Re: Loading raw EC and RSA keys with OpenSSL 3
Tomas Mraz wrote:
> Jonathan Wernberg wrote:
>> Hi openssl-users mailing list.
>>
>> We are having some troubles converting some code from OpenSSL 1.x to
>> OpenSSL 3.x APIs, to get rid of deprecation warnings, and hope
>> someone may be able to give us some hints in the right direction.
>>
>> One thing we want to do is to convert an EC private key from raw
>> format into an EVP_PKEY. Today we do as below (error checking, freeing
>> and secure memory context things removed for brevity, private key is
>> in "privkey" and curve in "nid"):
>>
>>     BIGNUM *privkey_bn = BN_bin2bn(privkey, privkey_len, NULL);
>>     EC_KEY *eckey = EC_KEY_new_by_curve_name(nid);
>>     const EC_GROUP *group = EC_KEY_get0_group(eckey);
>>     EC_POINT *pubkey_point = EC_POINT_new(group);
>>     EC_POINT_mul(group, pubkey_point, privkey_bn, NULL, NULL, NULL);
>>     EC_KEY_set_private_key(eckey, privkey_bn);
>>     EC_KEY_set_public_key(eckey, pubkey_point);
>>     EVP_PKEY *pkey = EVP_PKEY_new();
>>     EVP_PKEY_assign_EC_KEY(pkey, eckey);
>>
>> Basically we chained a lot of operations because we could not find
>> any single function that did it for us. Some of these operations are
>> now deprecated, such as the EC_KEY ones. We tried experimenting with
>> the OSSL fromdata() function instead (omitted the mapping from "nid"
>> to "sn" for brevity):
>>
>>     BIGNUM *privkey_bn = BN_bin2bn(privkey, privkey_len, NULL);
>>     EC_GROUP *group = EC_GROUP_new_by_curve_name(nid);
>>     EC_POINT *pubkey_point = EC_POINT_new(group);
>>     EC_POINT_mul(group, pubkey_point, privkey_bn, NULL, NULL, NULL);
>>     unsigned char pubkey_buf[65]; // size just an example
>>     EC_POINT_point2oct(group, pubkey_point, POINT_CONVERSION_UNCOMPRESSED,
>>         pubkey_buf, sizeof(pubkey_buf), NULL);
>>     OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
>>     OSSL_PARAM_BLD_push_utf8_string(param_bld,
>>         OSSL_PKEY_PARAM_GROUP_NAME, sn, 0);
>>     OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
>>         privkey_bn);
>>     OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_PKEY_PARAM_PUB_KEY,
>>         pubkey_buf, sizeof(pubkey_buf));
>>     OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(param_bld);
>>     EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
>>     EVP_PKEY_fromdata_init(ctx);
>>     EVP_PKEY *pkey = NULL;
>>     EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params);
>>     EVP_PKEY_CTX_free(ctx);
>>     ctx = EVP_PKEY_CTX_new(pkey, NULL);
>>     EVP_PKEY_check(ctx);
>>
>> Although it works, it does not feel right. We ended up chaining many
>> more operations than before. Our understanding was that the new
>> OpenSSL 3.x API was redesigned partially to remove low-level
>> manipulations like these. We have looked through both the migration
>> document and the reference API without finding anything that does our
>> job better. OSSL_DECODERs as frequently suggested in the migration
>> documentation do not seem to support raw EC key formats at all. The
>> EVP_PKEY_new_raw_private_key() functions mentioned in the reference
>> API do not appear to support NIST P curves, according to the
>> documentation. The OSSL fromdata() way above does not calculate the
>> public key from the private one itself, nor does it verify that the
>> points are on the curve, and we are uncertain if there is anything
>> else it does not do that we need to do to not compromise security. We
>> could use d2i_PrivateKey() or d2i_AutoPrivateKey(), which both seem
>> to read in the key data in a secure way and derive the public part
>> automatically. But that way would require us to implement custom
>> logic in our code to manually put together DER data from the raw key
>> data, for multiple curve types.
>>
>> What is the recommended and safe way to read in an EC private key
>> from raw format into an EVP_PKEY object ready to be used?
>>
>> Another thing we want to do is to convert an RSA public key from raw
>> modulus and exponent components into proper DER encoded
>> SubjectPublicKeyInfo data. Today we piggyback on OpenSSL to
>> accomplish this like this:
>>
>>     BIGNUM *n = BN_bin2bn(modulus, (int)modulus_len, NULL);
>>     BIGNUM *e = BN_bin2bn(exponent, (int)exponent_len, NULL);
>>     RSA *rsa = RSA_new();
>>     RSA_set0_key(rsa, n, e, NULL);
>>     int data_len = i2d_RSA_PUBKEY(rsa, NULL);
>>     uint8_t *data_buf = malloc((size_t)data_len);
>>     uint8_t *pdata = data_buf;
>>     data_len = i2d_RSA_PUBKEY(rsa, &pdata);
>>
>> However, some of those functions are now deprecated. Unfortunately
>> our best attempt with OpenSSL 3.x compatible APIs ended up being this
>> comparably long sequence of operations:
>>
>>     BIGNUM *n = BN_bin2bn(modulus, (int)modulus_len, NULL);
>>     BIGNUM *e = BN_bin2bn(exponent, (int)exponent_len, NULL);
>>     EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
>>     OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
>>     OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n);
>>     OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e);
>>     OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(param_bld);
>>     EVP_PKEY_fromdata_init(ctx);
>>     EVP_PKEY *pkey =
Re: Loading raw EC and RSA keys with OpenSSL 3
On Tue, 2022-08-23 at 12:09 +, Jonathan Wernberg wrote:
> TL;DR: With OpenSSL 3.x API, what is the recommended and safe way to
> read in an EC private key from raw format into an EVP_PKEY object
> ready to be used? What is the easiest way to convert an RSA public
> key from raw modulus and exponent components to proper DER encoded
> SubjectPublicKeyInfo data?
>
> Hi openssl-users mailing list.
>
> We are having some troubles converting some code from OpenSSL 1.x to
> OpenSSL 3.x APIs, to get rid of deprecation warnings, and hope
> someone may be able to give us some hints in the right direction.
>
> One thing we want to do is to convert an EC private key from raw
> format into an EVP_PKEY. Today we do as below (error checking, freeing
> and secure memory context things removed for brevity, private key is
> in "privkey" and curve in "nid"):
>
>     BIGNUM *privkey_bn = BN_bin2bn(privkey, privkey_len, NULL);
>     EC_KEY *eckey = EC_KEY_new_by_curve_name(nid);
>     const EC_GROUP *group = EC_KEY_get0_group(eckey);
>     EC_POINT *pubkey_point = EC_POINT_new(group);
>     EC_POINT_mul(group, pubkey_point, privkey_bn, NULL, NULL, NULL);
>     EC_KEY_set_private_key(eckey, privkey_bn);
>     EC_KEY_set_public_key(eckey, pubkey_point);
>     EVP_PKEY *pkey = EVP_PKEY_new();
>     EVP_PKEY_assign_EC_KEY(pkey, eckey);
>
> Basically we chained a lot of operations because we could not find
> any single function that did it for us. Some of these operations are
> now deprecated, such as the EC_KEY ones. We tried experimenting with
> the OSSL fromdata() function instead (omitted the mapping from "nid"
> to "sn" for brevity):
>
>     BIGNUM *privkey_bn = BN_bin2bn(privkey, privkey_len, NULL);
>     EC_GROUP *group = EC_GROUP_new_by_curve_name(nid);
>     EC_POINT *pubkey_point = EC_POINT_new(group);
>     EC_POINT_mul(group, pubkey_point, privkey_bn, NULL, NULL, NULL);
>     unsigned char pubkey_buf[65]; // size just an example
>     EC_POINT_point2oct(group, pubkey_point, POINT_CONVERSION_UNCOMPRESSED,
>         pubkey_buf, sizeof(pubkey_buf), NULL);
>     OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
>     OSSL_PARAM_BLD_push_utf8_string(param_bld,
>         OSSL_PKEY_PARAM_GROUP_NAME, sn, 0);
>     OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
>         privkey_bn);
>     OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_PKEY_PARAM_PUB_KEY,
>         pubkey_buf, sizeof(pubkey_buf));
>     OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(param_bld);
>     EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
>     EVP_PKEY_fromdata_init(ctx);
>     EVP_PKEY *pkey = NULL;
>     EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params);
>     EVP_PKEY_CTX_free(ctx);
>     ctx = EVP_PKEY_CTX_new(pkey, NULL);
>     EVP_PKEY_check(ctx);
>
> Although it works, it does not feel right. We ended up chaining many
> more operations than before. Our understanding was that the new
> OpenSSL 3.x API was redesigned partially to remove low-level
> manipulations like these. We have looked through both the migration
> document and the reference API without finding anything that does our
> job better. OSSL_DECODERs as frequently suggested in the migration
> documentation do not seem to support raw EC key formats at all. The
> EVP_PKEY_new_raw_private_key() functions mentioned in the reference
> API do not appear to support NIST P curves, according to the
> documentation. The OSSL fromdata() way above does not calculate the
> public key from the private one itself, nor does it verify that the
> points are on the curve, and we are uncertain if there is anything
> else it does not do that we need to do to not compromise security. We
> could use d2i_PrivateKey() or d2i_AutoPrivateKey(), which both seem
> to read in the key data in a secure way and derive the public part
> automatically. But that way would require us to implement custom
> logic in our code to manually put together DER data from the raw key
> data, for multiple curve types.
>
> What is the recommended and safe way to read in an EC private key
> from raw format into an EVP_PKEY object ready to be used?
>
> Another thing we want to do is to convert an RSA public key from raw
> modulus and exponent components into proper DER encoded
> SubjectPublicKeyInfo data. Today we piggyback on OpenSSL to
> accomplish this like this:
>
>     BIGNUM *n = BN_bin2bn(modulus, (int)modulus_len, NULL);
>     BIGNUM *e = BN_bin2bn(exponent, (int)exponent_len, NULL);
>     RSA *rsa = RSA_new();
>     RSA_set0_key(rsa, n, e, NULL);
>     int data_len = i2d_RSA_PUBKEY(rsa, NULL);
>     uint8_t *data_buf = malloc((size_t)data_len);
>     uint8_t *pdata = data_buf;
>     data_len = i2d_RSA_PUBKEY(rsa, &pdata);
>
> However, some of those functions are now deprecated. Unfortunately
> our best attempt with OpenSSL 3.x compatible APIs ended up being this
> comparably long sequence of operations:
>
>     BIGNUM *n = BN_bin2bn(modulus, (int)modulus_len, NULL);
>     BIGNUM *e = BN_bin2bn(exponent, (int)exponent_len, NULL);
>     EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
>     OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
>
Loading raw EC and RSA keys with OpenSSL 3
TL;DR: With OpenSSL 3.x API, what is the recommended and safe way to read in an EC private key from raw format into an EVP_PKEY object ready to be used? What is the easiest way to convert an RSA public key from raw modulus and exponent components to proper DER encoded SubjectPublicKeyInfo data?

Hi openssl-users mailing list.

We are having some troubles converting some code from OpenSSL 1.x to OpenSSL 3.x APIs, to get rid of deprecation warnings, and hope someone may be able to give us some hints in the right direction.

One thing we want to do is to convert an EC private key from raw format into an EVP_PKEY. Today we do as below (error checking, freeing and secure memory context things removed for brevity, private key is in "privkey" and curve in "nid"):

    BIGNUM *privkey_bn = BN_bin2bn(privkey, privkey_len, NULL);
    EC_KEY *eckey = EC_KEY_new_by_curve_name(nid);
    const EC_GROUP *group = EC_KEY_get0_group(eckey);
    EC_POINT *pubkey_point = EC_POINT_new(group);
    EC_POINT_mul(group, pubkey_point, privkey_bn, NULL, NULL, NULL);
    EC_KEY_set_private_key(eckey, privkey_bn);
    EC_KEY_set_public_key(eckey, pubkey_point);
    EVP_PKEY *pkey = EVP_PKEY_new();
    EVP_PKEY_assign_EC_KEY(pkey, eckey);

Basically we chained a lot of operations because we could not find any single function that did it for us. Some of these operations are now deprecated, such as the EC_KEY ones. We tried experimenting with the OSSL fromdata() function instead (omitted the mapping from "nid" to "sn" for brevity):

    BIGNUM *privkey_bn = BN_bin2bn(privkey, privkey_len, NULL);
    EC_GROUP *group = EC_GROUP_new_by_curve_name(nid);
    EC_POINT *pubkey_point = EC_POINT_new(group);
    EC_POINT_mul(group, pubkey_point, privkey_bn, NULL, NULL, NULL);
    unsigned char pubkey_buf[65]; // size just an example
    EC_POINT_point2oct(group, pubkey_point, POINT_CONVERSION_UNCOMPRESSED,
                       pubkey_buf, sizeof(pubkey_buf), NULL);
    OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
    OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_PKEY_PARAM_GROUP_NAME, sn, 0);
    OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, privkey_bn);
    OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_PKEY_PARAM_PUB_KEY,
                                     pubkey_buf, sizeof(pubkey_buf));
    OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(param_bld);
    EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
    EVP_PKEY_fromdata_init(ctx);
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params);
    EVP_PKEY_CTX_free(ctx);
    ctx = EVP_PKEY_CTX_new(pkey, NULL);
    EVP_PKEY_check(ctx);

Although it works, it does not feel right. We ended up chaining many more operations than before. Our understanding was that the new OpenSSL 3.x API was redesigned partially to remove low-level manipulations like these. We have looked through both the migration document and the reference API without finding anything that does our job better. OSSL_DECODERs as frequently suggested in the migration documentation do not seem to support raw EC key formats at all. The EVP_PKEY_new_raw_private_key() functions mentioned in the reference API do not appear to support NIST P curves, according to the documentation. The OSSL fromdata() way above does not calculate the public key from the private one itself, nor does it verify that the points are on the curve, and we are uncertain if there is anything else it does not do that we need to do to not compromise security. We could use d2i_PrivateKey() or d2i_AutoPrivateKey(), which both seem to read in the key data in a secure way and derive the public part automatically. But that way would require us to implement custom logic in our code to manually put together DER data from the raw key data, for multiple curve types.

What is the recommended and safe way to read in an EC private key from raw format into an EVP_PKEY object ready to be used?

Another thing we want to do is to convert an RSA public key from raw modulus and exponent components into proper DER encoded SubjectPublicKeyInfo data. Today we piggyback on OpenSSL to accomplish this like this:

    BIGNUM *n = BN_bin2bn(modulus, (int)modulus_len, NULL);
    BIGNUM *e = BN_bin2bn(exponent, (int)exponent_len, NULL);
    RSA *rsa = RSA_new();
    RSA_set0_key(rsa, n, e, NULL);
    int data_len = i2d_RSA_PUBKEY(rsa, NULL);
    uint8_t *data_buf = malloc((size_t)data_len);
    uint8_t *pdata = data_buf;
    data_len = i2d_RSA_PUBKEY(rsa, &pdata);

However, some of those functions are now deprecated. Unfortunately our best attempt with OpenSSL 3.x compatible APIs ended up being this comparably long sequence of operations:

    BIGNUM *n = BN_bin2bn(modulus, (int)modulus_len, NULL);
    BIGNUM *e = BN_bin2bn(exponent, (int)exponent_len, NULL);
    EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
    OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
    OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n);
    OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e);
    OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(param_bld);
    EVP_PKEY_fromdata_init(ctx);
    EVP_PKEY *pkey = NULL;
Re: Larger RSA keys (Modulus bits > 16384)
The RSA algorithm will work with keys of any length and longer is stronger. But less than 2048 is not acceptably secure by today's standards and the sad part is that going beyond 2048 bits doesn't improve it by very much.

Add one bit to the key size of a symmetric cipher like AES and you double the work factor. Go from 128 bits to 192 and your work factor increases by 2^64 times. That is really big. Add one bit to an RSA key size and the result is barely noticeable. And the longer the keys get, the less effect extra bits have.

2024 is considered equivalent to a 2^112 work factor
3072 gets you to roughly 2^128

So 50% more bits, 10424 of them buys you a measly 2^16 improvement. To get to a 2^256 bit work factor you need 15360 bits.

Your computation times go up with the square of the number of bits and bignum libraries tend to be limited to 16K bits. There really isn't a good reason to go beyond 16K and a lot of stuff is going to break.

On Sun, Dec 26, 2021 at 10:22 AM Grégory Widmer via openssl-users <openssl-users@openssl.org> wrote:

> Dear OpenSSL users,
>
> I have a question about OpenSSL. Recently, I asked myself if there was a
> maximum bit length for the modulus of a RSA key.
>
> I tried to type :
>
> user@host:~$ openssl genrsa 32768
> Warning: It is not recommended to use more than 16384 bit for RSA keys.
> Your key size is 32768! Larger key size may behave not as
> expected.
> Generating RSA private key, 32768 bit long modulus (2 primes)
>
> I got this warning, and I wonder why a larger key size may behave not as
> expected.
>
> Could anyone explain or give resources on why this doesn't work ?
>
> My guess is that, having the following : (M = message, C = Ciphered)
>
> If M^e is < n, we could easily compute the original message ?
>
> Also, I want to apologize if my question is redundant, I tried to search
> on GitHub and through the mailing list, but there is no search feature in
> the mailing list.
>
> Have a nice day !
>
> Grégory Widmer
>
>
> PS : This question is for knowledge purpose only, I don't use RSA keys
> anymore (except with GPG), I prefer ECC :)
>
Re: Larger RSA keys (Modulus bits > 16384)
On 26/12/2021 16:21, Grégory Widmer via openssl-users wrote:
> Dear OpenSSL users,
>
> I have a question about OpenSSL. Recently, I asked myself if there was a maximum bit length for the modulus of a RSA key.
>
> I tried to type :
>
> user@host:~$ openssl genrsa 32768
> Warning: It is not recommended to use more than 16384 bit for RSA keys.
> Your key size is 32768! Larger key size may behave not as expected.
> Generating RSA private key, 32768 bit long modulus (2 primes)
>
> I got this warning, and I wonder why a larger key size may behave not as expected.

I don't know, but maybe it is a reference to other RSA libraries not working with keys larger than 2 Kibibytes. In particular the GPG documentation warns that using larger RSA or DH keys is much less efficient in terms of security overhead that they recommend ECC instead. However only the author of that warning message can answer why they wrote it.

> Could anyone explain or give resources on why this doesn't work ?
>
> My guess is that, having the following : (M = message, C = Ciphered)
>
>> C = M^e ≡ n
>>
>> e = 65537
>>
>> n = p X q
>
> If M^e is < n, we could easily compute the original message ?

In general the formula is C = (M^e % n) also written as C ≡ M^e (mod n), I am not sure why you used the ≡ congruence symbol as a modulus operator (% in C, C++ etc. mod in many textbooks).

Also, many systems for using RSA pad M to enough bits that M^e > n, thus ensuring that the modulo operation affects the result. In particular, both versions of PKCS#1 do that in different ways. There was an unfortunate ISO standard that forgot to do that and it was found to be insecure.

For signing, the keys are swapped so S = (M^d % n) or S ≡ M^d (mod n), where d is the secret key, while the recipient checks that M ≡ S^e (mod n) or that M2 = (S^e % n) can be securely unpadded back to the actual M.

> Also, I want to apologize if my question is redundant, I tried to search on GitHub and through the mailing list, but there is no search feature in the mailing list.
>
> Have a nice day !
>
> Grégory Widmer
>
> PS : This question is for knowledge purpose only, I don't use RSA keys anymore (except with GPG), I prefer ECC :)

--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Larger RSA keys (Modulus bits > 16384)
Dear OpenSSL users,

I have a question about OpenSSL. Recently, I asked myself if there was a maximum bit length for the modulus of a RSA key.

I tried to type :

    user@host:~$ openssl genrsa 32768
    Warning: It is not recommended to use more than 16384 bit for RSA keys.
    Your key size is 32768! Larger key size may behave not as expected.
    Generating RSA private key, 32768 bit long modulus (2 primes)

I got this warning, and I wonder why a larger key size may behave not as expected.

Could anyone explain or give resources on why this doesn't work ?

My guess is that, having the following : (M = message, C = Ciphered)

If M^e is < n, we could easily compute the original message ?

Also, I want to apologize if my question is redundant, I tried to search on GitHub and through the mailing list, but there is no search feature in the mailing list.

Have a nice day !

Grégory Widmer

PS : This question is for knowledge purpose only, I don't use RSA keys anymore (except with GPG), I prefer ECC :)
Re: [openssl-users] DTLS Server with support for both EC and RSA keys
On 04/02/17 22:23, Suman Paul wrote:
> Hi,
>
> I have a server that implements DTLS using OpenSSL 1.0.1 but supports
> only RSA keys as of today. I want to add support to this server to
> accept EC keys to be able to implement the newer ECDHE-ECDSA cipher
> suites while retaining support for RSA. Any pointers as to how to go
> about this?
>
> What I believe is that each kind of key would need a different
> SSL_CTX object. So I want to switch to the correct context for the
> SSL session as per the cipher supported by the client (maybe from the
> cipher list advertised in the ClientHello). Is that the best way of
> implementing this?

No. You can add both the RSA certificate and the ECDSA certificate to the same SSL_CTX. Just call one of the SSL_CTX_use_certificate*() functions twice - once for each certificate type.

Matt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] DTLS Server with support for both EC and RSA keys
Hi,

I have a server that implements DTLS using OpenSSL 1.0.1 but supports only RSA keys as of today. I want to add support to this server to accept EC keys to be able to implement the newer ECDHE-ECDSA cipher suites while retaining support for RSA. Any pointers as to how to go about this?

What I believe is that each kind of key would need a different SSL_CTX object. So I want to switch to the correct context for the SSL session as per the cipher supported by the client (maybe from the cipher list advertised in the ClientHello). Is that the best way of implementing this?

Thanks
Suman
Re: [openssl-users] Protecting RSA keys
Hi everybody,

I'm new with OpenSSL and I have some questions.

The thing is that several RSA key pairs (each one for a different user) will be stored in a shared secured location (Safenet HSM). As the key pairs will be stored in the same place, we are looking for a way to ensure that one user is able to use only its own key pair, and not the key pair of another user.

In this way, I'm thinking on a passphrase to protect the private key, so when the user needs to use its key pair for signing or encrypting, he must provide the passphrase. As he knows its passphrase and not the passphrase of the other key pairs, he is able to use only its own key pair.

Until now, the theory. I don't know if I'm right.

Supposing that I'm right, I tried to generate protected key pairs, but when using them, I'm never prompted for the passphrase. So, I'm able to use any of the keys created, instead of using only my own key.

Can you help me with this issue?

Thanks in advance

Best regards

Sergio Magra
[openssl-users] Protecting RSA keys
Hi everybody,

I'm new with OpenSSL and I have some questions.

The thing is that several RSA key pairs (each one for a different user) will be stored in a shared secured location. As the key pairs will be stored in the same place, we are looking for a way to ensure that one user is able to use only its own key pair, and not the key pair of another user.

In this way, I'm thinking on a passphrase to protect the private key, so when the user needs to use its key pair for signing or encrypting, he must provide the passphrase. As he knows its passphrase and not the passphrase of the other key pairs, he is able to use only its own key pair.

Until now, the theory. I don't know if I'm right.

If yes, I tried to generate protected key pairs, but when using them, I'm never prompted for the passphrase. So, I'm able to use any of the keys created.

Can you help me with this issue?

Thanks in advance

Best regards

Sergio Magra
Secure storage of private (RSA) keys
Akamai Technologies is pleased to offer the following patch to OpenSSL. It adds a secure arena that is used to store RSA private keys. This arena is mmap'd, with guard pages before and after so pointer over- and under-runs won't wander into it. It's also locked into memory so it doesn't appear on disk, and when possible it's also kept out of core files. This patch is a variant of what we've been using to help protect customer keys for a decade. This should really be considered more of a proof of concept than something that you want to put directly into production. It slides into the ASN1 code rather than adding a new API (OPENSSL_secure_allocate et al), the overall code isn't portable, and so on. If there is community interest, we would be happy to help work on addressing those issues. Let me restate that: *do not just take this patch and put it into production without careful review.* OpenSSL is important to us, and this is the first of what we hope will be several significant contributions in the near future. Thanks. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA diff -uNr -x'*.[oas]' openssl-1.0.1g.orig/crypto/Makefile openssl-1.0.1g/crypto/Makefile --- openssl-1.0.1g.orig/crypto/Makefile 2014-04-10 13:11:56.0 -0400 +++ openssl-1.0.1g/crypto/Makefile 2014-04-10 13:02:39.0 -0400 
@@ -35,14 +35,16 @@ LIB= $(TOP)/libcrypto.a SHARED_LIB= libcrypto$(SHLIB_EXT) LIBSRC=cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ - ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c + ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c \ + secure_malloc.c buddy_allocator.c LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o \ - uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ) + uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ) \ + secure_malloc.o buddy_allocator.o SRC= $(LIBSRC) EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \ - ossl_typ.h + ossl_typ.h secure_malloc.h HEADER=cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER) ALL=$(GENERAL) $(SRC) $(HEADER) diff -uNr -x'*.[oas]' openssl-1.0.1g.orig/crypto/asn1/tasn_dec.c openssl-1.0.1g/crypto/asn1/tasn_dec.c --- openssl-1.0.1g.orig/crypto/asn1/tasn_dec.c 2014-03-17 12:14:20.0 -0400 +++ openssl-1.0.1g/crypto/asn1/tasn_dec.c 2014-04-10 16:32:23.0 -0400 @@ -169,6 +169,11 @@ int otag; int ret = 0; ASN1_VALUE **pchptr, *ptmpval; + +int ak_is_rsa_key = 0; /* Are we parsing an RSA key? */ +int ak_is_secure_field = 0; /* should this field be allocated from the secure arena? */ +int ak_is_arena_active = 0; /* was the secure arena already activated? */ + if (!pval) return 0; if (aux aux-asn1_cb) @@ -407,6 +412,11 @@ if (asn1_cb !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; +/* Watch out for this when OpenSSL is upgraded! */ +/* We have to be sure that it-sname will still be RSA */ +if (it-sname[0] == 'R' it-sname[1] == 'S' it-sname[2] == 'A' it-sname[3] == 0) +ak_is_rsa_key = 1; + /* Get each field entry */ for (i = 0, tt = it-templates; i it-tcount; i++, tt++) { 
@@ -445,8 +455,30 @@ /* attempt to read in field, allowing each to be * OPTIONAL */ + +/* Watch out for this when OpenSSL is upgraded! */ +/* We have to be sure that seqtt-field_name will still be */ +/* d, p, and q */ +ak_is_secure_field = 0; +ak_is_arena_active = 0; +if (ak_is_rsa_key) +{ +/* ak_is_rsa_key is set for public keys too */ +/* however those don't have these variables */ +const char *f = seqtt-field_name; +if ((f[0] == 'd' || f[0] == 'p' || f[0] == 'q') f[1] == 0) +{ +ak_is_secure_field = 1; +ak_is_arena_active = start_secure_allocation(); +} +} + ret = asn1_template_ex_d2i(pseqval, p, len, seqtt, isopt, ctx); + +if (ak_is_secure_field !ak_is_arena_active) +stop_secure_allocation(); + if (!ret)
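Review bot: In the tasn_dec.c hunk at @@ -407,6 +412,11 @@, RSA detection is done by comparing it-sname character by character against 'R', 'S', 'A' and a terminator, and the added comment itself warns that this silently stops working if the template name changes in a later OpenSSL. Because the test sits in the generic template decoder, any item whose sname happens to be "RSA" is treated as a key, and the following hunk already notes that this includes public keys. Please identify the RSA private-key item by something the RSA code controls (for example a flag or the item pointer) rather than by a string, and at minimum use strcmp so the intent is readable and reviewable.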
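Review bot: In the @@ -445,8 +455,30 @@ hunk, the field filter only accepts one-character names (f[0] is 'd', 'p' or 'q' and f[1] == 0), so the remaining private members of an RSA private key, the CRT values dmp1, dmq1 and iqmp, are still decoded into ordinary heap memory outside the arena. They are private-key material too and should be bracketed by start_secure_allocation() and stop_secure_allocation() in the same way. Two smaller points on the same lines: seqtt-field_name is indexed without a NULL check, and the return value of start_secure_allocation() is used as "the arena was already active", which should be stated in a comment next to ak_is_arena_active since the stop call depends on it.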
Re: Secure storage of private (RSA) keys
Hello!

On Fri, Apr 11, 2014 at 01:22:21PM -0400, Salz, Rich wrote:
> Akamai Technologies is pleased to offer the following patch to OpenSSL. It adds a secure arena that is used to store RSA private keys. This arena is mmap'd, with guard pages before and after so pointer over- and under-runs won't wander into it. It's also locked into memory so it doesn't appear on disk, and when possible it's also kept out of core files. This patch is a variant of what we've been using to help protect customer keys for a decade.

Have you thought about mprotecting the guard pages with mprotect(PROT_NONE) so the application crashes in case of a stray memory access?

Thanks,
Hannes

__
OpenSSL Project                          http://www.openssl.org
User Support Mailing List                openssl-users@openssl.org
Automated List Manager                   majord...@openssl.org
RE: Secure storage of private (RSA) keys
> Have you thought about mprotecting the guard pages with mprotect(PROT_NONE) so the application crashes in case of a stray memory access?

Yes, rats. My message implied that we do that. And I then posted the wrong version of the code. :(

Here's the right version of cmm_init.

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA

void *
cmm_init(int size, int mem_min_unit, int overrun_bytes)
{
    int i;
    size_t pgsize = (size_t)sysconf(_SC_PAGE_SIZE);
    size_t aligned = (pgsize + size + (pgsize - 1)) & ~(pgsize - 1);

    mem_arena_size = size;
    Mem_min_unit = mem_min_unit,
    Overrun_bytes = overrun_bytes;

    /* make sure mem_arena_size and Mem_min_unit are powers of 2 */
    assert(mem_arena_size > 0);
    assert(mem_min_unit > 0);
    assert(0 == ((mem_arena_size-1)&mem_arena_size));
    assert(0 == ((Mem_min_unit-1)&Mem_min_unit));

    cmm_bittable_size = (mem_arena_size/Mem_min_unit) * 2;

    i = cmm_bittable_size;
    cmm_max_free_lists = -1;
    while(i) {
        i>>=1;
        cmm_max_free_lists++;
    }

    cmm_free_list = malloc(cmm_max_free_lists * sizeof(void *));
    assert(cmm_free_list);
    memset(cmm_free_list, 0, cmm_max_free_lists*sizeof(void *));

    cmm_bittable = malloc(cmm_bittable_size>>3);
    assert(cmm_bittable);
    memset(cmm_bittable, 0, cmm_bittable_size>>3);

    cmm_bitmalloc = malloc(cmm_bittable_size>>3);
    assert(cmm_bitmalloc);
    memset(cmm_bitmalloc, 0, cmm_bittable_size>>3);

    cmm_arena = mmap(NULL, pgsize + mem_arena_size + pgsize,
                     PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE, 0, 0);
    assert(MAP_FAILED != cmm_arena);
    mprotect(cmm_arena, pgsize, PROT_NONE);
    mprotect(cmm_arena + aligned, pgsize, PROT_NONE);
    set_bit(cmm_arena, 0, cmm_bittable);
    cmm_add_to_list(&cmm_free_list[0], cmm_arena);

    /* first bit means that table is in use, multi-arena management */
    /* SETBIT(cmm_bittable, 0); */

    return cmm_arena;
}
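The arena layout discussed in this thread (a mapping bracketed by PROT_NONE guard pages, locked into RAM and kept out of core dumps where the platform allows), as an added example that is not the Akamai patch or OpenSSL code. The names guarded_arena, arena_create, arena_probe_faults and arena_destroy are hypothetical; it assumes a POSIX system with anonymous mmap, and it records mlock or MADV_DONTDUMP failure as a status instead of treating it as an error.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes MAP_ANONYMOUS and MADV_DONTDUMP on glibc */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical names throughout; an illustration, not the patch's API. */
struct guarded_arena {
    unsigned char *map;   /* start of the mapping (the low guard page) */
    unsigned char *data;  /* first usable byte, one page above map */
    size_t data_len;      /* usable bytes, rounded up to whole pages */
    size_t map_len;       /* data_len plus the two guard pages */
    int locked;           /* 1 if mlock() kept the pages out of swap */
    int nodump;           /* 1 if the pages are excluded from core dumps */
};

/* Map guard | data | guard. Returns 0 on success, -1 on failure. */
int arena_create(struct guarded_arena *a, size_t want)
{
    long ps = sysconf(_SC_PAGESIZE);
    size_t pg, data_len;
    void *m;
    memset(a, 0, sizeof(*a));
    if (ps <= 0 || want == 0 || want > ((size_t)-1 >> 1))
        return -1;
    pg = (size_t)ps;
    data_len = (want + pg - 1) & ~(pg - 1);
    m = mmap(NULL, data_len + 2 * pg, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;
    a->map = m;
    a->data = a->map + pg;
    a->data_len = data_len;
    a->map_len = data_len + 2 * pg;
    /* A stray access just below or just above the data region now faults. */
    if (mprotect(a->map, pg, PROT_NONE) != 0 ||
        mprotect(a->data + data_len, pg, PROT_NONE) != 0) {
        munmap(a->map, a->map_len);
        memset(a, 0, sizeof(*a));
        return -1;
    }
    /* Best effort: RLIMIT_MEMLOCK may forbid locking, so record the outcome. */
    a->locked = (mlock(a->data, data_len) == 0);
#ifdef MADV_DONTDUMP
    a->nodump = (madvise(a->data, data_len, MADV_DONTDUMP) == 0);
#endif
    return 0;
}

/* Zero the contents, then unmap everything including the guard pages. */
void arena_destroy(struct guarded_arena *a)
{
    volatile unsigned char *p = a->data;
    size_t i;
    for (i = 0; i < a->data_len; i++) p[i] = 0;
    if (a->map != NULL)
        munmap(a->map, a->map_len);
    memset(a, 0, sizeof(*a));
}

static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Self-test helper: returns 1 if reading *addr faults, 0 if it is readable. */
int arena_probe_faults(const volatile unsigned char *addr)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 1;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(probe_env, 1) == 0) {
        unsigned char c = *addr;   /* faults if addr lies in a guard page */
        (void)c;
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

int main(void)
{
    struct guarded_arena a;
    if (arena_create(&a, 4096) != 0) return 1;
    memset(a.data, 0x5a, a.data_len);  /* constructed stand-in for key bytes */
    printf("locked=%d nodump=%d low_guard=%d high_guard=%d\n", a.locked, a.nodump,
           arena_probe_faults(a.data - 1), arena_probe_faults(a.data + a.data_len));
    arena_destroy(&a);
    return 0;
}
```

The usable region starts one page above the address mmap returns, so the pointer handed to callers is never the guard page itself.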
RE: AES encryption using RSA keys
From: owner-openssl-us...@openssl.org On Behalf Of krishnamurthy santhanam
Sent: Friday, 26 August, 2011 16:11

> Thanks for your detailed Explanation Dave. I am going to encrypt using AES in server side using EVP ,
>
> EVP_EncryptInit_ex(x, EVP_aes_256_cbc(), NULL, key,iv))
> EVP_EncryptUpdate(x, outbuf, outlen, (const unsigned char*) intext, strlen(intext)))
> EVP_EncryptFinal_ex(x,outbuf+outlen,tmplen))
>
> client will be using JAVE to decrypt the same. should i use the above same function to encrypt the or i must use AES_cbc_encrypt();

It's your choice. You can use EVP and select AES (or other); or you can use AES directly, but you can't just call AES_cbc_encrypt: you have to set the key schedule first, and you have to add padding on encrypt and remove it on decrypt. These are the sort of details that EVP handles for you (exact details vary by algorithm).
Re: AES encryption using RSA keys
Thanks for your detailed explanation, Dave.

I am going to encrypt using AES on the server side using EVP:

    EVP_EncryptInit_ex(&x, EVP_aes_256_cbc(), NULL, key, iv)
    EVP_EncryptUpdate(&x, outbuf, &outlen, (const unsigned char*) intext, strlen(intext))
    EVP_EncryptFinal_ex(&x, outbuf+outlen, &tmplen)

The client will be using Java to decrypt the same. Should I use the above same function to encrypt, or must I use AES_cbc_encrypt() to encrypt the same?

Thanks for your time,
Krishnamurthy

On Fri, Aug 26, 2011 at 5:20 AM, Dave Thompson dthomp...@prinpay.com wrote:

> From: owner-openssl-us...@openssl.org On Behalf Of krishnamurthy santhanam
> Sent: Wednesday, 24 August, 2011 02:32
>
>> Basically when we encrypt something using an RSA key (whether public or private), the encrypted value must be smaller than the key (due to the maths used to do the actual encryption). So if you have a 1024-bit key, in theory we could encrypt any 1023-bit value (or a 1024-bit value smaller than the key) with that key.
>
> More precisely, smaller than the modulus 'N' but large enough not to be subject to a trivial break. An RSA public key is the pair (e,n) where e is usually small, and the private key is in principle the pair (d,n) where d is usually a substantial fraction of n. RSA private keys may and in OpenSSL do also include additional 'Chinese Remainder Theorem' aka CRT information to make computation faster.
>
> Plus, most actual RSA encryption schemes add padding. In particular simply RSA-encrypting raw user data allows an adversary to determine if a guessed plaintext is correct, which in general is considered an unacceptable weakness. Thus the value size you can encrypt is somewhat less than the RSA modulus size because of this padding; the commonly used PKCS#1 v1.5 'classic' and v2 OAEP are 11 and 41 bytes. If used certain ways v1.5 has weakness (see Bleichenbacher's attack on early SSL) which is why OAEP was created.
>
>> Below is the code snippet I am trying to do AES encryption. It works fine. If I see some example in openssl they are using KEY value EVP_MAX_KEY_LENGTH (32 bytes). Can I use RSA public key (1024 bit) to encrypt the same value and use private to decrypt the value?
>
> It's not entirely 'fine', see below.
>
> EVP_MAX_KEY_LENGTH is the maximum length for *any* (supported) *symmetric* algorithm. It is useful if you want to write generic code that works for various algorithms selectable at runtime, as many common systems like SSL/TLS SMIME/CMS/PKCS7 PGP do. If you are using only a specific cipher you can use the key length for that cipher which might be smaller.
>
> However, the key lengths for *asymmetric* algorithms, including RSA, are all separate. You need to use the correct one for each.
>
>>     unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
>>     unsigned char iv[] = {1,2,3,4,5,6,7,8};
>>     char intext[] = "string to make the random number generator think it has entropy";
>>
>>     // Straight encrypt
>>     EVP_CIPHER_CTX x;
>>     EVP_CIPHER_CTX_init(&x);
>>     if(!EVP_EncryptInit_ex(&x, EVP_aes_256_cbc(), NULL, key, iv))
>>         printf("\n ERROR!! \n");
>
> The key for AES-256 is 32 bytes, and IV for AES-anything 16 bytes. You are using partly unknown possibly garbage values, which means you may be unable to decrypt the result in any other program. (Of course in any real use the IV should be random or at least unique and unpredictable, and the key should be random or at least secret.)
>
>>     if(!EVP_EncryptUpdate(&x, outbuf, &outlen, (const unsigned char*) intext, strlen(intext)))
>>         printf("\n ERROR!! \n");
>>     if(!EVP_EncryptFinal_ex(&x, outbuf+outlen, &tmplen))
>>         printf("\n ERROR!! \n");
>>     outlen+=tmplen;
>
> In general when any OpenSSL call returns an error, you should look at the error stack: http://www.openssl.org/support/faq.html#PROG6
> For these particular calls (symm encrypt without engine) it's not vital, but if and when you start doing other things it becomes valuable.
>
>>     }
>>     EVP_CIPHER_CTX_cleanup(&x);
>
> This should be within the routine (before the closing brace).
>
> Now to your actual question: Yes in abstract you can encrypt and decrypt data directly with RSA. In practice people usually don't, because of the limitations. Most widespread systems like SSL/TLS and SMIME and PGP are 'hybrid', where for encryption the data is encrypted with a symmetric algorithm and a random 'working' or 'session' key, and public-key algorithms like RSA DH or ECDH are used to transfer or share that working key; in the simplest case, the working key is just RSA-encrypted. Similarly for signing people don't actually RSA-sign their data; instead a hash like SHA1 is computed from the data, and that hash (plus limited overhead like an OID) is signed by RSA or [EC]DSA. These
RE: AES encryption using RSA keys
From: owner-openssl-us...@openssl.org On Behalf Of krishnamurthy santhanam
Sent: Wednesday, 24 August, 2011 02:32

> Basically when we encrypt something using an RSA key (whether public or private), the encrypted value must be smaller than the key (due to the maths used to do the actual encryption). So if you have a 1024-bit key, in theory we could encrypt any 1023-bit value (or a 1024-bit value smaller than the key) with that key.

More precisely, smaller than the modulus 'N' but large enough not to be subject to a trivial break. An RSA public key is the pair (e,n) where e is usually small, and the private key is in principle the pair (d,n) where d is usually a substantial fraction of n. RSA private keys may and in OpenSSL do also include additional 'Chinese Remainder Theorem' aka CRT information to make computation faster.

Plus, most actual RSA encryption schemes add padding. In particular simply RSA-encrypting raw user data allows an adversary to determine if a guessed plaintext is correct, which in general is considered an unacceptable weakness. Thus the value size you can encrypt is somewhat less than the RSA modulus size because of this padding; the commonly used PKCS#1 v1.5 'classic' and v2 OAEP are 11 and 41 bytes. If used certain ways v1.5 has weakness (see Bleichenbacher's attack on early SSL) which is why OAEP was created.

> Below is the code snippet I am trying to do AES encryption. It works fine. If I see some example in openssl they are using KEY value EVP_MAX_KEY_LENGTH (32 bytes). Can I use RSA public key (1024 bit) to encrypt the same value and use private to decrypt the value?

It's not entirely 'fine', see below.

EVP_MAX_KEY_LENGTH is the maximum length for *any* (supported) *symmetric* algorithm. It is useful if you want to write generic code that works for various algorithms selectable at runtime, as many common systems like SSL/TLS SMIME/CMS/PKCS7 PGP do. If you are using only a specific cipher you can use the key length for that cipher which might be smaller.

However, the key lengths for *asymmetric* algorithms, including RSA, are all separate. You need to use the correct one for each.

>     unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
>     unsigned char iv[] = {1,2,3,4,5,6,7,8};
>     char intext[] = "string to make the random number generator think it has entropy";
>
>     // Straight encrypt
>     EVP_CIPHER_CTX x;
>     EVP_CIPHER_CTX_init(&x);
>     if(!EVP_EncryptInit_ex(&x, EVP_aes_256_cbc(), NULL, key, iv))
>         printf("\n ERROR!! \n");

The key for AES-256 is 32 bytes, and IV for AES-anything 16 bytes. You are using partly unknown possibly garbage values, which means you may be unable to decrypt the result in any other program. (Of course in any real use the IV should be random or at least unique and unpredictable, and the key should be random or at least secret.)

>     if(!EVP_EncryptUpdate(&x, outbuf, &outlen, (const unsigned char*) intext, strlen(intext)))
>         printf("\n ERROR!! \n");
>     if(!EVP_EncryptFinal_ex(&x, outbuf+outlen, &tmplen))
>         printf("\n ERROR!! \n");
>     outlen+=tmplen;

In general when any OpenSSL call returns an error, you should look at the error stack: http://www.openssl.org/support/faq.html#PROG6
For these particular calls (symm encrypt without engine) it's not vital, but if and when you start doing other things it becomes valuable.

>     }
>     EVP_CIPHER_CTX_cleanup(&x);

This should be within the routine (before the closing brace).

Now to your actual question: Yes in abstract you can encrypt and decrypt data directly with RSA. In practice people usually don't, because of the limitations. Most widespread systems like SSL/TLS and SMIME and PGP are 'hybrid', where for encryption the data is encrypted with a symmetric algorithm and a random 'working' or 'session' key, and public-key algorithms like RSA DH or ECDH are used to transfer or share that working key; in the simplest case, the working key is just RSA-encrypted. Similarly for signing people don't actually RSA-sign their data; instead a hash like SHA1 is computed from the data, and that hash (plus limited overhead like an OID) is signed by RSA or [EC]DSA. These hybrids are what EVP_{Seal,Open}* and EVP_{Sign,Verify}* do.
AES encryption using RSA keys
Basically when we encrypt something using an RSA key (whether public or private), the encrypted value must be smaller than the key (due to the maths used to do the actual encryption). So if you have a 1024-bit key, in theory we could encrypt any 1023-bit value (or a 1024-bit value smaller than the key) with that key.

Below is the code snippet I am trying to do AES encryption. It works fine. If I see some example in openssl they are using KEY value EVP_MAX_KEY_LENGTH (32 bytes). Can I use RSA public key (1024 bit) to encrypt the same value and use private to decrypt the value?

    int main(int argc, char* argv[])
    {
        unsigned char outbuf2[1024];
        unsigned char outbuf[1024];
        int outlen, outlen2, tmplen;
        unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
        unsigned char iv[] = {1,2,3,4,5,6,7,8};
        char intext[] = "string to make the random number generator think it has entropy";

        // Straight encrypt
        EVP_CIPHER_CTX x;
        EVP_CIPHER_CTX_init(&x);
        if(!EVP_EncryptInit_ex(&x, EVP_aes_256_cbc(), NULL, key, iv))
            printf("\n ERROR!! \n");
        if(!EVP_EncryptUpdate(&x, outbuf, &outlen, (const unsigned char*) intext, strlen(intext)))
            printf("\n ERROR!! \n");
        if(!EVP_EncryptFinal_ex(&x, outbuf+outlen, &tmplen))
            printf("\n ERROR!! \n");
        outlen+=tmplen;
    }
    EVP_CIPHER_CTX_cleanup(&x);

Thanks,
Krishnamurthy
components of RSA keys?
Good afternoon,

When generating an RSA key, several components are described in the output file. Per the RSA specification on wikipedia, I can identify the following values:

    prime1: p
    prime2: q
    modulus: N = p * q
    publicExponent: e
    privateExponent: d

What I'm not clear about is what function these values play:

    exponent1: ??
    exponent2: ??
    coefficient: ??

Can someone explain?

Thanks,
Mike
Re: components of RSA keys?
Take a look at: http://en.wikipedia.org/wiki/RSA#Using_the_Chinese_remainder_algorithm

    exponent1 = dp
    exponent2 = dq
    coefficient = qInv

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 12/23/2010 9:48 PM, Mike Mohr wrote:
> Good afternoon,
>
> When generating an RSA key, several components are described in the output file. Per the RSA specification on wikipedia, I can identify the following values:
>
>     prime1: p
>     prime2: q
>     modulus: N = p * q
>     publicExponent: e
>     privateExponent: d
>
> What I'm not clear about is what function these values play:
>
>     exponent1: ??
>     exponent2: ??
>     coefficient: ??
>
> Can someone explain?
>
> Thanks,
> Mike
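What the three CRT fields are for, as an added worked example (not code from OpenSSL or from the posters): a toy key built from small textbook primes, with decryption done once with d alone and once with dp, dq and qInv. The names toy_rsa_key, toy_rsa_from_primes, decrypt_plain and decrypt_crt are hypothetical, d is taken as e^-1 mod (p-1)(q-1), and the 64-bit arithmetic only holds for such tiny moduli.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy key: field names follow the answer above (dp, dq, qInv).
 * OpenSSL prints them as exponent1, exponent2 and coefficient. */
typedef struct {
    uint64_t n, e, d;       /* modulus, public and private exponent */
    uint64_t p, q;          /* prime1, prime2 */
    uint64_t dp, dq, qinv;  /* d mod (p-1), d mod (q-1), q^-1 mod p */
} toy_rsa_key;

/* Square-and-multiply; safe only while m < 2^32. */
static uint64_t mod_pow(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1 % m;

    b %= m;
    while (e) {
        if (e & 1)
            r = r * b % m;
        b = b * b % m;
        e >>= 1;
    }
    return r;
}

/* Extended Euclid; returns 0 when a has no inverse modulo m. */
static uint64_t mod_inv(uint64_t a, uint64_t m)
{
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m);

    while (nr != 0) {
        int64_t q = r / nr, tmp;

        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    if (r != 1)
        return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

static int toy_rsa_from_primes(toy_rsa_key *k, uint64_t p, uint64_t q, uint64_t e)
{
    k->p = p; k->q = q; k->e = e; k->n = p * q;
    k->d = mod_inv(e, (p - 1) * (q - 1));
    if (k->d == 0)
        return -1;
    k->dp = k->d % (p - 1);     /* exponent1 */
    k->dq = k->d % (q - 1);     /* exponent2 */
    k->qinv = mod_inv(q, p);    /* coefficient */
    return k->qinv ? 0 : -1;
}

static uint64_t encrypt(const toy_rsa_key *k, uint64_t m)
{
    return mod_pow(m, k->e, k->n);
}

/* One exponentiation with the full-size d modulo n. */
static uint64_t decrypt_plain(const toy_rsa_key *k, uint64_t c)
{
    return mod_pow(c, k->d, k->n);
}

/* Two half-size exponentiations, recombined with qInv (Garner's formula). */
static uint64_t decrypt_crt(const toy_rsa_key *k, uint64_t c)
{
    uint64_t m1 = mod_pow(c, k->dp, k->p);
    uint64_t m2 = mod_pow(c, k->dq, k->q);
    uint64_t diff = (m1 + k->p - m2 % k->p) % k->p;   /* (m1 - m2) mod p */
    uint64_t h = k->qinv * diff % k->p;

    return m2 + h * k->q;
}

/* Returns 1 when both decryption paths agree for every value below n. */
static int crt_matches_plain(const toy_rsa_key *k)
{
    uint64_t c;

    for (c = 0; c < k->n; c++)
        if (decrypt_crt(k, c) != decrypt_plain(k, c))
            return 0;
    return 1;
}

int main(void)
{
    toy_rsa_key k;
    uint64_t c;

    if (toy_rsa_from_primes(&k, 61, 53, 17) != 0)   /* constructed toy values */
        return 1;
    c = encrypt(&k, 65);
    printf("n=%llu d=%llu dp=%llu dq=%llu qinv=%llu\n",
           (unsigned long long)k.n, (unsigned long long)k.d,
           (unsigned long long)k.dp, (unsigned long long)k.dq,
           (unsigned long long)k.qinv);
    printf("c=%llu plain=%llu crt=%llu agree=%d\n", (unsigned long long)c,
           (unsigned long long)decrypt_plain(&k, c),
           (unsigned long long)decrypt_crt(&k, c), crt_matches_plain(&k));
    return 0;
}
```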
Re: components of RSA keys?
On Thu, Dec 23, 2010 at 3:48 PM, Mike Mohr akih...@gmail.com wrote:
> Good afternoon,
>
> When generating an RSA key, several components are described in the output file. Per the RSA specification on wikipedia,

You should question anything on Wiki since it is generally unedited. Don't make the mistake of the fellow posting on sci.crypt who claimed Dr. Adler's reference implementation of ADLER-32 was wrong because there was a discrepancy in Wiki. From "Need peer review: May have found mistake in Adler-32!":

    This is going out the Mr. Adler, his friends at zlib, the related newsgroups comp.compression and sci.crypt, and the newsgroups sci.math and sci.math.num-analysis... This post relates to suspec calculations... [1]

> I can identify the following values:
>
>     prime1: p
>     prime2: q
>     modulus: N = p * q
>     publicExponent: e
>     privateExponent: d
>
> What I'm not clear about is what function these values play:
>
>     exponent1: ??
>     exponent2: ??
>     coefficient: ??

See Handbook of Applied Cryptography. All chapters are available online. http://www.cacr.math.uwaterloo.ca/hac/.

Jeff

[1] http://groups.google.com/group/comp.compression/browse_thread/thread/5a37a9fcd32786fd/9859a0c61a3fb333
Re: components of RSA keys?
Thanks much for the clarification. I'm interested in re-implementing RSA for my own education; can someone point me to the location in the openssl sources where the RSA keys are actually generated (so I can see how the BIGNUMs are manipulated)?

Thanks,
Mike

On Thu, Dec 23, 2010 at 1:17 PM, Mounir IDRASSI mounir.idra...@idrix.net wrote:
> Take a look at: http://en.wikipedia.org/wiki/RSA#Using_the_Chinese_remainder_algorithm
>
>     exponent1 = dp
>     exponent2 = dq
>     coefficient = qInv
>
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
> On 12/23/2010 9:48 PM, Mike Mohr wrote:
>> Good afternoon,
>>
>> When generating an RSA key, several components are described in the output file. Per the RSA specification on wikipedia, I can identify the following values:
>>
>>     prime1: p
>>     prime2: q
>>     modulus: N = p * q
>>     publicExponent: e
>>     privateExponent: d
>>
>> What I'm not clear about is what function these values play:
>>
>>     exponent1: ??
>>     exponent2: ??
>>     coefficient: ??
>>
>> Can someone explain?
>>
>> Thanks,
>> Mike
Re: components of RSA keys?
Start at function rsa_builtin_keygen in file crypto/rsa/rsa_gen.c.

Good hack,

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 12/24/2010 12:35 AM, Mike Mohr wrote:
> Thanks much for the clarification. I'm interested in re-implementing RSA for my own education; can someone point me to the location in the openssl sources where the RSA keys are actually generated (so I can see how the BIGNUMs are manipulated)?
>
> Thanks,
> Mike
>
> On Thu, Dec 23, 2010 at 1:17 PM, Mounir IDRASSI mounir.idra...@idrix.net wrote:
>> Take a look at: http://en.wikipedia.org/wiki/RSA#Using_the_Chinese_remainder_algorithm
>>
>>     exponent1 = dp
>>     exponent2 = dq
>>     coefficient = qInv
>>
>> --
>> Mounir IDRASSI
>> IDRIX
>> http://www.idrix.fr
>>
>> On 12/23/2010 9:48 PM, Mike Mohr wrote:
>>> Good afternoon,
>>>
>>> When generating an RSA key, several components are described in the output file. Per the RSA specification on wikipedia, I can identify the following values:
>>>
>>>     prime1: p
>>>     prime2: q
>>>     modulus: N = p * q
>>>     publicExponent: e
>>>     privateExponent: d
>>>
>>> What I'm not clear about is what function these values play:
>>>
>>>     exponent1: ??
>>>     exponent2: ??
>>>     coefficient: ??
>>>
>>> Can someone explain?
>>>
>>> Thanks,
>>> Mike
Skipping the OID and BIT string prefix in DER formatted RSA keys
Hi guys,

I am using the following command to output the public key for a given RSA private key:

    openssl rsa -in keyfile.private.pem -pubout -outform DER

The output includes a SEQ with an OID, followed by a BIT string containing the DER formatted public key I need.

Deleting the first 22 bytes (leaving everything after the BIT string header) worked in the target application.

Is there a trick to getting openssl not to output the OID and BIT string wrapper?

Thanks,
Nick
RE: Skipping the OID and BIT string prefix in DER formatted RSA keys
From: owner-openssl-us...@openssl.org On Behalf Of Nick Kelsey
Sent: Thursday, 01 July, 2010 02:00

> I am using the following command to output the public key for a given RSA private key:
>
>     openssl rsa -in keyfile.private.pem -pubout -outform DER
>
> The output includes a SEQ with an OID, followed by a BIT string containing the DER formatted public key I need.

Right-ish. That's the 'SubjectPublicKeyInfo' format defined by X.509 and used by lots of other things including OpenSSL. It's SEQ of
- the Algorithm ID (actually a sub-SEQ of an OID plus a 'parameters' object; for RSA the parameters are ASN.1 NULL encoded as 05 00; for some algorithms e.g. DSA the parameters contain real info)
- plus the algorithm-dependent keyinfo wrapped in a BITSTRING; for RSA this is the PKCS#1 RSAPublicKey (SEQ of N and E).

> Deleting the first 22 bytes (leaving everything after the BIT string header) worked in the target application.

Note it won't always be the same. The length of the ASN.1 headers (for DER) varies depending on the length of the data being encoded. For RSAPublicKey with conventional small E (so N takes most of the space) N larger than about 1900 bits will make the headers bigger. If you want to do this reliably, you should parse the 3 TLV's.

> Is there a trick to getting openssl not to output the OID and BIT string wrapper?

I believe not with the commandline. In code you should be able to get the RSA* internal object (out of a generic EVP if appropriate) and call i2d_RSAPublicKey or PEM_write[_bio]_RSAPublicKey. (Not _RSA_PUBKEY which does the X.509-wrapped version.)
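Parsing the three TLVs instead of cutting a fixed prefix, as an added example (not OpenSSL code and not from the posters). It walks SEQUENCE, AlgorithmIdentifier and BIT STRING to locate the inner RSAPublicKey, using the 62-byte clepub_der array posted in the "Problem with d2i functions" message on this page plus a constructed 1024-bit wrapper with filler modulus bytes; der_header, spki_rsa_offset and make_spki_1024 are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* clepub_der as posted on this page: SubjectPublicKeyInfo, 256-bit RSA key. */
static const unsigned char page_spki[62] = {
    0x30, 0x3c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
    0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x2b, 0x00, 0x30, 0x28, 0x02, 0x21,
    0x00, 0xdb, 0x46, 0x81, 0xdc, 0x1c, 0xc4, 0x6a, 0x7d, 0xa3, 0xcc, 0xc1,
    0x60, 0x91, 0x5e, 0x5a, 0xf1, 0x79, 0x75, 0x76, 0x33, 0x73, 0x4c, 0x4d,
    0xa0, 0x8e, 0x25, 0x17, 0xa7, 0xfb, 0x46, 0x15, 0x57, 0x02, 0x03, 0x01,
    0x00, 0x01
};

/* AlgorithmIdentifier contents for RSA: OID 1.2.840.113549.1.1.1 + NULL. */
static const unsigned char rsa_alg[] = {
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00
};

struct tlv { unsigned char tag; size_t hdr, len; };

/* Read one DER tag/length header from buf[0..avail). Returns 0 on success. */
static int der_header(const unsigned char *buf, size_t avail, struct tlv *t)
{
    size_t n, i;

    if (avail < 2 || (buf[0] & 0x1f) == 0x1f)   /* no high-tag-number form */
        return -1;
    t->tag = buf[0];
    if (buf[1] < 0x80) {                        /* short form */
        t->hdr = 2;
        t->len = buf[1];
    } else {                                    /* long form: n length bytes */
        n = buf[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || avail < 2 + n)
            return -1;                          /* indefinite or oversized */
        for (t->len = 0, i = 0; i < n; i++)
            t->len = (t->len << 8) | buf[2 + i];
        if (buf[2] == 0 || (n == 1 && t->len < 0x80))
            return -1;                          /* not minimal, so not DER */
        t->hdr = 2 + n;
    }
    return t->len > avail - t->hdr ? -1 : 0;    /* value must fit the input */
}

/* Offset of the RSAPublicKey SEQUENCE inside spki, or -1. *rsa_len gets its
 * full encoded length (header included). */
static long spki_rsa_offset(const unsigned char *spki, size_t len, size_t *rsa_len)
{
    struct tlv outer, alg, bits, inner;
    size_t off, end;

    if (der_header(spki, len, &outer) || outer.tag != 0x30)
        return -1;
    off = outer.hdr;
    end = outer.hdr + outer.len;
    if (der_header(spki + off, end - off, &alg) || alg.tag != 0x30)
        return -1;
    if (alg.len != sizeof rsa_alg ||
        memcmp(spki + off + alg.hdr, rsa_alg, sizeof rsa_alg) != 0)
        return -1;                              /* not an RSA key */
    off += alg.hdr + alg.len;
    if (der_header(spki + off, end - off, &bits) || bits.tag != 0x03)
        return -1;
    if (bits.len < 1 || spki[off + bits.hdr] != 0x00)
        return -1;                              /* unused-bits octet must be 0 */
    off += bits.hdr + 1;
    if (der_header(spki + off, bits.len - 1, &inner) || inner.tag != 0x30)
        return -1;
    *rsa_len = inner.hdr + inner.len;
    return (long)off;
}

/* Constructed 1024-bit wrapper; the 128 modulus bytes are filler (0xC1). */
static size_t make_spki_1024(unsigned char *out, size_t cap)
{
    static const unsigned char head[] = {
        0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
        0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81,
        0x89, 0x02, 0x81, 0x81, 0x00
    };
    static const unsigned char tail[] = { 0x02, 0x03, 0x01, 0x00, 0x01 };
    size_t n = sizeof head + 128 + sizeof tail;

    if (cap < n)
        return 0;
    memcpy(out, head, sizeof head);
    memset(out + sizeof head, 0xC1, 128);
    memcpy(out + sizeof head + 128, tail, sizeof tail);
    return n;
}

int main(void)
{
    unsigned char big[162];
    size_t n = 0, biglen = make_spki_1024(big, sizeof big);

    printf("256-bit key from this page: wrapper is %ld bytes\n",
           spki_rsa_offset(page_spki, sizeof page_spki, &n));
    printf("constructed 1024-bit key  : wrapper is %ld bytes\n",
           spki_rsa_offset(big, biglen, &n));
    return 0;
}
```

The two keys give different prefix lengths, which is why a hard-coded 22 works for one key size and silently corrupts another.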
Prevent RSA keys from being paged out?
Greetings community,

Can anyone tell me if the crypto libraries perform any sort of locking on private key structures to prevent them from being paged out of memory? Or is it required to call mlock/munlock or the equivalent on other platforms explicitly?

Thank you in advance for your replies.

Conor.
Re: read rsa keys
Dr. Stephen Henson wrote:
> On Mon, Jul 27, 2009, Neil Dugan wrote:
>> Hi,
>>
>> I have been trying to read the keys generated by "openssl genrsa ..." and "openssl rsa -pubout ..." commands.
>>
>> I successfully (according to the return code) read the private key with
>>
>>     if (in = BIO_new_file("rsakey.pem", "r")) {
>>         int ok;
>>         printf ("Created private BIO\n");
>>         ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
>>         printf ("ok = %s\n", (ok != 0) ? "true":"false");
>>         BIO_free(in);
>>     }
>>
>> but the similar code using PEM_read_bio_RSAPublicKey() doesn't want to work.
>
> Use PEM_read_bio_RSA_PUBKEY() instead.
>
> Steve.

Thanks, that seemed to work. But the PEM_write_RSAPublicKey(stdout, rsa); call doesn't output the same data as what is in the key file. So did it get read properly?
Re: read rsa keys
On Mon, Jul 27, 2009, Neil Dugan wrote:
> Dr. Stephen Henson wrote:
>> On Mon, Jul 27, 2009, Neil Dugan wrote:
>>> Hi,
>>>
>>> I have been trying to read the keys generated by "openssl genrsa ..." and "openssl rsa -pubout ..." commands.
>>>
>>> I successfully (according to the return code) read the private key with
>>>
>>>     if (in = BIO_new_file("rsakey.pem", "r")) {
>>>         int ok;
>>>         printf ("Created private BIO\n");
>>>         ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
>>>         printf ("ok = %s\n", (ok != 0) ? "true":"false");
>>>         BIO_free(in);
>>>     }
>>>
>>> but the similar code using PEM_read_bio_RSAPublicKey() doesn't want to work.
>>
>> Use PEM_read_bio_RSA_PUBKEY() instead.
>>
>> Steve.
>
> Thanks, that seemed to work. But the PEM_write_RSAPublicKey(stdout, rsa); call doesn't output the same data as what is in the key file. So did it get read properly?

Well, that's a different format so you won't get the same. Use PEM_write_RSA_PUBKEY() as well and they should be the same.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: read rsa keys segmentation fault
Neil Dugan wrote:
> Dr. Stephen Henson wrote:
>> On Mon, Jul 27, 2009, Neil Dugan wrote:
>>> Hi,
>>>
>>> I have been trying to read the keys generated by "openssl genrsa ..." and "openssl rsa -pubout ..." commands.
>>>
>>> I successfully (according to the return code) read the private key with
>>>
>>>     if (in = BIO_new_file("rsakey.pem", "r")) {
>>>         int ok;
>>>         printf ("Created private BIO\n");
>>>         ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
>>>         printf ("ok = %s\n", (ok != 0) ? "true":"false");
>>>         BIO_free(in);
>>>     }
>>>
>>> but the similar code using PEM_read_bio_RSAPublicKey() doesn't want to work.
>>
>> Use PEM_read_bio_RSA_PUBKEY() instead.
>>
>> Steve.
>
> Thanks, that seemed to work. But the PEM_write_RSAPublicKey(stdout, rsa); call doesn't output the same data as what is in the key file. So did it get read properly?

I found that PEM_write_RSA_PUBKEY(stdout, rsa); does print the correct key. Why the two very similar functions? And why aren't they outputting the same data?

Now I have updated the code, to try and encrypt/decrypt some test data. Why is it causing a segmentation fault at line 39, the RSA_private_decrypt(size, from, to, rsa, RSA_NO_PADDING); call?
Re: read rsa keys segmentation fault
Neil Dugan wrote:
> Dr. Stephen Henson wrote:
>> On Mon, Jul 27, 2009, Neil Dugan wrote:
>>> Hi,
>>>
>>> I have been trying to read the keys generated by "openssl genrsa ..." and "openssl rsa -pubout ..." commands.
>>>
>>> I successfully (according to the return code) read the private key with
>>>
>>>     if (in = BIO_new_file("rsakey.pem", "r")) {
>>>         int ok;
>>>         printf ("Created private BIO\n");
>>>         ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
>>>         printf ("ok = %s\n", (ok != 0) ? "true":"false");
>>>         BIO_free(in);
>>>     }
>>>
>>> but the similar code using PEM_read_bio_RSAPublicKey() doesn't want to work.
>>
>> Use PEM_read_bio_RSA_PUBKEY() instead.
>>
>> Steve.
>
> Thanks, that seemed to work. But the PEM_write_RSAPublicKey(stdout, rsa); call doesn't output the same data as what is in the key file. So did it get read properly?

I found that PEM_write_RSA_PUBKEY(stdout, rsa); does print the correct key.

Now I have updated the code, to try and encrypt/decrypt some test data. Why is it causing a segmentation fault at line 39, the RSA_private_decrypt(size, from, to, rsa, RSA_NO_PADDING); call?

    #include <openssl/ssl.h>
    #include <openssl/rsa.h>
    #include <stdio.h>

    BIO *bio_err=0;

    void print_data(unsigned char *data, int size)
    {
        int x;

        printf (" : ");
        for (x = 0; x < size; x++) {
            if ((x > 0) && (x % 16 == 0))
                printf ("\n%04x : ", x);
            printf ("%02x ", data[x]);
        }
        printf ("\n--\n");
    }

    unsigned char * public_encrypt(RSA *rsa, unsigned char *from)
    {
        int size = RSA_size(rsa);
        unsigned char *to;

        if (to = malloc(size)) {
            int x;
            RSA_public_encrypt(size, from, to, rsa, RSA_NO_PADDING);
            return (to);
        } else {
            printf("memory allocation error\n");
            return (NULL);
        }
    }

    unsigned char * private_decrypt(RSA *rsa, unsigned char *from)
    {
        int size = RSA_size(rsa);
        unsigned char *to;

        if (to = malloc(size)) {
            int x;
            RSA_private_decrypt(size, from, to, rsa, RSA_NO_PADDING);
            return (to);
        } else {
            printf("memory allocation error\n");
            return (NULL);
        }
    }

    int main (int argc, char**argv)
    {
        RSA *rsa;
        int size;

        if ((rsa = RSA_new()) != NULL) {
            printf ("Allocated new RSA structure\n");
            BIO *in;
            if (in = BIO_new_file("rsakey.pem", "r")) {
                int ok;
                printf ("Created private BIO\n");
                ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
                printf ("ok = %s\n", (ok != 0) ? "true":"false");
                BIO_free(in);
            }
            if (in = BIO_new_file("pubkey.pem", "r")) {
                int ok;
                printf ("Created public BIO\n");
                ok = (PEM_read_bio_RSA_PUBKEY(in, &rsa, NULL, NULL) != NULL);
                printf ("ok = %s\n", (ok != 0) ? "true":"false");
                BIO_free(in);
            }
            //PEM_write_RSAPublicKey(stdout, rsa);
            PEM_write_RSA_PUBKEY(stdout, rsa);

            size = RSA_size(rsa);
            if (size > 0) {
                unsigned char *encrypted;
                unsigned char *plain;
                int x;

                // generate and print the plain text
                plain = malloc(size);
                for (x = 0; x < size; x++)
                    plain[x] = x & 0xFF;
                print_data(plain,size);

                // encrypt and print
                encrypted = public_encrypt(rsa,plain);
                print_data(encrypted,size);
                free (plain);

                // decrypt and print
                plain = private_decrypt(rsa,encrypted);
                print_data(plain,size);

                // cleanup
                free(encrypted);
                free(plain);
            }
            RSA_free(rsa);
        }
    }
read rsa keys
Hi,

I have been trying to read the keys generated by "openssl genrsa ..." and "openssl rsa -pubout ..." commands.

I successfully (according to the return code) read the private key with

    if (in = BIO_new_file("rsakey.pem", "r")) {
        int ok;
        printf ("Created private BIO\n");
        ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
        printf ("ok = %s\n", (ok != 0) ? "true":"false");
        BIO_free(in);
    }

but the similar code using PEM_read_bio_RSAPublicKey() doesn't want to work.

Can someone help with either some example code, or some idea what I am doing wrong? I want to be able to encrypt/decrypt a string with both the private and public keys.

Hopefully,
Neil.

    #include <openssl/ssl.h>
    #include <openssl/rsa.h>
    #include <stdio.h>

    BIO *bio_err=0;

    int main (int argc, char**argv)
    {
        SSL_CTX *ctx;
        SSL *ssl;
        BIO *sbio;
        RSA *rsa;

    #if 0
        if ((rsa = RSA_new()) != NULL) {
            printf ("Allocated new RSA structure\n");
            if (RSA_print(bio_err, rsa, 0) == 0)
                printf ("Failed to print\n");
            printf ("size = %d bytes\n", RSA_size(rsa));
            RSA_free(rsa);
        }
    #endif

    #if 0
        if ((rsa = RSA_generate_key(2048, 17, NULL, NULL)) != NULL) {
            int ok;
            printf ("Allocated new RSA structure\n");
            ok = PEM_write_RSAPublicKey(stdout, rsa);
            RSA_free(rsa);
        }
    #endif

        if ((rsa = RSA_new()) != NULL) {
            printf ("Allocated new RSA structure\n");
            BIO *in;
            if (in = BIO_new_file("rsakey.pem", "r")) {
                int ok;
                printf ("Created private BIO\n");
                ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
                printf ("ok = %s\n", (ok != 0) ? "true":"false");
                BIO_free(in);
            }
            if (in = BIO_new_file("pubkey.pem", "r")) {
                int ok;
                printf ("Created public BIO\n");
                ok = (PEM_read_bio_RSAPublicKey(in, &rsa, NULL, NULL) != NULL);
                printf ("ok = %s\n", (ok != 0) ? "true":"false");
                BIO_free(in);
            }
            PEM_write_RSAPublicKey(stdout, rsa);
            RSA_free(rsa);
        }
    }
Re: read rsa keys
On Mon, Jul 27, 2009, Neil Dugan wrote:
> Hi,
>
> I have been trying to read the keys generated by "openssl genrsa ..." and "openssl rsa -pubout ..." commands.
>
> I successfully (according to the return code) read the private key with
>
>     if (in = BIO_new_file("rsakey.pem", "r")) {
>         int ok;
>         printf ("Created private BIO\n");
>         ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
>         printf ("ok = %s\n", (ok != 0) ? "true":"false");
>         BIO_free(in);
>     }
>
> but the similar code using PEM_read_bio_RSAPublicKey() doesn't want to work.

Use PEM_read_bio_RSA_PUBKEY() instead.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Device with both 1024-bit and 2048-bit RSA keys --- OpenSSL support?
[EMAIL PROTECTED] wrote:
| (sorry that previous one looked so terrible. Here it is with plain text)
|
| Can a single OpenSSL context support both 1024-bit and 2048-bit RSA at the same time? For example, if a client device has both 1024-bit and 2048-bit RSA keys, will the SSL/TLS handshake allow the server to pick whether 1024 or 2048-bit RSA should be used?

The client certificate has no influence on the selected ciphers. It is only used for client authentication.

The server certificate (and with that the server key) have influence on the used ciphers in a session. And while an SSL_CTX can have more than one cert/key pair, you can only set one cert/key for every key type (one RSA key/cert, one EC key/cert, ...)

It might be possible to twist the TLS hostname extension to select between a 2048 and a 1024 cert/key, but that would be something client and server would have to cooperate on...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
Device with both 1024-bit and 2048-bit RSA keys --- OpenSSL support?
Can a single OpenSSL context support both 1024-bit and 2048-bit RSA at the same time? For example, if a client device has both 1024-bit and 2048-bit RSA keys, will the SSL/TLS handshake allow the server to pick whether 1024 or 2048-bit RSA should be used?

I do not believe this works but would appreciate any input from others. My understanding is that the client provides a list of supported ciphersuites during the Client Hello process. However, the ciphersuites enumeration does not indicate the bit length of the RSA key, only that RSA can be used. For example, TLS_DHE_RSA_WITH_AES_128_CBC_SHA doesn’t indicate if 1024-bit or 2048-bit RSA is required. It seems that the server needs to look at the client’s certificate to determine the number of bits used by the RSA key --- but even if the server requests the client’s certificate, this happens after the cipher has been chosen.

I appreciate any input on this, whether it’s “you got it all wrong”, “you got it all right”, or anything in the middle.

Thanks ...
Altan
Re: Device with both 1024-bit and 2048-bit RSA keys --- OpenSSL support?
(sorry that previous one looked so terrible. Here it is with plain text)

Can a single OpenSSL context support both 1024-bit and 2048-bit RSA at the same time? For example, if a client device has both 1024-bit and 2048-bit RSA keys, will the SSL/TLS handshake allow the server to pick whether 1024 or 2048-bit RSA should be used?

I do not believe this works but would appreciate any input from others. My understanding is that the client provides a list of supported ciphersuites during the Client Hello process. However, the ciphersuites enumeration does not indicate the bit length of the RSA key, only that RSA can be used. For example, TLS_DHE_RSA_WITH_AES_128_CBC_SHA doesn’t indicate if 1024-bit or 2048-bit RSA is required. It seems that the server needs to look at the client’s certificate to determine the number of bits used by the RSA key --- but even if the server requests the client’s certificate, this happens after the cipher has been chosen.

I appreciate any input on this, whether it’s “you got it all wrong”, “you got it all right”, or anything in the middle.

Thanks ...
Altan
Strategy for freeing EVP and RSA keys
I'd like confirmation that I understand how to free RSA keys.

I create an RSA *key. I then use it to create an EVP_PKEY using EVP_PKEY_new() and EVP_PKEY_assign_RSA().

Later, I want to free everything. I _think_ that EVP_PKEY_free() will free both the EVP_PKEY and the RSA objects. Is that correct - that there's an implied free of the RSA object?

If so, is this the correct strategy:

    If the EVP_PKEY was created correctly
        free the EVP_PKEY
    else if the RSA key created correctly
        free the RSA key

--
Ken Goldman [EMAIL PROTECTED]
914-784-7646 (863-7646)
RSA keys
Hi all,

Can someone tell me how I can extract the public and private keys from the RSA structure returned by the function RSA_generate_key? I'm using openssl in my c++ simulation work and I must exchange public keys between simulated server and client, I cannot exchange the whole RSA structure!?

Thanks in advance,
Timo
Re: RSA keys
Hello,

> Can someone tell me how I can extract the public and private keys from the
> RSA structure returned by the function RSA_generate_key? I'm using openssl
> in my c++ simulation work and I must exchange public keys between simulated
> server and client, I cannot exchange the whole RSA structure!?

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/bn.h>
    #include <openssl/rsa.h>

    /* Direct member access (r->n, r->e, ...) compiles only against OpenSSL
     * releases before 1.1.0, where the RSA structure is not opaque. */
    int main()
    {
        RSA *r;

        r = RSA_generate_key(32, 656537, NULL, NULL);
        if (r == NULL) {
            printf("Key failed");
            exit(1);
        } else {
            printf("public modulus (n):\n");
            printf(" %s\n", BN_bn2hex(r->n));
            printf("public exponent (e):\n");
            printf(" %s\n", BN_bn2hex(r->e));
            printf("private exponent (d):\n");
            printf(" %s\n", BN_bn2hex(r->d));
            printf("secret prime factor (p):\n");
            printf(" %s\n", BN_bn2hex(r->p));
            printf("secret prime factor (q):\n");
            printf(" %s\n", BN_bn2hex(r->q));
            printf("dmp1 [ d mod (p-1) ]:\n");
            printf(" %s\n", BN_bn2hex(r->dmp1));
            printf("dmq1 [ d mod (q-1) ]:\n");
            printf(" %s\n", BN_bn2hex(r->dmq1));
            printf("iqmp [ q^-1 mod p ]:\n");
            printf(" %s\n", BN_bn2hex(r->iqmp));
        }
        printf("RSA SIZE: %d\n", RSA_size(r));
        return (0);
    }

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Problem with d2i functions and RSA keys in C
Hi,

I'm trying to encrypt and decrypt data using RSA. In order to test, I generated a key pair using openssl rsa -outform DER and I transformed it into a C array, getting this:

    unsigned char clepriv_der[] = {
        0x30, 0x81, 0xab, 0x02, 0x01, 0x00, 0x02, 0x21,
        0x00, 0xdb, 0x46, 0x81, 0xdc, 0x1c, 0xc4, 0x6a,
        0x7d, 0xa3, 0xcc, 0xc1, 0x60, 0x91, 0x5e, 0x5a,
        0xf1, 0x79, 0x75, 0x76, 0x33, 0x73, 0x4c, 0x4d,
        0xa0, 0x8e, 0x25, 0x17, 0xa7, 0xfb, 0x46, 0x15,
        0x57, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x20,
        0x1e, 0xa9, 0x41, 0x47, 0x52, 0x0e, 0x75, 0x05,
        0x94, 0x7d, 0xf1, 0x1c, 0x5b, 0xb7, 0x61, 0xe7,
        0xd7, 0xd9, 0x1f, 0x1e, 0xd7, 0x36, 0xf8, 0xfe,
        0xb5, 0xd3, 0xa9, 0x41, 0xc0, 0x9e, 0x48, 0xa1,
        0x02, 0x11, 0x00, 0xf2, 0x5e, 0x7e, 0x7c, 0x81,
        0xe3, 0x78, 0x93, 0x22, 0xa9, 0xd4, 0xb7, 0x36,
        0xe6, 0x57, 0x83, 0x02, 0x11, 0x00, 0xe7, 0x9b,
        0x85, 0xa0, 0xa4, 0x25, 0x39, 0x03, 0x9e, 0x97,
        0xc7, 0xfc, 0x39, 0x5d, 0xce, 0x9d, 0x02, 0x11,
        0x00, 0xe1, 0xe5, 0xb6, 0xe8, 0x9f, 0x3b, 0x7f,
        0x97, 0x4b, 0xb8, 0x94, 0xdd, 0x8b, 0x1a, 0xd7,
        0xb7, 0x02, 0x10, 0x6c, 0x45, 0x62, 0xf1, 0x96,
        0xea, 0xa3, 0xbd, 0x92, 0x6d, 0x28, 0x1b, 0x3c,
        0x02, 0x23, 0x6d, 0x02, 0x11, 0x00, 0xa4, 0x69,
        0xd3, 0x20, 0x2c, 0xd4, 0x07, 0xd8, 0x3d, 0x7a,
        0x50, 0x0f, 0xc4, 0xb3, 0x94, 0x91
    };

    unsigned char clepub_der[] = {
        0x30, 0x3c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
        0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
        0x00, 0x03, 0x2b, 0x00, 0x30, 0x28, 0x02, 0x21,
        0x00, 0xdb, 0x46, 0x81, 0xdc, 0x1c, 0xc4, 0x6a,
        0x7d, 0xa3, 0xcc, 0xc1, 0x60, 0x91, 0x5e, 0x5a,
        0xf1, 0x79, 0x75, 0x76, 0x33, 0x73, 0x4c, 0x4d,
        0xa0, 0x8e, 0x25, 0x17, 0xa7, 0xfb, 0x46, 0x15,
        0x57, 0x02, 0x03, 0x01, 0x00, 0x01
    };

When I try to use them, I use this code:

    RSA *clefpub;
    RSA *clefpriv;
    unsigned char *pub;
    unsigned char *priv;

    pub=clepub_der;
    priv=clepriv_der;
    clefpub=d2i_RSA_PUBKEY(NULL,(const unsigned char**)&pub,62);
    clefpriv=d2i_RSAPrivateKey(NULL,(const unsigned char**)&priv,230);
    puts("Chargement des clés terminé");
    if(RSA_check_key(clefpub)!=1) {
        puts("Erreur vérification de clé publique");
        exit(-1);
    }
    else puts("Clé publique valide");
    if(RSA_check_key(clefpriv)!=1) {
        puts("Erreur vérification de clé privée");
        exit(-1);
    }
    else puts("Clé privée valide");

During execution, there is a segmentation fault in RSA_check_key. I tried initialising the RSA pointers with RSA_new and got the same problem, and also using d2i_RSAPublicKey instead of d2i_RSA_PUBKEY.

Thank you for your replies.
--
Florian Manach NUMLOG [EMAIL PROTECTED] (+33)0130791616
Re: Problem with d2i functions and RSA keys in C
Hello,

> clefpub=d2i_RSA_PUBKEY(NULL,(const unsigned char**)&pub,62);
> clefpriv=d2i_RSAPrivateKey(NULL,(const unsigned char**)&priv,230);
> puts("Chargement des clés terminé");

You should check the return code of these two functions; probably the first function returns NULL and you have a crash in RSA_check.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: Problem with d2i functions and RSA keys in C
Hi Marek, thx for the answer.

These functions return: 804b298 and 804b0d0

That seems to be a pointer to an RSA object, and that seems to mean that there is no error.

Regards,
--
Florian Manach NUMLOG [EMAIL PROTECTED] (+33)0130791616

Marek Marcola wrote:
> Hello,
>
>> clefpub=d2i_RSA_PUBKEY(NULL,(const unsigned char**)&pub,62);
>> clefpriv=d2i_RSAPrivateKey(NULL,(const unsigned char**)&priv,230);
>> puts("Chargement des clés terminé");
>
> You should check the return code of these two functions; probably the first
> function returns NULL and you have a crash in RSA_check.
>
> Best regards,
Re: Problem with d2i functions and RSA keys in C
Hello,

> These functions return: 804b298 and 804b0d0
>
> That seems to be a pointer to an RSA object, and that seems to mean that
> there is no error.

Yes, this looks good, but after looking at the documentation for RSA_check_key() there is information that this function checks the integrity of all private key components (p, q, d ...) and of course in a public key we have only n and e, so this check cannot be performed. But should this function core dump in this situation? Probably not.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: Problem with d2i functions and RSA keys in C
The RSA_check_key doesn't core dump with the private key if I remove the one with the public key. I'll try to continue in this way and I'll let you know.

Thanks a lot,
Best regards,

Marek Marcola wrote:
> Hello,
>
>> These functions return: 804b298 and 804b0d0
>>
>> That seems to be a pointer to an RSA object, and that seems to mean that
>> there is no error.
>
> Yes, this looks good, but after looking at the documentation for
> RSA_check_key() there is information that this function checks the integrity
> of all private key components (p, q, d ...) and of course in a public key we
> have only n and e, so this check cannot be performed. But should this
> function core dump in this situation? Probably not.
>
> Best regards,

--
Florian Manach NUMLOG [EMAIL PROTECTED] (+33)0130791616
Re: Problem with d2i functions and RSA keys in C
My soft is running well now... Thx a lot Marek,

Best regards,

Florian MANACH wrote:
> The RSA_check_key doesn't core dump with the private key if I remove the one
> with the public key. I'll try to continue in this way and I'll let you know.
>
> Thanks a lot,
> Best regards,
>
> Marek Marcola wrote:
>> Hello,
>>
>>> These functions return: 804b298 and 804b0d0
>>>
>>> That seems to be a pointer to an RSA object, and that seems to mean that
>>> there is no error.
>>
>> Yes, this looks good, but after looking at the documentation for
>> RSA_check_key() there is information that this function checks the
>> integrity of all private key components (p, q, d ...) and of course in a
>> public key we have only n and e, so this check cannot be performed. But
>> should this function core dump in this situation? Probably not.
>>
>> Best regards,

--
Florian Manach NUMLOG [EMAIL PROTECTED] (+33)0130791616
Generating RSA keys using the Openssl's Crypto API
Hi all,

I want to generate an RSA key pair from a c/c++ program using Openssl's API. I saw that there is an RSA_generate_key() function, but it requires an initialization of the random generator. Could anyone explain to me how to initialize the random generator (on Linux)? A short c sample of the generation would be of a great help!

Thanks in advance.
Re: Generating RSA keys using the Openssl's Crypto API
Hello,

> I want to generate an RSA key pair from a c/c++ program using Openssl's API.
> I saw that there is an RSA_generate_key() function, but it requires an
> initialization of the random generator.

RSA_generate_key(), when generating the RSA p and q primes, probably requires a seeded RNG, but all rand functions perform self seeding (if possible). If RSA_generate_key() returns no error then the RNG was properly self seeded (if not seeded before).

> Could anyone explain to me how to initialize the random generator (on Linux)?

Something like:

    RAND_load_file("/dev/urandom", 1024);

should be enough.

> A short c sample of the generation would be of a great help!

Some simple example attached.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/bn.h>
    #include <openssl/rsa.h>

    /* Direct member access (r->n, r->e, ...) compiles only against OpenSSL
     * releases before 1.1.0, where the RSA structure is not opaque. */
    int main()
    {
        RSA *r;

        r = RSA_generate_key(32, 656537, NULL, NULL);
        if (r == NULL) {
            printf("Key failed");
            exit(1);
        } else {
            printf("public modulus (n):\n");
            printf(" %s\n", BN_bn2hex(r->n));
            printf("public exponent (e):\n");
            printf(" %s\n", BN_bn2hex(r->e));
            printf("private exponent (d):\n");
            printf(" %s\n", BN_bn2hex(r->d));
            printf("secret prime factor (p):\n");
            printf(" %s\n", BN_bn2hex(r->p));
            printf("secret prime factor (q):\n");
            printf(" %s\n", BN_bn2hex(r->q));
            printf("dmp1 [ d mod (p-1) ]:\n");
            printf(" %s\n", BN_bn2hex(r->dmp1));
            printf("dmq1 [ d mod (q-1) ]:\n");
            printf(" %s\n", BN_bn2hex(r->dmq1));
            printf("iqmp [ q^-1 mod p ]:\n");
            printf(" %s\n", BN_bn2hex(r->iqmp));
        }
        printf("RSA SIZE: %d\n", RSA_size(r));
        return (0);
    }
Re: Generating RSA keys using the Openssl's Crypto API
Hello,

>> A short c sample of the generation would be of a great help!
> Some simple example attached.

Of course you should use something like:

    r = RSA_generate_key(1024,RSA_F4,NULL,NULL);

There were some tests :-)

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Problems to sign data with encrypted RSA keys!
Hi!

I'm having some problems to sign my data with encrypted RSA keys. I'm doing the following sequence:

    // Create the RSA key pair and write into PEM files
    RSA *pair = RSA_generate_key(1024, 3, NULL, NULL);
    EVP_PKEY *pkey = EVP_PKEY_new();
    EVP_PKEY_assign_RSA(pkey, pair);
    FILE *fp = fopen("rsaprivatekey.pem", "w");
    const EVP_CIPHER *c = EVP_des_ede3_cbc(); // *encrypt with 3-des
    string password = "abc123";
    int klen = password.length();
    unsigned char *kstr = new unsigned char[klen];
    memcpy(kstr, password.c_str(), klen);
    PEM_write_PrivateKey(fp,pkey, c, kstr, klen, NULL, NULL); // write the private key into a file
    fclose(fp);
    // Writes the public key into a file
    fp = fopen("rsapublickey.pem", "w");
    PEM_write_RSAPublicKey(fp,pair);
    fclose(fp);

    // Read the PEM files
    string password = "abc123";
    FILE *fp = fopen("rsaprivatekey.pem", "r");
    int klen = password.length();
    unsigned char *kstr = new unsigned char[klen];
    memcpy(kstr, password.c_str(), klen);
    EVP_PKEY *pkey = PEM_read_PrivateKey(fp, NULL, NULL, kstr);
    fclose(fp);

    // Try to sign the data
    EVP_MD_CTX ctx;
    EVP_MD_CTX_init(&ctx);
    const EVP_MD *digest_type = EVP_sha1(); // *** I must use SHA1 as digest algorithm
    EVP_SignInit_ex(&ctx, digest_type, NULL);
    EVP_SignUpdate(&ctx, data, data_len); //data has some content
    unsigned char sig[EVP_PKEY_size(pkey)];
    unsigned int siglen = 0;
    // Sign the data with RSA-SHA1
    EVP_SignFinal(&ctx, sig, &siglen, pkey); // ** HERE I HAVE AN ERROR:

ERROR: (error:0606B06E:lib(6):func(107):reason(110)) = This means function SignFinal, reason EVP_R_WRONG_PUBLIC_KEY_TYPE.

When I try with encrypted DSA keys it works, and with unencrypted RSA keys it works too. What is the problem with my encrypted RSA keys above??

Thanks for the help!
Re: Loading RSA keys from file.
Hello:

I send you a function that reads an RSA public or private key from a file:

    RSA *RecuperaClavesRSA(int type, char *pemfile)
    {
        FILE *fp;
        RSA *key = NULL;

        switch (type) {
        case READPUB:
            if ((fp = fopen(pemfile, "r")) == NULL) {
                fprintf(stderr, "Error: Public Key file doesn't exists.\n");
                exit(EXIT_FAILURE);
            }
            if ((key = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL)) == NULL) {
                fprintf(stderr, "Error: problems while reading Public Key.\n");
                exit(EXIT_FAILURE);
            }
            fclose(fp);
            printf("RSA size: %d", RSA_size(key));
            return key;
            break;
        case READSEC:
            if ((fp = fopen(pemfile, "r")) == NULL) {
                fprintf(stderr, "Error: Private Key file doesn't exists.\n");
                exit(EXIT_FAILURE);
            }
            if ((key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL)) == NULL) {
                fprintf(stderr, "Error: problmes while reading Private Key. %d %s\n", type, pemfile);
                exit(EXIT_FAILURE);
            }
            fclose(fp);
            if (RSA_check_key(key) == -1) {
                fprintf(stderr, "Error: Problems while reading RSA Private Key in '%s' file.\n", pemfile);
                exit(EXIT_FAILURE);
            } else if (RSA_check_key(key) == 0) {
                fprintf(stderr, "Error: Bad RSA Private Key readed in '%s' file.\n", pemfile);
                exit(EXIT_FAILURE);
            } else
                return key;
            break;
        }
        return key;
    }

If the parameter "type" is "READPUB" it reads the public key from the file "pemfile", and if this parameter is "READSEC", it reads the private key. Also, this function shows the RSA size correctly.

I hope this function solves your problem.

Regards.

P.S.: Your name reminds me of a very famous song by Eric Clapton ... ;-)

----- Original Message -----
From: Layla
To: openssl-users@openssl.org
Sent: Tuesday, May 10, 2005 3:55 PM
Subject: Re: Loading RSA keys from file.

> Hi Angel,
>
> Thank you for your response. I have changed my code in accordance with your
> suggestion but I'm still getting a runtime error when attempting to read the
> key from its file. So far I'm having trouble with 1- reading the key from
> file, and 2- RSA_size(), this function generates a runtime error when
> encountered as well.
>
> I can't think of anything since I'm initializing my RSA object.
> Suggestions ?
Loading RSA keys from file.
I'm still not able to load the key from its file and I'm still encountering an error when I use RSA_size(); a run time error occurred when I try to print the returned size. I'm including a segment of my code after modification:

    RSA *apub;
    FILE *f;

    seed_prng(); // my function for seeding PRNG

    //Allocating apub
    apub = RSA_new();
    if ( apub == NULL) {
        //print error message
    }

    //open key file
    f= fopen ("a_rsa_public","r");
    if (f == NULL) {
        //print error message
    }

    //Loading key
    apub = PEM_read_RSAPublicKey(f, apub, 0,0); //a run time error occurs here
    if (apub == NULL)
    {
        // print error message
        return -1;
    }

    /* if I try the following line after the allocation of the RSA object I get a runtime error as well*/
    printf("RSA size: %d", RSA_size(apub));

***

I'm thankful for any help I can get.

Sebastian [EMAIL PROTECTED] wrote:
> Hmm,
>
> take a look at routines like RSA_new() to create RSA structures. As you
> coded 'sizeof apub', this will return the size of a _pointer_ - assuming a
> 32-bit architecture you will get round about four bytes ;-).
> See: http://www.openssl.org/docs/crypto/RSA_new.html
>
> The runtime error is caused by calling RSA_size() with a null pointer -
> unfortunately RSA_size() doesn't like null pointers.
> See: http://www.openssl.org/docs/crypto/RSA_size.html
>
> Good luck,
> Sebastian
>
>> Hi all,
>>
>> I'm trying to develop a C++ application to encrypt and decrypt data using
>> RSA public key cryptography scheme. I have generated the public/private
>> keys using OpenSSL command line tool. The following C++ code should read a
>> public key, encrypt data, read private key and decrypt the data:
>>
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <string.h>
>> #include <openssl/rsa.h>
>>
>> int main()
>> {
>>     char *message ="Hello World!";
>>     RSA *apub;
>>     RSA *aprivate;
>>     FILE *f;
>>     int ret;
>>     unsigned char *buf;
>>     unsigned char *e_data;
>>     unsigned char *clear_text;
>>
>>     //Get key
>>     f= fopen("a_rsa_public","rb");
>>     if(f == NULL)
>>     {
>>         printf("\nError opening public key file");
>>         return -1;
>>     }
>>     else
>>         printf("\n Public key file opened");
>>
>>     //load the key
>>     if ( fread(apub,sizeof apub,1,f) != 1)
>>     {
>>         printf("\nError reading public key");
>>         return -1;
>>     }
>>     else
>>         printf("\nPublic key read");
>>
>>     //close the key file
>>     fclose(f);
>>
>>     buf = (unsigned char *) malloc(strlen(message));
>>     memcpy(buf,message,strlen(message));
>>
>>     e_data = (unsigned char *) malloc(RSA_size(apub)); // THIS is where i get a run time error
>>
>>     //encrypt data
>>     RSA_public_encrypt(strlen(message),buf, e_data, apub, RSA_PKCS1_OAEP_PADDING);
>>
>>     //--decrypt
>>     //Get key
>>     f= fopen("a_rsa_private","rb");
>>     if(f == NULL)
>>     {
>>         printf("\nError opening private key file");
>>         return -1;
>>     }
>>
>>     //load the key
>>     ret = fread(aprivate,sizeof(aprivate),1,f);
>>
>>     //close the key file
>>     fclose(f);
>>
>>     //make sure we loaded ok
>>     if(ret != 1)
>>     {
>>         printf("\nError reading private key");
>>         return -1;
>>     }
>>
>>     clear_text= (unsigned char *) malloc(strlen(message));
>>     RSA_private_decrypt(strlen((char*)e_data), e_data, clear_text, aprivate, RSA_PKCS1_OAEP_PADDING);
>>
>>     return 0;
>> }
>>
>> ***
>>
>> At first I used to get a run time error in the RSA_public_encrypt(...);
>> and I figured it was caused because I had e_data initialized as:
>>
>>     e_data = (unsigned char *) malloc(strlen(message)*4);
>>
>> So instead I used:
>>
>>     e_data = (unsigned char *) malloc(RSA_size(apub));
>>
>> and now I'm getting a run time error as this line is encountered.
>>
>> I'm sure someone with experience would be able to spot my mistake.
>> I thank you all in advance for your help.
Re: Loading RSA keys from file.
Hello Layla:

Maybe your error will disappear if you change the following:

    apub = PEM_read_RSAPublicKey(f, NULL, NULL, NULL);

Regards.
Re: Loading RSA keys from file.
Hi Angel,

Thank you for your response. I have changed my code in accordance with your suggestion but I'm still getting a runtime error when attempting to read the key from its file. So far I'm having trouble with 1- reading the key from file, and 2- RSA_size(), this function generates a runtime error when encountered as well.

I can't think of anything since I'm initializing my RSA object. Suggestions ?

Angel Martinez Gonzalez [EMAIL PROTECTED] wrote:
> Hello Layla:
>
> Maybe your error will disappear if you change the following:
>
>     apub = PEM_read_RSAPublicKey(f, NULL, NULL, NULL);
>
> Regards.
Re: Loading RSA keys from file.
try

    pubKey=*PEM_read_RSA_PUBKEY(file, NULL,NULL,NULL);

in the place of PEM_read_RSAPublicKey. If it doesn't work, try to use the load_key function with a PEM format in apps.c; I don't remember where you can find it, I'm not sure. Good luck.

Abdou
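Abdou's PEM_read_RSA_PUBKEY suggestion and the earlier d2i_RSA_PUBKEY versus d2i_RSAPublicKey question both turn on which structure the bytes hold: a SubjectPublicKeyInfo wrapper or a bare PKCS#1 RSAPublicKey. The following is an added example, not code from any poster or from OpenSSL: a bounds-checked DER walk over the clepub_der bytes posted in the d2i thread that tells the two apart without calling the library. The names der_read, classify_rsa_pub and decoder_for are made up for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum rsa_pub_form { FORM_MALFORMED = 0, FORM_PKCS1 = 1, FORM_SPKI = 2 };

/* Public key bytes exactly as posted in the thread (clepub_der, 62 bytes). */
static const unsigned char clepub_der[] = {
    0x30, 0x3c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
    0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x2b, 0x00, 0x30, 0x28, 0x02, 0x21,
    0x00, 0xdb, 0x46, 0x81, 0xdc, 0x1c, 0xc4, 0x6a, 0x7d, 0xa3, 0xcc, 0xc1,
    0x60, 0x91, 0x5e, 0x5a, 0xf1, 0x79, 0x75, 0x76, 0x33, 0x73, 0x4c, 0x4d,
    0xa0, 0x8e, 0x25, 0x17, 0xa7, 0xfb, 0x46, 0x15, 0x57, 0x02, 0x03, 0x01,
    0x00, 0x01
};

/* DER content bytes of the rsaEncryption OID 1.2.840.113549.1.1.1. */
static const unsigned char OID_RSA[] = {
    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01
};

/* Read one TLV header at *p. On success store the content length in *len,
 * advance *p to the content and return the tag. Return -1 if the header is
 * truncated, the length form is unsupported, or the content overruns end. */
static int der_read(const unsigned char **p, const unsigned char *end, size_t *len)
{
    const unsigned char *q = *p;
    if (end - q < 2) return -1;
    int tag = *q++;
    size_t n = *q++;
    if (n & 0x80) {                       /* long form: 1 or 2 length bytes */
        size_t nbytes = n & 0x7f;
        if (nbytes == 0 || nbytes > 2 || (size_t)(end - q) < nbytes) return -1;
        for (n = 0; nbytes; nbytes--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;
    *len = n;
    *p = q;
    return tag;
}

/* PKCS#1 RSAPublicKey ::= SEQUENCE { INTEGER n, INTEGER e } filling [p, end).
 * Returns the modulus size in bits, or 0 if the bytes are not that structure. */
static size_t pkcs1_modulus_bits(const unsigned char *p, const unsigned char *end)
{
    size_t len = 0;
    if (der_read(&p, end, &len) != 0x30 || p + len != end) return 0;
    if (der_read(&p, end, &len) != 0x02 || len == 0) return 0;
    const unsigned char *n = p;
    size_t nlen = len;
    p += len;
    if (der_read(&p, end, &len) != 0x02 || len == 0 || p + len != end) return 0;
    while (nlen > 1 && *n == 0) { n++; nlen--; }   /* drop leading sign byte */
    size_t bits = nlen * 8;
    for (unsigned char top = *n; bits && !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Decide which structure the buffer holds; *bits receives the modulus size. */
enum rsa_pub_form classify_rsa_pub(const unsigned char *der, size_t derlen, size_t *bits)
{
    const unsigned char *p = der, *end = der + derlen;
    size_t len = 0, alen = 0;

    *bits = pkcs1_modulus_bits(der, end);
    if (*bits) return FORM_PKCS1;

    /* SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING } */
    if (der_read(&p, end, &len) != 0x30 || p + len != end) return FORM_MALFORMED;
    if (der_read(&p, end, &alen) != 0x30) return FORM_MALFORMED;
    const unsigned char *alg_end = p + alen;
    if (der_read(&p, alg_end, &len) != 0x06 || len != sizeof OID_RSA ||
        memcmp(p, OID_RSA, len) != 0) return FORM_MALFORMED;
    p = alg_end;                          /* skip the NULL parameters */
    if (der_read(&p, end, &len) != 0x03 || len < 2 || p[0] != 0 || p + len != end)
        return FORM_MALFORMED;
    *bits = pkcs1_modulus_bits(p + 1, end);   /* payload after unused-bits byte */
    return *bits ? FORM_SPKI : FORM_MALFORMED;
}

/* Map the detected structure to the OpenSSL readers named in the threads. */
const char *decoder_for(enum rsa_pub_form f)
{
    switch (f) {
    case FORM_SPKI:  return "d2i_RSA_PUBKEY / PEM_read_RSA_PUBKEY";
    case FORM_PKCS1: return "d2i_RSAPublicKey / PEM_read_RSAPublicKey";
    default:         return "none (reject the input)";
    }
}

int main(void)
{
    size_t bits;
    enum rsa_pub_form f = classify_rsa_pub(clepub_der, sizeof clepub_der, &bits);
    printf("whole buffer  : %s, %zu-bit modulus\n", decoder_for(f), bits);
    f = classify_rsa_pub(clepub_der + 20, sizeof clepub_der - 20, &bits);
    printf("inner 42 bytes: %s, %zu-bit modulus\n", decoder_for(f), bits);
    return 0;
}
```

The reported modulus size is also the place where a loader would refuse undersized keys such as this 256-bit test key.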
RSA keys file formats
Hello,

Where can I get the description of private and public key file formats used by OpenSSL for RSA (SSH2) implementation? I need to parse those files.

Thank you.
--
http://www.nglogic.com
Enter through the narrow gate! (Mt 7:13-14)
Re: RSA keys file formats
On Mon, Apr 04, 2005, Stanislaw Findeisen wrote:

> Hello,
>
> Where can I get the description of private and public key file formats used
> by OpenSSL for RSA (SSH2) implementation? I need to parse those files.

The manual pages.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RSA Keys Onto SmartCard ???
Hi ...

I'm trying to write my OpenSSL generated RSA keys onto a cryptoki (smart card) using PKCS#11 ... PKCS#11 requires the individual key parameters (p, q, d, e, n, d mod q-1, d mod p-1) in 'unsigned char*' format, or a binary string in general ...

I'm trying to use the BigNumber library function BN_bn2bin to convert the RSA key parameters to binary strings ... but calling the PKCS#11 function (which works fine with hard-coded data values) throws an invalid data error ...

Can anybody help ?

Peter.
Ephemeral RSA Keys
From what I understand Ephemeral Keys will keep someone who steals my private key from being able to decrypt my SSL communication. He can still use a man-in-the-middle attack of course.

The SSL_CTX_set_options documentation says:

    SSL_OP_EPHEMERAL_RSA
        Always use ephemeral (temporary) RSA key when doing RSA operations
        (see SSL_CTX_set_tmp_rsa_callback(3)). According to the
        specifications this is only done, when a RSA key can only be used
        for signature operations (namely under export ciphers with
        restricted RSA keylength). By setting this option, ephemeral RSA
        keys are always used. This option breaks compatibility with the
        SSL/TLS specifications and may lead to interoperability problems
        with clients and should therefore never be used. Ciphers with EDH
        (ephemeral Diffie-Hellman) key exchange should be used instead.

I however am developing both the client and the server, are there any reasons why I should use Ephemeral RSA vs. Ephemeral DH? Also are there any reasons why I should not use Ephemeral Keys period?

- Joel Daniels
Re: Ephemeral RSA Keys
On Fri, May 24, 2002 at 10:14:40AM -0600, Joel Daniels wrote:

> From what I understand Ephemeral Keys will keep someone who steals my private key from being able to decrypt my SSL communication. He can still use a man-in-the-middle attack of course.
>
> The SSL_CTX_set_options documentation says:
>
>   SSL_OP_EPHEMERAL_RSA
>   Always use ephemeral (temporary) RSA key when doing RSA operations (see SSL_CTX_set_tmp_rsa_callback(3)). According to the specifications this is only done, when a RSA key can only be used for signature operations (namely under export ciphers with restricted RSA keylength). By setting this option, ephemeral RSA keys are always used. This option breaks compatibility with the SSL/TLS specifications and may lead to interoperability problems with clients and should therefore never be used. Ciphers with EDH (ephemeral Diffie-Hellman) key exchange should be used instead.
>
> I however am developing both the client and the server, are there any reasons why I should use Ephemeral RSA vs. Ephemeral DH? Also are there any reasons why I should not use Ephemeral Keys period?

Ephemeral keys improve your security due to the provided forward secrecy you already mention. It becomes impossible for an attacker to decrypt past communication. Future communication also stays secure as long as the attacker can only listen. Mounting a man-in-the-middle attack may not be too difficult, but the risk of being detected is far higher than it is when just eavesdropping.

The price is a performance penalty.

For a discussion of ephemeral RSA vs. ephemeral DH: I don't know. When switching from SSH-1 to SSH-2, RSA session keys were replaced with DH ones, but that may have been for patent reasons. Maybe somebody else can spread more light on this point.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: Ephemeral RSA Keys
> For a discussion of ephemeral RSA vs. ephemeral DH: I don't know. When switching from SSH-1 to SSH-2, RSA session keys were replaced with DH ones, but that may have been for patent reasons. Maybe somebody else can spread more light on this point.

There's a bit of a discussion in _SSL and TLS_.

As I understand the issues (I just skimmed the sections), with ephemeral DH you can generate a new key inexpensively. Probably something as simple as generating a very large random number X and computing g^x mod p (where g and p are specified in the DH parameter file). This means you can generate a new key for every session, providing maximum security (short of regenerating the DH *parameters* every time!)

In contrast, RSA keys have to be regenerated every time. That's expensive, so implementations will typically cache the key and reuse it for a while. This puts all of those sessions into the same boat, security-wise.

There are also some efficiency considerations since the private and public keys in RSA tend to be about the same size, while DH keys (I think) tend to have much smaller private keys, I think it's a fixed size of something like 80 or 128 bits. (I know this is the case with DSA, but I'm not 100% sure about DH.) This smaller private makes some operations more efficient without compromising security.

Bear
Re: [offtopic] Importing openssl RSA keys to gnupg.
Hi,

I've already done this with PGP for Windows. It works Ok and we can see the certificate common fields.

I'd like to import X.509 certificates and private keys to gnupg also. But I think (not for sure) that gnupg doesn't support it. If anyone knows how to do it and if it's possible, I also want to know.

regards,
Augusto Marcacini

On 23 Apr 2002 at 23:34, Kalyan Varma wrote:

> I have a small issue. I have couple of RSA keys ( generated by openssl ). Now I want to import them and use them in gnupg. I know we can't do this directly, but does anyone have any idea ??
>
> thanks,
> - kalyan
BSafe RSA keys
Hi,

I am working on putting OpenSSL into our app. However, we are required to use RSA keys that are produced with BSafe by another app. Does anybody know how to get BSafe RSA Private key to work with open ssl?

I tried to use the output of B_GetKeyInfo(buffer, obj,KI_PKCS_RSAPrivateBER). However that does not work with d2i_RSAPrivatekey - it complains that header is too long. I guess that's because B_GetKeyInfo in this case returns PKCS#8 PrivateKeyInfo, which is not what open ssl expects on the input.

Could someone help me out?

Thank you
Alex
RE: BSafe RSA keys
Alex,

I guess B_GetKeyInfo(buffer, obj,KI_PKCS_RSAPrivateBER) returns an ASN1 of PrivateKeyInfo PDU. You have to extract RSAPrivateKey PDU from this PrivateKeyInfo PDU. Once you get RSAPrivateKey PDU you can then use SSL_CTX_use_PrivateKey_ASN1 API to set the private key.

To do all these things I followed a very roundabout way. First I store the private key (I mean the PrivateKeyInfo PDU) in the BER ASN1 format (I don't apply B_SetKeyInfo to convert B_KEY_OBJ). Next, I decode the PrivateKeyInfo PDU to extract the RSAPrivateKey structure. Once I extract the RSAPrivateKey structure I encode this structure to generate RSAPrivateKey PDU.

There should be a better way to do it!

Regards,
Prashant.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 08, 2002 11:31 AM
To: [EMAIL PROTECTED]
Subject: BSafe RSA keys

> Hi,
>
> I am working on putting OpenSSL into our app. However, we are required to use RSA keys that are produced with BSafe by another app. Does anybody know how to get BSafe RSA Private key to work with open ssl?
>
> I tried to use the output of B_GetKeyInfo(buffer, obj,KI_PKCS_RSAPrivateBER). However that does not work with d2i_RSAPrivatekey - it complains that header is too long. I guess that's because B_GetKeyInfo in this case returns PKCS#8 PrivateKeyInfo, which is not what open ssl expects on the input.
>
> Could someone help me out?
>
> Thank you
> Alex
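The structural difference discussed in this thread, as an added example that is not part of the original posts: a PKCS#8 PrivateKeyInfo carries a version, an AlgorithmIdentifier and then the PKCS#1 RSAPrivateKey inside an OCTET STRING, so a decoder expecting a bare RSAPrivateKey sees the wrong fields. The sketch uses only the Python standard library; every function name is this example's own and the sample key is a constructed toy key.

```python
"""Added example: PKCS#8 PrivateKeyInfo vs PKCS#1 RSAPrivateKey (stdlib only)."""
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
SEQUENCE, INTEGER, OCTET_STRING, OID, NULL = 0x30, 0x02, 0x04, 0x06, 0x05

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: low 7 bits = byte count
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a SEQUENCE into a list of (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items

def top_level(der):
    """Decode the single outer SEQUENCE and return its members."""
    tag, body, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    return children(body)

def classify(der):
    """Tell the two private-key layouts apart by the types of their fields."""
    tags = [t for t, _ in top_level(der)]
    if tags[:3] == [INTEGER, SEQUENCE, OCTET_STRING]:
        return "PKCS#8 PrivateKeyInfo"
    if len(tags) >= 9 and all(t == INTEGER for t in tags[:9]):
        return "PKCS#1 RSAPrivateKey"
    raise ValueError("not a recognised RSA private key structure")

def unwrap_pkcs8_rsa(der):
    """Return the RSAPrivateKey bytes carried inside a PrivateKeyInfo."""
    if classify(der) != "PKCS#8 PrivateKeyInfo":
        raise ValueError("input is not a PrivateKeyInfo")
    version, alg, key = top_level(der)[:3]
    if version[1] != b"\x00":
        raise ValueError("unsupported PrivateKeyInfo version")
    alg_items = children(alg[1])
    if not alg_items or alg_items[0] != (OID, RSA_OID):
        raise ValueError("PrivateKeyInfo does not hold an RSA key")
    inner = key[1]
    if classify(inner) != "PKCS#1 RSAPrivateKey":
        raise ValueError("OCTET STRING does not contain an RSAPrivateKey")
    return inner

def rsa_fields(pkcs1):
    """Decode version, n, e, d, p, q, dP, dQ, qInv as Python integers."""
    return [int.from_bytes(v, "big") for _, v in top_level(pkcs1)[:9]]

# --- constructed sample input (toy 12-bit key, for illustration only) ---
def tlv(tag, value):
    """Encode one DER element with a short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def der_int(n):
    """Encode a non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big"))

P, Q, E, D = 61, 53, 17, 2753
PKCS1_SAMPLE = tlv(SEQUENCE, b"".join(der_int(x) for x in (
    0, P * Q, E, D, P, Q, D % (P - 1), D % (Q - 1), pow(Q, -1, P))))
PKCS8_SAMPLE = tlv(SEQUENCE, der_int(0)
                   + tlv(SEQUENCE, tlv(OID, RSA_OID) + tlv(NULL, b""))
                   + tlv(OCTET_STRING, PKCS1_SAMPLE))

if __name__ == "__main__":
    print(classify(PKCS8_SAMPLE))
    inner = unwrap_pkcs8_rsa(PKCS8_SAMPLE)
    print(classify(inner), rsa_fields(inner)[1:4])
```

In OpenSSL itself the same unwrapping is available through d2i_PKCS8_PRIV_KEY_INFO() followed by EVP_PKCS82PKEY(), which avoids hand-written DER handling.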
RE: BSafe RSA keys
I have more questions regarding your response since I am relatively new to this stuff:

What's PDU? How do you decode PrivateKeyInfo PDU to extract PrivateKeyInfo PDU struct? And how do you then encode it?

Thank you
Alex

Prashant Kumar <prkumar@nortelnetworks.com>
Sent by: owner-openssl-users@openssl.org
03/08/02 12:19 PM
Please respond to openssl-users
To: [EMAIL PROTECTED]
cc:
Subject: RE: BSafe RSA keys

> Alex,
>
> I guess B_GetKeyInfo(buffer, obj,KI_PKCS_RSAPrivateBER) returns an ASN1 of PrivateKeyInfo PDU. You have to extract RSAPrivateKey PDU from this PrivateKeyInfo PDU. Once you get RSAPrivateKey PDU you can then use SSL_CTX_use_PrivateKey_ASN1 API to set the private key.
>
> To do all these things I followed a very roundabout way. First I store the private key (I mean the PrivateKeyInfo PDU) in the BER ASN1 format (I don't apply B_SetKeyInfo to convert B_KEY_OBJ). Next, I decode the PrivateKeyInfo PDU to extract the RSAPrivateKey structure. Once I extract the RSAPrivateKey structure I encode this structure to generate RSAPrivateKey PDU.
>
> There should be a better way to do it!
>
> Regards,
> Prashant.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 08, 2002 11:31 AM
> To: [EMAIL PROTECTED]
> Subject: BSafe RSA keys
>
>> Hi,
>>
>> I am working on putting OpenSSL into our app. However, we are required to use RSA keys that are produced with BSafe by another app. Does anybody know how to get BSafe RSA Private key to work with open ssl?
>>
>> I tried to use the output of B_GetKeyInfo(buffer, obj,KI_PKCS_RSAPrivateBER). However that does not work with d2i_RSAPrivatekey - it complains that header is too long. I guess that's because B_GetKeyInfo in this case returns PKCS#8 PrivateKeyInfo, which is not what open ssl expects on the input.
>>
>> Could someone help me out?
>>
>> Thank you
>> Alex
Re: RSA keys auth.
Jeffrey Altman wrote:

> A passphrase consisting of human readable/typable text provides approximately 2 bits of entropy per character.

English text contains approx. 3.5 bits of entropy per character.

Password half password of password normal password English password text password is password not password the password 'password', password or password similar password text password.

(I know, the, a, in, of, etc. But these extremely common English words are also extremely short, and are often eliminated from these entropy counts anyway as 'semantic glue.')
Re: RSA keys auth.
Why not use simple challenge/response password authentication?

--
David Schwartz
[EMAIL PROTECTED]

On Sun, 6 Jan 2002 00:36:22 -0800 (PST), Vadim Zaliva wrote:

> Hi!
>
> I am trying to use OpenSSL to build secure authenticated channel between client and server. I want server to allow connections only from certain clients, and I want client to be sure it is connected to the right server.
>
> I see how it could be done using certificates. However for my application generating certificates would be too complex for end user. The simplest way I see it would be to use RSA public/private keys: the way SSH does.
>
> So client and server each would have private/public key pairs generated. When, I would manually add server public key to client side and client public key to server side (server will possibly have more than one client key).
>
> If there is anything wrong with the way I am planning to do it? It seems to me that this should be pretty common usage. If somebody done this before I would appreciate any advice. I am new to openssl and still learning basics.
>
> Sincerely,
> Vadim
>
> --
> Perfection is achieved not when there is nothing left to add, but when there is nothing left to take away. (Antoine de Saint-Exupery)
Re: RSA keys auth.
On Sun, Jan 06, 2002 at 12:36:22AM -0800, Vadim Zaliva wrote:

> Hi!
>
> I am trying to use OpenSSL to build secure authenticated channel between client and server. I want server to allow connections only from certain clients, and I want client to be sure it is connected to the right server.
>
> I see how it could be done using certificates. However for my application generating certificates would be too complex for end user. The simplest way I see it would be to use RSA public/private keys: the way SSH does.
>
> So client and server each would have private/public key pairs generated. When, I would manually add server public key to client side and client public key to server side (server will possibly have more than one client key).
>
> If there is anything wrong with the way I am planning to do it? It seems to me that this should be pretty common usage. If somebody done this before I would appreciate any advice. I am new to openssl and still learning basics.

This seems fine. The only problem (and it's a problem in ssh as well) is the weak key binding. It's the warning you get in ssh when you change a host key.

Warning Host key changed. Man in the Middle attack possible. blah blah blah.

Most people just punch in yes and connect. How do you know it's not a man in the middle attack?

If you use certificates you can change the host key, and the client knows it's a legitimate change because the key has been signed by a known CA. Thus you never have such a problem. If the certificate doesn't check out, then you know for *sure* that something is up.

Of course if you use a strict check on your rsa host key, say that if the rsa host key doesn't match for that host you refuse a connection, then that's not a prob.

The other weak key binding problem is when you first connect (unknown host key, blah blah, should I add it to known hosts?). What if someone has set up a man-in-the-middle before your first connect. There is no way of knowing.

A certificate removes these problems because if both the client and server know in advance about the CA (even if the CA is you, not a real CA) then on the first connect, your client can determine for sure if the host key is legit, or forged.

So the answer really depends on what you want to do, and how secure is secure?

Kind Regards
Crispin
Re: RSA keys auth.
Vadim Zaliva [EMAIL PROTECTED] writes:

> I am trying to use OpenSSL to build secure authenticated channel between client and server. I want server to allow connections only from certain clients, and I want client to be sure it is connected to the right server.
>
> I see how it could be done using certificates. However for my application generating certificates would be too complex for end user. The simplest way I see it would be to use RSA public/private keys: the way SSH does.
>
> So client and server each would have private/public key pairs generated. When, I would manually add server public key to client side and client public key to server side (server will possibly have more than one client key).
>
> If there is anything wrong with the way I am planning to do it? It seems to me that this should be pretty common usage. If somebody done this before I would appreciate any advice. I am new to openssl and still learning basics.

This can't be done with SSL exactly the way you want to do it. The only way that SSL knows how to carry public keys is via certificates. Accordingly, what you need to do is use self-signed certificates. At this point you have two authentication options:

(1) Hardwire in the certificate values (or public key values) on either side. It's conventional to use a digest of the certificate/key instead of the actual value.

(2) Do what SSH does for the server. When the client first connects hope that there's no man-in-the-middle and assume that the certificate is genuine. Write it down and from that point on check the key the peer presents against the cached key.

As Crispin points out, this has a few security problems, but it's better than nothing. Essentially, SSH trusts that the first time you connect you actually get to the right host. Given the frequency of actual attacks on the net, this isn't THAT bad an assumption.

The traditional thing to do with SSH is for the client to get the server's public key the first time he connects. The client then authenticates to the server with a password. Once the client has authenticated he puts his own public key on the server.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
Author of SSL and TLS: Designing and Building Secure Systems
http://www.rtfm.com/
Re: RSA keys auth.
Besides the fact that using raw public/private key pairs is in my mind a disaster waiting to happen to all SSH users:

 . they have no notion of identity associated with them
 . they have no notion of trust associated with them
 . they have no notion of usage associated with them
 . they have no ability to be expired
 . they have no ability to be revoked if compromised

private keys are stored in most cases on the disks of insecure operating systems protected only by a passphrase chosen by an end user that knows nothing about security.

An insecure OS is one that is either unmanageable or one that is not properly maintained from a security perspective. No OS maintained by the end user is secure.

A passphrase consisting of human readable/typable text provides approximately 2 bits of entropy per character. Therefore, to provide an equivalent strength key to protect a 1024 bit private key would require a passphrase at least 64 characters long. Since most passphrases are significantly shorter, not more than an 8 character password, dictionary attacks to extract the private key are highly effective.

I am simply waiting for the virus/worm that as part of its operation steals SSH identity and known_hosts files and sends them off to be dictionary attacked.

The difference between raw public/private key pairs and X.509 certs is that the cert is a centrally managed object that can be revoked. Something that is revoked cannot be used again by the end user. In other words, the end user cannot simply copy re-use their previous generated key pair.

If the user can generate a public/private key pair then they can with appropriate tools provided by you generate a Certificate Signing Request, send the CSR to your host, have it signed and installed. It's more work on your part not on the end users.

- Jeff

> Hi!
>
> I am trying to use OpenSSL to build secure authenticated channel between client and server. I want server to allow connections only from certain clients, and I want client to be sure it is connected to the right server.
>
> I see how it could be done using certificates. However for my application generating certificates would be too complex for end user. The simplest way I see it would be to use RSA public/private keys: the way SSH does.
>
> So client and server each would have private/public key pairs generated. When, I would manually add server public key to client side and client public key to server side (server will possibly have more than one client key).
>
> If there is anything wrong with the way I am planning to do it? It seems to me that this should be pretty common usage. If somebody done this before I would appreciate any advice. I am new to openssl and still learning basics.
>
> Sincerely,
> Vadim
>
> --
> Perfection is achieved not when there is nothing left to add, but when there is nothing left to take away. (Antoine de Saint-Exupery)

 Jeffrey Altman * Sr.Software Designer      C-Kermit 8.0 available now!!!
 The Kermit Project @ Columbia University   includes Telnet, FTP and HTTP
 http://www.kermit-project.org/             secured with Kerberos, SRP, and
 [EMAIL PROTECTED]                          OpenSSL. Interfaces with OpenSSH
Re: RSA keys auth.
Jeffrey Altman wrote:

> A passphrase consisting of human readable/typable text provides approximately 2 bits of entropy per character.

English text contains approx. 3.5 bits of entropy per character.
Re: RSA keys auth.
Michael Sierchio [EMAIL PROTECTED] writes:

> Jeffrey Altman wrote:
>
>> A passphrase consisting of human readable/typable text provides approximately 2 bits of entropy per character.
>
> English text contains approx. 3.5 bits of entropy per character.

This seems high, considering that only 6 bits are required to render every alphanumeric message (and only a little over 5 bits is required if you use only one case).

Schneier's estimate is even more conservative than Jeffrey's. Ordinary English text contains 1.0-1.5 bits per character. Schneier cites Shannon[0] and Cover[1].

Michael, perhaps you're thinking of the REDUNDANCY of English, which is roughly 3.4 bits/character (4.7 bits is required to render all 26 letters, so if you subtract 1.3 from 4.7...)

That said, it's not clear how these results apply to passwords. The entropy of short chunks of text is lower. Shannon claims about 2.3 bits/char for 8-letter chunks. OTOH, passwords which are specifically well chosen can have very high entropies. Memorizing strings of 8-16 random characters is quite practical [2] and such strings (even when limited to typed text) can have entropies as high as 6+ bits/character.

-Ekr

[0] Shannon, C.E., Prediction and Entropy in Printed English
[1] Cover, T.M., King, R.C., A Convergent Gambling Estimate of the Entropy of English, in IEEE Trans. Info. Theory., July 1978.
[2] OTOH, most people aren't willing to do this, so this is a best case scenario for situations where users care about security.
Re: RSA keys auth.
Eric Rescorla wrote:

> That said, it's not clear how these results apply to passwords. The entropy of short chunks of text is lower.

No. The entropy of short chunks of text, without syntax, is higher. Grammatical text is more redundant. Frequency vocabulary is different from dictionary vocabulary, too -- words people use in speech are shorter.

Passphrases such as those used in S/Key

  BE SIR WITH EASY RUBY RUBY
  GAIL FOND FEE YANG FACE SLOG
  COT KEN WIRE DARE STAY EYED
  CHOU MOOD LOW ORR MAGI BILK
  BEEF OWN KERR ROSY UTAH VEAL
  LAIN ICON NECK HAST JEFF GRAY
  BEE HAUL TUNA TERM WELT BOO
  SOME PUT PEA SEEN GO TWIN
  FADE GUST TIN SOME FLAG OFF
  GLIB BOAR CASK SILL SIN ARTS

etc. consist of six words chosen from a dictionary of 2048. 2048^6 = 2^66. It gets better, of course, if you use them as one-time passwords.
Re: RSA keys auth.
Michael Sierchio [EMAIL PROTECTED] writes:

> Eric Rescorla wrote:
>
>> That said, it's not clear how these results apply to passwords. The entropy of short chunks of text is lower.
>
> No. The entropy of short chunks of text, without syntax, is higher.

That's what I meant, higher :) That's why my next sentence was:

  Shannon claims about 2.3 bits/char for 8-letter chunks.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
Re: RSA keys auth.
On Sun, 6 Jan 2002, David Schwartz wrote:

> Why not use simple challenge/response password authentication?

That is one of the options I am considering. I am not sure how to store password on server side and what would be exchange sequence.

Vadim

--
Perfection is achieved not when there is nothing left to add, but when there is nothing left to take away. (Antoine de Saint-Exupery)
Re: RSA keys auth.
On 6 Jan 2002, Eric Rescorla wrote:

I would like to thank everybody who responded to my previous messages.

> This can't be done with SSL exactly the way you want to do it. The only way that SSL knows how to carry public keys is via certificates.

I would love to use certificates, but my problem with them is the following:

My client installs server and client. He should be able to set them up without requesting something from 3-rd party CA. If I understand correctly, the only solution in this case would be to generate his own CA and generate certificates with it. I am not sure how much secure it would be. Also I would like to make it not too complex for end user. After installing server and client he should not perform many complex steps to make it work.

Another question is: where this CA would reside: it should be stored somewhere to generate more client certificates if needed. My application is firewall management tool (www.fwbuilder.org) and daemon would run on firewall and used to configure certain aspects of it. Keeping CA there does not sound like very good idea.

So I see few variants implementing this:

1. Password

Server have password and keeps either whole password or MD5 of it. Clients establishes SSL connection (w/o certificates) and sends password. This is not very secure from man-in-the-middle attack.

2. Challenge-Response

I do not know yet how to implement this. Advice appreciated.

3. Certificates

After server is installed, certificate authority is generated. When using this CA, server certificate is generated. For each client, new certificate is generated using same authority. While establishing SSL connection client and server certificates are exchanged. (The question I am not completely understand yet, is how to check if they are the right ones. Probably I need to keep copy of server certificate on client side and compare one received over the connection with it?)

4. RSA keys

Similar to SSH. I understand that OpenSSL protocol does not have specific support for this, so it have to be written on top of it, after SSL connection is established. I guess server have to send some token signed with its key, which client have to send back signed with its. Checking signatures would ensure identity of both.

I am new to this kind of application and would really appreciate any advice.

Sincerely,
Vadim

--
Perfection is achieved not when there is nothing left to add, but when there is nothing left to take away. (Antoine de Saint-Exupery)
Re: RSA keys auth.
Use SRP (http://srp.stanford.edu) over SSL for privacy.

/r$

--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com
Re: RSA keys auth.
Vadim Zaliva [EMAIL PROTECTED] writes:

> On 6 Jan 2002, Eric Rescorla wrote:
>
> I would like to thank everybody who responded to my previous messages.
>
>> This can't be done with SSL exactly the way you want to do it. The only way that SSL knows how to carry public keys is via certificates.
>
> I would love to use certificates, but my problem with them is the following:
>
> My client installs server and client. He should be able to set them up without requesting something from 3-rd party CA. If I understand correctly, the only solution in this case would be to generate his own CA and generate certificates with it. I am not sure how much secure it would be. Also I would like to make it not too complex for end user. After installing server and client he should not perform many complex steps to

It's trivial to have your software automatically generate self-signed certificates. OpenSSL knows how.

> 1. Password
>
> Server have password and keeps either whole password or MD5 of it. Clients establishes SSL connection (w/o certificates) and sends password. This is not very secure from man-in-the-middle attack.

Right. You need certificates on the server side to protect against MITM.

> 2. Challenge-Response
>
> I do not know yet how to implement this. Advice appreciated.

See (for instance) the mechanism in RFC 2095.

> 3. Certificates
>
> After server is installed, certificate authority is generated. When using this CA, server certificate is generated. For each client, new certificate is generated using same authority. While establishing SSL connection client and server certificates are exchanged. (The question I am not completely understand yet, is how to check if they are the right ones. Probably I need to keep copy of server certificate on client side and compare one received over the connection with it?)

Not quite. You set the CA as the root on both sides and tell OpenSSL to enforce certificate verification. The tricky bit is establishing the binding between clients and their public keys in order to issue the correct certificates. This is often done with passwords.

> 4. RSA keys
>
> Similar to SSH. I understand that OpenSSL protocol does not have specific support for this, so it have to be written on top of it, after SSL connection is established. I guess server have to send some token signed with its key, which client have to send back signed with its. Checking signatures would ensure identity of both.

There's no point in doing this. Self-signed certificates are equally easy.

-Ekr
Re: RSA keys auth.
> 2. Challenge-Response
>
> I do not know yet how to implement this. Advice appreciated.

The short version of how you do this is that you use some sort of hashing scheme like MD5 or SHA1. During the installation process, you generate a random password (or ask the user to enter one) and you store the password on both the server and the client.

The authentication can go many ways, but the idea is for the server and client to each assure themselves that the other has the password. Here's one possible way to do it:

1) The server generates a random challenge and sends it and the current time to the client. (Let's call the server's challenge Cs and the server's time Ts.)

2) The client generates a random challenge as well and sends it and the current time (as it sees it) to the server. (Let's call the client's challenge Cc and the client's time Tc.)

3) The server computes a response by appending Cs, Ts, the password, Tc, and Cc, and sends the MD5 or SHA1 hash of this response to the client.

4) The client computes a response by appending Cc, Tc, the password, Ts, and Cs, and sends the MD5 or SHA1 hash of this response to the server.

5) Each side verifies that the other side created the correct hash, thus proving that it knows the password.

This is oversimplified, I'm afraid, and is not totally secure as stated. But it should give you the idea.

DS
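The five-step exchange described above, as an added example that is not the poster's code: both sides run in one process so the message flow is visible. The hardening choices are assumptions of this example, not part of the post: HMAC-SHA256 keyed with the password replaces a plain MD5/SHA1 hash over appended fields, every field is length-prefixed, each response is bound to the sender's role, and timestamps are checked against an assumed 300-second skew.

```python
"""Added example: mutual challenge-response over a shared password (stdlib only)."""
import hashlib
import hmac
import secrets
import struct
import time

MAX_SKEW = 300  # seconds of clock difference tolerated (assumed value)

def field(data):
    """Length-prefix a field so adjacent fields cannot run into each other."""
    return struct.pack(">I", len(data)) + data

def make_response(password, role, own, peer):
    """MAC over role, own (challenge, time) and peer (challenge, time)."""
    (c_own, t_own), (c_peer, t_peer) = own, peer
    msg = b"".join(field(x) for x in (
        role, c_own, str(t_own).encode(), c_peer, str(t_peer).encode()))
    return hmac.new(password, msg, hashlib.sha256).digest()

class Party:
    def __init__(self, role, password, clock=time.time):
        self.role, self.password, self.clock = role, password, clock
        self.own = self.peer = None

    def hello(self):
        """Steps 1 and 2: fresh random challenge plus the local time."""
        self.own = (secrets.token_bytes(16), int(self.clock()))
        return self.own

    def receive_hello(self, challenge, timestamp):
        """Store the peer's challenge; refuse timestamps outside the skew window."""
        if abs(int(self.clock()) - timestamp) > MAX_SKEW:
            raise ValueError("peer timestamp outside allowed skew")
        self.peer = (challenge, timestamp)

    def respond(self):
        """Steps 3 and 4: prove knowledge of the password for this exchange."""
        return make_response(self.password, self.role, self.own, self.peer)

    def verify(self, peer_role, peer_response):
        """Step 5: recompute what the peer should have sent, compare in constant time."""
        expected = make_response(self.password, peer_role, self.peer, self.own)
        return hmac.compare_digest(expected, peer_response)

def run_exchange(server_password, client_password):
    """Run one full exchange; returns (server_accepts, client_accepts)."""
    server = Party(b"server", server_password)
    client = Party(b"client", client_password)
    cs, ts = server.hello()
    cc, tc = client.hello()
    client.receive_hello(cs, ts)
    server.receive_hello(cc, tc)
    rs, rc = server.respond(), client.respond()
    return server.verify(b"client", rc), client.verify(b"server", rs)

def reflection_accepted(password):
    """Hand the server its own response back in place of the client's."""
    server, client = Party(b"server", password), Party(b"client", password)
    client.receive_hello(*server.hello())
    server.receive_hello(*client.hello())
    return server.verify(b"client", server.respond())

if __name__ == "__main__":
    print(run_exchange(b"s3cret", b"s3cret"), run_exchange(b"s3cret", b"wrong"))
    print(reflection_accepted(b"s3cret"))
```

Anyone who records one exchange can test password guesses against it offline, so the shared secret should be a long random value generated at install time rather than something a user types.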
Re: RSA keys auth.
On Sun, Jan 06, 2002 at 01:04:37PM -0800, Vadim Zaliva wrote:

> 2. Challenge-Response
>
> I do not know yet how to implement this. Advice appreciated.
>
> 4. RSA keys
>
> Similar to SSH. I understand that OpenSSL protocol does not have specific support for this, so it have to be written on top of it, after SSL connection is established. I guess server have to send some token signed with its key, which client have to send back signed with its. Checking signatures would ensure identity of both.

I did something like this in openSSL, but had to write basic RSA enc/dec routines. It's quite straightforward with the power of OpenSSL. I used a BIO to feed my own RSA key into an RSA struct.

from the ssh man pages

  When the user logs in, the ssh program tells the server which key pair it would like to use for authentication. The server checks if this key is permitted, and if so, sends the user (actually the ssh program running on behalf of the user) a challenge, a random number, encrypted by the user's public key. The challenge can only be decrypted using the proper private key. The user's client then decrypts the challenge using the private key, proving that he/she knows the private key but without disclosing it to the server.

Kind Regards
Crispin
RSA keys auth.
Hi!

I am trying to use OpenSSL to build secure authenticated channel between client and server. I want server to allow connections only from certain clients, and I want client to be sure it is connected to the right server.

I see how it could be done using certificates. However for my application generating certificates would be too complex for end user. The simplest way I see it would be to use RSA public/private keys: the way SSH does.

So client and server each would have private/public key pairs generated. When, I would manually add server public key to client side and client public key to server side (server will possibly have more than one client key).

If there is anything wrong with the way I am planning to do it? It seems to me that this should be pretty common usage. If somebody done this before I would appreciate any advice. I am new to openssl and still learning basics.

Sincerely,
Vadim

--
Perfection is achieved not when there is nothing left to add, but when there is nothing left to take away. (Antoine de Saint-Exupery)
RE: RSA Keys
Alex, thanks for the response. Here's a follow up question.

d2i_PublicKey has a type as the first parameter. What are they referring to? What do they want in this field?

Hylton

-----Original Message-----
From: Alexander Kuit [mailto:[EMAIL PROTECTED]]
Sent: 03 December 2001 05:21
To: [EMAIL PROTECTED]
Subject: Re: RSA Keys

On 03.12.2001 11:39:54 owner-openssl-users wrote:
> Hi
> Sorry for the resend. This is a resend with the complete encoding type.
> I am getting a file from a MS machine that contains an exported public key. This data appears to be binary data. It has been exported with the flag X509_ASN_ENCODING
> Trying to read the file with PEM_read_publickkey() does not appear to work.
> What is the correct function or other method to use to get this data into a RSA * struct or a EVP_PKEY structure. Preferably EVP_PKEY to add to a certificate.

PEM is the ascii version of the binary ASN/DER encoding, so PEM functions won't work. To convert a binary (der) encoding into an internal OpenSSL structure, use the d2i_* functions. In your case, probably the d2i_PublicKey() or a similar function will do. See also the FAQ for more information about the d2i_* functions.

Alex.
Re: RSA Keys
On 03.12.2001 11:39:54 owner-openssl-users wrote:
> Hi
> Sorry for the resend. This is a resend with the complete encoding type.
> I am getting a file from a MS machine that contains an exported public key. This data appears to be binary data. It has been exported with the flag X509_ASN_ENCODING
> Trying to read the file with PEM_read_publickkey() does not appear to work.
> What is the correct function or other method to use to get this data into a RSA * struct or a EVP_PKEY structure. Preferably EVP_PKEY to add to a certificate.

PEM is the ascii version of the binary ASN/DER encoding, so PEM functions won't work. To convert a binary (der) encoding into an internal OpenSSL structure, use the d2i_* functions. In your case, probably the d2i_PublicKey() or a similar function will do. See also the FAQ for more information about the d2i_* functions.

Alex.
Reading RSA-keys over network
Hi!

I'm doing a little hack reading RSA-keys from a network socket. I'm using openssl (0.9.6a), and am having some problems setting things up.

What I want is just to listen to a port, read a key from it, and play with it then. I'm using a BIO, and if I use BIO_read, I get the key, but using PEM_read_RSAPrivateKey gives me "BIO_gets: unsupported method". So, I thought I'd add a buffer-bio (bio->next_bio = BIO_new (BIO_f_buffer())), but that made my program think it got a connection when it didn't...

I'm at a loss as to what I'm supposed to do, and why. Minimal code for what I'm trying to achieve would be nice. =)

(Oh, and yes, I know it's not very bright sending private keys unencrypted over the network, but it's just for demo-purposes)
Re: Reading RSA-keys over network
On Fri, Jul 20, 2001 at 11:05:55AM +0200, Ohrt, Anders wrote:
> I'm doing a little hack reading RSA-keys from a network socket. I'm using openssl (0.9.6a), and am having some problems setting things up.
> What I want is just to listen to a port, read a key from it, and play with it then. I'm using a BIO, and if I use BIO_read, I get the key, but using PEM_read_RSAPrivateKey gives me "BIO_gets: unsupported method". So, I thought I'd add a buffer-bio (bio->next_bio = BIO_new (BIO_f_buffer())), but that made my program think it got a connection when it didn't...

Did you try

    BIO *io;
    io=BIO_new(BIO_f_buffer());
    BIO_push(io,network_bio);

and then read from io? It does a bit more than just setting next_bio. You may also consider to first connect to the network and only then add the buffering layer...

Best regards,
Lutz

--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
RSA keys (Repost)
Could anyone please help me? I think it's not difficult, but I just can't find it.

Toni

-----Original Message-----
From: EXT [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 12. December 2000 13:35
To: [EMAIL PROTECTED]
Subject: RSA keys

Hi,

could someone tell me how to create a pair of public+private RSA keys using the openssl utilities?

Thanks!
Toni
RE: RSA keys (Repost)
"openssl genrsa 1024" creates a pair according to PKCS#1

Rene

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 18. December 2000 08:28
To: [EMAIL PROTECTED]
Subject: RSA keys (Repost)

Could anyone please help me? I think it's not difficult, but I just can't find it.

Toni

-----Original Message-----
From: EXT [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 12. December 2000 13:35
To: [EMAIL PROTECTED]
Subject: RSA keys

Hi,

could someone tell me how to create a pair of public+private RSA keys using the openssl utilities?

Thanks!
Toni
RSA keys
Hi,

could someone tell me how to create a pair of public+private RSA keys using the openssl utilities?

Thanks!
Toni
Extra : read and write RSA keys, help
Hi,

I recently posted a question about reading and writing RSA keys. I want to write the public key to a separate file because that file needs to be distributed. But when I read it, I first of all get "expecting public key" error from PEM_read_bio_PUBKEY(). Won't the original RSA structure be destroyed (so I lose the private key)?? Or is it maybe possible to encrypt with an RSA key without the private key (I am, obviously, encrypting only with the given public key) inside.

Just for clearing up why I want the above construction: I want an RSA keypair. The private and public keys should be stored to disk separately (maybe a private file with public inside, but public must also be alone in a file). The public key will be distributed and must be readable by another application to be used for encrypting data which has to be sent back to the originator.

Maybe anybody can help with the top problem,

Thanks,
Thijs Volders.
Re: Extra : read and write RSA keys, help
Hi there,

I think I follow your question. An RSA private key implicitly contains the public key already[1]. So if you have generated a key-pair and saved them to disk - you're already most of the way there. If you don't still have the private key in memory, load the private key back up. Either way, find your private key (an (RSA*) pointer) and use any function that outputs an RSAPublicKey and you'll have what you want (the public key functions simply ignore the private key components - you can test all this using "openssl asn1parse" to see for yourself once the files are created).

As for which public key function, you have some choices;

    /* Writing an RSA's public key components to an opened file, in PEM format
     * (text-based and readable). */
    PEM_write_RSAPublicKey(FILE *fp, RSA *rsa);

    /* Doing the same if you use BIOs to access files */
    PEM_write_bio_RSAPublicKey(BIO *bio, RSA *rsa);

    /* Outputting the RSA's public key components in DER format (raw binary -
     * PEM takes this and textifies this, but if you don't need text
     * readability then this can do). You need to save the resulting output to
     * a file.
     *
     * NB: Call this with pp==NULL if you want to find out how large the
     * output will be before you allocate memory.
     * NB: After calling this function (*pp) will point to the first byte
     * *after* the last byte of the output - so pass a *copy* of the original
     * pointer.[2] */
    int i2d_RSAPublicKey(const RSA *a, unsigned char **pp);

And there's probably others too ...

Hope that helps,
Geoff

[1] It's possible for this to not be the case but never happens in reality and would take a warped imagination to construct a reason why this should happen in any remotely normal situation. It won't happen to you unless you do it to yourself intentionally.

[2] Eg.

    int len;
    unsigned char *ptr, *copied_ptr;
    FILE *fp = fopen("privatekey.der", "wb");      /* Open output file (binary, DER) */
    len = i2d_RSAPublicKey(rsa, NULL);             /* Figure out the length */
    copied_ptr = ptr = OPENSSL_malloc(len);        /* Make room */
    if(i2d_RSAPublicKey(rsa, &copied_ptr) != len) { /* Generate output */
        /* Go mad ... */
    }
    /* NB: Here we don't use copied_ptr because it was changed! */
    if(fwrite(ptr, 1, len, fp) != (size_t)len) {   /* Save output to an open file */
        /* Go mad ... */
    }
    OPENSSL_free(ptr);                             /* Release the allocated memory */
    fclose(fp);                                    /* Close the private key file */

On Fri, 1 Dec 2000, Thijs Volders wrote:
> Hi,
> I recently posted a question about reading and writing RSA keys. I want to write the public key to a separate file because that file needs to be distributed. But when I read it, I first of all get "expecting public key" error from PEM_read_bio_PUBKEY(). Won't the original RSA structure be destroyed (so I lose the private key)?? Or is it maybe possible to encrypt with an RSA key without the private key (I am, obviously, encrypting only with the given public key) inside.
> Just for clearing up why I want the above construction: I want an RSA keypair. The private and public keys should be stored to disk separately (maybe a private file with public inside, but public must also be alone in a file). The public key will be distributed and must be readable by another application to be used for encrypting data which has to be sent back to the originator.
> Maybe anybody can help with the top problem,
> Thanks,
> Thijs Volders.
Re: Extra : read and write RSA keys, help
Geoff Thorpe wrote:
> Hi there,
>
> I think I follow your question. An RSA private key implicitly contains the public key already[1]. So if you have generated a key-pair and saved them to disk - you're already most of the way there. If you don't still have the private key in memory, load the private key back up. Either way, find your private key (an (RSA*) pointer) and use any function that outputs an RSAPublicKey and you'll have what you want (the public key functions simply ignore the private key components - you can test all this using "openssl asn1parse" to see for yourself once the files are created).
>
> As for which public key function, you have some choices;
>
>     /* Writing an RSA's public key components to an opened file, in PEM format
>      * (text-based and readable). */
>     PEM_write_RSAPublicKey(FILE *fp, RSA *rsa);
>
>     /* Doing the same if you use BIOs to access files */
>     PEM_write_bio_RSAPublicKey(BIO *bio, RSA *rsa);
>
>     /* Outputting the RSA's public key components in DER format (raw binary -
>      * PEM takes this and textifies this, but if you don't need text
>      * readability then this can do). You need to save the resulting output to
>      * a file.
>      *
>      * NB: Call this with pp==NULL if you want to find out how large the
>      * output will be before you allocate memory.
>      * NB: After calling this function (*pp) will point to the first byte
>      * *after* the last byte of the output - so pass a *copy* of the original
>      * pointer.[2] */
>     int i2d_RSAPublicKey(const RSA *a, unsigned char **pp);
>
> And there's probably others too ...

Yes there are a few other options :-)

You can write directly in DER form with:

    int i2d_RSAPublicKey_fp(FILE *fp,RSA *rsa);

There is also a second public key format which has RSA_PUBKEY in its name rather than RSAPublicKey. The two are *not* compatible.

In case anyone is interested the difference between the two formats is that the RSAPublicKey format is an RSA specific format: it is a PKCS#1 RSAPublicKey structure.

The second form is a SubjectPublicKeyInfo structure which is a generic public key wrapper which is the same form used to represent any public key in certificates, not just RSA. Using the RSA_PUBKEY functions uses this form. If the generic form is read using the RSA_PUBKEY functions and the public key is not RSA then an error occurs.

The 'rsa' utility uses this second form and doesn't currently have an option to use the first form: maybe a future version of OpenSSL will have an option to do this.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: ADD : read and write RSA keys
On Fri, Dec 01, 2000 at 09:05:23AM +0100, [EMAIL PROTECTED] wrote:
> first when I export the public key with PEM_write_RSAPublicKey() or PEM_write_PUBKEY() it is impossible to read it in via PEM_read_bio_RSAPublickey(). I get the error "EXPECTING PUBLIC KEY", why ??

If you write with PEM_write_bio_RSAPublicKey(), read with PEM_read_bio_RSAPublicKey().

If you write with PEM_write_bio_RSA_PUBKEY(), read with PEM_read_bio_RSA_PUBKEY().

Cheers.
--
Ng Pheng Siong [EMAIL PROTECTED] * http://www.post1.com/home/ngps
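The format mismatch described in the two replies above (PKCS#1 RSAPublicKey versus SubjectPublicKeyInfo, and matching the reader to the writer), as an added example that is not part of the thread or of OpenSSL: a stand-alone C classifier that looks at DER bytes (the decoded body of a PEM file) and reports which layout they carry and which reader expects it. The enum, function names and the toy key bytes are constructed for illustration.

```c
#include <string.h>

enum pubkey_format { FMT_INVALID, FMT_PKCS1_RSA, FMT_SPKI_RSA, FMT_SPKI_OTHER };
/* Constructed toy key (n = 3233, e = 17) in both layouts; not a usable key. */
static const unsigned char SAMPLE_PKCS1[] = { 0x30,0x07, 0x02,0x02,0x0c,0xa1, 0x02,0x01,0x11 };
static const unsigned char SAMPLE_SPKI[] = { 0x30,0x1b, 0x30,0x0d,
    0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01, 0x05,0x00,
    0x03,0x0a,0x00, 0x30,0x07,0x02,0x02,0x0c,0xa1,0x02,0x01,0x11 };
/* Content bytes of OID 1.2.840.113549.1.1.1 (rsaEncryption). */
static const unsigned char RSA_OID[] = { 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01 };

/* Read one DER tag/length header at buf[*pos] and move *pos to the content.
 * Returns 0 on truncated input, indefinite length, or content past len. */
static int der_header(const unsigned char *buf, size_t len, size_t *pos,
                      unsigned char *tag, size_t *clen)
{
    size_t p = *pos, n, i;
    if (p >= len || len - p < 2) return 0;
    *tag = buf[p++];
    *clen = buf[p++];
    if (*clen & 0x80) {                 /* long form: n length bytes follow */
        n = *clen & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len - p < n) return 0;
        for (*clen = 0, i = 0; i < n; i++) *clen = (*clen << 8) | buf[p++];
    }
    if (*clen > len - p) return 0;
    *pos = p;
    return 1;
}

/* Decide from the first element inside the outer SEQUENCE which layout this is. */
enum pubkey_format classify_pubkey_der(const unsigned char *der, size_t len)
{
    size_t pos = 0, clen, alg_end;
    unsigned char tag;
    int is_rsa;
    if (!der_header(der, len, &pos, &tag, &clen) || tag != 0x30 || pos + clen != len)
        return FMT_INVALID;
    if (!der_header(der, len, &pos, &tag, &clen)) return FMT_INVALID;
    if (tag == 0x02) {                  /* INTEGER: RSAPublicKey { n, e } */
        pos += clen;
        if (!der_header(der, len, &pos, &tag, &clen) || tag != 0x02) return FMT_INVALID;
        return pos + clen == len ? FMT_PKCS1_RSA : FMT_INVALID;
    }
    if (tag != 0x30) return FMT_INVALID;
    alg_end = pos + clen;               /* SEQUENCE: AlgorithmIdentifier */
    if (!der_header(der, alg_end, &pos, &tag, &clen) || tag != 0x06) return FMT_INVALID;
    is_rsa = clen == sizeof RSA_OID && memcmp(der + pos, RSA_OID, clen) == 0;
    pos = alg_end;
    if (!der_header(der, len, &pos, &tag, &clen) || tag != 0x03 || pos + clen != len)
        return FMT_INVALID;             /* BIT STRING must end the structure */
    return is_rsa ? FMT_SPKI_RSA : FMT_SPKI_OTHER;
}

/* PEM reader whose expected structure matches each layout. */
const char *matching_reader(enum pubkey_format f)
{
    static const char *const names[] = { "none", "PEM_read_bio_RSAPublicKey",
        "PEM_read_bio_RSA_PUBKEY", "PEM_read_bio_PUBKEY" };
    return names[f];
}
```

The bytes inside the SubjectPublicKeyInfo BIT STRING are themselves a PKCS#1 RSAPublicKey, which is why the two files hold the same key yet each reader rejects the other's output.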
RE: Problem generating RSA keys using 64-bit compile on IRIX
Hi Philip Just searched the archives and found your message. I had the same problem, and submitted a patch, not long ago. I also have another 64 bit related patch. Both are included below -- Karsten Spang Senior Software Developer, Ph.D. Belle Systems A/S Tel.: +45 59 44 25 00 Fax.: +45 59 44 25 88 E-mail: [EMAIL PROTECTED] Web:http://www.bellesystems.com/ Defining the Future of IP Services *** rsa_gen.c.dist Sat Feb 5 15:17:30 2000 --- rsa_gen.c Mon May 29 15:19:31 2000 *** *** 95,101 * unsigned long can be larger */ for (i=0; isizeof(unsigned long)*8; i++) { ! if (e_value (1i)) BN_set_bit(rsa-e,i); } #else --- 95,101 * unsigned long can be larger */ for (i=0; isizeof(unsigned long)*8; i++) { ! if (e_value (1ULi)) BN_set_bit(rsa-e,i); } #else *** s3_clnt.c.dist Mon Mar 27 23:28:27 2000 --- s3_clnt.c Thu May 25 13:36:57 2000 *** *** 466,472 p=s-s3-client_random; Time=time(NULL);/* Time */ l2n(Time,p); ! RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); /* Do the message type and length last */ d=p= (buf[4]); --- 466,472 p=s-s3-client_random; Time=time(NULL);/* Time */ l2n(Time,p); ! RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4); /* Do the message type and length last */ d=p= (buf[4]); *** s3_srvr.c.dist Mon Mar 27 23:28:28 2000 --- s3_srvr.c Thu May 25 13:36:04 2000 *** *** 837,843 p=s-s3-server_random; Time=time(NULL);/* Time */ l2n(Time,p); ! RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); /* Do the message type and length last */ d=p= (buf[4]); --- 837,843 p=s-s3-server_random; Time=time(NULL);/* Time */ l2n(Time,p); ! RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4); /* Do the message type and length last */ d=p= (buf[4]); __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
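Review bot: In the rsa_gen.c hunk, the new 1UL constant in the e_value test only helps if e_value itself is declared unsigned long, and that declaration is outside the lines shown, so please confirm the type. The loop runs over sizeof(unsigned long)*8 bit positions, so it would also help to extend the existing "unsigned long can be larger" comment to say why the constant carries the UL suffix, so that nobody shortens it back to a plain 1. As posted, the operators in the loop condition and in the e_value test do not appear in the text, so the patch should be resent as an attachment to be sure it applies.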
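Review bot: In the s3_clnt.c hunk, replacing sizeof(Time) with a bare 4 in the RAND_pseudo_bytes() length leaves a magic number whose correctness depends on l2n(Time,p) having advanced p by exactly four bytes on the line before. A short comment next to the call, or a named constant for the width of the time field in client_random, would tie the two lines together and make the 64-bit reasoning visible to the next reader.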
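Review bot: The s3_srvr.c hunk repeats the same SSL3_RANDOM_SIZE-4 edit for server_random, so the client and server copies can drift apart again; a shared macro used in both files would keep them in step. The return value of RAND_pseudo_bytes() is also still ignored on the changed line, which is worth checking while this line is being touched.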