Re: [openssl-users] RES: RES: Testing OpenSSL based solution

[Jakob Bohm]

On 12/05/2015 22:50, Marcus Vinicius do Nascimento wrote:

I did some quick research and found this: http://en.wikipedia.org/wiki/Digital_Signature_Algorithm

If my understanding is correct, the public key is (p, q, g, y).

The private key would be x, such that y = g^x mod p.

Is there some way to generate both public and private keys using OpenSSL, based on p, q, g and y?

Not without finding a way to breaking DSA.
The whole point is you cannot get x from y.

However for your library to be any use at all,
it needs to already support that the
computer/user that runs it to verify
signatures don't know the private key
either.

So somewhere you should already have a way
to input ((p, q, g), y) and use that to
verify a signature.

*De:*openssl-users [mailto:openssl-users-boun...@openssl.org] *Em nome de *Marcus Vinicius do Nascimento

*Enviada em:* terça-feira, 12 de maio de 2015 17:06
*Para:* openssl-users@openssl.org
*Assunto:* [openssl-users] RES: Testing OpenSSL based solution

Thanks for both answers.

I tried using Y as the public key, but ssl seems not to accept that.

Here is the error scenario:

From the FIP file:

[mod = 1024]

P = fda5442483ccf7a12399d6c13d56ff882d689524f1885fcb7424e26da2d200a1657b631dcc74c73ecbd89fe42cc554b7062835c73d7203161e09742392b2b7c75253eea04a0b55d511646fbe2e81a9d80463e956527f8d6d42f4193984d5dcc6a8dadff80f31e44405840828581f013e074859b885908aaab30d87660bbaf8cb

Q = dc678f95c673538f74dcbf67a80454c843937795

G = efd89f2dcf6e6a6a77cf18f238b2419de127864218eb4550c9e1a73085f97d7988322d7eea91590646373aa66f7a3d0994cb5ac741a19874eb9e79862b000e5978f3305bb70be4f987a12a686167316e663f4de995b36e74062e39a79a4b30e4d36977276e3d33c5165911d303d5682f8e0a96c510e1d9606d09b5573a675362

Msg = 58b7b3639a8d99babfe57f814024c5e7a0893bcf47b692768e6c11561796894b5f898bf5968ad85dae9019dbb24cd13759678f0edb0b687703a4a4e785e8b85293157593ab797e0eb338ff94474a9c8752c3a83edb5798aa221db73aec931bfd1be3d70781647215f6649874a825101eb325ee27f2a20a57145eb019f2a09993

Y = 808998aecbc5ab4679bf215e2166b371d249bb6e4bfc3404f2bcd2aaf61770851d236668252a11f061fb54067ddaa97ed7bf5a5c836db02e5b1f9f1a627ac1eb2dcfa484ed5fef383f4bae7aa18a3ef9ea94bab83439ccf261ec52529f298050b27df185eecccf8caa44b529c8fcbd88c6a33cc42b5b17244ea9e1099686a92b

R = 33bf9a15b6823e7c5583f94bcea2f0439a881f8c

S = 48feaff1ec4803fb88fdc70773d9ac7b84905d3a

Result = P

So I tried reformatting Y to pass it to PEM_read_bio_DSAPrivateKey.

Converting Y to Base64 = "gImYrsvFq0Z5vyFeIWazcdJJu25L/DQE8rzSqvYXcIUdI2ZoJSoR8GH7VAZ92ql+179aXINtsC5bH58aYnrB6y3PpITtX+84P0uueqGKPvnqlLq4NDnM8mHsUlKfKYBQsn3xhe7Mz4yqRLUpyPy9iMajPMQrWxckTqnhCZaGqSs="

Reformatting in PEM format = "-----BEGIN DSA PRIVATE KEY-----

gImYrsvFq0Z5vyFeIWazcdJJu25L/DQE8rzSqvYXcIUdI2ZoJSoR8GH7VAZ92ql+

179aXINtsC5bH58aYnrB6y3PpITtX+84P0uueqGKPvnqlLq4NDnM8mHsUlKfKYBQ

sn3xhe7Mz4yqRLUpyPy9iMajPMQrWxckTqnhCZaGqSs=

-----END DSA PRIVATE KEY-----

"

Code that matters:

BIO * keybio = BIO_new_mem_buf(const_cast<char *>(key.c_str()), -1);

if (keybio == NULL)

{

errormsg = "Can not create DSA key";

return 0;

}

DSA *dsa = PEM_read_bio_DSAPrivateKey(keybio, &dsa, NULL, NULL);

if (dsa == NULL)

{

errormsg = "Can not read DSA key";

}

return dsa;

PEM_read_bio_DSAPrivateKey fails.

Am I missing something here?

*De:*openssl-users [mailto:openssl-users-boun...@openssl.org] *Em nome de *Jakob Bohm

*Enviada em:* terça-feira, 12 de maio de 2015 15:42
*Para:* openssl-users@openssl.org
*Assunto:* Re: [openssl-users] Testing OpenSSL based solution

On 12/05/2015 20:10, Salz, Rich wrote:

    You can't easily have test vectors for DSA signatures since they include a random.  
Any test vector would have to include the random, and any API would have to be able to 
accept the random as part of the "sign" API.  Verification should be okay.

What Mr. Salz refers to by "Verification should be okay"
is probably this:

You can have test vectors in the form of known good
signatures with public keys listed in the test vector.
For DSA, those would be the (message, y, r, s) quads
mentioned by the OP (y is the public key, (r, s) is the
signature), depending on his class library, it might be
possible to reformat those vectors to the format used
by his code for real messages.

The importance of such test vectors is to detect if an
implementation is accidentally implementing a different
signature algorithm (such as accidentally appending a 0
byte to each message both during signing and
verification).  This would not be detected by signing
and verifying sample messages with random parameters.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users