> From: [email protected] On Behalf Of David Schwartz
> Sent: Friday, 01 May, 2009 10:21

> > Now, from whatever I know about the public key cryptography, it is not
> > possible to generate private key from the public key and vice versa.
> > Both the keys can only be generated together through some algorithm.
>
> That depends on the algorithm and your precise definition of "private key".
> There is no reason what you are calling the private key together with the
> public key could not also be referred to as the "private key".

Information-theoretically the keys (must) determine each other,
but it must be infeasible to compute the privatekey from the publickey.
It is perfectly okay if the public can be computed from the private.

> > And there is
> > no fundamental difference between the two keys. Any key from the pair
> > can be designated as a public key and the counterpart as the private
> > key.
>
> That may be true for some algorithms, but it is not a general
> property of asymmetric cryptography.

It is abstractly true for RSA; taking any x*y == 1 mod lambda(N),
you can use either for public e and the other for private d
IF BOTH ARE LARGE. But since (fairly) small e (but not d) is fine
for security and more efficient, that's what people do (and openssl
generates), and then they are NOT interchangeable.

For log-based algorithms like DSA (and DH), as you say,
it isn't even applicable.

> > So what is happening here is that we are generating public key from
> > the private key in command no (2). (Remember, public key is stored in
> > domainname.csr). So if that is the case, then we can also generate
> > private key given a public key.
> >
> > This is bizarre. Obviously I am missing something here. My only guess
> > is that the file domainname.key as generated by command (1) stores
> > BOTH public and private keys. That will make the whole game logical.
> > Of course openssl documentation doesn't say so. So can somebody please
> > explain the logic behind these commands. Or at least can somebody
> > please confirm my observation?
>
> The file stores a structure from which the private key can be
> extracted. If you choose not to call that the "private key"
> for some reason, you are welcome to do so. But nothing in the
> ordinary usage of those terms prevents a structure from which
> the public key can be extracted from being called the "private key".
>
> An RSA private key structure, for example, will typically
> contain the modulus, public exponent, private exponent,
> prime1, prime2, exponent1, exponent2, and coefficient. An RSA
> public key contains the modulus and public exponent. It
> should be clear that the public key is thus a subset of the
> private key.

In particular the standard PKCS#1 representation, which openssl uses.
The extra exponents and coefficient are used to implement privkey modexp
as 'Chinese remainder' (half-size) which is more efficient. Since this
depends on the factorization of the modulus, it allows you inherently
to recover e, so we might as well just keep it (and do). And this offers
the convenience that you can easily extract pubkey from privkey
(given access) when needed, as already noted using 'rsa -pubout',
thus you don't need to store it separately.

Mathematically, it would work to store ONLY d,N for an RSA privatekey,
and this would not by itself be sufficient to recover e (since you've
discarded P,Q). But using fullsize modexp d is usually much too slow.

______________________________________________________________________
OpenSSL Project                          http://www.openssl.org
Development Mailing List                 [email protected]
Automated List Manager                   [email protected]
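
The points made in the message above, as an added example that is not part of the original thread or of OpenSSL's code: a Python sketch that builds the eight private-key fields listed above, takes the public key as a subset of them, checks the Chinese-remainder private operation against the full-size modexp, and recovers e from P, Q and d. The function names and the roughly 150-bit key built from two constructed toy primes are assumptions for illustration only.

```python
from math import gcd

# Constructed toy primes (Mersenne primes 2^89-1 and 2^61-1); far too small for real use.
P, Q, E = 2**89 - 1, 2**61 - 1, 65537

def lam(p, q):
    """Carmichael lambda(N) = lcm(p-1, q-1)."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def make_key(p, q, e):
    """Return the eight RSA private-key fields named in the thread."""
    d = pow(e, -1, lam(p, q))          # e*d == 1 mod lambda(N)
    return {"modulus": p * q, "publicExponent": e, "privateExponent": d,
            "prime1": p, "prime2": q,
            "exponent1": d % (p - 1), "exponent2": d % (q - 1),
            "coefficient": pow(q, -1, p)}

def public_part(key):
    """The public key is a subset of the private structure (cf. 'rsa -pubout')."""
    return {f: key[f] for f in ("modulus", "publicExponent")}

def private_op_full(key, c):
    """Full-size modexp with d over N."""
    return pow(c, key["privateExponent"], key["modulus"])

def private_op_crt(key, c):
    """Chinese-remainder form: two half-size modexps, then recombine."""
    p, q = key["prime1"], key["prime2"]
    m1 = pow(c % p, key["exponent1"], p)
    m2 = pow(c % q, key["exponent2"], q)
    h = key["coefficient"] * (m1 - m2) % p
    return m2 + h * q

def recover_e(p, q, d):
    """Knowing the factorization, e is just the inverse of d mod lambda(N)."""
    return pow(d, -1, lam(p, q))

KEY = make_key(P, Q, E)

if __name__ == "__main__":
    c = 0x1234567890ABCDEF             # constructed sample input
    print("CRT matches full modexp:", private_op_crt(KEY, c) == private_op_full(KEY, c))
    print("e recovered from P, Q, d:", recover_e(P, Q, KEY["privateExponent"]))
    print("bits in e / d:", E.bit_length(), KEY["privateExponent"].bit_length())
```

The last line printed shows the size asymmetry the message describes: e is 17 bits while d is well over 100 bits.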
