Asymmetric crypto and OpenSSL 3.0 deprecated functions

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue May 26 17:59:02 UTC 2020


Emmanuel,

Would you mind explaining why you choose to continue encrypting the AES key, which - admittedly - is an unnecessary overkill? Is it merely to preserve the established process itself?



On 5/26/20, 04:26, "openssl-users on behalf of Emmanuel Deloget" <openssl-users-bounces at openssl.org on behalf of logout at free.fr> wrote:

    Hello Richard and everybody,

    First, thanks all for your valuable responses; be sure that I heard
    you and I fully understand your remarks (for the record, I do generate
    a signature on the binary using yet another key pair and I fully get
    that encrypting the AES key in my case is a bit overkill given the
    fact that it does not provide any added security).

    On Mon, May 25, 2020 at 6:14 PM Richard Levitte <levitte at openssl.org> wrote:
    >
    > On Mon, 25 May 2020 13:20:28 +0200,
    > Emmanuel Deloget wrote:
    > > In my development I'm using an idiom that's not as widely used as I
    > > thought (as I get it after multiple days of searching out there). In
    > > order to securely distribute a binary, I encrypt it using an AES key
    > > and the AES key itself is encrypted using a /private/ RSA key I own.
    >
    > That's a perfectly viable thing to do, and is usually called "signing",
    > and what you're signing here is the AES key.
    >
    > > Only owners of the /public/ key (which, as it is a public key, may
    > > leak) can decrypt the AES key, and therefore the binary.
    >
    > Which is usually called "verifying the signature".
    >
    > This looks like object signing to me.

    It definitely looks like this, yes.

    > > Of course, in order to do this I rely on RSA_private_encrypt() and
    > > RSA_public_decrypt() because EVP_PKEY_encrypt() / EVP_PKEY_decrypt()
    > > cannot be used(*).
    >
    > EVP_PKEY_encrypt() and EVP_PKEY_decrypt() are the wrong functions to
    > use.  However, there are EVP_PKEY_sign() and EVP_PKEY_verify_recover()
    > (if I read you correctly, that's the function you need, rather than a
    > mere EVP_PKEY_verify()).
    >
    > > So, after that long introduction, here is my question: is there any
    > > OpenSSL 3.0 sanctioned, EVP_PKEY-based way to crypt using a private
    > > key and decrypt using a public key?
    >
    > Yes, see above.  Those functions have been around for a while, I think
    > you can start playing with them in any current OpenSSL version.

    The _recover() function was the missing piece in my understanding of
    the library. I'll check that as soon as possible. Thanks a lot!

    BTW, maybe this information should be made more easily available (on
    the man page for RSA_private_encrypt()/RSA_public_decrypt() maybe?)

    > Cheers,
    > Richard
    >
    > --
    > Richard Levitte         levitte at openssl.org
    > OpenSSL Project         http://www.openssl.org/~levitte/

    Best regards,

    -- Emmanuel Deloget