Asymetric crypto and OpenSSL 3.0 deprecated functions
Emmanuel Deloget
logout at free.fr
Wed May 27 21:29:35 UTC 2020
Hello Uri,
On Tue, May 26, 2020 at 7:59 PM Blumenthal, Uri - 0553 - MITLL
<uri at ll.mit.edu> wrote:
>
> Emmanuel,
>
> Would you mind explaining why you choose to continue encrypting the AES key, which - admittedly - is an unnecessary overkill? Is it merely to preserve the established process itself?
I'm afraid that's the only reason: this is part of an automatic update
process that I'm not willing to break; changing it at version N would
means that version N+1 might be incompatible with version N-1 and I
cannot make sure that I am able to update every recipient each time
(some may skip a few updates for various reasons).
Fortunately the process errs on the side of caution and does not
reduce it's overall security is not impacted, so let's say that it's a
case of "if it's not broken, don't touch it". Of course, there is a
small processing penalty but removing the penalty would be quite a
headache -- and I already have tons of headaches :)
Best regards,
-- Emmanuel Deloget
> On 5/26/20, 04:26, "openssl-users on behalf of Emmanuel Deloget" <openssl-users-bounces at openssl.org on behalf of logout at free.fr> wrote:
>
> Hello Richard and everybody,
>
> First, thanks all for your valuable responses ; be sure that I heard
> you and I fully understand your remarks (for the record, I do generate
> a signature on the binary using yet another key pair and I fully get
> that encrypting the AES key in my case is a bit overkill given the
> fact that it does not provide any added security).
>
> On Mon, May 25, 2020 at 6:14 PM Richard Levitte <levitte at openssl.org> wrote:
> >
> > On Mon, 25 May 2020 13:20:28 +0200,
> > Emmanuel Deloget wrote:
> > > In my development I'm using a idiom that's not as widely used as I
> > > thought (as I get it after multiple days of searching out there). In
> > > order to securely distribute a binary, I encrypt it using an AES key
> > > and the AES key itself is encrypted using a /private/ RSA key I own.
> >
> > That's a perfectly viable thing to do, and is usually called "signing",
> > and what you're signing here is the AES key.
> >
> > > Only owners of the /public/ key (which, as it is a publilc key, may
> > > leak) can decrypt the AES key, and therefore the binary.
> >
> > Which is usually called "verifying the signature".
> >
> > This looks like object signing to me.
>
> It definitely looks like this, yes.
>
> > > Of course, in order to do this I rely on RSA_private_encrypt() and
> > > RSA_public_decrypt() because EVP_PKEY_encrypt() / EVP_PKEY_decrypt()
> > > cannot be used(*).
> >
> > EVP_PKEY_encrypt() and EVP_PKEY_decrypt() are the wrong functions to
> > use. However, there are EVP_PKEY_sign() and EVP_PKEY_verify_recover()
> > (if I read you correctly, that's the function you need, rather than a
> > mere EVP_PKEY_verify()).
> >
> > > So, after that long introduction, here is my question : is there any
> > > OpenSSL 3.0 sanctionned, EVP_PKEY-based way to crypt using a private
> > > key and decrypt using a public key?
> >
> > Yes, see above. Those functions have been around for a while, I think
> > you can start playing with them in any current OpenSSL version.
>
> The _recover() function was the missing piece in my understanding of
> the library. I'll check that as soon as possible. Thanks a lot !
>
> BTW, maybe this information should be made more easily available (on
> the man page for RSA_private_encrypt()/RSA_public_decrypt() maybe ?)
>
> > Cheers,
> > Richard
> >
> > --
> > Richard Levitte levitte at openssl.org
> > OpenSSL Project http://www.openssl.org/~levitte/
>
> Best regards,
>
> -- Emmanuel Deloget
More information about the openssl-users
mailing list