OpenSSL, C program, passing a Public RSA to a remote peer.
If you need to transfer the public key to a peer why don't you write your public key on disk (PEM_write_bio_RSAPublicKey) and use scp?
I agree. PEM-files are a very standard way to conveniently exchange key material with a peer. Arrange your software so that it generates such a file. And, on the client side, it reads such a file at an agreed-upon location. "Exactly like everybody else does!"
Be sure that you have designed your system to use OpenSSL properly: to use the RSA-key to negotiate a private per-conversation session key.
Use libraries like OpenSSL only at the surface layers: "don't dive down into the guts of the thing, even though you can." There's a surface-layer API that's intended to be "the thing that you're supposed to use," along with lower-level routines that are intended for special cases. But ... "your case, whatever it is, is not 'special!'"
In matters of cryptography, key management is the Achilles heel.
Last edited by sundialsvcs; 03-13-2017 at 09:24 AM.
Now I need to be able to send the public RSA to a remote peer. Which means I need to send the key, n, e, d, p and q.
I'm not familiar with the API you're using, but assuming standard terminology, d, p, and q are part of the private key, don't send them to anyone else! Only n and e should be shared.
I agree completely. But I could not find out what the proper way to send a public RSA to the peer is. If you could point me to an example written in C, I would be very grateful.
One way would be to write the file to disk and just scp or rsync it over to its destination.
Another way would be to copy the content of the file into memory and send it by means of your existing socket connection with the peer. (This exchange does not have to be encrypted.)
The peer expects to find its certificate-file at an agreed-upon location in its own filesystem.
Since certificates are uniquely identifiable, the host maintains a list of certificates that it will recognize. (Or, that have been revoked.) Again, use the full OpenSSL standard and "do exactly what everyone else does."
Transferring files is not a problem. The problem is which files to move?
Maybe I am missing something? I thought the only way to encrypt a packet was to use RSA_public_encrypt()? Which requires a public RSA. If I use certificates can I use them to encrypt a packet?
Use .pem files at an agreed-upon location to contain the public-key material that is required by the client.
Build these files to contain the necessary public-key material, then transfer them to the client. Arrange for the client software to require the file to be at some agreed-upon location. The client reads the public key from the file and uses it to perform the initial session-key negotiations.
Remember that public-key techniques are not used to final-encrypt the traffic: they are used to securely negotiate a (symmetric ...) session key which is then used to do so. All of which OpenSSL can handle for you.
Use the highest-level functions within the (vast ...) OpenSSL library, and do not dive down into the "primitive functions" which are also available.
I highly encourage you to spend some time, say, at "github.com," to review how applications that you can find there employ the SSL libraries. You will find both "best practices" and "code that you can steal" in those places. Avoid wasted time spent "blundering through how-to-do-it, as though no one before you had ever done it before," because they have, and they provided their source code on places like github.
Last edited by sundialsvcs; 03-14-2017 at 04:38 PM.
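An added example, not code from any poster in this thread: a pre-send guard for the advice above that only public material (n and e, never d, p or q) goes into the PEM data handed to the peer. The function name `pem_presend_check`, the allow-list of labels and the sample buffers are assumptions made for this sketch; it uses only the C standard library.

```c
#include <stdio.h>
#include <string.h>

enum pem_verdict { PEM_OK_PUBLIC, PEM_HAS_PRIVATE, PEM_UNKNOWN_LABEL, PEM_NO_BLOCKS };

/* PEM labels that carry only public material. "RSA PUBLIC KEY" is the label
   PEM_write_bio_RSAPublicKey produces; "PUBLIC KEY" is the SubjectPublicKeyInfo form. */
static const char *const public_labels[] = { "PUBLIC KEY", "RSA PUBLIC KEY", "CERTIFICATE" };

static int is_public_label(const char *label, size_t len)
{
    for (size_t i = 0; i < sizeof public_labels / sizeof public_labels[0]; i++)
        if (strlen(public_labels[i]) == len && memcmp(public_labels[i], label, len) == 0)
            return 1;
    return 0;
}

/* Inspect every "-----BEGIN <label>-----" header in a NUL-terminated buffer that is
   about to be sent. Fails closed: a private-key or unrecognised label blocks the send. */
enum pem_verdict pem_presend_check(const char *buf)
{
    static const char begin[] = "-----BEGIN ";
    enum pem_verdict verdict = PEM_NO_BLOCKS;
    const char *p = buf;
    while ((p = strstr(p, begin)) != NULL) {
        const char *label = p + sizeof begin - 1;
        const char *end = strstr(label, "-----");
        if (end == NULL) return PEM_UNKNOWN_LABEL;      /* truncated header */
        size_t len = (size_t)(end - label);
        /* "RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", ... */
        if (len >= 11 && memcmp(end - 11, "PRIVATE KEY", 11) == 0)
            return PEM_HAS_PRIVATE;
        if (!is_public_label(label, len))
            verdict = PEM_UNKNOWN_LABEL;
        else if (verdict == PEM_NO_BLOCKS)
            verdict = PEM_OK_PUBLIC;
        p = end;                                        /* keep scanning: files may hold several blocks */
    }
    return verdict;
}

/* Constructed samples: placeholder bodies, not real key material. */
static const char sample_public[] =
    "-----BEGIN PUBLIC KEY-----\nplaceholder\n-----END PUBLIC KEY-----\n";
static const char sample_combined[] =   /* combined file: certificate plus private key */
    "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n";

int main(void)
{
    printf("%d %d\n", (int)pem_presend_check(sample_public), (int)pem_presend_check(sample_combined));
    return 0;
}
```

The check looks only at PEM labels, so it catches the common mistake of shipping a combined certificate-plus-key file; it does not parse or validate the encoded key body.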