[Botan-devel] Decrypt signature
Stefan Misslinger
stefan.misslinger at informatik.tu-muenchen.de
Tue Feb 13 08:05:13 EST 2007
Hi Jack,
thank you very much for your reply.
Actually I didn't think about the threat of just swapping the key, so
we now settled on the method you suggested.
The laptop leaves the apartment last... :)
Thanks again for your help,
Stefan
On 2/12/07, Jack Lloyd <lloyd at randombit.net> wrote:
> On Mon, Feb 12, 2007 at 02:57:28PM +0100, Stefan Misslinger wrote:
>
> > Is it possible to decrypt the signature and therefore reconstruct the
> > encrypted (signed) AES key?
>
> At a purely technical level, yes, one can recover the signed message
> with RSA (depending on the padding scheme). However I would argue for
> a different solution (see below).
>
> > As far as I've seen it's only possible to verify if the signature is
> > correct. I didn't find any example of how to recover the message as well.
>
> This is not at all a normal mechanism, so you'll have to write some
> code to call the RSA objects directly. If you examine
> src/pubkey.cpp you'll see the basic methods; especially you'll want to
> look at PK_Encryptor_MR_with_EME::enc and
> PK_Decryptor_MR_with_EME::dec
>
> > For the application to decrypt the files, we had to integrate the
> > private key also into the source code.
> > In the case someone would manage to extract the key from the source,
> > we want to prevent the attacker from being able to create his own
> > encrypted files.
>
> I take it you are not worried about an attacker being able to generate
> a new encrypted key for a modified binary (since no matter how you
> transfer the key, the attacker could always swap out the RSA key and
> generate files that the particular binary in question would accept).
>
> So why not both encrypt the key (with the private key remaining
> embedded in the binary) and in addition sign the encrypted key (with a
> private key that is not stored in the binary, but only some safe
> place). An attacker will not be able to generate a valid signature for
> the encrypted key packet, so an unmodified binary won't accept it. A
> modified binary (changed the key, or simply NOP out the signature
> check) might, but it seems infeasible to stop that without hardware
> support no matter what system you use.
>
> I haven't had much time to think this through, I'm in the middle of a
> move and am currently typing this on a laptop sitting on the floor of an
> entirely empty apartment. It may take me a while to reply to any
> further questions you have but I will get to them as soon as I can.
>
> Thanks,
> Jack
>
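The encrypt-then-sign key packet Jack proposes, as an added example that is not code from this thread or from Botan. It uses a constructed toy textbook RSA over fixed Mersenne primes (unpadded, standard library only) so that it runs offline; the packet layout, the function names and the truncated digest are assumptions made for the demonstration.

```python
import hashlib

# Constructed toy: textbook (unpadded) RSA over known Mersenne primes so the
# example needs only the standard library. Real code uses generated keys and
# a padded scheme (OAEP for encryption, PSS or EMSA for signatures); none of
# this is Botan's API.
def make_key(p, q, e=65537):
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

# Key pair shipped inside the binary: its private half DECRYPTS the AES key.
ENC_PUB, ENC_PRIV = make_key(2**127 - 1, 2**89 - 1)    # n just under 2^216
# Key pair whose private half stays offline: it SIGNS the encrypted key.
# Only SIGN_PUB is embedded in the binary.
SIGN_PUB, SIGN_PRIV = make_key(2**107 - 1, 2**61 - 1)  # n just over 2^167

def digest(ct: int) -> int:
    # SHA-256 of the ciphertext, truncated to 160 bits so the value fits
    # under the small toy signing modulus (an assumption of this toy).
    raw = hashlib.sha256(ct.to_bytes(27, "big")).digest()[:20]
    return int.from_bytes(raw, "big")

def make_packet(aes_key: bytes, sign_priv):
    """Producer side: encrypt the 16-byte key, then sign the ciphertext."""
    ct = pow(int.from_bytes(aes_key, "big"), ENC_PUB[1], ENC_PUB[0])
    sig = pow(digest(ct), sign_priv[1], sign_priv[0])
    return ct, sig

def open_packet(packet, enc_priv=ENC_PRIV, sign_pub=SIGN_PUB):
    """Binary side: verify the signature first, decrypt only if it holds."""
    ct, sig = packet
    # With an unpadded signature, "verifying" is literally recovering the
    # signed value (s^e mod n), which is what the original question asked.
    if pow(sig, sign_pub[1], sign_pub[0]) != digest(ct):
        return None
    return pow(ct, enc_priv[1], enc_priv[0]).to_bytes(16, "big")

def forge_with_extracted_keys(aes_key: bytes):
    """Someone holding only what the binary contains (ENC_PRIV, SIGN_PUB)
    can encrypt a key but has no signing key; here they sign with ENC_PRIV,
    the only private key they have. An unmodified binary rejects it."""
    ct = pow(int.from_bytes(aes_key, "big"), ENC_PUB[1], ENC_PUB[0])
    return ct, pow(digest(ct), ENC_PRIV[1], ENC_PRIV[0])

if __name__ == "__main__":
    key = bytes(range(16))                   # constructed sample AES key
    print(open_packet(make_packet(key, SIGN_PRIV)) == key)   # True
    print(open_packet(forge_with_extracted_keys(key)))        # None
```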