> From: owner-openssl-us...@openssl.org On Behalf Of Alex Chen
> Sent: Thursday, 03 May, 2012 13:47
>
> Thanks for the reply Erwin. Let me clarify the goal: the client
> wants to send an encrypted message to the server for security reasons
> and the connection ... can be SSL [but] the application [isn't sure].
> That's why Diffie-Hellman is an option. But it requires extra calls
> to do key agreement handshake. Since both client and server have a pair
> of certificate and private key, so the user can configure SSL connections,
> therefore PKI seems to be more straightforward.

That's a false opposite. PKI can be used for any type of public-key cryptography, including DH, DSA, EC{DH,DSA}, and more. Hence the name "Public-Key Infrastructure".

What you apparently mean is that the parties already have RSA keys "in" (certified by) PKI (and communicated and verified), so it's easier to use those RSA keys instead of creating new keys of any type, DH or other. If so, yes, although it may not be best practice. Over history many cryptosystems that used the same key(s) for multiple purposes have been attacked and broken because of that multiple use, so that today many (most?) authorities adopt a blanket rule against reuse. This is why X.509 certificates support two(!) extensions that (if enforced correctly) restrict the usage of the certified key. You're kind of borderline here; using one RSA key for key-wrap for SSL sessions, and also key-wrap or data-wrap (below) for your other messages, is more or less but not exactly the same purpose. I don't think there's any actual risk here, but if this is an application whose security matters enough to be analyzed or audited, you may have to defend this decision.

> I am thinking of using the client's private key to encrypt
> the message, i.e. RSA_private_encrypt(), and let the server
> use the client public key to decrypt it, RSA_public_decrypt().

That's backwards; it provides integrity not confidentiality, and in fact is exactly how standard RSA _signing_ works.

To get confidentiality with RSA, the sender (here client) RSA-encrypts with the receiver's (here server's) public key, and the receiver (server) RSA-decrypts with its own private key. However the common practice if the data can be large (and if user-supplied it usually can be) is to encrypt the data with a symmetric cipher (like AES) and a nonce key called DEK which is limited-size depending on the symmetric cipher (128, 192, or 256 bits for AES) (and IV if applicable), and RSA-encrypt only the DEK to the recipient. The recipient first RSA-decrypts the DEK, and then uses it to symmetric-decrypt the data. (Similarly, for signing data the common practice is to RSA-sign, or DSA-sign or ECDSA-sign, a limited-size hash of the actual data which may be very large. Or going further some standards like PKCS#7 below actually RSA-sign a hash of specified metadata that *includes* the hash of the data.)

There are several standards for doing this you can use, notably PKCS#7/CMS/SMIME which OpenSSL already implements, although if you prefer you can define and implement your own as long as this data doesn't have to go to or come from other people who are using different program(s) than yours. (These are basically the same thing: CMS is the IETF adoption with minor changes/enhancements of PKCS#7 from then-RSA Labs; SMIME aka S/MIME is mostly a MIME wrapping of CMS.) PKCS#7 actually covers several cases including sign-only, encrypt-only called enveloped, and both together; you would use the enveloped option. It does usually use X.509-certified keys, though it has other options as well. See man -s1 smime (older), man -s1 cms (newer and more complete), man -s3 PKCS7_{en,de}crypt, man -s3 CMS_{en,de}crypt. (But not man -s1 pkcs7, which actually does only the 'degenerate' PKCS#7 blobs often used to transmit certificates and/or CRLs.)

> But I am not familiar with the API. How do I get the RSA data from a PEM file?

Which data and what PEM file? If you use PKCS#7/etc. data, there are OpenSSL routines to read and write that, either DER or PEM. If you mean the RSA cert (of the receiver, on the sender side) or the RSA private key (at the receiver), OpenSSL has routines for those too, either DER or PEM. If you mean something else, it depends on what it is.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org