PEM_write_bio_RSAPrivateKey assure Randomness of PK

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

PEM_write_bio_RSAPrivateKey assure Randomness of PK

redpath
My question is:
   I have this handy function to create a Private and Public key
But what is the magic I put around it to make sure it is random not the same
Private and Public key when I run this program each time?

I am using openSSL on OSX and Android. I am not familiar with the random API
seeding
though I can pick the UUID of the device or whatever.

* I am sure there is some standard call unless of course the Initialization
of openSSL does the random seed nicely?*

Thanks in advance.



===========
/**
 * Compile for testmipluginSecurity.c
 * Self Testing
 *   cc -o main -DTEST -Wno-deprecated-declarations main.c -lcrypto

 * Origin: r redpath
 * Project: wouldn't you like to know
 ************************/
#include <string.h>
#include <stdlib.h>
#include <memory.h>
#include <stdio.h>

#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#include <openssl/rand.h>
#include <openssl/aes.h>
/**
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
**/

void init_openssl(void){

    ERR_load_BIO_strings();
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();
    OpenSSL_add_all_ciphers();
    OpenSSL_add_all_digests();
}


/****************
 * Create Public and Private Key and return the PEMs as string data
 * origin: redpath
PEM_write_bio_PUBKEY (Traditional PEM format). Notice BEGIN PUBLIC KEY
PEM_write_bio_RSAPublicKey (PKCS PEM format). Notice BEGIN RSA PUBLIC KEY

PEM_write_bio_PrivateKey (PEM). Notice BEGIN PRIVATE KEY
PEM_write_bio_PKCS8PrivateKey (PEM). Notice BEGIN PRIVATE KEY
PEM_write_bio_RSAPrivateKey (PEM). Notice BEGIN RSA PRIVATE KEY
 *****************/
void createRSAkeyPair(char **private, char **public){
   EVP_PKEY* evp= EVP_PKEY_new();
   RSA      *rsa= RSA_generate_key(2048,RSA_F4,NULL,NULL);
   int    keylen;
   char *pem_key;

   EVP_PKEY_assign_RSA(evp,rsa);
    BIO *bio = BIO_new(BIO_s_mem());
      PEM_write_bio_RSAPrivateKey(bio, rsa, NULL, NULL, 0, NULL, NULL);
      keylen = BIO_pending(bio);
      pem_key = calloc(keylen+1, 1); /* Null-terminate */
      BIO_read(bio, pem_key, keylen);
      *private = pem_key;
    BIO_free(bio);

    bio = BIO_new(BIO_s_mem());
      //PEM_write_bio_RSAPublicKey(bio,rsa); // (PKCS PEM format).
      PEM_write_bio_PUBKEY(bio, evp);  //(Traditional PEM format).
      keylen = BIO_pending(bio);
      pem_key = calloc(keylen+1, 1); /* Null-terminate */
      BIO_read(bio, pem_key, keylen);
      *public = pem_key;
    BIO_free(bio);
    EVP_PKEY_free(evp);
}


#if defined TEST

int main(int argc, char **argv){
   unsigned char key[16];
   unsigned char iv[16];
   char *private, *public;
   X509 *x;
   char *pem;
   size_t g_length;

   init_openssl();
   
   createRSAkeyPair(&private, &public);
   printf("%s",private);
   printf("\n\n");
   printf("%s",public);

}

#endif



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: PEM_write_bio_RSAPrivateKey assure Randomness of PK

redpath
SO if I add this RAND usage below, em I seeding to assure a different RSA key
pair each time run of
creating a RSA pair.

I would certainly replace the time with the UUID of the device to be unique
to the device.
You would have to acquire the device to know the seeding. Hey  keep the Time
one too.

void init_openssl(void){
    if (initialized!=0)
      return;
    initialized= 1;
    ERR_load_BIO_strings();
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();
    OpenSSL_add_all_ciphers();
    OpenSSL_add_all_digests();

    unsigned long Time=(unsigned long)time(NULL);
    RAND_add(&Time,sizeof(Time),0);  //better than nothing for a starting
point
}



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: PEM_write_bio_RSAPrivateKey assure Randomness of PK

Viktor Dukhovni


> On May 23, 2018, at 1:08 PM, redpath <[hidden email]> wrote:
>
> SO if I add this RAND usage below, em I seeding to assure a different RSA key
> pair each time run of
> creating a RSA pair.
>
> I would certainly replace the time with the UUID of the device to be unique
> to the device.
> You would have to acquire the device to know the seeding. Hey  keep the Time
> one too.

NO.  Seeding exclusively in this way is a terrible idea and MUST NOT be
done.  You need considerably more randomness than found in a timestamp
or a device serial number.

It is not enough for keys to be unique, they need to be computationally
unpredictable.

If the device is generating keys it needs a decent source of randomness.
Otherwise, keys might need to be generated elsewhere and loaded onto the
device.

--
--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: PEM_write_bio_RSAPrivateKey assure Randomness of PK

OpenSSL - User mailing list
In reply to this post by redpath
What version of OpenSSL are you using?

Using the time to seed the RNG is horrible; DO NOT DO THAT.

Not trying to be insulting, but if you think time is a good source, then you really don't know what you're doing for RNG's.  Consider looking at the master branch, with its highly-improve seeding and RNG code.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: PEM_write_bio_RSAPrivateKey assure Randomness of PK

Michael Wojcik
In reply to this post by redpath
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of redpath
> Sent: Wednesday, May 23, 2018 13:08
> To: [hidden email]
> Subject: Re: [openssl-users] PEM_write_bio_RSAPrivateKey assure
> Randomness of PK
>
> SO if I add this RAND usage below, em I seeding to assure a different RSA key
> pair each time run of creating a RSA pair.

You'll get a *different* key pair (with high probability) each time, provided you wait at least a second between generating keys. That is, if you get anything at all; you may not, if there isn't enough entropy in the pool.

You'll also get completely pointless keys, because the wall-clock time contains little entropy.

As Viktor wrote: DO NOT DO THIS. If you don't understand why, stop trying to use cryptography until you've learned enough about the subject to be a bit less dangerous.

> I would certainly replace the time with the UUID of the device to be unique
> to the device. You would have to acquire the device to know the seeding.

Or get the UUID through any other means, such as a malicious app.

And generating two key pairs after seeding with UUID || time means the CPRNG state differs only by the 32 bits in time - and most of those will be the same, unless a *long* time has passed. So the joint information of the pairs is high, which is a Bad Thing.

And UUIDs are only 128 bits, so the total seed size is 160 bits; and neither the UUID nor the time are completely random (far from it), so you only have a small amount of entropy. DO NOT DO THIS.

There's no point in using a real cipher if you're going to starve your CPRNG. Just use a toy cipher - it's less work for you, and you won't be making false promises of security.

If you want to do this right:

1) Learn something about cryptography.
2) Gather sufficient entropy from suitable sources. If nothing else, have the user scribble on the touchscreen and track pointer movement. It's still easy to overestimate the entropy of that sort of thing, but it's better than nothing, and indeed better than what many people do for seeding.

Oh, and asking questions about OpenSSL, a smart move is to mention what version of OpenSSL you're using, platform details, and something about the problem you're trying to solve.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: PEM_write_bio_RSAPrivateKey assure Randomness of PK

Marian Beermann
On 23.05.2018 20:39, Michael Wojcik wrote:

>> From: openssl-users [mailto:[hidden email]] On Behalf
>> Of redpath
>> Sent: Wednesday, May 23, 2018 13:08
>> To: [hidden email]
>> Subject: Re: [openssl-users] PEM_write_bio_RSAPrivateKey assure
>> Randomness of PK
>>
>> SO if I add this RAND usage below, em I seeding to assure a different RSA key
>> pair each time run of creating a RSA pair.
>
> You'll get a *different* key pair (with high probability) each time, provided you wait at least a second between generating keys. That is, if you get anything at all; you may not, if there isn't enough entropy in the pool.
>
> You'll also get completely pointless keys, because the wall-clock time contains little entropy.
>
> As Viktor wrote: DO NOT DO THIS. If you don't understand why, stop trying to use cryptography until you've learned enough about the subject to be a bit less dangerous.
>

... if this is code going in the general direction of "production
deployment", then get a crypto-person on board, or at least get them to
review and sign off the code. Otherwise this *will* end in a debacle.

-Marian
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: PEM_write_bio_RSAPrivateKey assure Randomness of PK

redpath
In reply to this post by Michael Wojcik
Well what I was alluding to is this the correct use of the RAND_add function
to seed the Key generation. Its a bit confusing certainly. I will use more
than the UUID
of the device but you have to have the device in hand to know that and know
it came from
a device.

I certainly will use better than time and UUID, just need to know calling
this seed of the rand function
is the right thing to do to effect the  Key generation?

Then second all I need to do is solve the random seeding to be less than a
toy input for entropy, this is just an example that I must use RAND_add

So my correct usage of RAND_add validate? and second I will find a good
input for it.
Just let me know, thanks for taking the quick time to address this.


Thanks




--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: PEM_write_bio_RSAPrivateKey assure Randomness of PK

OpenSSL - User mailing list
>    Well what I was alluding to is this the correct use of the RAND_add function
    to seed the Key generation. Its a bit confusing certainly.

You are calling the API correctly.  That should have been clear from the manpage.

You still did not tell us what version of OpenSSL you are using.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: PEM_write_bio_RSAPrivateKey assure Randomness of PK

redpath
Oh I am using openssl-1.0.2o just for development

But I certainly will take a recommendation of version.
Thats always appreciated.



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: PEM_write_bio_RSAPrivateKey assure Randomness of PK

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of redpath
> Sent: Wednesday, May 23, 2018 16:02
> To: [hidden email]
> Subject: Re: [openssl-users] PEM_write_bio_RSAPrivateKey assure
> Randomness of PK
>
> Oh I am using         openssl-1.0.2o just for development
>
> But I certainly will take a recommendation of version.

1.0.2 is currently a Long-Term Support (LTS) release, but support ends at the end of 2019. 1.1.1 is the new LTS release, and since 1.1 introduced a number of API changes and new features, I think it's worthwhile moving to 1.1.1 (at the latest fix level) as soon as is convenient.

That said, 1.0.2o is fine as well - just keep in mind that at some point you'll need to change to the 1.1 API, and you may need to move sooner to get features you want. As Rich mentioned, 1.1 has some improvements regarding random seeding, so it may be worth doing that now.

--
Michael Wojcik
Distinguished Engineer, Micro Focus



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: PEM_write_bio_RSAPrivateKey assure Randomness of PK

Wim Lewis-3
In reply to this post by redpath

On 23. maĆ­ 2018, at 10:08 f.h., redpath <[hidden email]> wrote:
> SO if I add this RAND usage below, em I seeding to assure a different RSA key
> pair each time run of creating a RSA pair.
>
> I would certainly replace the time with the UUID of the device to be unique
> to the device. You would have to acquire the device to know the seeding. Hey  keep the Time
> one too.


Attempting to provide a more useful response ...

That is the right way to add entropy to the pool, but (as everyone else has said) neither the current time nor the device's UUID provide enough entropy to satisfy any cryptographic requirements. Adding them to the random pool won't hurt, but you should set the entropy-estimate argument equal to zero (like you did in your example).

Depending on your OpenSSL version *and the platform it's running on*, OpenSSL may automatically seed the random pool from the platform's random-number source(s). It does this by calling RAND_poll(), which is documented in the same manual page as RAND_add(). So, normally you do not need to worry about explicitly seeding the random number generator.

However, if you're running on an embedded device, or running immediately after bootup, or some other situation in which OpenSSL can't get good entropy from the system, you may need to figure out how to supply some yourself. That's pretty difficult to do.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: PEM_write_bio_RSAPrivateKey assure Randomness of PK

redpath
I thought the new openSSL did the pool hence why I started this post as I
wanted to assure that
use of the function is correct for key generation effect; then next step to
figure out some entropy.

thanks a whole bunch




--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users