Problem with Asymmetric, two-key encryption and Certificate Requests.

Viktor Dukhovni openssl-users at dukhovni.org
Sat Sep 17 16:31:46 UTC 2022


On Thu, Sep 08, 2022 at 02:08:40AM +0000, A Z wrote:

> I have wanted to get into public/private two key encryption, of
> computer files of any type and any size and type.  I am working on
> Windows 10 64 bit. I found the ensuing approach by my own
> experimenting, but it has a key disadvantage.

What threat model requires you to obscure all traces of cleartext
metadata in the encrypted message?  In most common formats, in order to
facilitate algorithm agility, at least the encryption algorithm
identifier (often an ASN.1 OID) is included in the clear.

> In order for the encryption step to work by means of the public key,
> I have found the following approach which relies on the generation of a
> Certificate Request.  The problem is however, that by doing things like this,
> 
> A#) openssl req -x509 -nodes -newkey rsa:16384 -keyout private.key -out public.key

This actually generates a self-signed X.509 certificate.  You can use the

    -subj / -days 3650

options to set empty subject and issuer DNs and (given self-signed cert)
a 10-year or longer validity.  Use of RSA 16384 is ludicrous.  Anything
longer than 4096 bits is just posturing, and even that is overkill;
once/if 2048-bit RSA is broken, the rest will surely follow in quick
succession...

> B#) openssl smime -encrypt -binary -aes-256-cbc -in message.txt -out encrypted.dat -outform DER public.key

In S/MIME (or its more modern incarnation as CMS) each recipient's
wrapped key carries a suitable recipient identifier:

    https://www.rfc-editor.org/rfc/rfc5652#section-6.2

      KeyTransRecipientInfo ::= SEQUENCE {
        version CMSVersion,  -- always set to 0 or 2
        rid RecipientIdentifier,
        keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
        encryptedKey EncryptedKey }

      RecipientIdentifier ::= CHOICE {
        issuerAndSerialNumber IssuerAndSerialNumber,
        subjectKeyIdentifier [0] SubjectKeyIdentifier }

If you want to use a key identifier instead of (issuerDN + serial), you
can use the "-keyid" option of the cms(1) command, having first made
sure that the certificate you generate carries a subject key identifier.

> I can get plain text injected into the encrypted text, which I want to
> totally avoid every part of.

Your aversion to "plaintext" here looks poorly motivated.  It is just
CMS (S/MIME) recipient metadata.  CMS is not deniable encryption, the
outer layers of encapsulation are not encryption.

> How can I complete step A#), so that step B#) will work, without involving a Certificate Request, which requires
> a non-blank two digit nation code,

You can set an empty issuer/subject DN, or use "-keyid" to avoid copying
these into the CMS message.

-- 
    Viktor.

