Thanks for your reply, first of all. I'm by no means an expert in cryptography (and obviously not on OpenSSL), and I'd appreciate any insight you can provide.

On 24-Jul-09, at 7:14 PM, David Schwartz wrote:


Jeremy R. wrote:

I'm writing a client application that needs to verify some content
from a server. I've generated an RSA key pair: the private key for the
server and the public key for the client.

Okay.

I also would like the data to be encrypted, so I'm trying to use
EVP_OpenInit on the receiving end to do my decryption. I'm reading a
public key in from DER format in memory (using d2i_PUBKEY), which is
working fine for signature verification. However, the key in memory is
only a public key (by design), and OpenSSL seems to be expecting a
private key to be in the EVP_PKEY I send to EVP_OpenInit.

Think about it. For encryption to work, the intended recipient must know something that no attacker can possibly know. That will allow them, and only them, to decrypt it.

Yes, but what I have neglected to mention is that this information will be broadcast from my server to all instances of the client application. Therefore, anyone with access to a copy of the client application will be able to decrypt the message, period.


How can I get OpenSSL to look at the public key in the EVP_PKEY and
use it? From what I know of RSA, there's no reason this public key
can't be used in a role a private key normally would be. I'd rather
not have to create a second key pair, which seems redundant.

It's not redundant. The second key pair would provide the intended recipient, the client, with something nobody else could know. It's not possible for encryption to work without that. Using the server's RSA key "in reverse" would produce something that was "encrypted" such that only public information was needed to decrypt it. What would the point of that be?

I think you misunderstand. My message format works like this: my application's data is already signed by the server's private key. As a result, it has a copy of the public key. The public and private keys are part of a key pair. From what I understand, RSA makes no distinction between which key is public and which is private, only that data encrypted with one can only be decrypted with the other.

So I already have a key pair established, and the client is only aware of one key, which is currently used only for signature verification. Could I not also use that key to decrypt the symmetric message key? The corresponding key, which only the server has, and is currently termed the "private key", is not known to the client. It is my understanding, then, that I should be able to use this key to encrypt my message, and that message will only be able to be decrypted by the client's key.

Why should I need to create a second RSA key pair, when I already have a perfectly good 4096-bit key pair between the client and server applications?


I know it's not that hard to extract the key from the client
executable, but I'm more concerned about eavesdropping third parties
who will not have access to the client executable.

Can you prove that access to the client executable is the only way to get the server's public key? Is it really easier to do a full analysis on the security of your protocol to ensure that the server's public key is not
revealed in any way? Because most existing protocols take no efforts
whatsoever to protect public keys.

The public key (the client's key) will only be distributed with the client application. In the event that the client's key is compromised, I may implement a re-keying
mechanism that allows the server to give the clients a new key.

But since this application will be broadcasting to all the clients and the overhead of key distribution and individually encrypting messages is unnecessary for my application, I don't need to be able to ensure that only one particular client can read it.

I strongly advise you not to do something different from the way everyone else does it. That's very unlikely to produce a solution that is actually
secure.

DS
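The two points David makes above, worked through as an added example that is not part of the thread and is not OpenSSL code. It uses unpadded textbook RSA with constructed toy parameters (four Mersenne primes, public exponent 17 instead of 65537 so the plain pow() call stays small) purely to show the arithmetic; the function names and the sample messages are mine. It demonstrates that "encrypt with d, decrypt with e" is exactly signature verification, so anyone holding (n, e) reads the broadcast; that (n, e) can be recovered from a few signed messages plus the conventional exponent, so keeping it inside the client binary protects nothing; and what EVP_SealInit/EVP_OpenInit actually model, a key pair whose private half exists only on the recipient.

```python
"""Toy, unpadded RSA: illustration only. Real code uses padded RSA (OAEP or
PKCS#1 v1.5) and a random symmetric key for the payload, which is what
EVP_SealInit/EVP_OpenInit do. Never deploy any of the arithmetic below as-is."""
from math import gcd

# Constructed toy parameters (assumption): Mersenne primes, far too small for
# real use. E=17 keeps pow(s, E) below 2000 bits; E=65537 behaves identically
# but makes that integer multi-megabit and the gcd slow.
SERVER_P, SERVER_Q = 2**31 - 1, 2**61 - 1
CLIENT_P, CLIENT_Q = 2**107 - 1, 2**127 - 1
E = 17


def keygen(p, q, e=E):
    """Return ((n, e), (n, d)) for a toy key pair."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python >= 3.8
    return (n, e), (n, d)


def private_op(m, priv):
    """m^d mod n. This is what signing does, and exactly what "encrypting
    with the private key" would do: the same operation."""
    n, d = priv
    return pow(m, d, n)


def public_op(c, pub):
    """c^e mod n: signature verification, computable by anyone with (n, e)."""
    n, e = pub
    return pow(c, e, n)


def recover_modulus(signed, e=E, small_prime_bound=10000):
    """Recover n from (message, signature) pairs and the public exponent alone.
    Since s_i^e == m_i (mod n), n divides every s_i^e - m_i; their gcd is n
    times a usually trivial cofactor, so strip small factors afterwards.
    With PKCS#1 v1.5 the attacker uses the deterministic padded hash in place
    of m_i, which is computable from the message alone."""
    g = 0
    for m, s in signed:
        g = gcd(g, pow(s, e) - m)  # plain pow(): n is not known yet
    for f in range(2, small_prime_bound):
        while g % f == 0 and g != f:
            g //= f
    return g


def demo():
    """Return a dict of booleans, one per claim made in the lead-in."""
    server_pub, server_priv = keygen(SERVER_P, SERVER_Q)
    session_key = 0xC0FFEE12345678  # constructed sample "symmetric key"

    # 1. The proposal in the thread: server "encrypts" with its private key,
    #    client "decrypts" with the public key shipped in the binary.
    c = private_op(session_key, server_priv)
    client_reads = public_op(c, server_pub) == session_key
    # An eavesdropper holding only the public key does the same thing.
    eavesdropper_reads = public_op(c, server_pub) == session_key

    # 2. The public key need not come from the client binary: three signed
    #    broadcasts (constructed sample messages) plus the exponent give it up.
    msgs = [123456789, 987654321, 0xDEADBEEF]
    signed = [(m, private_op(m, server_priv)) for m in msgs]
    modulus_recovered = recover_modulus(signed) == server_pub[0]

    # 3. What Seal/Open require: a second key pair whose private half lives
    #    only on the client. The server encrypts to the client's public key;
    #    only the client's private key reverses it.
    client_pub, client_priv = keygen(CLIENT_P, CLIENT_Q)
    sealed = public_op(session_key, client_pub)
    sealed_opens = private_op(sealed, client_priv) == session_key

    return {
        "client_reads": client_reads,
        "eavesdropper_reads": eavesdropper_reads,
        "modulus_recovered": modulus_recovered,
        "sealed_to_client_opens": sealed_opens,
    }


if __name__ == "__main__":
    for claim, ok in demo().items():
        print(f"{claim}: {ok}")
```

The third step is the OpenSSL shape: EVP_SealInit takes the recipients' public keys and emits a per-recipient encrypted symmetric key, and EVP_OpenInit needs the matching private key, which is why handing it a public-only EVP_PKEY fails. Broadcasting to many clients does not change that; it only means each client needs its own pair, or all clients share one pair whose private half is then exactly as secret as the client binary.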


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
