Re: Do you have to pre-pend 16 bytes to a raw value before RSA encryption
:-) Well, the 'funny' bit in your original message is that it's not about 'padding' (what the others talk about) as 'padding' always ends up FOLLOWING (after) your content/data, while you specifically mention you have to _precede_ your data with 16 bytes of... what? Which makes it kinda weird, because the only byte sequence I know that can precede your content/data, is the so-called IV (Init Vector), but then you can't just plunk it in there and do nothing with it -- which is what I read from your messages (twice): you apparently have to PREpend your content with 16 bytes. Any specific 16 bytes or just random gunk? And then the wicked bit is that your parent company's web service actually tolerates that _and_ from your message I understand they only accept your *actual* data only then. The OAEP stuff is all valid and valuable, but that's when you *design* these kind of exchanges, not when you're faced with a 'fait accomplit' like you seem to be in: I take it you don't have access to the parent corp. developers nor the clout to change _their_ side of things. For a real answer, we're a bit short on detail here (like: (1) What do you drop into those preceding 16 bytes? (2) How long is your message content itself? (3) What's the code look like?) but my guess right now is this is something IV-ish done by your parent corp. when they concocted this one. (Simplified explanation of IV: IV's are used to help make the crypted data look like a 'real mess' as an IV is just a series of random data at the start of a message, which prevent cryptanalysts from having an easier job at guessing your content -- compare this to email, where you always start with 'Hi name,', then if you're a cryptanalyst, you can assume the first few crypted bytes are 'Hi ...' and that's makes your life way easier when you have to break the encryption. Now starting each message with some random gunk instead (= IV), before you send some actual data, causes such kind of assumptions to go striaght down the toilet and life more hard for the code breaker.) We lost you, but back again a bit now? Ger On Thu, Sep 18, 2008 at 10:56 AM, Peter Walker [EMAIL PROTECTED] wrote: Sorry if this sounds ultra noobish but you guys lost me, even though you probably did answer my question ;) The purpose of my application is to send a credit card number in encrypted format. So the parent companies webservice issues me a X509 certificate which contains their public RSA key. I extract the RSA public key from the X509 certificate and use that to encrypt the credit card number using RSA_public_encrypt with RSA_PKCS1_PADDING. I thought that would be the end of it but it turns out that I needed to add 16 bytes to the beginning of the raw data before encryption. Then it all works. So as a noob, I just wanted to know if that is the correct requirement of RSA or a requirement of my parent companies web service only? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Sierchio Sent: 17 September 2008 22:48 To: openssl-users@openssl.org Subject: Re: Do you have to pre-pend 16 bytes to a raw value before RSA encryption Kenneth Goldman wrote: What padding are you specifying? I suspect that you are specifying no padding, in which case the size of the input must be the same as the size of the key. No. The input is the same size as the *modulus*. When used in encryption the recommended approach for RSA is to pad every block, and not to encrypt MODULUS-SIZE bytes of plaintext. There are very good reasons for this which will not be obvious to all readers of this thread, but you would want to use OAEP (Optimal Asymmetric Encryption Padding) if you are doing something other than signing (e.g. using RSA for to encrypt a session key). If the OP means what he says, which is *signing* a public key (the purpose of which is entirely unclear to me), then the plaintext will be the hash of the pubkey, right? In which case the padding will have to be sufficient to fill the remaining RSA block size, whatever that is. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- Met vriendelijke groeten / Best regards, Ger Hobbelt -- web: http://www.hobbelt.com/ http://www.hebbut.net/ mail: [EMAIL PROTECTED] mobile: +31-6-11 120 978
RE: Do you have to pre-pend 16 bytes to a raw value before RSA encryption
Yep that explains it perfectly, thanks. The data I pre-pend is 16 bytes of random data right at the very start and the original data length is anywhere between 13 and 21 bytes. I'm using a combination of the openSSL RAND functions and seeding from /dev/urandom, which is working perfectly. Myself and a colleague, that is interfacing his own project to the same webservice thought that this would be the case but just wanted to know the reason why so that we could complete our own education :D Lol, it would have just been nice if they actually stated this in their API manual so that we did not have to stumble in to it. My colleague eventually got the answer from one of our parent company developers via email. They are a great bunch of guys but like the rest of us in our industry, rarely get the luxury of time to finalise all documentation and then again who actually likes writing the stuff anyway ;) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ger Hobbelt Sent: 18 September 2008 10:21 To: openssl-users@openssl.org Subject: Re: Do you have to pre-pend 16 bytes to a raw value before RSA encryption :-) Well, the 'funny' bit in your original message is that it's not about 'padding' (what the others talk about) as 'padding' always ends up FOLLOWING (after) your content/data, while you specifically mention you have to _precede_ your data with 16 bytes of... what? Which makes it kinda weird, because the only byte sequence I know that can precede your content/data, is the so-called IV (Init Vector), but then you can't just plunk it in there and do nothing with it -- which is what I read from your messages (twice): you apparently have to PREpend your content with 16 bytes. Any specific 16 bytes or just random gunk? And then the wicked bit is that your parent company's web service actually tolerates that _and_ from your message I understand they only accept your *actual* data only then. The OAEP stuff is all valid and valuable, but that's when you *design* these kind of exchanges, not when you're faced with a 'fait accomplit' like you seem to be in: I take it you don't have access to the parent corp. developers nor the clout to change _their_ side of things. For a real answer, we're a bit short on detail here (like: (1) What do you drop into those preceding 16 bytes? (2) How long is your message content itself? (3) What's the code look like?) but my guess right now is this is something IV-ish done by your parent corp. when they concocted this one. (Simplified explanation of IV: IV's are used to help make the crypted data look like a 'real mess' as an IV is just a series of random data at the start of a message, which prevent cryptanalysts from having an easier job at guessing your content -- compare this to email, where you always start with 'Hi name,', then if you're a cryptanalyst, you can assume the first few crypted bytes are 'Hi ...' and that's makes your life way easier when you have to break the encryption. Now starting each message with some random gunk instead (= IV), before you send some actual data, causes such kind of assumptions to go striaght down the toilet and life more hard for the code breaker.) We lost you, but back again a bit now? Ger On Thu, Sep 18, 2008 at 10:56 AM, Peter Walker [EMAIL PROTECTED] wrote: Sorry if this sounds ultra noobish but you guys lost me, even though you probably did answer my question ;) The purpose of my application is to send a credit card number in encrypted format. So the parent companies webservice issues me a X509 certificate which contains their public RSA key. I extract the RSA public key from the X509 certificate and use that to encrypt the credit card number using RSA_public_encrypt with RSA_PKCS1_PADDING. I thought that would be the end of it but it turns out that I needed to add 16 bytes to the beginning of the raw data before encryption. Then it all works. So as a noob, I just wanted to know if that is the correct requirement of RSA or a requirement of my parent companies web service only? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Sierchio Sent: 17 September 2008 22:48 To: openssl-users@openssl.org Subject: Re: Do you have to pre-pend 16 bytes to a raw value before RSA encryption Kenneth Goldman wrote: What padding are you specifying? I suspect that you are specifying no padding, in which case the size of the input must be the same as the size of the key. No. The input is the same size as the *modulus*. When used in encryption the recommended approach for RSA is to pad every block, and not to encrypt MODULUS-SIZE bytes of plaintext. There are very good reasons for this which will not be obvious to all readers of this thread, but you would want to use OAEP (Optimal Asymmetric Encryption Padding) if you are doing something other than signing (e.g. using RSA for to encrypt a session key). If the OP
RE: Do you have to pre-pend 16 bytes to a raw value before RSA encryption
Sorry if this sounds ultra noobish but you guys lost me, even though you probably did answer my question ;) The purpose of my application is to send a credit card number in encrypted format. So the parent companies webservice issues me a X509 certificate which contains their public RSA key. I extract the RSA public key from the X509 certificate and use that to encrypt the credit card number using RSA_public_encrypt with RSA_PKCS1_PADDING. I thought that would be the end of it but it turns out that I needed to add 16 bytes to the beginning of the raw data before encryption. Then it all works. So as a noob, I just wanted to know if that is the correct requirement of RSA or a requirement of my parent companies web service only? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Sierchio Sent: 17 September 2008 22:48 To: openssl-users@openssl.org Subject: Re: Do you have to pre-pend 16 bytes to a raw value before RSA encryption Kenneth Goldman wrote: What padding are you specifying? I suspect that you are specifying no padding, in which case the size of the input must be the same as the size of the key. No. The input is the same size as the *modulus*. When used in encryption the recommended approach for RSA is to pad every block, and not to encrypt MODULUS-SIZE bytes of plaintext. There are very good reasons for this which will not be obvious to all readers of this thread, but you would want to use OAEP (Optimal Asymmetric Encryption Padding) if you are doing something other than signing (e.g. using RSA for to encrypt a session key). If the OP means what he says, which is *signing* a public key (the purpose of which is entirely unclear to me), then the plaintext will be the hash of the pubkey, right? In which case the padding will have to be sufficient to fill the remaining RSA block size, whatever that is. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Do you have to pre-pend 16 bytes to a raw value before RSA encryption
Peter Walker wrote: The purpose of my application is to send a credit card number in encrypted format. Then use OAEP. - M __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Do you have to pre-pend 16 bytes to a raw value before RSA encryption
But the peer uses RSA_PKCS1_PADDING. Is this interchangeable with OAEP? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Sierchio Sent: 18 September 2008 10:02 To: openssl-users@openssl.org Subject: Re: Do you have to pre-pend 16 bytes to a raw value before RSA encryption Peter Walker wrote: The purpose of my application is to send a credit card number in encrypted format. Then use OAEP. - M __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Do you have to pre-pend 16 bytes to a raw value before RSA encryption
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Peter Walker wrote: | But the peer uses RSA_PKCS1_PADDING. Is this interchangeable with OAEP? No, it is not. Without further information it is impossible to tell what these 16 bytes are. It could be some kind of ASN1 coding indicating that the following data is a credit card information. You need to ask the people doing the upstream server what these 16 bytes are... | -Original Message- | From: [EMAIL PROTECTED] | [mailto:[EMAIL PROTECTED] On Behalf Of Michael Sierchio | Sent: 18 September 2008 10:02 | To: openssl-users@openssl.org | Subject: Re: Do you have to pre-pend 16 bytes to a raw value before RSA | encryption | | Peter Walker wrote: | | The purpose of my application is to send a credit card number in | encrypted format. | | Then use OAEP. For that the upstream server must also use OAEP. Since it obviously doesn't, OAEP may theoretically be the better solution but not usable in the situation at hand... Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFI0oGZ2iGqZUF3qPYRAkR/AJ4np39sWs0Vgcs4Ljn7jD1hCHCqqQCbBD0p 1bwPYklaVQ94VnxqhixyQfA= =VTKQ -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Do you have to pre-pend 16 bytes to a raw value before RSA encryption
Peter Walker wrote: Sorry if this sounds ultra noobish but you guys lost me, even though you probably did answer my question ;) The purpose of my application is to send a credit card number in encrypted format. So the parent companies webservice issues me a X509 certificate which contains their public RSA key. I extract the RSA public key from the X509 certificate and use that to encrypt the credit card number using RSA_public_encrypt with RSA_PKCS1_PADDING. I thought that would be the end of it but it turns out that I needed to add 16 bytes to the beginning of the raw data before encryption. Then it all works. So as a noob, I just wanted to know if that is the correct requirement of RSA or a requirement of my parent companies web service only? You should be following the requirements the company sends you. Even if, by chance and luck, find something that happens to work, there is no reason to believe it will also be *secure*. My bet is the company knows the limitations of PKCS1 padding and so specified that you put 16 bytes of *random* data before the credit card number. But I'm just guessing. (I've seen this done when the other end uses hardware crypto solutions that don't support OAEP. They are trying to work around known weaknesses in deterministic padding.) You need to follow their specification, and if you can't get the specification to work, you can only use trial and error to figure out what questions to ask them. You don't get a secure implementation by trying to see what works. Plenty of insecure things work. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Do you have to pre-pend 16 bytes to a raw value before RSA encryption
Thanks for the reply. I have no problem in following what they specified, just wanting to understand why for my own knowledge and now I do thanks to your explanation. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz Sent: 18 September 2008 19:25 To: openssl-users@openssl.org Subject: RE: Do you have to pre-pend 16 bytes to a raw value before RSA encryption Peter Walker wrote: Sorry if this sounds ultra noobish but you guys lost me, even though you probably did answer my question ;) The purpose of my application is to send a credit card number in encrypted format. So the parent companies webservice issues me a X509 certificate which contains their public RSA key. I extract the RSA public key from the X509 certificate and use that to encrypt the credit card number using RSA_public_encrypt with RSA_PKCS1_PADDING. I thought that would be the end of it but it turns out that I needed to add 16 bytes to the beginning of the raw data before encryption. Then it all works. So as a noob, I just wanted to know if that is the correct requirement of RSA or a requirement of my parent companies web service only? You should be following the requirements the company sends you. Even if, by chance and luck, find something that happens to work, there is no reason to believe it will also be *secure*. My bet is the company knows the limitations of PKCS1 padding and so specified that you put 16 bytes of *random* data before the credit card number. But I'm just guessing. (I've seen this done when the other end uses hardware crypto solutions that don't support OAEP. They are trying to work around known weaknesses in deterministic padding.) You need to follow their specification, and if you can't get the specification to work, you can only use trial and error to figure out what questions to ask them. You don't get a secure implementation by trying to see what works. Plenty of insecure things work. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Do you have to pre-pend 16 bytes to a raw value before RSA encryption
[EMAIL PROTECTED] wrote on 09/17/2008 08:10:09 AM: I just completed writing my first program using libcrypto to handle RSA encryption sing a public key extracted from a X509 certificate. This program communicates with a service created by our parent company. The first attempts that I made to run my program against the service, resulted in an error back from it stating that an encrypted field was required. After much brow beating, I spoke to a colleague of mine that works on another system and had to interface that system in to parent company service as well. He said that he had to pre-pend 16 byte sof data to the raw field prior to encrypting through RSA. Sure enough, having pre-pended 16 bytes to my raw field before encrypting through RSA_public_encrypt() and sent the result to service, I got success! So my question is, is it required to pre-pend 16 bytes to the raw field or is this something my parent company are doing for their own reasons? What padding are you specifying? I suspect that you are specifying no padding, in which case the size of the input must be the same as the size of the key. Use one of the standard paddings. Roll your own after consulting with a many competent cryptographers. (If they're competent, they'll tell you not to roll your own.)
RE: Do you have to pre-pend 16 bytes to a raw value before RSA encryption
My parent company specified the use of RSA_PKCS1_PADDING and being a complete noob at cryptography I do not know if that is a good or bad choice but it is the one that is forced upon me? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenneth Goldman Sent: 17 September 2008 15:47 To: openssl-users@openssl.org Subject: Re: Do you have to pre-pend 16 bytes to a raw value before RSA encryption [EMAIL PROTECTED] wrote on 09/17/2008 08:10:09 AM: I just completed writing my first program using libcrypto to handle RSA encryption sing a public key extracted from a X509 certificate. This program communicates with a service created by our parent company. The first attempts that I made to run my program against the service, resulted in an error back from it stating that an encrypted field was required. After much brow beating, I spoke to a colleague of mine that works on another system and had to interface that system in to parent company service as well. He said that he had to pre-pend 16 byte sof data to the raw field prior to encrypting through RSA. Sure enough, having pre-pended 16 bytes to my raw field before encrypting through RSA_public_encrypt() and sent the result to service, I got success! So my question is, is it required to pre-pend 16 bytes to the raw field or is this something my parent company are doing for their own reasons? What padding are you specifying? I suspect that you are specifying no padding, in which case the size of the input must be the same as the size of the key. Use one of the standard paddings. Roll your own after consulting with a many competent cryptographers. (If they're competent, they'll tell you not to roll your own.)
Re: Do you have to pre-pend 16 bytes to a raw value before RSA encryption
Kenneth Goldman wrote: What padding are you specifying? I suspect that you are specifying no padding, in which case the size of the input must be the same as the size of the key. No. The input is the same size as the *modulus*. When used in encryption the recommended approach for RSA is to pad every block, and not to encrypt MODULUS-SIZE bytes of plaintext. There are very good reasons for this which will not be obvious to all readers of this thread, but you would want to use OAEP (Optimal Asymmetric Encryption Padding) if you are doing something other than signing (e.g. using RSA for to encrypt a session key). If the OP means what he says, which is *signing* a public key (the purpose of which is entirely unclear to me), then the plaintext will be the hash of the pubkey, right? In which case the padding will have to be sufficient to fill the remaining RSA block size, whatever that is. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]