RE: RSA_private_decrypt without e and d
Hello, I think that if you have only p, q, dmp1, dmq1, iqmp and n = p*q (which is not too hard to calculate) you can decrypt message with OpenSSL API. No d and e. In attached file you have small example. There is created private key without e and d and decryption succeeds. Before decryption you should disable RSA blinding if you do not have e in your private key. For example if you comment line: RSA_blinding_off(rsa_priv); then you will get decryption error: *** error:0408808C:rsa routines:RSA_setup_blinding:no public exponent *** error:04065044:rsa routines:RSA_EAY_PRIVATE_DECRYPT:internal error You can experiment. Best regards, -- Marek Marcola marek.marc...@malkom.pl owner-openssl-us...@openssl.org wrote on 02/24/2011 10:30:17 PM: Shaheed Bacchus (sbacchus) sbacc...@cisco.com Sent by: owner-openssl-us...@openssl.org 02/24/2011 10:32 PM Please respond to openssl-users@openssl.org To openssl-users@openssl.org cc Subject RE: RSA_private_decrypt without e and d Hi Marek, My understanding was that while it's mathematically possible, from an OpenSSL API perspective there is no way to do it. Did I misunderstand? -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of marek.marc...@malkom.pl Sent: Thursday, February 24, 2011 11:23 AM To: openssl-users@openssl.org Cc: openssl-users@openssl.org; owner-openssl-us...@openssl.org Subject: RE: RSA_private_decrypt without e and d Hello, Remember, you do not need to recover this parameters to decrypt message. Best regards, -- Marek Marcola marek.marc...@malkom.pl owner-openssl-us...@openssl.org wrote on 02/24/2011 05:19:30 PM: Shaheed Bacchus (sbacchus) sbacc...@cisco.com Sent by: owner-openssl-us...@openssl.org 02/24/2011 05:21 PM Please respond to openssl-users@openssl.org To openssl-users@openssl.org cc Subject RE: RSA_private_decrypt without e and d Thanks Mounir and Marek, I will try to recover these parameters. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI Sent: Thursday, February 24, 2011 2:27 AM To: openssl-users@openssl.org Subject: Re: RSA_private_decrypt without e and d Hi Shaheed, The OpenSSL error you are getting means that OpenSSL decrypted the ciphered text but couldn't find the PKCS1 padding byte. This means that the wrong CRT parameters were supplied. Usually this comes from the fact that the parameters p and q (and the corresponding dmp1, dmq1) must be swapped : p instead of q and q instead of p (same thing for dmp1 and dmq1). In order to check this, you can use a tool I have written and that enables you to recover e and d from these 5 parameters. You can get it from sourceForge using the following link : http://rsaconverter.sourceforge.net/ . Thanks to it, you can check that these 5 parameters give you the correct d and e. In your case, I'm sure you'll get the wrong d and e. Swap the parameters and see if you get the correct d this time. I hope this will help. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 2/24/2011 4:03 AM, Shaheed Bacchus (sbacchus) wrote: Just to be clear, below is not the actual code, but what I would **like** to be able to do (or something close). *From:*owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Shaheed Bacchus (sbacchus) *Sent:* Wednesday, February 23, 2011 9:47 PM *To:* openssl-users@openssl.org *Subject:* RSA_private_decrypt without e and d Hi, I have a situation where I have a message that has been encrypted via RSA_public_encrypt. On the receiving end I have the n, p, q, dmp1, dmq1, and iqmp components (I know it might sound odd that I don't have the e and d components but that is the case). I'm trying to do something like: If (!(new_key = RSA_new())) return -1; new_key-n = BN_bin2bn(n_data, n_data_len, NULL); new_key-p = BN_bin2bn(p_data, p_data_len, NULL); new_key-q = BN_bin2bn(q_data, q_data_len, NULL); new_key-dmp1 = BN_bin2bn(dmp1_data, dmp1_data_len, NULL); new_key-dmq1 = BN_bin2bn(dmq1_data, dmq1_data_len, NULL); new_key-iqmp = BN_bin2bn(iqmp_data, iqmp1_data_len, NULL); resultDecrypt = RSA_private_decrypt(encrypted_size, encrypted, decrypted, new_key, RSA_PKCS1_PADDING); This decrypt fails with error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02 Supplying the correct e and d component causes it work properly, but I will not have those under normal circumstances. Is there any way to do this without d and e? __ OpenSSL Project
Re: RSA_private_decrypt without e and d
On Thu, Feb 24, 2011 at 08:15:47AM +0100, Mounir IDRASSI wrote:
Your analysis is not true because the original poster says he has dmp1,
dmq1 and iqmp, not only p and q.
Yes, naturally if the OP has d (or equivalently d mod (p-1) and (q-1),
which are presumed co-prime), he can recover e if he chooses, or just
use d (for efficiency its projections onto Z/Z_{p-1} and Z/Z_{q-1})
to decrypt the messages. I assumed that d and e were truly unavailable,
should have read the OP's message more carefully.
--
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: RSA_private_decrypt without e and d
Thanks Mounir and Marek, I will try to recover these parameters. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI Sent: Thursday, February 24, 2011 2:27 AM To: openssl-users@openssl.org Subject: Re: RSA_private_decrypt without e and d Hi Shaheed, The OpenSSL error you are getting means that OpenSSL decrypted the ciphered text but couldn't find the PKCS1 padding byte. This means that the wrong CRT parameters were supplied. Usually this comes from the fact that the parameters p and q (and the corresponding dmp1, dmq1) must be swapped : p instead of q and q instead of p (same thing for dmp1 and dmq1). In order to check this, you can use a tool I have written and that enables you to recover e and d from these 5 parameters. You can get it from sourceForge using the following link : http://rsaconverter.sourceforge.net/ . Thanks to it, you can check that these 5 parameters give you the correct d and e. In your case, I'm sure you'll get the wrong d and e. Swap the parameters and see if you get the correct d this time. I hope this will help. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 2/24/2011 4:03 AM, Shaheed Bacchus (sbacchus) wrote: Just to be clear, below is not the actual code, but what I would **like** to be able to do (or something close). *From:*owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Shaheed Bacchus (sbacchus) *Sent:* Wednesday, February 23, 2011 9:47 PM *To:* openssl-users@openssl.org *Subject:* RSA_private_decrypt without e and d Hi, I have a situation where I have a message that has been encrypted via RSA_public_encrypt. On the receiving end I have the n, p, q, dmp1, dmq1, and iqmp components (I know it might sound odd that I don't have the e and d components but that is the case). I'm trying to do something like: If (!(new_key = RSA_new())) return -1; new_key-n = BN_bin2bn(n_data, n_data_len, NULL); new_key-p = BN_bin2bn(p_data, p_data_len, NULL); new_key-q = BN_bin2bn(q_data, q_data_len, NULL); new_key-dmp1 = BN_bin2bn(dmp1_data, dmp1_data_len, NULL); new_key-dmq1 = BN_bin2bn(dmq1_data, dmq1_data_len, NULL); new_key-iqmp = BN_bin2bn(iqmp_data, iqmp1_data_len, NULL); resultDecrypt = RSA_private_decrypt(encrypted_size, encrypted, decrypted, new_key, RSA_PKCS1_PADDING); This decrypt fails with error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02 Supplying the correct e and d component causes it work properly, but I will not have those under normal circumstances. Is there any way to do this without d and e? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: RSA_private_decrypt without e and d
Hello, Remember, you do not need to recover this parameters to decrypt message. Best regards, -- Marek Marcola marek.marc...@malkom.pl owner-openssl-us...@openssl.org wrote on 02/24/2011 05:19:30 PM: Shaheed Bacchus (sbacchus) sbacc...@cisco.com Sent by: owner-openssl-us...@openssl.org 02/24/2011 05:21 PM Please respond to openssl-users@openssl.org To openssl-users@openssl.org cc Subject RE: RSA_private_decrypt without e and d Thanks Mounir and Marek, I will try to recover these parameters. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI Sent: Thursday, February 24, 2011 2:27 AM To: openssl-users@openssl.org Subject: Re: RSA_private_decrypt without e and d Hi Shaheed, The OpenSSL error you are getting means that OpenSSL decrypted the ciphered text but couldn't find the PKCS1 padding byte. This means that the wrong CRT parameters were supplied. Usually this comes from the fact that the parameters p and q (and the corresponding dmp1, dmq1) must be swapped : p instead of q and q instead of p (same thing for dmp1 and dmq1). In order to check this, you can use a tool I have written and that enables you to recover e and d from these 5 parameters. You can get it from sourceForge using the following link : http://rsaconverter.sourceforge.net/ . Thanks to it, you can check that these 5 parameters give you the correct d and e. In your case, I'm sure you'll get the wrong d and e. Swap the parameters and see if you get the correct d this time. I hope this will help. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 2/24/2011 4:03 AM, Shaheed Bacchus (sbacchus) wrote: Just to be clear, below is not the actual code, but what I would **like** to be able to do (or something close). *From:*owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Shaheed Bacchus (sbacchus) *Sent:* Wednesday, February 23, 2011 9:47 PM *To:* openssl-users@openssl.org *Subject:* RSA_private_decrypt without e and d Hi, I have a situation where I have a message that has been encrypted via RSA_public_encrypt. On the receiving end I have the n, p, q, dmp1, dmq1, and iqmp components (I know it might sound odd that I don't have the e and d components but that is the case). I'm trying to do something like: If (!(new_key = RSA_new())) return -1; new_key-n = BN_bin2bn(n_data, n_data_len, NULL); new_key-p = BN_bin2bn(p_data, p_data_len, NULL); new_key-q = BN_bin2bn(q_data, q_data_len, NULL); new_key-dmp1 = BN_bin2bn(dmp1_data, dmp1_data_len, NULL); new_key-dmq1 = BN_bin2bn(dmq1_data, dmq1_data_len, NULL); new_key-iqmp = BN_bin2bn(iqmp_data, iqmp1_data_len, NULL); resultDecrypt = RSA_private_decrypt(encrypted_size, encrypted, decrypted, new_key, RSA_PKCS1_PADDING); This decrypt fails with error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02 Supplying the correct e and d component causes it work properly, but I will not have those under normal circumstances. Is there any way to do this without d and e? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: RSA_private_decrypt without e and d
Hi Marek, My understanding was that while it's mathematically possible, from an OpenSSL API perspective there is no way to do it. Did I misunderstand? -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of marek.marc...@malkom.pl Sent: Thursday, February 24, 2011 11:23 AM To: openssl-users@openssl.org Cc: openssl-users@openssl.org; owner-openssl-us...@openssl.org Subject: RE: RSA_private_decrypt without e and d Hello, Remember, you do not need to recover this parameters to decrypt message. Best regards, -- Marek Marcola marek.marc...@malkom.pl owner-openssl-us...@openssl.org wrote on 02/24/2011 05:19:30 PM: Shaheed Bacchus (sbacchus) sbacc...@cisco.com Sent by: owner-openssl-us...@openssl.org 02/24/2011 05:21 PM Please respond to openssl-users@openssl.org To openssl-users@openssl.org cc Subject RE: RSA_private_decrypt without e and d Thanks Mounir and Marek, I will try to recover these parameters. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI Sent: Thursday, February 24, 2011 2:27 AM To: openssl-users@openssl.org Subject: Re: RSA_private_decrypt without e and d Hi Shaheed, The OpenSSL error you are getting means that OpenSSL decrypted the ciphered text but couldn't find the PKCS1 padding byte. This means that the wrong CRT parameters were supplied. Usually this comes from the fact that the parameters p and q (and the corresponding dmp1, dmq1) must be swapped : p instead of q and q instead of p (same thing for dmp1 and dmq1). In order to check this, you can use a tool I have written and that enables you to recover e and d from these 5 parameters. You can get it from sourceForge using the following link : http://rsaconverter.sourceforge.net/ . Thanks to it, you can check that these 5 parameters give you the correct d and e. In your case, I'm sure you'll get the wrong d and e. Swap the parameters and see if you get the correct d this time. I hope this will help. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 2/24/2011 4:03 AM, Shaheed Bacchus (sbacchus) wrote: Just to be clear, below is not the actual code, but what I would **like** to be able to do (or something close). *From:*owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Shaheed Bacchus (sbacchus) *Sent:* Wednesday, February 23, 2011 9:47 PM *To:* openssl-users@openssl.org *Subject:* RSA_private_decrypt without e and d Hi, I have a situation where I have a message that has been encrypted via RSA_public_encrypt. On the receiving end I have the n, p, q, dmp1, dmq1, and iqmp components (I know it might sound odd that I don't have the e and d components but that is the case). I'm trying to do something like: If (!(new_key = RSA_new())) return -1; new_key-n = BN_bin2bn(n_data, n_data_len, NULL); new_key-p = BN_bin2bn(p_data, p_data_len, NULL); new_key-q = BN_bin2bn(q_data, q_data_len, NULL); new_key-dmp1 = BN_bin2bn(dmp1_data, dmp1_data_len, NULL); new_key-dmq1 = BN_bin2bn(dmq1_data, dmq1_data_len, NULL); new_key-iqmp = BN_bin2bn(iqmp_data, iqmp1_data_len, NULL); resultDecrypt = RSA_private_decrypt(encrypted_size, encrypted, decrypted, new_key, RSA_PKCS1_PADDING); This decrypt fails with error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02 Supplying the correct e and d component causes it work properly, but I will not have those under normal circumstances. Is there any way to do this without d and e? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: RSA_private_decrypt without e and d
Just to be clear, below is not the actual code, but what I would *like* to be able to do (or something close). From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Shaheed Bacchus (sbacchus) Sent: Wednesday, February 23, 2011 9:47 PM To: openssl-users@openssl.org Subject: RSA_private_decrypt without e and d Hi, I have a situation where I have a message that has been encrypted via RSA_public_encrypt. On the receiving end I have the n, p, q, dmp1, dmq1, and iqmp components (I know it might sound odd that I don't have the e and d components but that is the case). I'm trying to do something like: If (!(new_key = RSA_new())) return -1; new_key-n = BN_bin2bn(n_data, n_data_len, NULL); new_key-p = BN_bin2bn(p_data, p_data_len, NULL); new_key-q = BN_bin2bn(q_data, q_data_len, NULL); new_key-dmp1 = BN_bin2bn(dmp1_data, dmp1_data_len, NULL); new_key-dmq1 = BN_bin2bn(dmq1_data, dmq1_data_len, NULL); new_key-iqmp = BN_bin2bn(iqmp_data, iqmp1_data_len, NULL); resultDecrypt = RSA_private_decrypt(encrypted_size, encrypted, decrypted, new_key, RSA_PKCS1_PADDING); This decrypt fails with error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02 Supplying the correct e and d component causes it work properly, but I will not have those under normal circumstances. Is there any way to do this without d and e?
Re: RSA_private_decrypt without e and d
On Wed, Feb 23, 2011 at 09:03:13PM -0600, Shaheed Bacchus (sbacchus) wrote: Just to be clear, below is not the actual code, but what I would *like* to be able to do (or something close). What you are asking to do is not possible, not because of API limitations, but as a matter of principle (mathematical property of RSA). I have a situation where I have a message that has been encrypted via RSA_public_encrypt. On the receiving end I have the n, p, q, dmp1, dmq1, and iqmp components (I know it might sound odd that I don't have the e and d components but that is the case). The RSA algorithm computes a ciphertext M' from a plaintext M via M' = (M)^e mod n (i.e. mod pq). decryption is possible when p, q (and implicitly e) are known because M = (M')^d mod n provided: - M n (e.g. the message is shorter than the key bit length), thus computing the result mod n loses no information. - d*e = 1 mod phi(n) = (p-1)(q-1) http://en.wikipedia.org/wiki/Euler%27s_totient_function when e, p and q are known, d can be computed via Euclid's algorithm for finding the multiplicative inverse of a mod b, when a is co-prime to b. When e is unknown, any M'' obtained from M via some exponent e' is as a good a plaintext as M since, if e'*d' = 1 mod phi(n), we have: M' = (M^e) = ((M^e')^d')^e = (M'')^(d'*e) therefore if the public exponent were (d'*e) instead of e, the same message M' decrypts to M' instead of M. There is no well-defined inverse to RSA without e, since e is fundamental parameter of the operation you want to invert. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: RSA_private_decrypt without e and d
Hello, If you have on the receiving site n, p, q, dmp1, dmq1, and iqmp components then you may decrypt message M from ciphertext C with CRT: Cp = C mod p Cq = C mod q Mp = Cp^dmp1 mod p Mq = Cq^dmq1 mod q h = (Mp?Mq) * iqmp mod p M = Mq + qh where: dmp1= d mod (p?1) dmq1= d mod (q?1) iqmp = q^?1 mod p you have recomputed. You do not need d on the receiving site if you have this parameters. Best regards, -- Marek Marcola marek.marc...@malkom.pl owner-openssl-us...@openssl.org wrote on 02/24/2011 05:48:19 AM: Victor Duchovni victor.ducho...@morganstanley.com Sent by: owner-openssl-us...@openssl.org 02/24/2011 05:50 AM Please respond to openssl-users@openssl.org To openssl-users@openssl.org cc Subject Re: RSA_private_decrypt without e and d On Wed, Feb 23, 2011 at 09:03:13PM -0600, Shaheed Bacchus (sbacchus) wrote: Just to be clear, below is not the actual code, but what I would *like* to be able to do (or something close). What you are asking to do is not possible, not because of API limitations, but as a matter of principle (mathematical property of RSA). I have a situation where I have a message that has been encrypted via RSA_public_encrypt. On the receiving end I have the n, p, q, dmp1, dmq1, and iqmp components (I know it might sound odd that I don't have the e and d components but that is the case). The RSA algorithm computes a ciphertext M' from a plaintext M via M' = (M)^e mod n (i.e. mod pq). decryption is possible when p, q (and implicitly e) are known because M = (M')^d mod n provided: - M n (e.g. the message is shorter than the key bit length), thus computing the result mod n loses no information. - d*e = 1 mod phi(n) = (p-1)(q-1) http://en.wikipedia.org/wiki/Euler%27s_totient_function when e, p and q are known, d can be computed via Euclid's algorithm for finding the multiplicative inverse of a mod b, when a is co-prime to b. When e is unknown, any M'' obtained from M via some exponent e' is as a good a plaintext as M since, if e'*d' = 1 mod phi(n), we have: M' = (M^e) = ((M^e')^d')^e = (M'')^(d'*e) therefore if the public exponent were (d'*e) instead of e, the same message M' decrypts to M' instead of M. There is no well-defined inverse to RSA without e, since e is fundamental parameter of the operation you want to invert. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: RSA_private_decrypt without e and d
Hello,
Try to disable RSA blinding with:
RSA_blinding_off(new_key);
before RSA_private_decrypt().
Best regards,
--
Marek Marcola marek.marc...@malkom.pl
owner-openssl-us...@openssl.org wrote on 02/24/2011 03:46:53 AM:
Shaheed Bacchus (sbacchus) sbacc...@cisco.com
Sent by: owner-openssl-us...@openssl.org
02/24/2011 03:52 AM
Please respond to
openssl-users@openssl.org
To
openssl-users@openssl.org
cc
Subject
RSA_private_decrypt without e and d
Hi,
I have a situation where I have a message that has been encrypted via
RSA_public_encrypt. On the receiving end I have the n, p, q, dmp1,
dmq1, and iqmp
components (I know it might sound odd that I don’t have the e and d
components but that
is the case). I’m trying to do something like:
If (!(new_key = RSA_new()))
return -1;
new_key-n = BN_bin2bn(n_data, n_data_len, NULL);
new_key-p = BN_bin2bn(p_data, p_data_len, NULL);
new_key-q = BN_bin2bn(q_data, q_data_len, NULL);
new_key-dmp1 = BN_bin2bn(dmp1_data, dmp1_data_len, NULL);
new_key-dmq1 = BN_bin2bn(dmq1_data, dmq1_data_len, NULL);
new_key-iqmp = BN_bin2bn(iqmp_data, iqmp1_data_len, NULL);
resultDecrypt = RSA_private_decrypt(encrypted_size, encrypted,
decrypted, new_key,
RSA_PKCS1_PADDING);
This decrypt fails with
error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is
not 02
Supplying the correct e and d component causes it work properly, but I
will not have
those under normal circumstances. Is there any way to do this without d
and e?
:��IϮ��r�m
(Z+�K
�+1���x
��h[�z�(Z+�
��f�y��
�f���h��)z{,���
Re: RSA_private_decrypt without e and d
Hi Victor, Your analysis is not true because the original poster says he has dmp1, dmq1 and iqmp, not only p and q. With these 5 parameters, it is possible to recover the plain text from the ciphered text thanks to the Chinese Reminder Transformation (CRT). Moreover, it is possible to recover the pubic exponent e and the private exponent d from these 5 parameters using a mathematical transformation. I have implemented such a transformation in an open source tool that I put on SourceForge : you can get it along with the mathematics behind it from the following link : http://rsaconverter.sourceforge.net/ . Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 2/24/2011 5:48 AM, Victor Duchovni wrote: On Wed, Feb 23, 2011 at 09:03:13PM -0600, Shaheed Bacchus (sbacchus) wrote: Just to be clear, below is not the actual code, but what I would *like* to be able to do (or something close). What you are asking to do is not possible, not because of API limitations, but as a matter of principle (mathematical property of RSA). I have a situation where I have a message that has been encrypted via RSA_public_encrypt. On the receiving end I have the n, p, q, dmp1, dmq1, and iqmp components (I know it might sound odd that I don't have the e and d components but that is the case). The RSA algorithm computes a ciphertext M' from a plaintext M via M' = (M)^e mod n (i.e. mod pq). decryption is possible when p, q (and implicitly e) are known because M = (M')^d mod n provided: - M n (e.g. the message is shorter than the key bit length), thus computing the result mod n loses no information. - d*e = 1 mod phi(n) = (p-1)(q-1) http://en.wikipedia.org/wiki/Euler%27s_totient_function when e, p and q are known, d can be computed via Euclid's algorithm for finding the multiplicative inverse of a mod b, when a is co-prime to b. When e is unknown, any M'' obtained from M via some exponent e' is as a good a plaintext as M since, if e'*d' = 1 mod phi(n), we have: M' = (M^e) = ((M^e')^d')^e = (M'')^(d'*e) therefore if the public exponent were (d'*e) instead of e, the same message M' decrypts to M' instead of M. There is no well-defined inverse to RSA without e, since e is fundamental parameter of the operation you want to invert. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
