|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
RSA Decryption with public key?application knows the private key in a public key, private key pair. The verification protocol developed by manufacturer of the external application involves sending the external application known data, allowing the external application to encrypt the data using the private key, and then verifying that the returned cipher text matches the original data once decrypted by our application with the public key. Note: The returned data is encrypted by the private key -not signed! From our research, the RSACryptoServiceProvider in the Framework does not directly support this type of protocol. For reference: http://social.msdn.microsoft.com/Forums/en-US/netfxbcl/thread/7fd9ab50-40c7-47c2-ae80-04e5ccad839d/ http://www.eggheadcafe.com/software/aspnet/31582085/no-way-to-encrypt-with-pr.aspx Has anyone found a suitable workaround for this? We have had some success with Bouncy Castle. (http://www.bouncycastle.org/) However, we would prefer not to include additional third party libraries due to legal concerns and additional product requirements. Thanks in advance! Encrypting with the private key is a violation of how RSA is intended to be
used. As such, the MS crypto stack attempts to prevent you from doing this, so this is why you see the results you see. If you can find another library that allows you to work around this, then that is likely your best option although ideally the producer of the other application would fix their crypto usage. It sounds like they have a typical use case for signing, so why not just do it right? Of course, that isn't really up to you... -- Show quoteHide quoteJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net "Rob Cooke" <Rob Co***@discussions.microsoft.com> wrote in message news:1F898FF1-4B59-4155-9BCF-ABD7509D5F4D@microsoft.com... > We have an .NET 2.0 application that requires verifying that an external > application knows the private key in a public key, private key pair. > > The verification protocol developed by manufacturer of the external > application involves sending the external application known data, allowing > the external application to encrypt the data using the private key, and > then > verifying that the returned cipher text matches the original data once > decrypted by our application with the public key. > > Note: The returned data is encrypted by the private key -not signed! > > From our research, the RSACryptoServiceProvider in the Framework does not > directly support this type of protocol. For reference: > > http://social.msdn.microsoft.com/Forums/en-US/netfxbcl/thread/7fd9ab50-40c7-47c2-ae80-04e5ccad839d/ > > http://www.eggheadcafe.com/software/aspnet/31582085/no-way-to-encrypt-with-pr.aspx > > Has anyone found a suitable workaround for this? We have had some success > with Bouncy Castle. (http://www.bouncycastle.org/) However, we would > prefer > not to include additional third party libraries due to legal concerns and > additional product requirements. > > Thanks in advance! > > Hi Rob,
unfortunately the .net framework not allowing this option :-( with my library 'goliath .net mupal' i have provided an example (strong-name encryption) how you use rsa in...reverse mode! standard usage: encrypt -> c = m^e mod n decyrpt -> m = c^d mod n reverse mode usage: encrypt -> c = m^d mod n decyrpt -> m = c^e mod n by using the private-key and public-key from strong-name file (.snk) :-ooo for to crack a program you need to remove the strong-name...but eliminating the strong-name false data decryption! :-DDD best regards On Jan 15, 8:13 pm, "Marcello Cantelmo"
<marcello___AT___cantelmosoftware___DOT___com> wrote: > Completely wrong, totally insecure, grossly inefficient.> standard usage: > > encrypt -> c = m^e mod n > decyrpt -> m = c^d mod n > > reverse mode usage: > > encrypt -> c = m^d mod n > decyrpt -> m = c^e mod n > Hope you only use it for your own exercises sake. -Valery. hi,
and thanks for your opinion >Completely wrong, totally insecure, grossly inefficient. - I do not think wrong: why i want signing my data. with .net you can, also, retrieve the data parameters from strong-name ;-) - perhaps insecure but still better than retrieve a trivial check: true/false or using symmetric algorithms - grossly inefficient if you dont use the chinese remainder theorem ;-) always ihmo! >Hope you only use it for your own exercises sake. i just protect my software :-IMarcello Cantelmo www.cantelmosoftware.com On Jan 20, 11:59 am, "Marcello Cantelmo"
<marcello___AT___cantelmosoftware___DOT___com> wrote: Show quoteHide quote > hi, Yes, it is completely wrong! As for starters - you don't map your data> > and thanks for your opinion > > >Completely wrong, totally insecure, grossly inefficient. > > - I do not think wrong: why i want signing my data. with .net you can, also, > retrieve the data parameters from strong-name ;-) > - perhaps insecure but still better than retrieve a trivial check: > true/false or using symmetric algorithms > - grossly inefficient if you dont use the chinese remainder theorem ;-) > > always ihmo! > > >Hope you only use it for your own exercises sake. > > i just protect my software :-I > > Marcello Cantelmowww.cantelmosoftware.com to the full domain before applying RSA prototype (taking power mod N). Just for example: you give me public key and your "private key encryption" of 2 and I can provide you with "private key encryption" of any number that is power of 2 without having private key simply by multiplying signature of 2 with itself mod N (due to RSA multiplicative property). If I have signature of other numbers with your scheme - it is trivial to get signature of any other number that is factored by these numbers that I already have. Having signatures of first couple of hundreds of prime numbers (2, 3, 5, 7, 11 ....) gives significant chance to forge signature for an arbitrary message - simply check that message has only factors from the table, if not, modify message slightly without modifying its meaning significantly (add some spaces, dots or carriage returns) and try again... There are hundreds of known attack on RSA that is used subtly wrong. Plain said - textbook RSA primitive is completely different than RSA encryption. So, if you think that you understand RSA - think again. -Valery. On Jan 14, 5:19 pm, Rob Cooke <Rob Co***@discussions.microsoft.com>
wrote: Show quoteHide quote > We have an .NET 2.0 application that requires verifying that an external Hi,> application knows the private key in a public key, private key pair. > > The verification protocol developed by manufacturer of the external > application involves sending the external application known data, allowing > the external application to encrypt the data using the private key, and then > verifying that the returned cipher text matches the original data once > decrypted by our application with the public key. > > Note: The returned data is encrypted by the private key -not signed! > > From our research, the RSACryptoServiceProvider in the Framework does not > directly support this type of protocol. For reference: > > http://social.msdn.microsoft.com/Forums/en-US/netfxbcl/thread/7fd9ab5... > > http://www.eggheadcafe.com/software/aspnet/31582085/no-way-to-encrypt... > > Has anyone found a suitable workaround for this? We have had some success > with Bouncy Castle. (http://www.bouncycastle.org/) However, we would prefer > not to include additional third party libraries due to legal concerns and > additional product requirements. > > Thanks in advance! "Decryption with public key" is a misnomer (or nonsense) that have actually caused lots of confusion and as result - lots of badly designed systems. The thingy that with RSA often referred as "Decryption with public key" is actually a *Signature Verification With Message Recovery*. Asymmetric algorithms are what they are - asymmetric. It is not only concern use of two different keys (one for encryption, other for decryption/ one for signature generation, other for signature verification). They also have different security requirements for encryption vs signature. As result they require different proofs of security for any padding schemes that is used for encryption and entirely different proofs of security for padding schemes used for signatures. Now, if we talk RSA here: RSA problem is believed to be hard, but when we talk about RSA problem being hard we talk about RSA problem on *full domain* (any value between 0 and mod M must be equally probable). But when you start doing real life use of RSA, you encode your message to an integer value between 0 and mod M, but do you really achieve uniformity of distribution with your message encoding scheme? If you have used a fixed encoding - then what you do is actually jumping from "RSA is considered to be hard on full domain" to the naive "I hope RSA is equally hard on a tiny-itsy-bitsy subset of the domain", which is generally non true. Examples - there are numbers of attacks on fixed encoding used with RSA, such as for example fault analysis attacks (see Bleichenbacher for encryption, Bellcore for signatures, etc). Secure use of RSA requires special use of encoding which makes message distribution computationally indistinguishable from random. For encryption - it is RSA OAEP, for signature it is RSA PSS. or for even tighter security : for key transform (encryption) use RSA- KEM; for signatures use "Full Domain Hash". There are also different security requirements for public and private exponents. And there are hundreds of known attacks on RSA when something is used subtly incorrectly. If you want secure RSA - use what is proven to be secure, and don't try to invent something new - everything that could have been invented with RSA was already invented and most probably broken before... -Valery. hi,
Bleichenbacher method is good against keys with exponent of 3 (...says the same author). many developers using e=3 for speed execution is recommended instead to use a exponent: e=65537 and for speed execution the chinese remainder theorem algo implementation what you say is true...but RSA >=512 bit is not duable for people without a "large cluster" to factorize (for now!) On Jan 20, 11:46 am, "Marcello Cantelmo"
<marcello___AT___cantelmosoftware___DOT___com> wrote: > hi, CRT is only useful for private key operation because having> > Bleichenbacher method is good against keys with exponent of 3 (...says the > same author). many developers using e=3 for speed execution > > is recommended instead to use a exponent: e=65537 and for speed execution > the chinese remainder theorem algo implementation > > what you say is true...but RSA >=512 bit is not duable for people without a > "large cluster" to factorize (for now!) > > -- > Marcello Cantelmowww.cantelmosoftware.com multiplicative inverses required for CRT trivially allows recovering factors of N. public key operations are using square and multiply, therefore - the less 1s you have in binary representation of you public exponent - the faster it will be. -Valery >CRT is only useful for private key operation because having exactly! I have continued to respond to: "grossly inefficient". it is >multiplicative inverses required for CRT trivially allows recovering >factors of N. >public key operations are using square and multiply, therefore - the >less 1s you have in binary representation of you public exponent - the >faster it will be. >-Valery possible 'speed up' rsa with: CRT and/or Montgomery multiplication eliminates then mod n reduction step --- Marcello Cantelmo www.cantelmosoftware.com On Jan 20, 5:18 pm, "Marcello Cantelmo"
<marcello___AT___cantelmosoftware___DOT___com> wrote: Show quoteHide quote > >CRT is only useful for private key operation because having One should use optimized multiplication algorithm regardless whether> >multiplicative inverses required for CRT trivially allows recovering > >factors of N. > >public key operations are using square and multiply, therefore - the > >less 1s you have in binary representation of you public exponent - the > >faster it will be. > >-Valery > > exactly! I have continued to respond to: "grossly inefficient". it is > possible 'speed up' rsa with: > > CRT and/or Montgomery multiplication eliminates then mod n reduction step > > --- > Marcello Cantelmowww.cantelmosoftware.com or not you use CRT (such as for example Montgomery or Karatsuba, or if you doing FPGA programming you may also think of FFT for that matter). Since private exponent is much bigger than public exponent (some schemes use public/private of approximate equal size, but there are known attacks in case if it is used subtly wrong (not even speaking that you loose possibility to optimize public key operations) CRT on private exponent of big size gives about 4 times better performance than straight forward exponentiation... But inefficient is one of the last worries about the scheme that you have described. For understanding that you may probably recheck my previous answers to that thread. The Bottom line: There is no such thing as decryption with public key. There are signature schemes with message recovery (such as RSA) and they should be referred as such. Signature schemes have different security requirements, and different security proofs than encryption. And when it concerns to encryption, here is quite close rephrase of what Odedd Goldregh wrote in his "Foundation of Cryptography" (rephrase only because I don't have his book at my hands right now) "Any encryption at the absolute minimum requires a presence of a secret decryption key. Without a secret decryption key, encryption is simply impossible!" Period Public key is public. Applying public key RSA prototype for purpose different than encryption/(key transfer) is a *Signature Verification with Message Recovery*. And textbook RSA is *insecure*. -Valery The difficulty here is...
We do not have a digital signature. The owner of the third party application expects us to pass their application some data then they prove that their application knows the private key by encrypting our data with the private key and giving us back the cipher text. If we can decrypt the cipher text using the public key provided on via their X509 certificate, we consider the application verified. Regardless of the merits and security (or lack there of) of this protocol, it is the only one that we can use with this third party. While, by convention, this backwards method is discouraged due to its limited use cases and clear potential for confusion, it is, nevertheless, technically possible. In our case, the third party (for whatever reason) decided to employ this technicality and, as a result, we have been placed into a position where we are required to complete our end of this backwards protocol -but without any direct support from BCL classes. Show quoteHide quote "Valery Pryamikov" wrote: > On Jan 14, 5:19 pm, Rob Cooke <Rob Co***@discussions.microsoft.com> > wrote: > > We have an .NET 2.0 application that requires verifying that an external > > application knows the private key in a public key, private key pair. > > > > The verification protocol developed by manufacturer of the external > > application involves sending the external application known data, allowing > > the external application to encrypt the data using the private key, and then > > verifying that the returned cipher text matches the original data once > > decrypted by our application with the public key. > > > > Note: The returned data is encrypted by the private key -not signed! > > > > From our research, the RSACryptoServiceProvider in the Framework does not > > directly support this type of protocol. For reference: > > > > http://social.msdn.microsoft.com/Forums/en-US/netfxbcl/thread/7fd9ab5... > > > > http://www.eggheadcafe.com/software/aspnet/31582085/no-way-to-encrypt... > > > > Has anyone found a suitable workaround for this? We have had some success > > with Bouncy Castle. (http://www.bouncycastle.org/) However, we would prefer > > not to include additional third party libraries due to legal concerns and > > additional product requirements. > > > > Thanks in advance! > > Hi, > "Decryption with public key" is a misnomer (or nonsense) that have > actually caused lots of confusion and as result - lots of badly > designed systems. The thingy that with RSA often referred as > "Decryption with public key" is actually a *Signature Verification > With Message Recovery*. > Asymmetric algorithms are what they are - asymmetric. It is not only > concern use of two different keys (one for encryption, other for > decryption/ one for signature generation, other for signature > verification). They also have different security requirements for > encryption vs signature. As result they require different proofs of > security for any padding schemes that is used for encryption and > entirely different proofs of security for padding schemes used for > signatures. > Now, if we talk RSA here: > RSA problem is believed to be hard, but when we talk about RSA problem > being hard we talk about RSA problem on *full domain* (any value > between 0 and mod M must be equally probable). But when you start > doing real life use of RSA, you encode your message to an integer > value between 0 and mod M, but do you really achieve uniformity of > distribution with your message encoding scheme? If you have used a > fixed encoding - then what you do is actually jumping from "RSA is > considered to be hard on full domain" to the naive "I hope RSA is > equally hard on a tiny-itsy-bitsy subset of the domain", which is > generally non true. Examples - there are numbers of attacks on fixed > encoding used with RSA, such as for example fault analysis attacks > (see Bleichenbacher for encryption, Bellcore for signatures, etc). > > Secure use of RSA requires special use of encoding which makes message > distribution computationally indistinguishable from random. For > encryption - it is RSA OAEP, for signature it is RSA PSS. > or for even tighter security : for key transform (encryption) use RSA- > KEM; for signatures use "Full Domain Hash". > > There are also different security requirements for public and private > exponents. And there are hundreds of known attacks on RSA when > something is used subtly incorrectly. If you want secure RSA - use > what is proven to be secure, and don't try to invent something new - > everything that could have been invented with RSA was already invented > and most probably broken before... > > -Valery. > As I previously stated, you are hung out to dry here because the entity you
must interact with has created a protocol that is cryptographically unsound. They would have been much better served to use something standards-based like SSL. Regular SSL server authentication sounds like exactly the type of thing they attempted to implement, especially given that X509 certs are involved. That's too bad. Hopefully this won't come back to haunt them in other ways. -- Show quoteHide quoteJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net "Rob Cooke" <RobCo***@discussions.microsoft.com> wrote in message news:E5B61011-6D3A-41F3-8B5C-6DE39456265F@microsoft.com... > The difficulty here is... > > We do not have a digital signature. > The owner of the third party application expects us to pass their > application some data then they prove that their application knows the > private key by encrypting our data with the private key and giving us back > the cipher text. > > If we can decrypt the cipher text using the public key provided on via > their > X509 certificate, we consider the application verified. > > Regardless of the merits and security (or lack there of) of this protocol, > it is the only one that we can use with this third party. > > While, by convention, this backwards method is discouraged due to its > limited use cases and clear potential for confusion, it is, nevertheless, > technically possible. In our case, the third party (for whatever reason) > decided to employ this technicality and, as a result, we have been placed > into a position where we are required to complete our end of this > backwards > protocol -but without any direct support from BCL classes. > > > > "Valery Pryamikov" wrote: > >> On Jan 14, 5:19 pm, Rob Cooke <Rob Co***@discussions.microsoft.com> >> wrote: >> > We have an .NET 2.0 application that requires verifying that an >> > external >> > application knows the private key in a public key, private key pair. >> > >> > The verification protocol developed by manufacturer of the external >> > application involves sending the external application known data, >> > allowing >> > the external application to encrypt the data using the private key, and >> > then >> > verifying that the returned cipher text matches the original data once >> > decrypted by our application with the public key. >> > >> > Note: The returned data is encrypted by the private key -not signed! >> > >> > From our research, the RSACryptoServiceProvider in the Framework does >> > not >> > directly support this type of protocol. For reference: >> > >> > http://social.msdn.microsoft.com/Forums/en-US/netfxbcl/thread/7fd9ab5... >> > >> > http://www.eggheadcafe.com/software/aspnet/31582085/no-way-to-encrypt... >> > >> > Has anyone found a suitable workaround for this? We have had some >> > success >> > with Bouncy Castle. (http://www.bouncycastle.org/) However, we would >> > prefer >> > not to include additional third party libraries due to legal concerns >> > and >> > additional product requirements. >> > >> > Thanks in advance! >> >> Hi, >> "Decryption with public key" is a misnomer (or nonsense) that have >> actually caused lots of confusion and as result - lots of badly >> designed systems. The thingy that with RSA often referred as >> "Decryption with public key" is actually a *Signature Verification >> With Message Recovery*. >> Asymmetric algorithms are what they are - asymmetric. It is not only >> concern use of two different keys (one for encryption, other for >> decryption/ one for signature generation, other for signature >> verification). They also have different security requirements for >> encryption vs signature. As result they require different proofs of >> security for any padding schemes that is used for encryption and >> entirely different proofs of security for padding schemes used for >> signatures. >> Now, if we talk RSA here: >> RSA problem is believed to be hard, but when we talk about RSA problem >> being hard we talk about RSA problem on *full domain* (any value >> between 0 and mod M must be equally probable). But when you start >> doing real life use of RSA, you encode your message to an integer >> value between 0 and mod M, but do you really achieve uniformity of >> distribution with your message encoding scheme? If you have used a >> fixed encoding - then what you do is actually jumping from "RSA is >> considered to be hard on full domain" to the naive "I hope RSA is >> equally hard on a tiny-itsy-bitsy subset of the domain", which is >> generally non true. Examples - there are numbers of attacks on fixed >> encoding used with RSA, such as for example fault analysis attacks >> (see Bleichenbacher for encryption, Bellcore for signatures, etc). >> >> Secure use of RSA requires special use of encoding which makes message >> distribution computationally indistinguishable from random. For >> encryption - it is RSA OAEP, for signature it is RSA PSS. >> or for even tighter security : for key transform (encryption) use RSA- >> KEM; for signatures use "Full Domain Hash". >> >> There are also different security requirements for public and private >> exponents. And there are hundreds of known attacks on RSA when >> something is used subtly incorrectly. If you want secure RSA - use >> what is proven to be secure, and don't try to invent something new - >> everything that could have been invented with RSA was already invented >> and most probably broken before... >> >> -Valery. >>  
Other interesting topics
Thread security
encrypting app.config with RSA Mail merge with an MD5 hash. Having problem with Encryption using CryptoAPI Kerberos S4U problem COM and Windows control on webpage security issue with with windows service account Publisher Security use CAS demand or not? web service security that is interoperable |
|||||||||||||||||||||||
