Decryption with RSA public keys not possible?

Decryption with RSA public keys not possible?

Simon de Hartog-3
Hi,

I have a rather complicated situation in the sense that I need to
realize licensing checks of software. This is done through a config file
that is signed through a USB smartcard (crypto-token). Next to that, I
have a symmetric blowfish key that I need for that. This key has been
encrypted (yes, an encrypted encryptionkey :-)) by an RSA-private key.
However, when I try to use openssl to decrypt using the corresponding
RSA-public key, I get:

A private key is needed for this operation

The command used is:

openssl rsautl -decrypt -pubin -inkey myrsakey.pub -in blowfish.enc

The blowfish.enc file was generated through:

dd if=/dev/random of=blowfishkey bs=16 count=1
openssl rsautl -encrypt -in blowfishkey -out blowfishkey.enc \
-inkey myrsakey.key

I use:
OpenSSL 0.9.7g 11 Apr 2005

I know RSA encryption and decryption can only be used for very small
pieces of data. I need to encrypt more data, so I use a symmetric key to
encrypt and decrypt data and I make sure the key used to encrypt stuff
was encrypted by myself.

So in short: why can't I decrypt data with an RSA public key that has
been encrypted with the corresponding RSA private key?

BTW: I have to do this in Python (sorry, wasn't my choice :-( ), so I
can't use the RSA_public_decrypt() subroutine which, judging from
internet comments, *can* actually decrypt data with an RSA public key...

Any comments are welcome. Thanks in advance.

Kind regards,

Simon de Hartog
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Decryption with RSA public keys not possible?

Dr. Stephen Henson
On Thu, Apr 13, 2006, Simon de Hartog wrote:

> Hi,
>
> I have a rather complicated situation in the sense that I need to
> realize licensing checks of software. This is done through a config file
> that is signed through a USB smartcard (crypto-token). Next to that, I
> have a symmetric blowfish key that I need for that. This key has been
> encrypted (yes, an encrypted encryptionkey :-)) by an RSA-private key.
> However, when I try to use openssl to decrypt using the corresponding
> RSA-public key, I get:
>
> A private key is needed for this operation
>
> The command used is:
>
> openssl rsautl -decrypt -pubin -inkey myrsakey.pub -in blowfish.enc
>
> The blowfish.enc file was generated through:
>
> dd if=/dev/random of=blowfishkey bs=16 count=1
> openssl rsautl -encrypt -in blowfishkey -out blowfishkey.enc \
> -inkey myrsakey.key
>
> I use:
> OpenSSL 0.9.7g 11 Apr 2005
>
> I know RSA encryption and decryption can only be used for very small
> pieces of data. I need to encrypt more data, so I use a symmetric key to
> encrypt and decrypt data and I make sure the key used to encrypt stuff
> was encrypted by myself.
>
> So in short: why can't I decrypt data with an RSA public key that has
> been encrypted with the corresponding RSA private key?
>
> BTW: I have to do this in Python (sorry, wasn't my choice :-( ), so I
> can't use the RSA_public_decrypt() subroutine which, judging from
> internet comments, *can* actually decrypt data with an RSA public key...
>

You can't because that isn't what the operation is doing. If you perform an
"encrypt" operation with RSA it is encrypting the data using a *public* key.
It accepts a private key but only uses the public key portion of it.

That's why the decrypt operation fails: it needs a private key.

It seems a bit odd to do what you are suggesting. Symmetric keys are normally
secret and doing that would make it readable to anyone with access to the
public key.

If you really want to do that then you probably want the sign/verify
operations instead which call RSA_private_encrypt() and RSA_public_decrypt().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Decryption with RSA public keys not possible?

Simon de Hartog-3
Dr. Stephen Henson wrote:
> You can't because that isn't what the operation is doing. If you perform an
> "encrypt" operation with RSA it is encrypting the data using a *public* key.
> It accepts a private key but only uses the public key portion of it.
>
> That's why the decrypt operation fails: it needs a private key.

Ok, now I understand. Thanks for the answer.

> It seems a bit odd to do what you are suggesting. Symmetric keys are normally
> secret and doing that would make it readable to anyone with access to the
> public key.
> If you really want to do that then you probably want the sign/verify
> operations instead which call RSA_private_encrypt() and RSA_public_decrypt().

What I want to do is the following: I want to restrict use of software
by specifying limits such as number of CPU's and validity until a
certain date. This data will be put in an .xml file. But, I want to be
able to make sure that the software has to use a Smartcard (with public
and private key) to check the integrity of this .xml file so nobody can
alter it, but I *also* want to make sure that the .xml file was made and
certified by the company that owns the software.

The easy solution would be to just use certificates and use the validity
periods therein. I could use the company's CA cert and store the
software user's cert in the smartcard. However, this would imply having
to update the smartcard every time they pay license fees and this is not
desirable. So I just want to use public/private keys, no
certificates for this.

> Steve.

Kind regards,

Simon de Hartog

RE: Decryption with RSA public keys not possible?

JoelKatz
In reply to this post by Simon de Hartog-3

> However, when I try to use openssl to decrypt using the corresponding
> RSA-public key, I get:
>
> A private key is needed for this operation

        That is how RSA encryption works:

        1) There is a public key that you can distribute.

        2) There is a private key from which the public key can be derived.

        3) The private key cannot be derived from the public key.

        4) You can sign with the private key and verify that signature with the
public key.

        5) You can encrypt with the public key and the private key is necessary to
decrypt.

        It sounds like you're not doing any of these five things. What sensible
algorithm permits decryption with the public key?

> The command used is:
>
> openssl rsautl -decrypt -pubin -inkey myrsakey.pub -in blowfish.enc

        You cannot decrypt with the public key, otherwise you would have a piece of
encrypted data that anyone could decrypt. If your goal is to make sure that
the information was somehow processed with the private key, you want a
signature, not an encryption.

> I know RSA encryption and decryption can only be used for very small
> pieces of data. I need to encrypt more data, so I use a symmetric key to
> encrypt and decrypt data and I make sure the key used to encrypt stuff
> was encrypted by myself.

        Sounds like you need to both encrypt and sign the key.

> So in short: why can't I decrypt data with an RSA public key that has
> been encrypted with the corresponding RSA private key?

        Because you actually encrypted with the public key, which can be trivially
derived from the private key.

> BTW: I have to do this in Python (sorry, wasn't my choice :-( ), so I
> can't use the RSA_public_decrypt() subroutine which, judging from
> internet comments, *can* actually decrypt data with an RSA public key...

        It's hard to tell you what to do without understanding your security and
threat model. But the reason what you're trying to do won't work is that RSA
decryption requires the private key so that only the owner of the key can
decrypt. The standard RSA routines don't imagine a situation where only one
person should be allowed to encrypt but anyone can decrypt, other than a
digital signature.

>What I want to do is the following: I want to restrict use of software
>by specifying limits such as number of CPU's and validity until a
>certain date. This data will be put in an .xml file. But, I want to be
>able to make sure that the software has to use a Smartcard (with public
>and private key) to check the integrity of this .xml file so nobody can
>alter it, but I *also* want to make sure that the .xml file was made and
>certified by the company that owns the software.

        That is not easy to do. You are trying to give the information to and keep
the information from the same entity.

>The easy solution would be to just use certificates and use the validity
>periods therein. I could use the company's CA cert and store the
>software user's cert in the smartcard. However, this would imply having
>to update the smartcard every time they pay license fees and this is not
>desirable. So I just want to use public/private keys, no
>certificates for this.

        I don't follow at all. When someone pays license fees, you need to somehow
track the information that their validity period was extended. If not by
updating the smartcard, how do you want to do that?

        DS



Re: Decryption with RSA public keys not possible?

Simon de Hartog-3
Hi all,

I've removed the replies, for shortness. Thank you very much for them,
they have been very enlightening. I think I've found my solution. What I
wanted to do is make sure that the software only runs on a system that
has a smartcard connected to it that the software owner has sent the
customer.
Next to that, I want the configuration file to also only have been
created by the software owner. Therefore I think I need to sign the
configuration twice.

My theory (please correct me if I'm wrong): there are two ways to verify
that a signature on a piece of data is correct:

1) Creating the digest of that data and verifying it with the
corresponding public key to see if the signature was created with that
private key;

2) Recreate the signature with the private key (assuming I have it) and
see if it matches the signature.

I know 2) is not really a common option, but in this case it should be
worthwhile. My plan is:

- sign the configuration with the smartcard;
- sign the resulting signature with the private key of the software owner.

To check, I can now:

- re-sign the configuration file with the smartcard (method 2);
- make a digest of the resulting signature and check whether the "signed
signature" was actually signed by the software owner's private key by
validating the digest with the software owner's public key (method 1).

David Schwartz told me it was not easy and I agree. But to me it looks
like this could do the trick. Please bear in mind that the software user
has control over the smartcard but not over the software owner's public key.

So, is this safe? Any comments? Thanks in advance :-)

Kind regards,

Simon de Hartog

Re: Decryption with RSA public keys not possible?

Kyle Hamilton
In reply to this post by JoelKatz
just a side note:

RSA private keys can be used to encrypt data that can be decrypted
with the public key.

RSA public keys can be used to encrypt data that can be decrypted with
the private key.

The speed of the operation is 3 to 4 orders of magnitude slower than
the equivalent encryption/decryption with a symmetric key.  However,
the fact that the RSA function is invertible is what allows it to be
used for secure asymmetric authentication.

On 4/13/06, David Schwartz <[hidden email]> wrote:

>
> > However, when I try to use openssl to decrypt using the corresponding
> > RSA-public key, I get:
> >
> > A private key is needed for this operation
>
>         That is how RSA encryption works:
>
>         1) There is a public key that you can distribute.
>
>         2) There is a private key from which the public key can be derived.
>
>         3) The private key cannot be derived from the public key.
>
>         4) You can sign with the private key and verify that signature with the
> public key.
>
>         5) You can encrypt with the public key and the private key is necessary to
> decrypt.
>
>         It sounds like you're not doing any of these five things. What sensible
> algorithm permits decryption with the public key?
>
> > The command used is:
> >
> > openssl rsautl -decrypt -pubin -inkey myrsakey.pub -in blowfish.enc
>
>         You cannot decrypt with the public key, otherwise you would have a piece of
> encrypted data that anyone could decrypt. If your goal is to make sure that
> the information was somehow processed with the private key, you want a
> signature, not an encryption.
>
> > I know RSA encryption and decryption can only be used for very small
> > pieces of data. I need to encrypt more data, so I use a symmetric key to
> > encrypt and decrypt data and I make sure the key used to encrypt stuff
> > was encrypted by myself.
>
>         Sounds like you need to both encrypt and sign the key.
>
> > So in short: why can't I decrypt data with an RSA public key that has
> > been encrypted with the corresponding RSA private key?
>
>         Because you actually encrypted with the public key, which can be trivially
> derived from the private key.
>
> > BTW: I have to do this in Python (sorry, wasn't my choice :-( ), so I
> > can't use the RSA_public_decrypt() subroutine which, judging from
> > internet comments, *can* actually decrypt data with an RSA public key...
>
>         It's hard to tell you what to do without understanding your security and
> threat model. But the reason what you're trying to do won't work is that RSA
> decryption requires the private key so that only the owner of the key can
> decrypt. The standard RSA routines don't imagine a situation where only one
> person should be allowed to encrypt but anyone can decrypt, other than a
> digital signature.
>
> >What I want to do is the following: I want to restrict use of software
> >by specifying limits such as number of CPU's and validity until a
> >certain date. This data will be put in an .xml file. But, I want to be
> >able to make sure that the software has to use a Smartcard (with public
> >and private key) to check the integrity of this .xml file so nobody can
> >alter it, but I *also* want to make sure that the .xml file was made and
> >certified by the company that owns the software.
>
>         That is not easy to do. You are trying to give the information to and keep
> the information from the same entity.
>
> >The easy solution would be to just use certificates and use the validity
> >periods therein. I could use the company's CA cert and store the
> >software user's cert in the smartcard. However, this would imply having
> >to update the smartcard every time they pay license fees and this is not
> >desirable. So I just want to use public/private keys, no
> >certificates for this.
>
>         I don't follow at all. When someone pays license fees, you need to somehow
> track the information that their validity period was extended. If not by
> updating the smartcard, how do you want to do that?
>
>         DS
>
>

Re: Decryption with RSA public keys not possible?

Marek.Marcola
Hello,
> just a side note:
>
> RSA private keys can be used to encrypt data that can be decrypted
> with the public key.
>
> RSA public keys can be used to encrypt data that can be decrypted with
> the private key.
That's true, "signing" is technically nothing other than encrypting some
data (md hash) with the private key, whereas "verifying" is decrypting
some data with the public key (with added memcmp() magic :-).
The "openssl" command cannot encrypt with a private key because it is written
this way, not because it is not possible.
My suggestion is to write a little utility for this purpose using
RSA_private_encrypt()/RSA_public_decrypt() functions, which will
be 2 pages long and may be called from Python.
If someone really wants this functionality of course :-)

Best regards,
--
Marek Marcola <[hidden email]>


Re: Decryption with RSA public keys not possible?

Dr. Stephen Henson
On Fri, Apr 14, 2006, Marek Marcola wrote:

> Hello,
> > just a side note:
> >
> > RSA private keys can be used to encrypt data that can be decrypted
> > with the public key.
> >
> > RSA public keys can be used to encrypt data that can be decrypted with
> > the private key.
> That's true, "signing" is technically nothing other than encrypting some
> data (md hash) with the private key, whereas "verifying" is decrypting
> some data with the public key (with added memcmp() magic :-).

That is true for RSA but not for other algorithms BTW...

Well actually it isn't completely true for RSA either, PSS mode doesn't work
like that.

> The "openssl" command cannot encrypt with a private key because it is written
> this way, not because it is not possible.

The rsautl utility can do this using the -sign and -verify options. In rsautl
"verify" does a public decrypt and writes the result rather than a memcmp
and a Yes/No answer.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Decryption with RSA public keys not possible?

Marek.Marcola
Hello,

> The rsautl utility can do this using the -sign and -verify options. In rsautl
> "verify" does a public decrypt and writes the result rather than a memcmp
> and a Yes/No answer.
You are right:
--------------

$ openssl genrsa -out rsa.pem 1024
Generating RSA private key, 1024 bit long modulus
...............................................++++++
...................++++++
e is 65537 (0x10001)

$ openssl rsa -in rsa.pem -out rsa_pub.pem -pubout
writing RSA key

$ dd if=/dev/random of=key.bin bs=1 count=16
16+0 records in
16+0 records out

$ od -x key.bin
0000000 f06a cc91 ae4a 2112 e8e7 08ef 928c 10e2
0000020

$ openssl rsautl -sign -inkey rsa.pem -in key.bin -out key_enc.bin

$ openssl rsautl -verify -inkey rsa_pub.pem -pubin -in key_enc.bin -out key_dec.bin

$ od -x key_dec.bin
0000000 f06a cc91 ae4a 2112 e8e7 08ef 928c 10e2
0000020

I should have checked this before.

Best regards,
--
Marek Marcola <[hidden email]>
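
Added example (not part of the thread and not OpenSSL code): a pure-Python walk-through of what the `rsautl -sign` / `-verify` session above does, namely a private-key operation on PKCS#1 v1.5 type-1 padded data and a public-key operation that recovers the data. The toy key, the function names and the sample 16-byte key are constructed for illustration; the key is built from well-known primes and is not secure.

```python
# Toy RSA key, constructed for this example (Mersenne primes: NOT secure).
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus length in bytes


def _pad_type1(data: bytes) -> bytes:
    """PKCS#1 v1.5 block type 1: 00 01 FF..FF 00 || data (deterministic)."""
    if len(data) > K - 11:
        raise ValueError("data too long for this modulus")
    return b"\x00\x01" + b"\xff" * (K - 3 - len(data)) + b"\x00" + data


def _unpad_type1(block: bytes) -> bytes:
    """Strictly check the type-1 padding and return the embedded data."""
    if len(block) != K or block[:2] != b"\x00\x01":
        raise ValueError("bad block type")
    sep = block.find(b"\x00", 2)
    # At least eight FF bytes are required, so the separator sits at >= 10.
    if sep < 10 or block[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("bad padding")
    return block[sep + 1:]


def private_sign(data: bytes) -> bytes:
    """Private-key operation on padded data (the role of `rsautl -sign`)."""
    m = int.from_bytes(_pad_type1(data), "big")
    return pow(m, D, N).to_bytes(K, "big")


def public_recover(sig: bytes) -> bytes:
    """Public-key operation that returns the data (the role of `rsautl -verify`).

    Only N and E are used: every holder of the public key can run this.
    """
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= N:
        raise ValueError("signature out of range")
    return _unpad_type1(pow(s, E, N).to_bytes(K, "big"))


if __name__ == "__main__":
    sample_key = bytes(range(16))            # constructed 16-byte symmetric key
    wrapped = private_sign(sample_key)
    print("wrapped  :", wrapped.hex())
    print("recovered:", public_recover(wrapped).hex())
    # A modified blob fails the padding check instead of yielding a key.
    tampered = wrapped[:-1] + bytes([wrapped[-1] ^ 0x01])
    try:
        public_recover(tampered)
    except ValueError as exc:
        print("tampered blob rejected:", exc)
```

Because `public_recover()` needs only the public key, this construction shows who produced the wrapped key but gives it no confidentiality, which is the point raised earlier in the thread.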
