Thanks for your kind answer.
Gregory Stark wrote:
> Seriously, first you should document your problem better!
Ok, that I can do :-)
Our banks in Estonia have very good internet payment systems.
Not so recently they introduced a system called I-Pizza, which
works in the following way. I can link the bank's payment
screen directly into my webpage. Very nice when I use
frames....
I create a usual form, fill
the necessary hidden values (all the usual payment data)
in the specified format, for example field no 8: vk_name, length
30 characters, means sender's name. When the user presses
the submit button, all the data is posted to the bank address
specified in the form action. Thanks to this, the user needs only
to fill in the necessary password fields and the transaction
screen is filled already, just press the button and voila,
money is transferred and the user is put back on our screen.
Bank needs to know for sure that
we are the senders (because bank also generates same kind
of answers to us). For that reason 3 different security
systems (or digital signatures) are available. This digital
signature is also posted to the bank with form's hidden variable.
For input all those signature calculation algorithms take
all the payment arguments converted into strings and concatenated.
The first and second use md5 and sha-1 + a secret key at the end
of the concatenated string and are usable mainly for testing.
The third needs RSA. The bank suggested using the openssl tool to create
a key pair, I did and it worked. But I must mention that without
the link to the TinyWeb page I couldn't have done this, because
the only help I find for the openssl tool is just the listing of available
commands :-(
As I mentioned, the algorithm is the following:
output = RSA( SHA-1 (input), d?, n). And now I'm in trouble.
I write the pages in PHP3 and I do hate C-language, but .....
I must have some simple functions for this kind of job..
One is to have some small command-line tool, the other is
to write an add-in function for php. Despite my hatred,
I can do both. I need only 4 functions: to read and write
RSA keys from pem files and enc/dec my strings
WITHOUT being an expert in cryptography or even
in terminology. I thought this would be possible, but
now I'm not sure.......
> The format of the signature is
> critical, for example does the bank expect the signature to be in PKCS#1
> format?
I don't know, but I may (and will ask).
> Also, you should realize that you sign things with your private key,
> not your public key. In RSA, this is typically labelled 'd', whereas your
> example uses 'e'.
Good point, on the bank's internet pages (where the technical description
is published) it is e. Unfortunately this is in Estonian, because the whole
system is intended for local use of course.
> You have to be careful when implementing cryptography. You can easily
> manage to create code which runs just fine but has absolutely zero security.
Not exactly, if my digital signature is wrong the bank will reject my
attempt and will not let me go further. Actually all the payment data is not
secured at all, the purpose of crypto is to be sure that the sender is
what is expected, not to protect the data (this can be done with the usual
ssl technique)
> You might want to hire an information security consultant (but not me,
> Estonia is too far from home ;).
I hope not! I can use md5 or TripleDes crypto functions without
being an expert, why do I need one for RSA? It's just another algorithm,
isn't it :-)
Priit
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
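
Added example, not part of the message above or of the bank's specification: the formula output = RSA(SHA-1(input), d, n) carried through in Python, showing that signing uses the private exponent d, that verification uses the public exponent e, and where the PKCS#1 v1.5 encoding asked about in the thread sits between the hash and the exponentiation. Assumptions: the fields are joined by plain concatenation, the bank expects PKCS#1 v1.5 (the thread leaves this open), and the key is a constructed, insecure demo key built from two publicly known primes; production code would load a real PEM key through a vetted library.

```python
import hashlib

# Constructed demo key built from two publicly known primes; it offers
# no security and exists only so the example runs offline.
P = 2**255 - 19                    # Curve25519 field prime
Q = 2**256 - 2**32 - 977           # secp256k1 field prime
N = P * Q                          # public modulus n
E = 65537                          # public exponent e (used to verify)
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent d (used to sign)
K = (N.bit_length() + 7) // 8      # modulus length in bytes

# ASN.1 DigestInfo prefix for SHA-1 as defined by PKCS#1 v1.5 (RFC 8017).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def encode_fields(fields):
    """Assumed encoding: plain concatenation of the field values in order."""
    return "".join(fields).encode("latin-1")


def emsa_pkcs1_v15(message):
    """Build 00 01 FF..FF 00 || DigestInfo(SHA-1(message)), K bytes long."""
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(message):
    """output = RSA(SHA-1(input), d, n): exponentiate with the PRIVATE d."""
    m = int.from_bytes(emsa_pkcs1_v15(message), "big")
    return pow(m, D, N).to_bytes(K, "big")


def verify(message, signature):
    """Receiver side: exponentiate with the PUBLIC e and compare encodings."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    return pow(s, E, N).to_bytes(K, "big") == emsa_pkcs1_v15(message)


if __name__ == "__main__":
    fields = ["1002", "PRIIT EXAMPLE", "10.00"]  # constructed sample values
    sig = sign(encode_fields(fields))
    print(sig.hex(), verify(encode_fields(fields), sig))
```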