On Thu, Apr 13, 2006, Simon de Hartog wrote:

> Hi,
> 
> I have a rather complicated situation in the sense that I need to 
> realize licensing checks of software. This is done through a config file 
> that is signed through a USB smartcard (crypto-token). Next to that, I 
> have a symmetric blowfish key that I need for that. This key has been 
> encrypted (yes, an encrypted encryption key :-)) by an RSA-private key. 
> However, when I try to use openssl to decrypt using the corresponding 
> RSA-public key, I get:
> 
> A private key is needed for this operation
> 
> The command used is:
> 
> openssl rsautl -decrypt -pubin -inkey myrsakey.pub -in blowfish.enc
> 
> The blowfish.enc file was generated through:
> 
> dd if=/dev/random of=blowfishkey bs=16 count=1
> openssl rsautl -encrypt -in blowfishkey -out blowfishkey.enc \
> -inkey myrsakey.key
> 
> I use:
> OpenSSL 0.9.7g 11 Apr 2005
> 
> I know RSA encryption and decryption can only be used for very small 
> pieces of data. I need to encrypt more data, so I use a symmetric key to 
> encrypt and decrypt data and I make sure the key used to encrypt stuff 
> was encrypted by myself.
> 
> So in short: why can't I decrypt data with an RSA public key that has 
> been encrypted with the corresponding RSA private key?
> 
> BTW: I have to do this in Python (sorry, wasn't my choice :-( ), so I 
> can't use the RSA_public_decrypt() subroutine which, judging from 
> internet comments, *can* actually decrypt data with an RSA public key...
> 

You can't because that isn't what the operation is doing. If you perform an
"encrypt" operation with RSA it is encrypting the data using a *public* key.
It accepts a private key but only uses the public key portion of it.

That's why the decrypt operation fails: it needs a private key.

It seems a bit odd to do what you are suggesting. Symmetric keys are normally
secret and doing that would make it readable to anyone with access to the
public key. 

If you really want to do that then you probably want the sign/verify
operations instead which call RSA_private_encrypt() and RSA_public_decrypt().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
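
An added illustration of the reply above, not part of the original thread and not OpenSSL code: a pure-Python sketch of what the sign/verify pair (RSA_private_encrypt() / RSA_public_decrypt() with PKCS#1 v1.5 block type 1 padding) does to a 16-byte key. The toy key built from two Mersenne primes, the sample key bytes and all function names are assumptions made for the example; the point is that the payload comes back with only the public values, so the operation proves origin and detects tampering but keeps nothing secret.

```python
# Added illustration: textbook RSA with a constructed toy key (NOT secure).

# Constructed demo key from two Mersenne primes; never use such a key for real.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes


def private_encrypt(data: bytes) -> bytes:
    """'Sign': pad with block type 1, then apply the PRIVATE exponent."""
    if len(data) > K - 11:
        raise ValueError("data too long for this modulus")
    block = b"\x00\x01" + b"\xff" * (K - 3 - len(data)) + b"\x00" + data
    return pow(int.from_bytes(block, "big"), D, N).to_bytes(K, "big")


def public_decrypt(sig: bytes) -> bytes:
    """'Verify': apply the PUBLIC exponent, then check and strip the padding."""
    value = int.from_bytes(sig, "big")
    if len(sig) != K or value >= N:
        raise ValueError("bad signature length or range")
    block = pow(value, E, N).to_bytes(K, "big")
    sep = block.find(b"\x00", 2)       # first 00 after the FF run is the separator
    # Block type 1 requires 00 01, at least eight FF bytes, then a 00 separator.
    if block[:2] != b"\x00\x01" or sep < 10 or block[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("padding check failed")
    return block[sep + 1:]


def demo():
    key = bytes(range(16))             # constructed stand-in for the Blowfish key
    blob = private_encrypt(key)
    recovered = public_decrypt(blob)   # needs only (N, E): authenticity, not secrecy
    tampered = bytes([blob[0] ^ 1]) + blob[1:]
    try:
        public_decrypt(tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return recovered == key, tamper_detected


if __name__ == "__main__":
    print(demo())
```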
