Decrypting RSA Private Key

Decrypting RSA Private Key

Nick G.
Hello,
I have a need to read an encrypted RSA Private Key generated using
openssl with a java program. I have included some background at the end
of this message, but my question is basically: how is the pass phrase
converted into the key part? I can get the IV from the DEK-Info line,
but I can't seem to figure out (by looking at the openssl source) how
the key portion of the decryption key is created from the password
entered by the user. Right now I am simply converting the pass phrase
into bytes and using that as the key portion. I believe this is
incorrect, but I don't know what else to try. Also, I assume that the
key is _not_ encrypted with PBE (since it is not padded per pkcs5). Is
this assumption correct? Finally, once decrypted, will the key have the
same asn1 schema as a key written in the clear?

Please excuse me if these questions are already answered in the
archives, as I was unable to locate any posts with this information
(probably poor choice of search terms!) Also, if the transformation of
the pass phrase into key is covered in some rfc I have yet to discover a
shove in the right direction would be appreciated!

Background:
I have been able to generate/convert keys using openssl in the following
formats and successfully read them using a java program:

pkcs8 - clear text
pkcs8 - des encrypted
rsa - clear text

However, I'm using the key for Apache mod_ssl and the only formats it
seems to accept are:

pkcs8 - clear text
rsa - clear text
rsa - des encrypted

Since we want to protect the key using at least des encryption and I
can't seem to make Apache read the pkcs8 format keys when they are
encrypted (perhaps the httpd folks are using the wrong callback?), I
thought making java decrypt the RSA key would be the "simplest" solution.

Regards,

Nick Grynkewich
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Decrypting RSA Private Key

Dr. Stephen Henson
On Tue, Jun 21, 2005, Nick G. wrote:

> Hello,
> I have a need to read an encrypted RSA Private Key generated using
> openssl with a java program. I have included some background at the end
> of this message, but my question is basically: how is the pass phrase
> converted into the key part? I can get the IV from the DEK-Info line,
> but I can't seem to figure out (by looking at the openssl source) how
> the key portion of the decryption key is created from the password
> entered by the user. Right now I am simply converting the pass phrase
> into bytes and using that as the key portion. I believe this is
> incorrect, but I don't know what else to try. Also, I assume that the
> key is _not_ encrypted with PBE (since it is not padded per pkcs5). Is
> this assumption correct? Finally, once decrypted, will the key have the
> same asn1 schema as a key written in the clear?
>
> Please excuse me if these questions are already answered in the
> archives, as I was unable to locate any posts with this information
> (probably poor choice of search terms!) Also, if the transformation of
> the pass phrase into key is covered in some rfc I have yet to discover a
> shove in the right direction would be appreciated!
>
> Background:
> I have been able to generate/convert keys using openssl in the following
> formats and successfully read them using a java program:
>
> pkcs8 - clear text
> pkcs8 - des encrypted
> rsa - clear text
>
> However, I'm using the key for Apache mod_ssl and the only formats it
> seems to accept are:
>
> pkcs8 - clear text
> rsa - clear text
> rsa - des encrypted
>
> Since we want to protect the key using at least des encryption and I
> can't seem to make Apache read the pkcs8 format keys when they are
> encrypted (perhaps the httpd folks are using the wrong callback?), I
> thought making java decrypt the RSA key would be the "simplest" solution.
>

Any OpenSSL application should transparently handle PKCS#8 clear text or
encrypted keys. But make sure you have the correct PEM headers.

If you try:

openssl rsa -in key.pem -noout -text

and that can correctly decrypt the key you should have no problems with Apache
unless it does something weird.

The PKCS#8 formats OpenSSL uses are all standard and it can use a variety of
password based encryption (PBE) algorithms including PKCS#5 v1.5, v2.0 and
PKCS#12.

The other 'traditional' format for OpenSSL private key encryption is
non-standard and has remained unchanged since the SSLeay days.

It *is* documented. See:

http://www.openssl.org/docs/crypto/pem.html#PEM_ENCRYPTION_FORMAT

and

http://www.openssl.org/docs/crypto/EVP_BytesToKey.html#KEY_DERIVATION_ALGORITHM

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Decrypting RSA Private Key

Nick G.
Dr. Stephen Henson wrote:

> On Tue, Jun 21, 2005, Nick G. wrote:
>
>
>>Hello,
>>I have a need to read an encrypted RSA Private Key generated using
>>openssl with a java program. I have included some background at the end
>>of this message, but my question is basically: how is the pass phrase
>>converted into the key part? I can get the IV from the DEK-Info line,
>>but I can't seem to figure out (by looking at the openssl source) how
>>the key portion of the decryption key is created from the password
>>entered by the user. Right now I am simply converting the pass phrase
>>into bytes and using that as the key portion. I believe this is
>>incorrect, but I don't know what else to try. Also, I assume that the
>>key is _not_ encrypted with PBE (since it is not padded per pkcs5). Is
>>this assumption correct? Finally, once decrypted, will the key have the
>>same asn1 schema as a key written in the clear?
>>
>>Please excuse me if these questions are already answered in the
>>archives, as I was unable to locate any posts with this information
>>(probably poor choice of search terms!) Also, if the transformation of
>>the pass phrase into key is covered in some rfc I have yet to discover a
>>shove in the right direction would be appreciated!
>>
>>Background:
>>I have been able to generate/convert keys using openssl in the following
>>formats and successfully read them using a java program:
>>
>>pkcs8 - clear text
>>pkcs8 - des encrypted
>>rsa - clear text
>>
>>However, I'm using the key for Apache mod_ssl and the only formats it
>>seems to accept are:
>>
>>pkcs8 - clear text
>>rsa - clear text
>>rsa - des encrypted
>>
>>Since we want to protect the key using at least des encryption and I
>>can't seem to make Apache read the pkcs8 format keys when they are
>>encrypted (perhaps the httpd folks are using the wrong callback?), I
>>thought making java decrypt the RSA key would be the "simplest" solution.
>>
>
>
> Any OpenSSL application should transparently handle PKCS#8 clear text or
> encrypted keys. But make sure you have the correct PEM headers.
>
> If you try:
>
> openssl rsa -in key.pem -noout -text
>
> and that can correctly decrypt the key you should have no problems with Apache
> unless it does something weird.
>
> The PKCS#8 formats OpenSSL uses are all standard and it can use a variety of
> password based encryption (PBE) algorithms including PKCS#5 v1.5, v2.0 and
> PKCS#12.
>
> The other 'traditional' format for OpenSSL private key encryption is
> non-standard and has remained unchanged since the SSLeay days.
>
> It *is* documented. See:
>
> http://www.openssl.org/docs/crypto/pem.html#PEM_ENCRYPTION_FORMAT
>
> and
>
> http://www.openssl.org/docs/crypto/EVP_BytesToKey.html#KEY_DERIVATION_ALGORITHM
>
Thank you, this is exactly what I was searching for. Sadly, I had even
guessed that maybe the DEK-Info was the salt [and not an IV], and
guessed the iteration count might be one, but couldn't get that to work
either. Obviously, I gave up too soon!

WRT Apache I did verify that OpenSSL can read the keys I created using:

openssl genrsa -out clr.rsa 1024
  then
openssl pkcs8 -v1 PBE-MD5-DES -in clr.rsa -topk8 -out enc.des.v1.pkcs8
  or
openssl pkcs8 -v2 des -in clr.rsa -topk8 -out enc.des.v2.pkcs8
  or
openssl pkcs8 -v2 des3 -in clr.rsa -topk8 -out enc.des3.v2.pkcs8

and that the output from the command you suggested above is identical
for all the keys but that Apache will not accept any of the encrypted
PKCS#8 versions (prompts for passphrase, but then claims the pass phrase
was bad no matter how many times I try to type it in correctly!). I will
report this as a bug to them.

FYI, The new Java5 stuff will also croak when deciphering the v2
algorithms claiming that it:  "Cannot find any provider supporting
1.2.840.113549.1.5.13" (1.2.etc is the OID for TripleDES, right?)<sigh>

Again, thank you for the help.

Cheers!

Nick
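
Added example, not part of the original messages and not OpenSSL's own code: the key derivation for the 'traditional' PEM format described by the two documentation links above, written in Python. It assumes EVP_BytesToKey with MD5 and an iteration count of one, using the first 8 bytes of the DEK-Info IV as the salt; the function names and the sample header are constructed for illustration.

```python
import hashlib

# Key lengths in bytes for cipher names that appear in DEK-Info headers.
KEY_LEN = {"DES-CBC": 8, "DES-EDE3-CBC": 24, "AES-128-CBC": 16, "AES-256-CBC": 32}

def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int) -> bytes:
    """EVP_BytesToKey with MD5 and count = 1:
    D_1 = MD5(pass || salt), D_i = MD5(D_(i-1) || pass || salt)."""
    derived, block = b"", b""
    while len(derived) < key_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        derived += block
    return derived[:key_len]

def parse_dek_info(pem_text: str):
    """Return (cipher_name, iv_bytes) from a traditional encrypted PEM."""
    lines = [line.strip() for line in pem_text.splitlines()]
    if "Proc-Type: 4,ENCRYPTED" not in lines:
        raise ValueError("no Proc-Type header: not a traditional encrypted PEM")
    for line in lines:
        if line.startswith("DEK-Info:"):
            cipher, iv_hex = line.split(":", 1)[1].strip().split(",")
            return cipher, bytes.fromhex(iv_hex)
    raise ValueError("DEK-Info header missing")

def derive_pem_key(pem_text: str, passphrase: bytes):
    """Return (cipher_name, key, iv) needed to decrypt the PEM body."""
    cipher, iv = parse_dek_info(pem_text)
    if cipher not in KEY_LEN:
        raise ValueError(f"unsupported cipher {cipher}")
    # The IV is used as the CBC IV; its first 8 bytes double as the salt.
    key = evp_bytes_to_key(passphrase, iv[:8], KEY_LEN[cipher])
    return cipher, key, iv

# Constructed sample: headers only, the base64 body is left out.
SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

(base64 body omitted)
-----END RSA PRIVATE KEY-----"""

if __name__ == "__main__":
    cipher, key, iv = derive_pem_key(SAMPLE, b"example passphrase")
    print(cipher, key.hex(), iv.hex())
```

Feeding the returned key and IV to the named cipher in CBC mode with standard block padding yields the same DER RSAPrivateKey structure as an unencrypted key.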

RE: Decrypting RSA Private Key

David C. Partridge
Strictly speaking 1.2.840.113549.1.5.13 is the OID for the "PBES2 encryption
scheme" from PKCS#5 V2.

Dave



Re: Decrypting RSA Private Key

Dr. Stephen Henson
In reply to this post by Nick G.
On Wed, Jun 22, 2005, Nick G. wrote:

>
> WRT Apache I did verify that OpenSSL can read the keys I created using:
>
> openssl genrsa -out clr.rsa 1024
>  then
> openssl pkcs8 -v1 PBE-MD5-DES -in clr.rsa -topk8 -out enc.des.v1.pkcs8
>  or
> openssl pkcs8 -v2 des -in clr.rsa -topk8 -out enc.des.v2.pkcs8
>  or
> openssl pkcs8 -v2 des3 -in clr.rsa -topk8 -out enc.des3.v2.pkcs8
>
> and that the output from the command you suggested above is identical
> for all the keys but that Apache will not accept any of the encrypted
> PKCS#8 versions (prompts for passphrase, but then claims the pass phrase
> was bad no matter how many times I try to type it in correctly!). I will
> report this as a bug to them.
>

They may be missing some calls to add the PBE algorithms. This is automatic if
you call OpenSSL_add_all_algorithms() but needs to be handled if algorithms
are being added manually.

A meaningful error code would help too...

> FYI, The new Java5 stuff will also croak when deciphering the v2
> algorithms claiming that it:  "Cannot find any provider supporting
> 1.2.840.113549.1.5.13" (1.2.etc is the OID for TripleDES, right?)<sigh>
>

No, that's the PKCS#5 v2.0 OID. You'd expect that message if it didn't
understand PKCS#5 v2.0.

Unfortunately PKCS#5 v1.5 doesn't include any schemes for strong encryption
because the algorithm only derives 128 bits of data (key+IV).

You may have more luck with the PKCS#12 PBE algorithms: see the examples on
the manual page to the pkcs8 utility for more info.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk