Francisco Puentes wrote, On 2008-09-17 14:27:
> Yes, I know.
>
> Precisely I need RSA to encrypt a buffer to exchange sessions keys (very
> small xml document), which will be used to encrypt the session with AES.
>
> So :-) Can NSS encrypt raw data?
With RSA?

NSS was designed around the FIPS 140 model of cryptography, in which all
symmetric and private keys are kept within the boundaries of a
"cryptographic module". They are generated or derived inside the module,
and as a rule, they do not come out of the module except when in "wrapped"
(encrypted) form. So, the typical expected sequence of events might follow
one of these models:

Model 1:

System A:
- generates a new symmetric session key in the module. This can be a key
  for a specific algorithm, or a generic secret value.
- wraps the symmetric key with the RSA public key of its peer, outputting
  the wrapped result to the program memory outside of the module.
- sends the wrapped session key to System B

System B:
- unwraps the received wrapped session key with its RSA private key, with
  the unwrapped result becoming a new key inside the module

Then both systems
- derive any other keys (encryption keys, MAC keys) from the session key,
  with all the newly derived keys remaining inside their respective modules,
- use the newly derived keys, still inside the module, to do the bulk data
  encryption and MACing.

That's essentially a description of RSA SSL with a few details left out. :)

Model 2:
- Rather than System A generating the new session key, System A and System B
  both generate keys of some other form, such as Diffie Hellman key pairs,
  in their respective modules, and then output & exchange the DH public keys.
  Each system inputs the other system's public value, and then does a DH key
  derivation inside its respective module, yielding a new session key, which
  is then used as in Model 1.

In practice, numerous other steps must be done to avoid MITM attacks on those
DH values, such as signing them and verifying the signatures, or doing a
double-DH exchange using both certified and ephemeral DH values, as in NIST's
KEA (used in Clipper), also implemented in NSS. :)

SSL offers either model.
Anyway, NSS is quite capable of
- generating or deriving symmetric session keys,
- wrapping symmetric session keys with RSA public keys, and outputting the
  wrapped result,
- inputting and unwrapping the received wrapped session key,
- deriving other keys from the unwrapped session key (or just using it
  directly as an encryption key).

Here are some functions to look at for wrapping and unwrapping.
- PK11_PubWrapSymKey
- PK11_PubUnwrapWithFlagsPerm

You'll probably find most of the functions you need in this file:
http://mxr.mozilla.org/security/source/security/nss/lib/pk11wrap/pk11pub.h

I might suggest using SSL, and letting all that heavy lifting be done for
you. That gives you the advantage of using a well designed and thoroughly
analyzed crypto protocol.

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
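The Model 1 exchange described in the reply above, written out end to end as an added example. This is not code from the original message and it does not use the NSS PK11 API (PK11_PubWrapSymKey and friends); it uses only Go's standard library. The Module type is a hypothetical stand-in for the FIPS 140 "cryptographic module" boundary: key bytes never leave it, callers only get integer handles. RSA-OAEP with SHA-256 as the wrap, HMAC-SHA256 as the derivation step and AES-256-GCM for the bulk data are my choices for illustration; the GCM tag takes the place of the separately derived MAC key the message mentions. The XML fragment in main is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Module is a hypothetical stand-in for the FIPS 140 "cryptographic module"
// boundary (not the NSS PK11 API): keys live only inside, callers get handles.
type Module struct {
	keys map[int][]byte
	next int
}

func NewModule() *Module { return &Module{keys: map[int][]byte{}, next: 1} }
func (m *Module) store(k []byte) int { h := m.next; m.next++; m.keys[h] = k; return h }
func (m *Module) lookup(h int) ([]byte, error) {
	if k, ok := m.keys[h]; ok { return k, nil }
	return nil, errors.New("no such key handle")
}

// GenerateSessionKey is System A's first step: a fresh 256-bit secret, kept inside.
func (m *Module) GenerateSessionKey() (int, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return 0, err }
	return m.store(k), nil
}

// PubWrap encrypts the key under the peer's RSA public key (RSA-OAEP/SHA-256);
// only the wrapped blob leaves the module, the caller never sees the key bytes.
func (m *Module) PubWrap(h int, peer *rsa.PublicKey) ([]byte, error) {
	k, err := m.lookup(h)
	if err != nil { return nil, err }
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, peer, k, []byte("session-key"))
}

// PubUnwrap is System B's step: the decrypted key becomes a new handle inside.
func (m *Module) PubUnwrap(wrapped []byte, priv *rsa.PrivateKey) (int, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte("session-key"))
	if err != nil { return 0, err }
	return m.store(k), nil
}

// Derive yields a labelled sub-key (HMAC-SHA256 of the label under the session
// key) that also stays inside; both sides derive identical values.
func (m *Module) Derive(h int, label string) (int, error) {
	k, err := m.lookup(h)
	if err != nil { return 0, err }
	mac := hmac.New(sha256.New, k)
	mac.Write([]byte(label))
	return m.store(mac.Sum(nil)), nil
}

func (m *Module) aead(h int) (cipher.AEAD, error) {
	k, err := m.lookup(h)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(k)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal does the bulk encryption with AES-256-GCM under a derived key; the GCM
// tag provides the integrity a separately derived MAC key would have given.
func (m *Module) Seal(h int, plaintext []byte) ([]byte, error) {
	g, err := m.aead(h)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails on any change to nonce, ciphertext or tag.
func (m *Module) Open(h int, ct []byte) ([]byte, error) {
	g, err := m.aead(h)
	if err != nil { return nil, err }
	n := g.NonceSize()
	if len(ct) < n { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:n], ct[n:], nil)
}

// RunModel1 runs the whole exchange between two modules and returns what
// System B recovers from System A's encrypted message.
func RunModel1(msg []byte) ([]byte, error) {
	a, b := NewModule(), NewModule()
	bPriv, err := rsa.GenerateKey(rand.Reader, 2048) // B's long-term RSA key pair
	if err != nil { return nil, err }
	sessA, err := a.GenerateSessionKey()
	if err != nil { return nil, err }
	wrapped, err := a.PubWrap(sessA, &bPriv.PublicKey) // this blob crosses the wire
	if err != nil { return nil, err }
	sessB, err := b.PubUnwrap(wrapped, bPriv)
	if err != nil { return nil, err }
	encA, _ := a.Derive(sessA, "enc") // handles were just created; cannot fail
	encB, _ := b.Derive(sessB, "enc")
	ct, err := a.Seal(encA, msg)
	if err != nil { return nil, err }
	return b.Open(encB, ct)
}

func main() {
	out, err := RunModel1([]byte("<session><id>42</id></session>")) // constructed sample
	if err != nil { panic(err) }
	fmt.Printf("System B recovered: %s\n", out)
}
```

The point to notice is what RunModel1 never touches: the session key bytes. System A only ever holds sessA and encA, System B only sessB and encB, and the one thing that crosses the boundary is the OAEP-wrapped blob, which is exactly the discipline the reply describes for NSS's PK11 wrap and unwrap calls.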

