On 8/22/2012 10:51 AM, j.witvl...@mindef.nl wrote: > -----Original Message----- > From: opensc-devel-boun...@lists.opensc-project.org > [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Douglas > E. Engert > Sent: Wednesday, August 22, 2012 5:12 PM > To: opensc-devel@lists.opensc-project.org > Subject: Re: [opensc-devel] encrypt / decrypt > > > > On 8/22/2012 9:50 AM, j.witvl...@mindef.nl wrote: >> Hi all, >> >> I've been trying to make more use of our smartcards, but I think I am >> missing the point some how. >> What I would like to do is: >> a) encrypt some data, by means of one of my private keys on my smartcard >> someone else should be able to decrypt it with the public key on my >> certificate. >> >> b) let someone else encrypt some data, by means of my public key on my >> certificate. >> I should be able to decrypt it with one of my private keys on my smartcard. >> >> I speak in plural about keys/certificates, cause we have different pairs for >> authentication/non-repodiation/etc >> >> So first I load the engine: >> OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre >> ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre >> MODULE_PATH:/usr/lib/libaetpkss.so.3.0 >> (dynamic) Dynamic engine loading support >> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so >> [Success]: ID:pkcs11 >> [Success]: LIST_ADD:1 >> [Success]: LOAD >> [Success]: MODULE_PATH:/usr/lib/libaetpkss.so.3.0 >> Loaded: (pkcs11) pkcs11 engine >> OpenSSL> >> >> And next I try to encrypt something: >> OpenSSL> >> OpenSSL> enc -base64 -in /root/data.txt -out file.txt.enc -engine pkcs11 >> engine "pkcs11" set. >> OpenSSL> >>
openssl enc only works with symmetric keys. You could write your own program to use openssl to use RSA. >> OpenSSL> enc -d -aes-256-cbc -a -in file.txt.enc -engine pkcs11 >> engine "pkcs11" set. >> enter aes-256-cbc decryption password: >> error in enc >> OpenSSL> >> >> >> I presume, I'll have to specify which private-key (and PIN), although "-k >> 41" or "-k 43" does not work either, neither does "-key id_43" >> Am I missing something, or is this just not possible? > > Yes you are missing something. Because asymmetric key encryption like RSA is > slow and the amount of data that can be encrypted is limited, what is usually > done is to encrypt the data in a symmetric key, like AES, then encrypt the AES > key using the RSA public key. the encrypted data and the encrypted key are > then > sent, and the process is reversed using the RSA private key. > > This packaging of the message is usually done with something like smime or CMS > Openssl can do both. (CMS in newer versions only) > -----Original Message----- > > No, the aspect of using a symmetric key didn't slip my mind. > That very well when encrypting large amount of data... > But when the symmetric key is large (compared to the data), then the overhead > does not justify the means. (I think) > And you have to transfer the encrypted key as well as the encrypted data. > How short are these messages? Using PKCS#11 CKM_RSA_X_509, the size of the message must be less then the size of the modulus and if using some padded version between 11 bytes less and maybe half the size of the modulus. Using RSA directly of a previously sent message will produce the same encrypted output which could be subject examination or re-play. Smime and CMS avoid many of these security issues and others. > Hw > > ______________________________________________________________________ > Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet > de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt > u verzocht dat aan de afzender te melden en het bericht te verwijderen. De > Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die > verband houdt met risico's verbonden aan het elektronisch verzenden van > berichten. > > This message may contain information that is not intended for you. If you are > not the addressee or if this message was sent to you by mistake, you are > requested to inform the sender and delete the message. The State accepts no > liability for damage of any kind resulting from the risks inherent in the > electronic transmission of messages. > > -- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
