just a side note: RSA private keys can be used to encrypt data that can be decrypted with the public key.
RSA public keys can be used to encrypt data that can be decrypted with the private key. The speed of the operation is 3 to 4 orders of magnitude slower than the equivalent encryption/decryption with a symmetric key. However, the fact that the RSA function is invertible is what allows it to be used for secure asymmetric authentication. On 4/13/06, David Schwartz <[EMAIL PROTECTED]> wrote: > > > However, when I try to use openssl to decrypt using the corresponding > > RSA-public key, I get: > > > > A private key is needed for this operation > > That is how RSA encryption works: > > 1) There is a public key that you can distribute. > > 2) There is a private key from which the public key can be derived. > > 3) The private key cannot be derived from the public key. > > 4) You can sign with the private key and verify that signature with > the > public key. > > 5) You can encrypt with the public key and the private key is > necessary to > decrypt. > > It sounds like you're not doing any of these five things. What > sensible > algorithm permits decryption with the public key? > > > The command used is: > > > > openssl rsautl -decrypt -pubin -inkey myrsakey.pub -in blowfish.enc > > You cannot decrypt with the public key, otherwise you would have a > piece of > encrypted data that anyone could decrypt. If your goal is to make sure that > the information was somehow processed with the private key, you want a > signature, not an encryption. > > > I know RSA encryption and decryption can only be used for very small > > pieces of data. I need to encrypt more data, so I use a symmetric key to > > encrypt and decrypt data and I make sure the key used to encrypt stuff > > was encrypted by myself. > > Sounds like you need to both encrypt and sign the key. > > > So in short: why can't I decrypt data with an RSA public key that has > > been encrypted with the corresponding RSA private key? > > Because you actually encrypted with the public key, which can be > trivially > derived from the private key. > > > BTW: I have to do this in Python (sorry, wasn't my choice :-( ), so I > > can't use the RSA_public_decrypt() subroutine which, judging from > > internet comments, *can* actually decrypt data with an RSA public key... > > It's hard to tell you what to do without understanding your security > and > threat model. But the reason what you're trying to do won't work is that RSA > decryption requires the private key so that only the owner of the key can > decrypt. The standard RSA routines don't imagine a situation where only one > person should be allowed to encrypt but anyone can decrypt, other than a > digital signature. > > >What I want to do is the following: I want to restrict use of software > >by specifying limits such as number of CPU's and validity until a > >certain date. This data will be put in an .xml file. But, I want to be > >able to make sure that the software has to use a Smartcard (with public > >and private key) to check the integrity of this .xml file so nobody can > >alter it, but I *also* want to make sure that the .xml file was made and > >certified by the company that owns the software. > > That is not easy to do. You are trying to give the information to and > keep > the information from the same entity. > > >The easy solution would be to just use certificates and use the validity > >periods therein. I could use the company's CA cert and store the > >software user's cert in the smartcard. However, this would imply having > >to update the smartcard every time they pay license fees and this is not > >what desirable. So I just want to use public/private keys, no > >certificates for this. > > I don't follow at all. When someone pays license fees, you need to > somehow > track the information that their validity period was extended. If not by > updating the smartcard, how do you want to do that? > > DS > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List [email protected] > Automated List Manager [EMAIL PROTECTED] > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
