Force TLS 1.2 Android

classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

Force TLS 1.2 Android

David Templar-2
Does anybody know how to disable everything but TLS1.2 sockets in android?

Great 1.65 is out should start to use!

Thanks David and all!

Kind regards,

David Templar


Kind regards,

David Templar
Reply | Threaded
Open this post in threaded view
|

Re: Force TLS 1.2 Android

Peter Dettman-3
Hi David,
Usually just:
    sslSocket.setEnabledProtocols(new String[]{ "TLSv1.2" });

Or if you are setting SSLParameters, this also works:
    sslParameters.setProtocols(new String[]{ "TLSv1.2" });

If you mean something more global than a single connection, please
explain further.

Regards,
Pete Dettman

On 1/4/20 8:32 pm, David Templar wrote:
> Does anybody know how to disable everything but TLS1.2 sockets in android?
>
> Great 1.65 is out should start to use!
>
> Thanks David and all!
>
> Kind regards,
>
> David Templar

Reply | Threaded
Open this post in threaded view
|

FIPS META-INF/HMAC.SHA256

David Templar-2

Hi (esp Mr Dettman),

In the FIPS jar there is a file HMAC.SHA256. By importing that jar into a java project and running it an error is originally produced (Module checksum failed: SHA-256 digest error).

Every time a change is made to a program the expected value changes (as seen when building Android apps).

From https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry "The checksum you have to calculate yourself on the downloaded file using e.g. "openssl sha256 file.jar" – Peter Dettman Mar 27 '18 at 6:32" 

Thus, I am assuming that the way this BC FIPS works is that (even though it is a signed jar), one must calculate the value of the program/app and change it in the bc-fips-1.0.2.jar. Am I correct?

By doing the above, I am lucky that Android actually outputs in the error what the expected value should be and thus the app runs fine.

However, in regular desktop java the error does not output the expected value - how do I get it?

So, is there an easy way to get the expected value and is the correct way of using the FIPS jar to actually edit the file in it?

-- 
Kind regards,

David Templar

Reply | Threaded
Open this post in threaded view
|

Re: FIPS META-INF/HMAC.SHA256

David Hook-3

A word of warning. The checksum actually means something - NIST sign off on the version of the software that computes to that checksum. Anything else is not valid.

With the way DEX works, on Android you need to install BCFIPS on the device, this is what our StripyCastle (SCFIPS) release does, the alternative is do things SpongyCastle style and just remove the checksum validation, or update the jar on each build.

Note, this does mean the application is not FIPS compliant. There are a few devices on the market now using the StripyCastle version though which has the FIPS jar installed on it - in this case the devices themselves are FIPS certified and if you develop your application correctly it will also be FIPS compliant. Any other path faces the need to do a full certification.

Regards,

David

On 6/4/20 1:07 am, David Templar wrote:

Hi (esp Mr Dettman),

In the FIPS jar there is a file HMAC.SHA256. By importing that jar into a java project and running it an error is originally produced (Module checksum failed: SHA-256 digest error).

Every time a change is made to a program the expected value changes (as seen when building Android apps).

From https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry "The checksum you have to calculate yourself on the downloaded file using e.g. "openssl sha256 file.jar" – Peter Dettman Mar 27 '18 at 6:32" 

Thus, I am assuming that the way this BC FIPS works is that (even though it is a signed jar), one must calculate the value of the program/app and change it in the bc-fips-1.0.2.jar. Am I correct?

By doing the above, I am lucky that Android actually outputs in the error what the expected value should be and thus the app runs fine.

However, in regular desktop java the error does not output the expected value - how do I get it?

So, is there an easy way to get the expected value and is the correct way of using the FIPS jar to actually edit the file in it?

-- 
Kind regards,

David Templar


Reply | Threaded
Open this post in threaded view
|

Re: FIPS META-INF/HMAC.SHA256

Peter Dettman-3
In reply to this post by David Templar-2
Hi David,
First, please don't confuse the different "checksums".

- At the stackoverflow link I was only talking about the file checksum
on our website that lets you check that you downloaded the file correctly.

- META-INF/HMAC.SHA256 in the fips jar is a checksum over the
FIPS-relevant contents of the jar; mainly it ensures that classes
haven't been added, removed or modified. You can use
FipsStatus.getModuleHMAC() to find out what the validator is
calculating, and therefore what it expects to find in HMAC.SHA256.
However as David Hook pointed out, you can't just change this checksum,
it's tied to the certification.

- BC provider jars are signed. Some JDKs require this signature to be
present and valid before a cryptographic provider can be used.

I'm not sure what you mean by "importing that jar into a java project",
but anything that modifies the jar in any way e.g. obfuscators, or tries
to merge it with other jars, will generally not work.

Regards,
Pete Dettman


On 5/4/20 10:07 pm, David Templar wrote:

> Hi (esp Mr Dettman),
>
> In the FIPS jar there is a file HMAC.SHA256. By importing that jar into
> a java project and running it an error is originally produced (Module
> checksum failed: SHA-256 digest error).
>
> Every time a change is made to a program the expected value changes (as
> seen when building Android apps).
>
> From
> https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry
> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
> "The checksum you have to calculate yourself on the downloaded file
> using e.g. "openssl sha256 file.jar" – Peter Dettman
> <https://stackoverflow.com/users/264294/peter-dettman> Mar 27 '18 at 6:32" 
> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>
> Thus, I am assuming that the way this BC FIPS works is that (even though
> it is a signed jar), one must calculate the value of the program/app and
> change it in the bc-fips-1.0.2.jar. Am I correct?
>
> By doing the above, I am lucky that Android actually outputs in the
> error what the expected value should be and thus the app runs fine.
>
> However, in regular desktop java the error does not output the expected
> value - how do I get it?
>
> *So, is there an easy way to get the expected value and is the correct
> way of using the FIPS jar to actually edit the file in it?*
> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>
> --
> Kind regards,
>
> David Templar
>


Reply | Threaded
Open this post in threaded view
|

Re: FIPS META-INF/HMAC.SHA256

David Templar-2
Hi Peter and David,

Both thanks for the replies.

Yes I understand and agree META-INF/HMAC.SHA256 is to verify the
bc-fips-1.0.2.jar has not been changed.

As you know Android does use the import (either copy or Android Studio
gui include) of jars into the /lib directly of the project to build App
.apk.

As you mentioned when it is built it gets included in classes.dex it
obviously gets changed and thus its checksum changes each time the
entire app changes. Thus the checksum errors for FIPS jars (as I assume
this verification is explicitly built into FIPS and why traditional BC
jars do not provide errors in Android).

As David wrote, modifying the FIPS jar breaks the certification of it.
And to directly import the jar into Android device would need root and a
"bit" more - and is not viable. StripyBC is rare.

So, is there another way to get the bc-fips-1.0.2.jar into an Android
App .APK to run without it being changed by DEX?

Failing the above, the next best option is importing into Android app
/lib the original jar but disable FIPS checksum check outside i.e. in
the Android program itself - any idea how to do this? Yes I know this
will result in the App not getting certified - but at least It uses the
original jar!

Thanks for FipsStatus.getModuleHMAC().

Kind regards,

David


I really want to use the

On 07/04/2020 08:08, Peter Dettman wrote:

> Hi David,
> First, please don't confuse the different "checksums".
>
> - At the stackoverflow link I was only talking about the file checksum
> on our website that lets you check that you downloaded the file correctly.
>
> - META-INF/HMAC.SHA256 in the fips jar is a checksum over the
> FIPS-relevant contents of the jar; mainly it ensures that classes
> haven't been added, removed or modified. You can use
> FipsStatus.getModuleHMAC() to find out what the validator is
> calculating, and therefore what it expects to find in HMAC.SHA256.
> However as David Hook pointed out, you can't just change this checksum,
> it's tied to the certification.
>
> - BC provider jars are signed. Some JDKs require this signature to be
> present and valid before a cryptographic provider can be used.
>
> I'm not sure what you mean by "importing that jar into a java project",
> but anything that modifies the jar in any way e.g. obfuscators, or tries
> to merge it with other jars, will generally not work.
>
> Regards,
> Pete Dettman
>
>
> On 5/4/20 10:07 pm, David Templar wrote:
>> Hi (esp Mr Dettman),
>>
>> In the FIPS jar there is a file HMAC.SHA256. By importing that jar into
>> a java project and running it an error is originally produced (Module
>> checksum failed: SHA-256 digest error).
>>
>> Every time a change is made to a program the expected value changes (as
>> seen when building Android apps).
>>
>> From
>> https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry
>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>> "The checksum you have to calculate yourself on the downloaded file
>> using e.g. "openssl sha256 file.jar" – Peter Dettman
>> <https://stackoverflow.com/users/264294/peter-dettman> Mar 27 '18 at 6:32"
>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>>
>> Thus, I am assuming that the way this BC FIPS works is that (even though
>> it is a signed jar), one must calculate the value of the program/app and
>> change it in the bc-fips-1.0.2.jar. Am I correct?
>>
>> By doing the above, I am lucky that Android actually outputs in the
>> error what the expected value should be and thus the app runs fine.
>>
>> However, in regular desktop java the error does not output the expected
>> value - how do I get it?
>>
>> *So, is there an easy way to get the expected value and is the correct
>> way of using the FIPS jar to actually edit the file in it?*
>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>>
>> --
>> Kind regards,
>>
>> David Templar
>>
>
> .


Reply | Threaded
Open this post in threaded view
|

RE: FIPS META-INF/HMAC.SHA256

Eckenfels. Bernd
Warning here comes my unpopular personal oppinion.

If you don't care about a valid FIPS approval (which given the idiosyncrasies of the spec and the practical usage is a good thing) you can use the normal BC versions, you can still claim you support all/only FIPS approved algorithms if you take the time and limit the configuration to them.

Any hack you do will void the FIPS compliance and you will be bordering on false advertising if you claim otherwise. (For example if you ship an unmodified lib but don't use it unmodified)

Gruss
Bernd
--
http://www.seeburger.com
________________________________________
From: David Templar [[hidden email]]
Sent: Tuesday, April 07, 2020 11:18
To: [hidden email]
Subject: Re: [dev-crypto] FIPS META-INF/HMAC.SHA256

Hi Peter and David,

Both thanks for the replies.

Yes I understand and agree META-INF/HMAC.SHA256 is to verify the
bc-fips-1.0.2.jar has not been changed.

As you know Android does use the import (either copy or Android Studio
gui include) of jars into the /lib directly of the project to build App
.apk.

As you mentioned when it is built it gets included in classes.dex it
obviously gets changed and thus its checksum changes each time the
entire app changes. Thus the checksum errors for FIPS jars (as I assume
this verification is explicitly built into FIPS and why traditional BC
jars do not provide errors in Android).

As David wrote, modifying the FIPS jar breaks the certification of it.
And to directly import the jar into Android device would need root and a
"bit" more - and is not viable. StripyBC is rare.

So, is there another way to get the bc-fips-1.0.2.jar into an Android
App .APK to run without it being changed by DEX?

Failing the above, the next best option is importing into Android app
/lib the original jar but disable FIPS checksum check outside i.e. in
the Android program itself - any idea how to do this? Yes I know this
will result in the App not getting certified - but at least It uses the
original jar!

Thanks for FipsStatus.getModuleHMAC().

Kind regards,

David


I really want to use the

On 07/04/2020 08:08, Peter Dettman wrote:

> Hi David,
> First, please don't confuse the different "checksums".
>
> - At the stackoverflow link I was only talking about the file checksum
> on our website that lets you check that you downloaded the file correctly.
>
> - META-INF/HMAC.SHA256 in the fips jar is a checksum over the
> FIPS-relevant contents of the jar; mainly it ensures that classes
> haven't been added, removed or modified. You can use
> FipsStatus.getModuleHMAC() to find out what the validator is
> calculating, and therefore what it expects to find in HMAC.SHA256.
> However as David Hook pointed out, you can't just change this checksum,
> it's tied to the certification.
>
> - BC provider jars are signed. Some JDKs require this signature to be
> present and valid before a cryptographic provider can be used.
>
> I'm not sure what you mean by "importing that jar into a java project",
> but anything that modifies the jar in any way e.g. obfuscators, or tries
> to merge it with other jars, will generally not work.
>
> Regards,
> Pete Dettman
>
>
> On 5/4/20 10:07 pm, David Templar wrote:
>> Hi (esp Mr Dettman),
>>
>> In the FIPS jar there is a file HMAC.SHA256. By importing that jar into
>> a java project and running it an error is originally produced (Module
>> checksum failed: SHA-256 digest error).
>>
>> Every time a change is made to a program the expected value changes (as
>> seen when building Android apps).
>>
>> From
>> https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry
>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>> "The checksum you have to calculate yourself on the downloaded file
>> using e.g. "openssl sha256 file.jar" – Peter Dettman
>> <https://stackoverflow.com/users/264294/peter-dettman> Mar 27 '18 at 6:32"
>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>>
>> Thus, I am assuming that the way this BC FIPS works is that (even though
>> it is a signed jar), one must calculate the value of the program/app and
>> change it in the bc-fips-1.0.2.jar. Am I correct?
>>
>> By doing the above, I am lucky that Android actually outputs in the
>> error what the expected value should be and thus the app runs fine.
>>
>> However, in regular desktop java the error does not output the expected
>> value - how do I get it?
>>
>> *So, is there an easy way to get the expected value and is the correct
>> way of using the FIPS jar to actually edit the file in it?*
>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>>
>> --
>> Kind regards,
>>
>> David Templar
>>
>
> .










SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Axel Otto, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de               Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.


Reply | Threaded
Open this post in threaded view
|

Re: FIPS META-INF/HMAC.SHA256

David Templar-2
Hi Bernd,

No false advertising intended nor do I intend to say the app is FIPS
compliant or derived from FIPS certified jars.

Have already been able to include the BC FIPS jar in the Android .apk
and run (just need to change the value in META-INF/HMAC.SHA256 every
time you build the .apk).

Just for personal happiness I would like to have fully signed FIPS jars
running in the app by any of the 2 previous questions today. With each
change of Android version at some point signed jars may be required in
imports.

Kind regards,

David


On 07/04/2020 10:26, Eckenfels. Bernd wrote:

> Warning here comes my unpopular personal oppinion.
>
> If you don't care about a valid FIPS approval (which given the idiosyncrasies of the spec and the practical usage is a good thing) you can use the normal BC versions, you can still claim you support all/only FIPS approved algorithms if you take the time and limit the configuration to them.
>
> Any hack you do will void the FIPS compliance and you will be bordering on false advertising if you claim otherwise. (For example if you ship an unmodified lib but don't use it unmodified)
>
> Gruss
> Bernd
> --
> http://www.seeburger.com
> ________________________________________
> From: David Templar [[hidden email]]
> Sent: Tuesday, April 07, 2020 11:18
> To: [hidden email]
> Subject: Re: [dev-crypto] FIPS META-INF/HMAC.SHA256
>
> Hi Peter and David,
>
> Both thanks for the replies.
>
> Yes I understand and agree META-INF/HMAC.SHA256 is to verify the
> bc-fips-1.0.2.jar has not been changed.
>
> As you know Android does use the import (either copy or Android Studio
> gui include) of jars into the /lib directly of the project to build App
> .apk.
>
> As you mentioned when it is built it gets included in classes.dex it
> obviously gets changed and thus its checksum changes each time the
> entire app changes. Thus the checksum errors for FIPS jars (as I assume
> this verification is explicitly built into FIPS and why traditional BC
> jars do not provide errors in Android).
>
> As David wrote, modifying the FIPS jar breaks the certification of it.
> And to directly import the jar into Android device would need root and a
> "bit" more - and is not viable. StripyBC is rare.
>
> So, is there another way to get the bc-fips-1.0.2.jar into an Android
> App .APK to run without it being changed by DEX?
>
> Failing the above, the next best option is importing into Android app
> /lib the original jar but disable FIPS checksum check outside i.e. in
> the Android program itself - any idea how to do this? Yes I know this
> will result in the App not getting certified - but at least It uses the
> original jar!
>
> Thanks for FipsStatus.getModuleHMAC().
>
> Kind regards,
>
> David
>
>
> I really want to use the
>
> On 07/04/2020 08:08, Peter Dettman wrote:
>> Hi David,
>> First, please don't confuse the different "checksums".
>>
>> - At the stackoverflow link I was only talking about the file checksum
>> on our website that lets you check that you downloaded the file correctly.
>>
>> - META-INF/HMAC.SHA256 in the fips jar is a checksum over the
>> FIPS-relevant contents of the jar; mainly it ensures that classes
>> haven't been added, removed or modified. You can use
>> FipsStatus.getModuleHMAC() to find out what the validator is
>> calculating, and therefore what it expects to find in HMAC.SHA256.
>> However as David Hook pointed out, you can't just change this checksum,
>> it's tied to the certification.
>>
>> - BC provider jars are signed. Some JDKs require this signature to be
>> present and valid before a cryptographic provider can be used.
>>
>> I'm not sure what you mean by "importing that jar into a java project",
>> but anything that modifies the jar in any way e.g. obfuscators, or tries
>> to merge it with other jars, will generally not work.
>>
>> Regards,
>> Pete Dettman
>>
>>
>> On 5/4/20 10:07 pm, David Templar wrote:
>>> Hi (esp Mr Dettman),
>>>
>>> In the FIPS jar there is a file HMAC.SHA256. By importing that jar into
>>> a java project and running it an error is originally produced (Module
>>> checksum failed: SHA-256 digest error).
>>>
>>> Every time a change is made to a program the expected value changes (as
>>> seen when building Android apps).
>>>
>>> From
>>> https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry
>>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>>> "The checksum you have to calculate yourself on the downloaded file
>>> using e.g. "openssl sha256 file.jar" – Peter Dettman
>>> <https://stackoverflow.com/users/264294/peter-dettman> Mar 27 '18 at 6:32"
>>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>>>
>>> Thus, I am assuming that the way this BC FIPS works is that (even though
>>> it is a signed jar), one must calculate the value of the program/app and
>>> change it in the bc-fips-1.0.2.jar. Am I correct?
>>>
>>> By doing the above, I am lucky that Android actually outputs in the
>>> error what the expected value should be and thus the app runs fine.
>>>
>>> However, in regular desktop java the error does not output the expected
>>> value - how do I get it?
>>>
>>> *So, is there an easy way to get the expected value and is the correct
>>> way of using the FIPS jar to actually edit the file in it?*
>>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>>>
>>> --
>>> Kind regards,
>>>
>>> David Templar
>>>
>> .
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Axel Otto, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet: http://www.seeburger.de               Registergericht/Commercial Register:
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
>
> .


Reply | Threaded
Open this post in threaded view
|

RE: FIPS META-INF/HMAC.SHA256

Eckenfels. Bernd
You can use the normal bcprov jars, they are signed as well. It's much less hassle to use the normal provider anyway. The FIPS HMAC function is not helping with Android JAR signing anyway.

--
http://www.seeburger.com
________________________________________
From: David Templar [[hidden email]]
Sent: Tuesday, April 07, 2020 11:39
To: [hidden email]
Subject: Re: [dev-crypto] FIPS META-INF/HMAC.SHA256

Hi Bernd,

No false advertising intended nor do I intend to say the app is FIPS
compliant or derived from FIPS certified jars.

Have already been able to include the BC FIPS jar in the Android .apk
and run (just need to change the value in META-INF/HMAC.SHA256 every
time you build the .apk).

Just for personal happiness I would like to have fully signed FIPS jars
running in the app by any of the 2 previous questions today. With each
change of Android version at some point signed jars may be required in
imports.

Kind regards,

David


On 07/04/2020 10:26, Eckenfels. Bernd wrote:

> Warning here comes my unpopular personal oppinion.
>
> If you don't care about a valid FIPS approval (which given the idiosyncrasies of the spec and the practical usage is a good thing) you can use the normal BC versions, you can still claim you support all/only FIPS approved algorithms if you take the time and limit the configuration to them.
>
> Any hack you do will void the FIPS compliance and you will be bordering on false advertising if you claim otherwise. (For example if you ship an unmodified lib but don't use it unmodified)
>
> Gruss
> Bernd
> --
> http://www.seeburger.com
> ________________________________________
> From: David Templar [[hidden email]]
> Sent: Tuesday, April 07, 2020 11:18
> To: [hidden email]
> Subject: Re: [dev-crypto] FIPS META-INF/HMAC.SHA256
>
> Hi Peter and David,
>
> Both thanks for the replies.
>
> Yes I understand and agree META-INF/HMAC.SHA256 is to verify the
> bc-fips-1.0.2.jar has not been changed.
>
> As you know Android does use the import (either copy or Android Studio
> gui include) of jars into the /lib directly of the project to build App
> .apk.
>
> As you mentioned when it is built it gets included in classes.dex it
> obviously gets changed and thus its checksum changes each time the
> entire app changes. Thus the checksum errors for FIPS jars (as I assume
> this verification is explicitly built into FIPS and why traditional BC
> jars do not provide errors in Android).
>
> As David wrote, modifying the FIPS jar breaks the certification of it.
> And to directly import the jar into Android device would need root and a
> "bit" more - and is not viable. StripyBC is rare.
>
> So, is there another way to get the bc-fips-1.0.2.jar into an Android
> App .APK to run without it being changed by DEX?
>
> Failing the above, the next best option is importing into Android app
> /lib the original jar but disable FIPS checksum check outside i.e. in
> the Android program itself - any idea how to do this? Yes I know this
> will result in the App not getting certified - but at least It uses the
> original jar!
>
> Thanks for FipsStatus.getModuleHMAC().
>
> Kind regards,
>
> David
>
>
> I really want to use the
>
> On 07/04/2020 08:08, Peter Dettman wrote:
>> Hi David,
>> First, please don't confuse the different "checksums".
>>
>> - At the stackoverflow link I was only talking about the file checksum
>> on our website that lets you check that you downloaded the file correctly.
>>
>> - META-INF/HMAC.SHA256 in the fips jar is a checksum over the
>> FIPS-relevant contents of the jar; mainly it ensures that classes
>> haven't been added, removed or modified. You can use
>> FipsStatus.getModuleHMAC() to find out what the validator is
>> calculating, and therefore what it expects to find in HMAC.SHA256.
>> However as David Hook pointed out, you can't just change this checksum,
>> it's tied to the certification.
>>
>> - BC provider jars are signed. Some JDKs require this signature to be
>> present and valid before a cryptographic provider can be used.
>>
>> I'm not sure what you mean by "importing that jar into a java project",
>> but anything that modifies the jar in any way e.g. obfuscators, or tries
>> to merge it with other jars, will generally not work.
>>
>> Regards,
>> Pete Dettman
>>
>>
>> On 5/4/20 10:07 pm, David Templar wrote:
>>> Hi (esp Mr Dettman),
>>>
>>> In the FIPS jar there is a file HMAC.SHA256. By importing that jar into
>>> a java project and running it an error is originally produced (Module
>>> checksum failed: SHA-256 digest error).
>>>
>>> Every time a change is made to a program the expected value changes (as
>>> seen when building Android apps).
>>>
>>> From
>>> https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry
>>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>>> "The checksum you have to calculate yourself on the downloaded file
>>> using e.g. "openssl sha256 file.jar" – Peter Dettman
>>> <https://stackoverflow.com/users/264294/peter-dettman> Mar 27 '18 at 6:32"
>>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>>>
>>> Thus, I am assuming that the way this BC FIPS works is that (even though
>>> it is a signed jar), one must calculate the value of the program/app and
>>> change it in the bc-fips-1.0.2.jar. Am I correct?
>>>
>>> By doing the above, I am lucky that Android actually outputs in the
>>> error what the expected value should be and thus the app runs fine.
>>>
>>> However, in regular desktop java the error does not output the expected
>>> value - how do I get it?
>>>
>>> *So, is there an easy way to get the expected value and is the correct
>>> way of using the FIPS jar to actually edit the file in it?*
>>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>>>
>>> --
>>> Kind regards,
>>>
>>> David Templar
>>>
>> .
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Axel Otto, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet: http://www.seeburger.de               Registergericht/Commercial Register:
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
>
> .










SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Axel Otto, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de               Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.


Reply | Threaded
Open this post in threaded view
|

Re: FIPS META-INF/HMAC.SHA256

David Templar-2
Hi Bernd,

Have already used the traditional BC jars in many Apps - maybe time for
a change of jar (rather than taking a holiday :) )!

Thanks.

On 07/04/2020 10:45, Eckenfels. Bernd wrote:

> You can use the normal bcprov jars, they are signed as well. It's much less hassle to use the normal provider anyway. The FIPS HMAC function is not helping with Android JAR signing anyway.
>
> --
> http://www.seeburger.com
> ________________________________________
> From: David Templar [[hidden email]]
> Sent: Tuesday, April 07, 2020 11:39
> To: [hidden email]
> Subject: Re: [dev-crypto] FIPS META-INF/HMAC.SHA256
>
> Hi Bernd,
>
> No false advertising intended nor do I intend to say the app is FIPS
> compliant or derived from FIPS certified jars.
>
> Have already been able to include the BC FIPS jar in the Android .apk
> and run (just need to change the value in META-INF/HMAC.SHA256 every
> time you build the .apk).
>
> Just for personal happiness I would like to have fully signed FIPS jars
> running in the app by any of the 2 previous questions today. With each
> change of Android version at some point signed jars may be required in
> imports.
>
> Kind regards,
>
> David
>
>
> On 07/04/2020 10:26, Eckenfels. Bernd wrote:
>> Warning here comes my unpopular personal oppinion.
>>
>> If you don't care about a valid FIPS approval (which given the idiosyncrasies of the spec and the practical usage is a good thing) you can use the normal BC versions, you can still claim you support all/only FIPS approved algorithms if you take the time and limit the configuration to them.
>>
>> Any hack you do will void the FIPS compliance and you will be bordering on false advertising if you claim otherwise. (For example if you ship an unmodified lib but don't use it unmodified)
>>
>> Gruss
>> Bernd
>> --
>> http://www.seeburger.com
>> ________________________________________
>> From: David Templar [[hidden email]]
>> Sent: Tuesday, April 07, 2020 11:18
>> To: [hidden email]
>> Subject: Re: [dev-crypto] FIPS META-INF/HMAC.SHA256
>>
>> Hi Peter and David,
>>
>> Both thanks for the replies.
>>
>> Yes I understand and agree META-INF/HMAC.SHA256 is to verify the
>> bc-fips-1.0.2.jar has not been changed.
>>
>> As you know Android does use the import (either copy or Android Studio
>> gui include) of jars into the /lib directly of the project to build App
>> .apk.
>>
>> As you mentioned when it is built it gets included in classes.dex it
>> obviously gets changed and thus its checksum changes each time the
>> entire app changes. Thus the checksum errors for FIPS jars (as I assume
>> this verification is explicitly built into FIPS and why traditional BC
>> jars do not provide errors in Android).
>>
>> As David wrote, modifying the FIPS jar breaks the certification of it.
>> And to directly import the jar into Android device would need root and a
>> "bit" more - and is not viable. StripyBC is rare.
>>
>> So, is there another way to get the bc-fips-1.0.2.jar into an Android
>> App .APK to run without it being changed by DEX?
>>
>> Failing the above, the next best option is importing into Android app
>> /lib the original jar but disable FIPS checksum check outside i.e. in
>> the Android program itself - any idea how to do this? Yes I know this
>> will result in the App not getting certified - but at least It uses the
>> original jar!
>>
>> Thanks for FipsStatus.getModuleHMAC().
>>
>> Kind regards,
>>
>> David
>>
>>
>> I really want to use the
>>
>> On 07/04/2020 08:08, Peter Dettman wrote:
>>> Hi David,
>>> First, please don't confuse the different "checksums".
>>>
>>> - At the stackoverflow link I was only talking about the file checksum
>>> on our website that lets you check that you downloaded the file correctly.
>>>
>>> - META-INF/HMAC.SHA256 in the fips jar is a checksum over the
>>> FIPS-relevant contents of the jar; mainly it ensures that classes
>>> haven't been added, removed or modified. You can use
>>> FipsStatus.getModuleHMAC() to find out what the validator is
>>> calculating, and therefore what it expects to find in HMAC.SHA256.
>>> However as David Hook pointed out, you can't just change this checksum,
>>> it's tied to the certification.
>>>
>>> - BC provider jars are signed. Some JDKs require this signature to be
>>> present and valid before a cryptographic provider can be used.
>>>
>>> I'm not sure what you mean by "importing that jar into a java project",
>>> but anything that modifies the jar in any way e.g. obfuscators, or tries
>>> to merge it with other jars, will generally not work.
>>>
>>> Regards,
>>> Pete Dettman
>>>
>>>
>>> On 5/4/20 10:07 pm, David Templar wrote:
>>>> Hi (esp Mr Dettman),
>>>>
>>>> In the FIPS jar there is a file HMAC.SHA256. By importing that jar into
>>>> a java project and running it an error is originally produced (Module
>>>> checksum failed: SHA-256 digest error).
>>>>
>>>> Every time a change is made to a program the expected value changes (as
>>>> seen when building Android apps).
>>>>
>>>> From
>>>> https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry
>>>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>>>> "The checksum you have to calculate yourself on the downloaded file
>>>> using e.g. "openssl sha256 file.jar" – Peter Dettman
>>>> <https://stackoverflow.com/users/264294/peter-dettman> Mar 27 '18 at 6:32"
>>>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>>>>
>>>> Thus, I am assuming that the way this BC FIPS works is that (even though
>>>> it is a signed jar), one must calculate the value of the program/app and
>>>> change it in the bc-fips-1.0.2.jar. Am I correct?
>>>>
>>>> By doing the above, I am lucky that Android actually outputs in the
>>>> error what the expected value should be and thus the app runs fine.
>>>>
>>>> However, in regular desktop java the error does not output the expected
>>>> value - how do I get it?
>>>>
>>>> *So, is there an easy way to get the expected value and is the correct
>>>> way of using the FIPS jar to actually edit the file in it?*
>>>> <https://stackoverflow.com/questions/49443127/org-bouncycastle-crypto-fips-fipsoperationerror-module-checksum-failed-entry#comment86015612_49443127>
>>>>
>>>> --
>>>> Kind regards,
>>>>
>>>> David Templar
>>>>
>>> .
>>
>>
>>
>>
>>
>>
>>
>>
>> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
>> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Axel Otto, Dr. Martin Kuntz, Matthias Feßenbecker
>> Edisonstr. 1
>> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
>> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
>> Fax: 07252 / 96 - 2222
>> Internet: http://www.seeburger.de               Registergericht/Commercial Register:
>> e-mail: [hidden email]               HRB 240708 Mannheim
>>
>>
>> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>>
>>
>> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>>
>>
>> .
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Axel Otto, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet: http://www.seeburger.de               Registergericht/Commercial Register:
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
>
> .


Reply | Threaded
Open this post in threaded view
|

And Android Experiment

David Templar-2
In reply to this post by Peter Dettman-3
Hi,

I think I shall start with an old Samsung 4.0.1 tablet. I have run the
1.0.2 Fips version on it using checksum modification - as per previous
posts.

I now want to move forward and actually install the jar so
(theoretically a checksum issue should not happen).

I think that rather than modding the JVM a replacement of the existing
/system/framework Bouncy castle file will work... Have not tried yet and
I can assume a million problems OR all works!

Yes Mr Hook has noted entropy... yes, TrueCrypt stopped when the FBI
case began... and yes I think recovery was about 40% data? I have no
will to stop law enforcement etc... but at the same time do we shut down
https, bank data, and encryption and a lot more? When there is a legal
duty to secure data?

Kind regards!


Reply | Threaded
Open this post in threaded view
|

Re: An Android Experiment

David Templar-2
Ha Ha Android wins again :)

Their restricted version of BC is actually another DEX file in
/system/framework/:

root@android:/system/framework # ls -la bouncycastle.*
-rw-r--r-- root     root          313 2013-05-21 10:40 bouncycastle.jar
-rw-r--r-- root     root       983016 2013-05-21 10:40 bouncycastle.odex

So, by that very nature trying to replace the above with a clean BC FIPS
jar will have a different checksum (as it will need to be Dexed and thus
changing the file) -  and will thus fail at run-time!

Please do not get me wrong - I fully support BC and BC FIPS - just
irritating trying FIPS on Android (although it can work as per a
previous post of mine).

GIve up, have a drink or back to the drawing board?

... :)

On 16/04/2020 20:25, David Templar wrote:

> Hi,
>
> I think I shall start with an old Samsung 4.0.1 tablet. I have run the
> 1.0.2 Fips version on it using checksum modification - as per previous
> posts.
>
> I now want to move forward and actually install the jar so
> (theoretically a checksum issue should not happen).
>
> I think that rather than modding the JVM a replacement of the existing
> /system/framework Bouncy castle file will work... Have not tried yet
> and I can assume a million problems OR all works!
>
> Yes Mr Hook has noted entropy... yes, TrueCrypt stopped when the FBI
> case began... and yes I think recovery was about 40% data? I have no
> will to stop law enforcement etc... but at the same time do we shut
> down https, bank data, and encryption and a lot more? When there is a
> legal duty to secure data?
>
> Kind regards!
>
>
> .


Reply | Threaded
Open this post in threaded view
|

AW: [dev-crypto] And Android Experiment

Eckenfels. Bernd
In reply to this post by David Templar-2
Entropy is not an issue, if you stick to SecureRandom() on Android you will get a system implementation oft he OpenSSLRandom provider which ist he supported entropy source for Android. They explicitely deprecate SHA1PRNG.

Gruss
Bernd

-----Ursprüngliche Nachricht-----
Von: David Templar <[hidden email]>
Gesendet: Donnerstag, 16. April 2020 21:25
An: [hidden email]
Betreff: [dev-crypto] And Android Experiment

Hi,

I think I shall start with an old Samsung 4.0.1 tablet. I have run the
1.0.2 Fips version on it using checksum modification - as per previous posts.

I now want to move forward and actually install the jar so (theoretically a checksum issue should not happen).

I think that rather than modding the JVM a replacement of the existing /system/framework Bouncy castle file will work... Have not tried yet and I can assume a million problems OR all works!

Yes Mr Hook has noted entropy... yes, TrueCrypt stopped when the FBI case began... and yes I think recovery was about 40% data? I have no will to stop law enforcement etc... but at the same time do we shut down https, bank data, and encryption and a lot more? When there is a legal duty to secure data?

Kind regards!










SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Axel Otto, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de               Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.