Hi,
I have a rather complicated situation in the sense that I need to
realize licensing checks of software. This is done through a config file
that is signed through a USB smartcard (crypto-token). Next to that, I
have a symmetric blowfish key that I need for that. This key has been
encrypted (yes, an encrypted encryptionkey :-)) by an RSA-private key.
However, when I try to use openssl to decrypt using the corresponding
RSA-public key, I get:

    A private key is needed for this operation

The command used is:

    openssl rsautl -decrypt -pubin -inkey myrsakey.pub -in blowfish.enc

The blowfish.enc file was generated through:

    dd if=/dev/random of=blowfishkey bs=16 count=1
    openssl rsautl -encrypt -in blowfishkey -out blowfishkey.enc \
        -inkey myrsakey.key

I use:
OpenSSL 0.9.7g 11 Apr 2005

I know RSA encryption and decryption can only be used for very small
pieces of data. I need to encrypt more data, so I use a symmetric key to
encrypt and decrypt data and I make sure the key used to encrypt stuff
was encrypted by myself.

So in short: why can't I decrypt data with an RSA public key that has
been encrypted with the corresponding RSA private key?

BTW: I have to do this in Python (sorry, wasn't my choice :-( ), so I
can't use the RSA_public_decrypt() subroutine which, judging from
internet comments, *can* actually decrypt data with an RSA public key...

Any comments are welcome. Thanks in advance.

Kind regards,

Simon de Hartog
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]

On Thu, Apr 13, 2006, Simon de Hartog wrote:
> Hi,
>
> I have a rather complicated situation in the sense that I need to
> realize licensing checks of software. This is done through a config file
> that is signed through a USB smartcard (crypto-token). Next to that, I
> have a symmetric blowfish key that I need for that. This key has been
> encrypted (yes, an encrypted encryptionkey :-)) by an RSA-private key.
> However, when I try to use openssl to decrypt using the corresponding
> RSA-public key, I get:
>
>     A private key is needed for this operation
>
> The command used is:
>
>     openssl rsautl -decrypt -pubin -inkey myrsakey.pub -in blowfish.enc
>
> The blowfish.enc file was generated through:
>
>     dd if=/dev/random of=blowfishkey bs=16 count=1
>     openssl rsautl -encrypt -in blowfishkey -out blowfishkey.enc \
>         -inkey myrsakey.key
>
> I use:
> OpenSSL 0.9.7g 11 Apr 2005
>
> I know RSA encryption and decryption can only be used for very small
> pieces of data. I need to encrypt more data, so I use a symmetric key to
> encrypt and decrypt data and I make sure the key used to encrypt stuff
> was encrypted by myself.
>
> So in short: why can't I decrypt data with an RSA public key that has
> been encrypted with the corresponding RSA private key?
>
> BTW: I have to do this in Python (sorry, wasn't my choice :-( ), so I
> can't use the RSA_public_decrypt() subroutine which, judging from
> internet comments, *can* actually decrypt data with an RSA public key...
>

You can't because that isn't what the operation is doing. If you perform an
"encrypt" operation with RSA it is encrypting the data using a *public* key.
It accepts a private key but only uses the public key portion of it.

That's why the decrypt operation fails: it needs a private key.

It seems a bit odd to do what you are suggesting. Symmetric keys are normally
secret and doing that would make it readable to anyone with access to the
public key.

If you really want to do that then you probably want the sign/verify
operations instead which call RSA_private_encrypt() and RSA_public_decrypt().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Dr. Stephen Henson wrote:
> You can't because that isn't what the operation is doing. If you perform an
> "encrypt" operation with RSA it is encrypting the data using a *public* key.
> It accepts a private key but only uses the public key portion of it.
>
> That's why the decrypt operation fails: it needs a private key.

Ok, now I understand. Thanks for the answer.

> It seems a bit odd to do what you are suggesting. Symmetric keys are normally
> secret and doing that would make it readable to anyone with access to the
> public key.
> If you really want to do that then you probably want the sign/verify
> operations instead which call RSA_private_encrypt() and RSA_public_decrypt().

What I want to do is the following: I want to restrict use of software
by specifying limits such as number of CPU's and validity until a
certain date. This data will be put in an .xml file. But, I want to be
able to make sure that the software has to use a Smartcard (with public
and private key) to check the integrity of this .xml file so nobody can
alter it, but I *also* want to make sure that the .xml file was made and
certified by the company that owns the software.

The easy solution would be to just use certificates and use the validity
periods therein. I could use the company's CA cert and store the
software user's cert in the smartcard. However, this would imply having
to update the smartcard every time they pay license fees and this is not
desirable. So I just want to use public/private keys, no
certificates for this.

> Steve.

Kind regards,

Simon de Hartog

In reply to this post by Simon de Hartog-3
> However, when I try to use openssl to decrypt using the corresponding
> RSA-public key, I get:
>
>     A private key is needed for this operation

That is how RSA encryption works:

1) There is a public key that you can distribute.

2) There is a private key from which the public key can be derived.

3) The private key cannot be derived from the public key.

4) You can sign with the private key and verify that signature with the
public key.

5) You can encrypt with the public key and the private key is necessary to
decrypt.

It sounds like you're not doing any of these five things. What sensible
algorithm permits decryption with the public key?

> The command used is:
>
>     openssl rsautl -decrypt -pubin -inkey myrsakey.pub -in blowfish.enc

You cannot decrypt with the public key, otherwise you would have a piece of
encrypted data that anyone could decrypt. If your goal is to make sure that
the information was somehow processed with the private key, you want a
signature, not an encryption.

> I know RSA encryption and decryption can only be used for very small
> pieces of data. I need to encrypt more data, so I use a symmetric key to
> encrypt and decrypt data and I make sure the key used to encrypt stuff
> was encrypted by myself.

Sounds like you need to both encrypt and sign the key.

> So in short: why can't I decrypt data with an RSA public key that has
> been encrypted with the corresponding RSA private key?

Because you actually encrypted with the public key, which can be trivially
derived from the private key.

> BTW: I have to do this in Python (sorry, wasn't my choice :-( ), so I
> can't use the RSA_public_decrypt() subroutine which, judging from
> internet comments, *can* actually decrypt data with an RSA public key...

It's hard to tell you what to do without understanding your security and
threat model. But the reason what you're trying to do won't work is that RSA
decryption requires the private key so that only the owner of the key can
decrypt. The standard RSA routines don't imagine a situation where only one
person should be allowed to encrypt but anyone can decrypt, other than a
digital signature.

>What I want to do is the following: I want to restrict use of software
>by specifying limits such as number of CPU's and validity until a
>certain date. This data will be put in an .xml file. But, I want to be
>able to make sure that the software has to use a Smartcard (with public
>and private key) to check the integrity of this .xml file so nobody can
>alter it, but I *also* want to make sure that the .xml file was made and
>certified by the company that owns the software.

That is not easy to do. You are trying to give the information to and keep
the information from the same entity.

>The easy solution would be to just use certificates and use the validity
>periods therein. I could use the company's CA cert and store the
>software user's cert in the smartcard. However, this would imply having
>to update the smartcard every time they pay license fees and this is not
>desirable. So I just want to use public/private keys, no
>certificates for this.

I don't follow at all. When someone pays license fees, you need to somehow
track the information that their validity period was extended. If not by
updating the smartcard, how do you want to do that?

DS

Hi all,
I've removed the replies, for shortness. Thank you very much for them,
they have been very enlightening. I think I've found my solution.

What I wanted to do is make sure that the software only runs on a system
that has a smartcard connected to it that the software owner has sent
the customer. Next to that, I want the configuration file to also only
have been created by the software owner. Therefore I think I need to
sign the configuration twice.

My theory (please correct me if I'm wrong): there are two ways to verify
that a signature on a piece of data is correct:

1) Creating the digest of that data and verifying it with the
corresponding public key to see if the signature was created with that
private key;

2) Recreate the signature with the private key (assuming I have it) and
see if it matches the signature.

I know 2) is not really a common option, but in this case it should be
worthwhile.

My plan is:
- sign the configuration with the smartcard;
- sign the resulting signature with the private key of the software owner.

To check, I can now:
- re-sign the configuration file with the smartcard (method 2);
- make a digest of the resulting signature and check whether the "signed
  signature" was actually signed by the software owner's private key by
  validating the digest with the software owner's public key (method 1).

David Schwartz told me it was not easy and I agree. But to me it looks
like this could do the trick. Please bear in mind that the software user
has control over the smartcard but not over the software owner's public
key.

So, is this safe? Any comments? Thanks in advance :-)

Kind regards,

Simon de Hartog

In reply to this post by JoelKatz
just a side note:
RSA private keys can be used to encrypt data that can be decrypted with
the public key.

RSA public keys can be used to encrypt data that can be decrypted with
the private key.

The speed of the operation is 3 to 4 orders of magnitude slower than the
equivalent encryption/decryption with a symmetric key. However, the fact
that the RSA function is invertible is what allows it to be used for
secure asymmetric authentication.

On 4/13/06, David Schwartz <[hidden email]> wrote:
>
> > However, when I try to use openssl to decrypt using the corresponding
> > RSA-public key, I get:
> >
> >     A private key is needed for this operation
>
> That is how RSA encryption works:
>
> 1) There is a public key that you can distribute.
>
> 2) There is a private key from which the public key can be derived.
>
> 3) The private key cannot be derived from the public key.
>
> 4) You can sign with the private key and verify that signature with the
> public key.
>
> 5) You can encrypt with the public key and the private key is necessary to
> decrypt.
>
> It sounds like you're not doing any of these five things. What sensible
> algorithm permits decryption with the public key?
>
> > The command used is:
> >
> >     openssl rsautl -decrypt -pubin -inkey myrsakey.pub -in blowfish.enc
>
> You cannot decrypt with the public key, otherwise you would have a piece of
> encrypted data that anyone could decrypt. If your goal is to make sure that
> the information was somehow processed with the private key, you want a
> signature, not an encryption.
>
> > I know RSA encryption and decryption can only be used for very small
> > pieces of data. I need to encrypt more data, so I use a symmetric key to
> > encrypt and decrypt data and I make sure the key used to encrypt stuff
> > was encrypted by myself.
>
> Sounds like you need to both encrypt and sign the key.
>
> > So in short: why can't I decrypt data with an RSA public key that has
> > been encrypted with the corresponding RSA private key?
>
> Because you actually encrypted with the public key, which can be trivially
> derived from the private key.
>
> > BTW: I have to do this in Python (sorry, wasn't my choice :-( ), so I
> > can't use the RSA_public_decrypt() subroutine which, judging from
> > internet comments, *can* actually decrypt data with an RSA public key...
>
> It's hard to tell you what to do without understanding your security and
> threat model. But the reason what you're trying to do won't work is that RSA
> decryption requires the private key so that only the owner of the key can
> decrypt. The standard RSA routines don't imagine a situation where only one
> person should be allowed to encrypt but anyone can decrypt, other than a
> digital signature.
>
> >What I want to do is the following: I want to restrict use of software
> >by specifying limits such as number of CPU's and validity until a
> >certain date. This data will be put in an .xml file. But, I want to be
> >able to make sure that the software has to use a Smartcard (with public
> >and private key) to check the integrity of this .xml file so nobody can
> >alter it, but I *also* want to make sure that the .xml file was made and
> >certified by the company that owns the software.
>
> That is not easy to do. You are trying to give the information to and keep
> the information from the same entity.
>
> >The easy solution would be to just use certificates and use the validity
> >periods therein. I could use the company's CA cert and store the
> >software user's cert in the smartcard. However, this would imply having
> >to update the smartcard every time they pay license fees and this is not
> >desirable. So I just want to use public/private keys, no
> >certificates for this.
>
> I don't follow at all. When someone pays license fees, you need to somehow
> track the information that their validity period was extended. If not by
> updating the smartcard, how do you want to do that?
>
> DS

Hello,
> just a side note:
>
> RSA private keys can be used to encrypt data that can be decrypted
> with the public key.
>
> RSA public keys can be used to encrypt data that can be decrypted with
> the private key.

That's true, "signing" is technically nothing other than encrypting some
data (md hash) with the private key, whereas "verifying" is decrypting
some data with the public key (with added memcmp() magic :-).

The "openssl" command cannot encrypt with a private key because it is
written this way, not because it is not possible.

My suggestion is to write a little utility for this purpose using the
RSA_private_encrypt()/RSA_public_decrypt() functions, which would be
2 pages long and could be called from Python.
If someone really wants this functionality, of course :-)

Best regards,
--
Marek Marcola <[hidden email]>

On Fri, Apr 14, 2006, Marek Marcola wrote:
> Hello,
> > just a side note:
> >
> > RSA private keys can be used to encrypt data that can be decrypted
> > with the public key.
> >
> > RSA public keys can be used to encrypt data that can be decrypted with
> > the private key.
> That's true, "signing" is technically nothing other than encrypting some
> data (md hash) with the private key, whereas "verifying" is decrypting
> some data with the public key (with added memcmp() magic :-).

That is true for RSA but not for other algorithms BTW...

Well actually it isn't completely true for RSA either, PSS mode doesn't work
like that.

> The "openssl" command cannot encrypt with a private key because it is
> written this way, not because it is not possible.

The rsautl utility can do this using the -sign and -verify options. In rsautl
"verify" does a public decrypt and writes the result rather than a memcmp
and a Yes/No answer.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Hello,
> The rsautl utility can do this using the -sign and -verify options. In rsautl
> "verify" does a public decrypt and writes the result rather than a memcmp
> and a Yes/No answer.

You are right:
--------------
$ openssl genrsa -out rsa.pem 1024
Generating RSA private key, 1024 bit long modulus
...............................................++++++
...................++++++
e is 65537 (0x10001)

$ openssl rsa -in rsa.pem -out rsa_pub.pem -pubout
writing RSA key

$ dd if=/dev/random of=key.bin bs=1 count=16
16+0 records in
16+0 records out

$ od -x key.bin
0000000 f06a cc91 ae4a 2112 e8e7 08ef 928c 10e2
0000020

$ openssl rsautl -sign -inkey rsa.pem -in key.bin -out key_enc.bin

$ openssl rsautl -verify -inkey rsa_pub.pem -pubin -in key_enc.bin -out key_dec.bin

$ od -x key_dec.bin
0000000 f06a cc91 ae4a 2112 e8e7 08ef 928c 10e2
0000020

I should have checked this before.

Best regards,
--
Marek Marcola <[hidden email]>

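An added illustration, not code from the thread or from OpenSSL, of the distinction discussed above between the encrypt/decrypt pair and the sign/verify pair, using textbook RSA with PKCS#1 v1.5 padding in standard-library Python. The key is a constructed toy key built from two Mersenne primes, and the function names and the sample license line are assumptions made for this sketch.

```python
# Added illustration: textbook RSA with PKCS#1 v1.5 padding, stdlib only.
# CONSTRUCTED toy key from two Mersenne primes: trivially factorable, demo only.
import hashlib
import os

P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus length in bytes


def _pad(block_type, data):
    """00 || BT || PS || 00 || data; PS is 0xFF (BT 1) or random nonzero (BT 2)."""
    fill = K - 3 - len(data)
    if fill < 8:
        raise ValueError("data too long for this modulus")
    ps = b"\xff" * fill if block_type == 1 else bytes(
        b % 255 + 1 for b in os.urandom(fill))
    return b"\x00" + bytes([block_type]) + ps + b"\x00" + data


def _unpad(block_type, block):
    sep = block.find(b"\x00", 2)
    ok = block[0] == 0 and block[1] == block_type and sep >= 10
    if ok and block_type == 1:
        ok = block[2:sep] == b"\xff" * (sep - 2)
    if not ok:
        raise ValueError("padding check failed")
    return block[sep + 1:]


def _rsa(exponent, block):
    return pow(int.from_bytes(block, "big"), exponent, N).to_bytes(K, "big")


def public_encrypt(data):    # "rsautl -encrypt": public exponent, even given a private key
    return _rsa(E, _pad(2, data))


def private_decrypt(ct):     # "rsautl -decrypt": needs D, hence the error message
    return _unpad(2, _rsa(D, ct))


def private_sign(data):      # "rsautl -sign" (RSA_private_encrypt, block type 1)
    return _rsa(D, _pad(1, data))


def public_recover(sig):     # "rsautl -verify" (RSA_public_decrypt): returns the data
    return _unpad(1, _rsa(E, sig))


def verify_file(content, sig):
    """Yes/no check: the recovered value must equal the SHA-256 of the content."""
    try:
        return public_recover(sig) == hashlib.sha256(content).digest()
    except ValueError:
        return False


if __name__ == "__main__":
    lic = b'<license cpus="4" valid_until="2007-01-01"/>'   # constructed sample
    sig = private_sign(hashlib.sha256(lic).digest())  # raw digest, no DigestInfo
    print(verify_file(lic, sig), verify_file(lic.replace(b'"4"', b'"64"'), sig))
```

Anyone holding the public key can run `public_recover`, so the sign path gives integrity and origin but no secrecy for the signed value.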