Asymetric crypto and OpenSSL 3.0 deprecated functions

Dr Paul Dale paul.dale at
Mon May 25 12:20:56 UTC 2020

I’ll note that encryption is _not_ an integrity check.  Depending on how the AES encryption is done, this could be a significant hole.

Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia

> On 25 May 2020, at 10:12 pm, Tomas Mraz <tmraz at> wrote:
> On Mon, 2020-05-25 at 13:20 +0200, Emmanuel Deloget wrote:
>> Hello everybody,
>> I'm pretty sure this has already been discussed somewhere but
>> grepping
>> through the whole openssl-user list does not gave me the answer I'm
>> searching for, so here am I.
>> In my development I'm using a idiom that's not as widely used as I
>> thought (as I get it after multiple days of searching out there). In
>> order to securely distribute a binary, I encrypt it using an AES key
>> and the AES key itself is encrypted using a /private/ RSA key I own.
>> Only owners of the /public/ key (which, as it is a publilc key, may
>> leak) can decrypt the AES key, and therefore the binary. The reason
>> why I do this is that I cannot encrypt using the recipient public key
>> because I don't know how many different recipient I have when I
>> generate the encrypted binary ; and generate the binary on request is
>> not feasible.
>> With this idiom, recipient can check that I crypted the binary, and
>> the binary itself cannot be decrypted unless you're a recipient (i.e.
>> you have the public key). This has worked well for a few years.
>> Of course, in order to do this I rely on RSA_private_encrypt() and
>> RSA_public_decrypt() because EVP_PKEY_encrypt() / EVP_PKEY_decrypt()
>> cannot be used(*).
>> So, after that long introduction, here is my question : is there any
>> OpenSSL 3.0 sanctionned, EVP_PKEY-based way to crypt using a private
>> key and decrypt using a public key?
>> While I fully understand the need to streamline the library interface
>> and to remove the low-level RSA functions, it seems to me that not
>> allowing this is going to be problematic for those who, like me, rely
>> on public key decryption in their process. I also fully understand
>> that it's not the prefered way to do it but I (and some others, I
>> guess) deal with a use case which is not ideal here, and the
>> possibility to use asymetric crypto in this way really saves me.
>> Best regards,
>> -- Emmanuel Deloget
>> (*) tests on OpenSSL 1.0.2 (Ubuntu 16.04) and OpenSSL 1.1.1c (Ubuntu
>> 19.04) shows that it segfaults in EVP_PKEY_decrypt() when feeded with
>> a public key. In OpenSSL 3.0, EVP_PKEY_decrypt() does not appear to
>> be
>> able to decrypt using a RSA public key (it calls
>> RSA_private_decrypt()
>> internally, via rsa_decrypt()).
> The proper protocol would be to just sign the binary by your private
> RSA key and encrypt it with a symmetric key, that you directly pre-
> distribute to your recipients via the same channel that you now use to
> distribute your public RSA key.
> It would have practically the same properties and would not use the RSA
> private encryption directly.
> -- 
> Tomáš Mráz
> No matter how far down the wrong road you've gone, turn back.
>                                              Turkish proverb
> [You'll know whether the road is wrong if you carefully listen to your
> conscience.]

More information about the openssl-users mailing list