(please forgive me for the messiness of this email.) * Dr. Henson: When OpenSSL encrypts the private key, does it encrypt the public key and exponent as well, or just the private part of the key? if it encrypts the pubkey and exp as well, is this to verify the proper private key when it's loaded?
Chris, the short answer is: no, RSA decryption does not require the public exponent. However, there's a couple of caveats that apply with OpenSSL due to design decisions. Also: nothing should ever cause a SEGV, so this is a bug. (Security against DoS depends on always checking your parameters, no matter what you think the source is going to be. ;) ) e and n are the public key, d is the private key, and the primes that generated them should be discarded. (more detail: choose 2 primes that are not equal to each other but are of equal length to each other, p and q. Let n = (p*q). Compute the totient of p*q (that is, ((p-1)*(q-1))), and randomly generate a key e such that 1 < e < (p-1)(q-1) AND e is relatively prime to that totient. Compute decryption key d such that e*d = 1 (mod ((p-1)*(q-1)) e and n make up the public key. d makes up the private key.) Encryption occurs on blocks of size < n, and I'm going to assume just a single block here (cuz it's easier): ciphertext = exp(message,e) % n; message = exp(ciphertext,d) % n; Theoretically, there should be no need for e during decryption. However, in OpenSSL the assumption has been made that the public key can always be extracted from the private key file, since the keys that it generates are stored such. * reference material provided by Applied Cryptography 2nd Edition, Schneier 1996 and http://en.wikipedia.org/wiki/RSA -Kyle H On 2/22/06, Chris <[EMAIL PROTECTED]> wrote: > On 2/22/06, Chris <[EMAIL PROTECTED]> wrote: > > Decryption seg faults without e and is incorrect with e: > > <snip> > > Seems strange to seg fault, doesn't it know something is > missing/incorrect? Does RSA_new not initialize the structure to a clean > state? Wouldn't an error be appropriate here? > > OK, I worked this out. It was the public exponent requirement that was > throwing me off. > > After tracing this I see it's some call to BLINDING_HELPER() (rsa_eay.c > line 466 of ossl 0.9.7i) that needs the public exponent and is causing the > seg fault. AFAIK the rest of the algorithm does not need the public > exponent... Not too big a deal to keep that in there but seems unnecessary. > Hmmm. > Is the public exponent really necessary for decryption? It has been a > while since I looked at the RSA algorithm. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
