imported from previous forum
[ original email was from Bob Lamoureux - blamoureux@bridge.com ]
This thread should be used to discuss how particular encryption techniques impact the FIX specification. For example, if a particular encryption technique cannot be represented inside today’s FIX message structure, we should discuss here the best way to suggest changes to the spec to accomodate the required changes.
> This thread should be used to discuss how particular encryption techniques impact the FIX specification. For example, if a particular encryption technique cannot be represented inside today’s FIX message structure, we should discuss here the best way to suggest changes to the spec to accomodate the required changes.
>
What would be the data format before and after appling DES or any othere encryption method.
I added some examples of the Logon message exchange to the ExampleFixMessages.txt document under Organization, Tech Committee. I added an example of a Logon message exchange unencrypted and one when using PGP-DES-MD5. I hope that answers your question.
> > This thread should be used to discuss how particular encryption techniques impact the FIX specification. For example, if a particular encryption technique cannot be represented inside today’s FIX message structure, we should discuss here the best way to suggest changes to the spec to accomodate the required changes.
> >
> What would be the data format before and after appling DES or any othere encryption method.
>
[ original email was from Alik Rivkind - alik@btobits.com ]
As I understand, FIX standard is based on developed software (PGP) instead of developed encryption standards, isn’t it?
So, to realize the encryption schema PGP-DES-MD5 I have to execute the external program PGP. Is that right?
> I added some examples of the Logon message exchange to the ExampleFixMessages.txt document under Organization, Tech Committee. I added an example of a Logon message exchange unencrypted and one when using PGP-DES-MD5. I hope that answers your question.
>
> > > This thread should be used to discuss how particular encryption techniques impact the FIX specification. For example, if a particular encryption technique cannot be represented inside today’s FIX message structure, we should discuss here the best way to suggest changes to the spec to accomodate the required changes.
> > >
> > What would be the data format before and after appling DES or any othere encryption method.
> >
>
Not exactly. PGP (Pretty Good Privacy) is one of several de-facto crypto “standards”. It has been around for a while (originally developed by Phil Zimmerman). FIX’s use of “PGP-DES-MD5” is a custom approach using three existing and understood crypto technologies. The reference implementation of how to implement “PGP-DES-MD5” which was published by a member of the FIX Committee back in 1996 used ViaCrypt PGP (firm’s name changed from ViaCrypt to PGP Inc. and then later acquired by Network Associates) on Unix which had to be invoked from the command line. Thus the reference implementation “shells out” to the command line to invoke PGP. I know that the Windows version of this software is API-based and does not require command line invocation. PGP is also available in downloadable form from Ireland, I beleive.
In short, FIX uses PGP but doesn’t supply and didn’t create PGP, rather FIX defined how PGP can be combined with the use of DES and MD5 to implement what we refer to as “PGP-DES-MD5”. A white paper regarding how this is implemented and the reference implementation can be found under “Specifications”, “App Notes”.
> As I understand, FIX standard is based on developed software (PGP) instead of developed encryption standards, isn’t it?
> So, to realize the encryption schema PGP-DES-MD5 I have to execute the external program PGP. Is that right?
>
> > I added some examples of the Logon message exchange to the ExampleFixMessages.txt document under Organization, Tech Committee. I added an example of a Logon message exchange unencrypted and one when using PGP-DES-MD5. I hope that answers your question.
> >
> > > > This thread should be used to discuss how particular encryption techniques impact the FIX specification. For example, if a particular encryption technique cannot be represented inside today’s FIX message structure, we should discuss here the best way to suggest changes to the spec to accomodate the required changes.
> > > >
> > > What would be the data format before and after appling DES or any othere encryption method.
> > >
> >
>
[ original email was from Alik Rivkind - alik@btobits.com ]
As far as I know PGP does not identically define the crypting schema. Moreover, different versions of software realizes different schema. What can be understood under PGP crypto technology? Does it mean, for instance, that IDEA encryption is used? How can I provide compatibility and interoperability with other vendors?
> Not exactly. PGP (Pretty Good Privacy) is one of several de-facto crypto “standards”. It has been around for a while (originally developed by Phil Zimmerman). FIX’s use of “PGP-DES-MD5” is a custom approach using three existing and understood crypto technologies. The reference implementation of how to implement “PGP-DES-MD5” which was published by a member of the FIX Committee back in 1996 used ViaCrypt PGP (firm’s name changed from ViaCrypt to PGP Inc. and then later acquired by Network Associates) on Unix which had to be invoked from the command line. Thus the reference implementation “shells out” to the command line to invoke PGP. I know that the Windows version of this software is API-based and does not require command line invocation. PGP is also available in downloadable form from Ireland, I beleive.
>
> In short, FIX uses PGP but doesn’t supply and didn’t create PGP, rather FIX defined how PGP can be combined with the use of DES and MD5 to implement what we refer to as “PGP-DES-MD5”. A white paper regarding how this is implemented and the reference implementation can be found under “Specifications”, “App Notes”.
>
>
> > As I understand, FIX standard is based on developed software (PGP) instead of developed encryption standards, isn’t it?
> > So, to realize the encryption schema PGP-DES-MD5 I have to execute the external program PGP. Is that right?
I believe the PGP software in use today with FIX uses the RSA cipher. That is, what’s in use today is based upon ViaCrypt PGP as it was implemented in 1996 or an alternate implementation compatible with that.
> As far as I know PGP does not identically define the crypting schema. Moreover, different versions of software realizes different schema. What can be understood under PGP crypto technology? Does it mean, for instance, that IDEA encryption is used? How can I provide compatibility and interoperability with other vendors?
>
> > Not exactly. PGP (Pretty Good Privacy) is one of several de-facto crypto “standards”. It has been around for a while (originally developed by Phil Zimmerman). FIX’s use of “PGP-DES-MD5” is a custom approach using three existing and understood crypto technologies. The reference implementation of how to implement “PGP-DES-MD5” which was published by a member of the FIX Committee back in 1996 used ViaCrypt PGP (firm’s name changed from ViaCrypt to PGP Inc. and then later acquired by Network Associates) on Unix which had to be invoked from the command line. Thus the reference implementation “shells out” to the command line to invoke PGP. I know that the Windows version of this software is API-based and does not require command line invocation. PGP is also available in downloadable form from Ireland, I beleive.
> >
> > In short, FIX uses PGP but doesn’t supply and didn’t create PGP, rather FIX defined how PGP can be combined with the use of DES and MD5 to implement what we refer to as “PGP-DES-MD5”. A white paper regarding how this is implemented and the reference implementation can be found under “Specifications”, “App Notes”.
> >
> >
> > > As I understand, FIX standard is based on developed software (PGP) instead of developed encryption standards, isn’t it?
> > > So, to realize the encryption schema PGP-DES-MD5 I have to execute the external program PGP. Is that right?
>
>
[ original email was from Alik Rivkind - alik@btobits.com ]
So we have (sorry for thoroughness) in PGP-DES-MD5, that source message is encrypted with DES, then secret DES key is encrypted with RSA using recipient public key (and surely apply MD5 to the source message as described in papers). Right?
> I believe the PGP software in use today with FIX uses the RSA cipher. That is, what’s in use today is based upon ViaCrypt PGP as it was implemented in 1996 or an alternate implementation compatible with that.
>
>
> > As far as I know PGP does not identically define the crypting schema. Moreover, different versions of software realizes different schema. What can be understood under PGP crypto technology? Does it mean, for instance, that IDEA encryption is used? How can I provide compatibility and interoperability with other vendors?
Let’s separate the Logon message from all other messages.
When constructing the Logon message, a random DES key (after weak key check) is generated. This session key is encrypted using PGP (e.g. 1024 bit). The resulting PGP “transport armor file” (starts with “BEGIN PGP” in the first line) contents are placed in the Logon message’s RawData field. The Logon message is signed with MD5 and sent without any additional encryption. The receiver of the Logon message parses and performs the steps in reverse eventually obtaining the DES session key to use. The receiver after reading the Logon message constructs and sends a Logon message with the same key in the PGP-encrypted block as an ack to the Logon.
After the Logon messages have been processed, all subsequent messages are DES (CBC vs. ECB mode) encrypted using that DES session key and a chaining vector. Those messages also contain a MD5 signature.
The key is that PGP is used for the Logon message only and is used to provide a secure, random session key exchange. Subsequent messages are DES encrypted.
> So we have (sorry for thoroughness) in PGP-DES-MD5, that source message is encrypted with DES, then secret DES key is encrypted with RSA using recipient public key (and surely apply MD5 to the source message as described in papers). Right?
>
> > I believe the PGP software in use today with FIX uses the RSA cipher. That is, what’s in use today is based upon ViaCrypt PGP as it was implemented in 1996 or an alternate implementation compatible with that.
> >
> >
> > > As far as I know PGP does not identically define the crypting schema. Moreover, different versions of software realizes different schema. What can be understood under PGP crypto technology? Does it mean, for instance, that IDEA encryption is used? How can I provide compatibility and interoperability with other vendors?
>
As a follow-up, a real crypto expert within the FIX community provided me this which provides a more detailed explanation:
This is a direct quote from ‘An
Introduction to Cryptography’, written by Phil Zimmerman and included with PGP from Network Associates. This might somewhat clarify the
discussions that are taking place regarding this.
"…PGP offers a selection of different secret key algorithms to encrypt the actual
message. By secret key algorithm, we mean a conventional, or symmetric,
block cipher that uses the same key to both encrypt and decrypt. The three
symmetric block ciphers offered by PGP are CAST, Triple-DES, and IDEA.
They are not "home-grown" algorithms. They were all developed by teams of
cryptographers with distinguished reputations.
“PGP public keys that were generated by PGP Version 5.0 or later have
information embedded in them that tells a sender what block ciphers are
understood by the recipient’s software, so that the sender’s software knows
which ciphers can be used to encrypt. Diffie-Hellman/DSS public keys accept
CAST, IDEA, or Triple-DES as the block cipher, with CAST as the default
selection. At present, for compatibility reasons, RSA keys do not provide
this
feature. Only the IDEA cipher is used by PGP to send messages to RSA keys,
because older versions of PGP only supported RSA and IDEA.”
> I believe the PGP software in use today with FIX uses the RSA cipher. That is, what’s in use today is based upon ViaCrypt PGP as it was implemented in 1996 or an alternate implementation compatible with that.
>
>
> > As far as I know PGP does not identically define the crypting schema. Moreover, different versions of software realizes different schema. What can be understood under PGP crypto technology? Does it mean, for instance, that IDEA encryption is used? How can I provide compatibility and interoperability with other vendors?
> >
> > > Not exactly. PGP (Pretty Good Privacy) is one of several de-facto crypto “standards”. It has been around for a while (originally developed by Phil Zimmerman). FIX’s use of “PGP-DES-MD5” is a custom approach using three existing and understood crypto technologies. The reference implementation of how to implement “PGP-DES-MD5” which was published by a member of the FIX Committee back in 1996 used ViaCrypt PGP (firm’s name changed from ViaCrypt to PGP Inc. and then later acquired by Network Associates) on Unix which had to be invoked from the command line. Thus the reference implementation “shells out” to the command line to invoke PGP. I know that the Windows version of this software is API-based and does not require command line invocation. PGP is also available in downloadable form from Ireland, I beleive.
> > >
> > > In short, FIX uses PGP but doesn’t supply and didn’t create PGP, rather FIX defined how PGP can be combined with the use of DES and MD5 to implement what we refer to as “PGP-DES-MD5”. A white paper regarding how this is implemented and the reference implementation can be found under “Specifications”, “App Notes”.
> > >
> > >
> > > > As I understand, FIX standard is based on developed software (PGP) instead of developed encryption standards, isn’t it?
> > > > So, to realize the encryption schema PGP-DES-MD5 I have to execute the external program PGP. Is that right?
> >
> >
>