I'm trying to write an encryption decryption program using Openssl-RSA. There are only two operations. User stores the data and retrieves it whenever he needs.
To decrypt something, we need the keypair that was generated during the encryption. Where and how do I store this keypair so that I can access it whenever the user requests decryption of something (which was already encrypted by the user)?
Generate keypair with 4096 bit private key and store it to private_key.pem
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out private_key.pem
Extract public key from your private key
openssl rsa -pubout -in private_key.pem -out public_key.pem
In fact, when you're coding, you only need private_key.pem, because you can extract the public key at runtime to encrypt data. That is provided, of course, that you encrypt only for yourself, which doesn't make much sense with asymmetric cryptography.
I'm practicing RSA asymmetric cryptography and found something really strange: changing part of the private key could still decrypt the message!
Here are my steps (on Ubuntu 16.04):
generate private key: openssl genrsa -out private.key
generate public key: openssl rsa -in private.key -pubout -out pub.key
encrypt a message like "hello world" with pubKey and decrypt with private key.
By now everything works fine; the encrypted message could be decoded.
Then I changed some of the letters in the private key (e.g., A->B, i->I, just replace, no append or delete) and tried to decrypt the msg again. It passed! But I think it should have failed...
I then tried to change some other letters; some changes failed the decode but some did not. (I tried the encrypt/decrypt with both Node.js and Java, showing the same result...)
I then tried to analyze the structure of the private key to see if I had changed some meaningless fields:
get the detailed fields with the command openssl rsa -in faked_private.key -text -out faked_private.txt
compare private.txt with the faked one, faked_private.txt.
there are fields as follows:
Private-Key: (2048 bit), modulus, publicExponent, privateExponent, prime1, prime2, exponent1, exponent2, coefficient
I found that when I changed the values of coefficient/privateExponent/prime2, the private key still worked,
but when I changed the value of modulus, it failed.
I don't quite understand the theory inside RSA, but from the basic prime number formula n=p*q, I think at least the primes should not be changed.
Is there someone who can assist on this issue, with a simple answer? (I really don't want to go deep into the maths...)
Thanks.
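The fields listed above can be modelled in a few lines of Python; the following is an added example, not code from the question, using toy Mersenne-prime keys. Its decrypt() takes the CRT path through prime1/prime2/exponent1/exponent2/coefficient, checks the result by re-encrypting with modulus and publicExponent, and falls back to c^privateExponent mod modulus when that check fails, which is the recompute-and-verify fallback in OpenSSL's RSA code and is assumed here to be what the question observed.

```python
# Added example: textbook RSA with the same fields OpenSSL prints for a
# private key. decrypt() mirrors the recompute-and-verify fallback that
# OpenSSL's RSA code performs (assumption stated in the lead-in).

P = 2**89 - 1      # Mersenne primes: convenient for a demo, never for a real key
Q = 2**107 - 1
E = 65537
MSG = int.from_bytes(b"hello world", "big")   # constructed sample plaintext

def make_key(p=P, q=Q, e=E):
    """Build the full private key, CRT fields included."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return {"modulus": n, "publicExponent": e, "privateExponent": d,
            "prime1": p, "prime2": q, "exponent1": d % (p - 1),
            "exponent2": d % (q - 1), "coefficient": pow(q, -1, p)}

def encrypt(key, m):
    return pow(m, key["publicExponent"], key["modulus"])

def decrypt(key, c):
    # Fast path: Chinese Remainder Theorem using the five CRT fields.
    m1 = pow(c, key["exponent1"], key["prime1"])
    m2 = pow(c, key["exponent2"], key["prime2"])
    h = (key["coefficient"] * (m1 - m2)) % key["prime1"]
    m = m2 + h * key["prime2"]
    # Sanity check: re-encrypt and compare. If any CRT field is wrong,
    # this fails and we fall back to the plain c^d mod n computation.
    if pow(m, key["publicExponent"], key["modulus"]) == c:
        return m
    return pow(c, key["privateExponent"], key["modulus"])

def still_decrypts_after_corrupting(field):
    """Flip bits in one field of the key (like editing a PEM line) and
    report whether a ciphertext made with the good key still decrypts."""
    good = make_key()
    c = encrypt(good, MSG)
    bad = dict(good)
    bad[field] ^= 0xFF
    return decrypt(bad, c) == MSG

if __name__ == "__main__":
    for f in ("coefficient", "privateExponent", "prime2", "modulus"):
        print(f, "->", "still works" if still_decrypts_after_corrupting(f) else "fails")
```

Corrupting coefficient, prime2 or privateExponent survives because one of the two paths still has everything it needs; corrupting modulus breaks both the check and the fallback.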
Suppose I would like to encrypt a file with my private key for whatever reason so that only people with my public key can have access to the file. How would I do this?
gpg --sign --armor file
does not work because if you omit the --armor and use
gpg --sign --compress-level 0 file
the plaintext appears in the file.gpg.
gpg --encrypt file
will also not work because that uses public keys. Does anybody know how to do this?
You unfortunately have some fundamental misconceptions about the cryptography you want to use. By definition, if you want to asymmetrically encrypt some data you need to use the public key, and the encrypted data can only be decrypted with the private key.
If you want to encrypt a message so that only a certain group of people can access it you can asymmetrically encrypt it with all the public keys of each individual in the group or encrypt it symmetrically with a random key and share that key with each individual in the group.
You can encrypt your file symmetrically using your public key, so that everybody with access to your public key can decrypt your file.
We were using the "RSA Protected Configuration provider" to encrypt sensitive information in our config files. More info about this on MSDN at - http://msdn.microsoft.com/en-us/library/ms998283.aspx.
In the generated config file there is a triple-DES encrypted key. So that means the config section is actually encrypted/decrypted using this symmetric key.
But this symmetric DES key is actually encrypted/decrypted using the RSA private/public key in the RSA key container. The question I have is whether the public/private RSA keys in the container are also encrypted? If yes, then where is the key for that stored?
If the keys in the container are not encrypted, then why do we need to export the keys to an XML file and then import them on another machine? Why not just copy-paste the RSA container key to all nodes in a web cluster/farm?
They are encrypted using DPAPI.
I have asked a similar question in the post "Encrypting a file with RSA in Python", but this question has a different connotation.
I am encrypting a file with AES, using RSA to encrypt the AES password.
The only difference is that I really DON'T want to store the AES password. The user must give both the path to his RSA key and the password.
So what do you think about this scheme?
from Crypto.PublicKey import RSA
from Crypto.Cipher import AES

path_to_RSA_key = ... # Given by the user
pwd = ... # This will be used to encrypt the file. Also given by user.
# importKey() takes the key material, not the path
rsa_enc = RSA.importKey(open(path_to_RSA_key, 'rb').read())
# Encrypt the password with RSA (PyCrypto returns a tuple), keep the last 32 bytes
rsa_pwd = rsa_enc.encrypt(pwd, None)[0][-32:]
# AES, keyed with the encrypted password
aes_enc = AES.new(rsa_pwd, AES.MODE_CBC)
# Encrypt the file with AES...
# Store only the encrypted file
# Don't store the password in any way, don't store the path to the RSA key
The alternative would be the classic scheme, where you generate a random password, encrypt the file with AES using the random password, encrypt the random password with RSA, and store only the encrypted results.
If you really need to know why I need this, it's a project of mine: http://code.google.com/p/scrambled-egg
What do you think about the scheme? Thank you in advance!
There seems to be some confusion. You mention that you don't want to store the 'password', but you're working with RSA and not a symmetric algorithm. The term 'password' strongly implies a shared secret as used in symmetric encryption, and it appears that you're trying really hard to fit RSA into the mould you've created.
The issue I see is that this functionality may not fit into your planned use very well. Your plan seems focused on symmetric ciphers. Further, using asymmetric keys this way may be a problem. I think asymmetric encryption is used to encrypt nonces for a reason; it may not be robust to attacks that can be waged against a scheme like the one you propose.
Asymmetric keys are often used as follows:
Generate a purely random 32-'character' key and call it "nonce".
Encrypt the message with the "nonce" and call it ciphertext.
Encrypt the "nonce" with your asymmetric key (presumably the public key, but you should specify).
The result consists of the ciphertext and the asymmetrically encrypted "nonce".
Decrypting requires only the paired opposite of the asymmetric key used to encrypt.
If you're hardcore, you could encrypt (using AES + a password or similar) the public or private key that can be used to decrypt the nonce and send it along for a ride too. Sadly that isn't really increasing security over AES+password, and you are increasing the bloat in your message by a lot.
Is it possible to encrypt data, such that it can be decrypted with several different keys?
Example:
I've encrypted data with key1, but I want to be able to decrypt with keys 2, 3, and 4.
Is this possible?
GnuPG does multi-key encryption as standard.
The following command will encrypt doc.txt using the public key for Alice and the public key for Bob. Alice can decrypt using her private key. Bob can also decrypt using his private key.
gpg --encrypt --recipient alice@example.com \
--recipient bob@example.com doc.txt
This feature is detailed in the user guide section entitled "Encrypting and decrypting documents".
Yes, it's possible
Yes encryption for multiple recipients is possible. Also it seems logical when you think that you might want to be able to read what you've sent to someone and to do so you need to be in the recipients list.
Command line
Here is how to do it through the gpg command line (as described in David Segonds' answer):
gpg --encrypt \
--recipient alice@example.com \
--recipient bob@example.com \
clear-message.txt
GUI client
Your GUI must provide a way to encrypt for several people.
Mechanism
There is a question on Information Security, "GPG File size with multiple recipients?", that explains the encryption mechanism:
GPG encrypts the file once with a symmetric key, then places a header identifying the target keypair and an encrypted version of the symmetric key. [...] When encrypted to multiple recipients, this header is placed multiple times providing a uniquely encrypted version of the same symmetric key for each recipient.
GnuPG and PGP clients in general usually encrypt the actual data with a symmetric key called a "session key". The session key is then encrypted with each "recipient key" (i.e. the ones you specify with -r/--recipient). This is sometimes referred to as a hybrid cipher. Right now, I believe GnuPG by default uses 256-bit session keys and AES to encrypt the plaintext data with that AES-256 session key, and your recipient keys are your RSA/DSA/ECDSA/etc. asymmetric keys in this case.
One reason for doing it this way is that symmetric cryptographic algorithms like AES are generally a lot faster than asymmetric ones like RSA. GnuPG thus only has to encrypt ~256 bits (the session key) with RSA, and can use AES to encrypt the data (as large as you want it to be!) with that session key. Intel machines even have a built in instruction, AES-NI, to do some steps of the algorithm in hardware, which makes GnuPG extra snappy at encrypting/decrypting data.
Another reason for doing it this way is that it allows PGP-encrypted documents to be encrypted to multiple parties without having to double the size of the document. Notice that when you specify multiple recipients for an encrypted document (e.g. gpg -ea -r Alice -r Bob -o ciphertext.asc), the encrypted document that gets stored (ciphertext.asc) is not 2x as large as if you had just encrypted it to Alice.
See also the --show-session-key parameter in the gpg man page to be able to decrypt just the session key, for example to allow a third party to decrypt a document that is encrypted to you without having to transfer to them your private key or the plaintext data.
Yes, it's possible. Google "multiparty encryption" for a start.
AFAIK, there are no drop 'em in and use 'em packages for it though.
-- MarkusQ
P.S. For a sketch of how it could be done, consider this. The encrypted message consists of:
the payload, encrypted with a one-time pad
the one-time pad, encrypted with key1
the one-time pad, encrypted with key2
...
the one-time pad, encrypted with keyN
The recipient who holds key i just decrypts their copy of the pad with their key, and then decrypts the payload.
However, this is just a proof that it could be done and would suck as an actual implementation. If at all possible, you should avoid rolling your own encryption. If you don't understand why, you should definitely avoid rolling your own encryption.
-----Edit ------------
If I'm wrong and the Gnu tools do that, use them. But I can't seem to find any information on how to do it.
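The hybrid scheme described twice above, once as the "nonce" recipe in the answer to the Python question and once as GnuPG's session-key-plus-headers format, as an added example that is not GnuPG's code or anyone's posted code: one random session key, one wrapped copy of it per recipient behind a key ID, and a single payload, so each extra recipient adds one header rather than doubling the message. Textbook RSA on Mersenne primes and an HMAC-SHA256 keystream are stand-ins for the real RSA and AES-256.

```python
import hashlib, hmac, os, struct

# Added example, not GnuPG's code: a minimal hybrid multi-recipient envelope.
HEADER_LEN = 4 + 32             # key id + RSA-wrapped session key

def keypair(p, q, e=65537):
    """(public, private) as ((n, e), (n, d)); toy primes, never for real use."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def key_id(public):
    return hashlib.sha256(str(public[0]).encode()).digest()[:4]

def keystream(key, length):
    # HMAC-SHA256 in counter mode stands in for AES-256 here
    blocks = (hmac.new(key, struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def encrypt_to(recipients, plaintext):
    """Return count || header_1 .. header_N || payload."""
    session_key = os.urandom(16)
    headers = b""
    for pub in recipients:
        n, e = pub
        wrapped = pow(int.from_bytes(session_key, "big"), e, n)
        headers += key_id(pub) + wrapped.to_bytes(32, "big")
    ks = keystream(session_key, len(plaintext))
    payload = bytes(a ^ b for a, b in zip(plaintext, ks))
    return struct.pack(">B", len(recipients)) + headers + payload

def decrypt_with(private, blob):
    """Find our header by key id, unwrap the session key, decrypt the payload."""
    n, d = private
    count = blob[0]
    body, payload = blob[1:1 + HEADER_LEN * count], blob[1 + HEADER_LEN * count:]
    mine = key_id((n, None))
    for i in range(count):
        header = body[i * HEADER_LEN:(i + 1) * HEADER_LEN]
        if header[:4] == mine:
            wrapped = int.from_bytes(header[4:], "big")
            session_key = pow(wrapped, d, n).to_bytes(16, "big")
            ks = keystream(session_key, len(payload))
            return bytes(a ^ b for a, b in zip(payload, ks))
    raise ValueError("no header for this key: not a recipient")

# Constructed recipients (Mersenne primes keep the demo self-contained).
ALICE_PUB, ALICE_PRIV = keypair(2**89 - 1, 2**107 - 1)
BOB_PUB, BOB_PRIV = keypair(2**127 - 1, 2**61 - 1)
```

The length difference between a one-recipient and a two-recipient envelope is exactly HEADER_LEN bytes, which is the "not 2x as large" observation made above.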
Multiple (more than two) key RSA might look something like this. Well, I'm not a mathematician, so this algorithm is not necessarily secure; I just want to give an idea with it.
m=p*q*r; p,q,r are big prime numbers
fi(m)=(p-1)(q-1)(r-1)
d==(e1*e2*e3*...*ei)^(-1) (mod fi(m)); e1...ei are arbitrary numbers, d is calculated to fulfill the equation
y1==x^e1 (mod m)
y2==y1^e2 (mod m)
y3==y2^e3 (mod m)
...
x==yi^d (mod m)
This algorithm could be used for example to increase the speed of The Onion Router.
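The three-prime, chained-exponent sketch above written out as an added example (not code from the answer) so the arithmetic can be checked: the combined d is the inverse of the product of all exponents modulo fi(m), and a single exponentiation with d undoes every layer at once. Mersenne primes keep it self-contained, and, as the answer says, this is an idea rather than a vetted cryptosystem.

```python
# Added example: the three-prime, chained-exponent RSA variant from the
# answer above. Mersenne primes are a convenience for the demo only.

P, Q, R = 2**61 - 1, 2**89 - 1, 2**107 - 1
M = P * Q * R                           # m = p*q*r
PHI = (P - 1) * (Q - 1) * (R - 1)       # fi(m) = (p-1)(q-1)(r-1)
EXPONENTS = [65537, 257, 19]            # e1, e2, e3: each coprime to fi(m)

def combined_private_exponent(exponents, phi=PHI):
    """d = (e1*e2*...*ei)^(-1) mod fi(m); pow() raises if no inverse exists."""
    product = 1
    for e in exponents:
        product = product * e % phi
    return pow(product, -1, phi)

def layered_encrypt(x, exponents, m=M):
    """y1 = x^e1, y2 = y1^e2, ... (mod m): each layer applied in turn."""
    y = x
    for e in exponents:
        y = pow(y, e, m)
    return y

def peel_all(y, d, m=M):
    """x = yi^d (mod m): one exponentiation removes every layer."""
    return pow(y, d, m)

def roundtrip(x):
    d = combined_private_exponent(EXPONENTS)
    return peel_all(layered_encrypt(x, EXPONENTS), d)

def layers_are_order_independent(x):
    """x^(e1*e2*e3) is the same whichever order the layers are applied in."""
    return layered_encrypt(x, EXPONENTS) == layered_encrypt(x, EXPONENTS[::-1])

if __name__ == "__main__":
    sample = int.from_bytes(b"onion", "big")   # constructed plaintext < m
    print(roundtrip(sample) == sample, layers_are_order_independent(sample))
```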