I created a custom RSA key pair just for test purposes in python. I want to add the private key and public key to a .pem file but I didnt find anything in my research. All i found is people generating a RSA key pair from a library.
I have the e, d and n variables for the public key[e, n] and private key[d, n].
Most major crypto libraries support this, e.g. PyCryptodome (via construct() and exportKey()) or Cryptography (as described in the Numbers and Key Serialization sections), e.g.
PyCryptodome:
from Crypto.PublicKey import RSA
n = int("b83b...529b", 16);
d = int("4eea...a721", 16);
e = int("010001", 16);
privateKey = RSA.construct((n, e, d))
privateKeyPem = privateKey.exportKey(pkcs=8) # export in PKCS#8 format
publicKey = RSA.construct((n, e))
publicKeyPem = publicKey.exportKey() # export in X.509/SPKI format
print(privateKeyPem.decode('utf8'))
print(publicKeyPem.decode('utf8'))
or Cryptography:
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
n = int("b83b...529b", 16);
d = int("4eea...a721", 16);
e = int("010001", 16);
(q, p) = rsa.rsa_recover_prime_factors(n, e, d)
dmq1 = rsa.rsa_crt_dmq1(d, q)
dmp1 = rsa.rsa_crt_dmp1(d, p)
iqmp = rsa.rsa_crt_iqmp(p, q)
publicNumbers = rsa.RSAPublicNumbers(e, n)
privateNumbers = rsa.RSAPrivateNumbers(p, q, d, dmp1, dmq1, iqmp, publicNumbers)
privateKey = privateNumbers.private_key();
publicKey = publicNumbers.public_key();
privateKeyPem = privateKey.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
)
publicKeyPem = publicKey.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(privateKeyPem.decode('utf8'))
print(publicKeyPem.decode('utf8'))
Note that the raw key is symmetric in p and q, so swapping p and q changes the PEM or DER encoded key, but not the raw key (n, e, d).
Related
I need to have a python code and a swift code exchange encrypted message.
Here's what I tried:
Fernet
After a review of the options, I thought that a symetric key algorithm could work well.
In python (as usual), it is straightforward to encrypt and decrypt:
Fernet(key).encrypt(b"mdg") # encrypt
Fernet(key).decrypt(encryptedMsg) # decrypt
In swift, it seemed initially straightforward with something along the lines of:
func encrypt(key: String, msg: String) throws -> String {
let data = Data(base64URL: key)!
let symetricKey = try! SymmetricKey(data: d)
let msgUtf8 = msg.data(using: .utf8)!
let sealBox = try! AES.GCM.seal(msgUtf8, using: symetricKey, nonce: nil)
return sealBox.combined.base64EncodedString();
}
However, I have been unable to find the algorithm in swift matching python's Fernet.
ChaCha
While searching for the problem, I landed on this amazing answer from Bram. Very unfortunately it only solves one side of my problem : encrypting messages in python and decoding them in swift. I also need the reverse process.
How to solve this?
To start, we first need a way to create secure random values to generate the IV and keys. You can also generate the keys using CryptoKit's SymmetricKey and extract the data from them, but for now, I'll use this function.
extension Data {
static func secureRandom(ofSize size: Int) -> Data {
var output = [UInt8](repeating: 0, count: size)
_ = SecRandomCopyBytes(kSecRandomDefault, size, &output)
return Data(output)
}
}
We then require the possibility to compute the AES CBC ciphertext, which can be done using CommonCrypto.
func encrypt(plaintext: Data, key: Data, iv: Data) -> Data {
var encryptor: CCCryptorRef?
defer {
CCCryptorRelease(encryptor)
}
var key = Array(key)
var iv = Array(iv)
var plaintext = Array(plaintext)
CCCryptorCreate(CCOperation(kCCEncrypt), CCAlgorithm(kCCAlgorithmAES), CCOperation(kCCOptionPKCS7Padding), &key, key.count, &iv, &encryptor)
var outputBytes = [UInt8](repeating: 0, count: CCCryptorGetOutputLength(encryptor, plaintext.count, false))
CCCryptorUpdate(encryptor, &plaintext, plaintext.count, &outputBytes, outputBytes.count, nil)
var movedBytes = 0
var finalBytes = [UInt8](repeating: 0, count: CCCryptorGetOutputLength(encryptor, 0, true))
CCCryptorFinal(encryptor, &finalBytes, finalBytes.count, &movedBytes)
return Data(outputBytes + finalBytes[0 ..< movedBytes])
}
and the HMAC with the SHA-256 hash function. I recommend using CryptoKit's HMAC implementation here, but to keep things simple, I went with the CommonCrypto implementation.
func computeHMAC(_ data: Data, using key: Data) -> Data {
var data = Array(data)
var key = Array(key)
var macOut = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
CCHmac(CCHmacAlgorithm(kCCHmacAlgSHA256), &key, key.count, &data, data.count, &macOut)
return Data(macOut)
}
This brings all of this together into the following
let plaintext = Data("Hello world!".utf8)
let signingKey = Data.secureRandom(ofSize: kCCKeySizeAES128)
let cryptoKey = Data.secureRandom(ofSize: kCCKeySizeAES128)
let fernetKey = (signingKey + cryptoKey).base64EncodedString()
let version: [UInt8] = [0x80]
let timestamp: [UInt8] = {
let timestamp = Int(Date().timeIntervalSince1970).bigEndian
return withUnsafeBytes(of: timestamp, Array.init)
}()
let iv = Data.secureRandom(ofSize: kCCBlockSizeAES128)
let ciphertext = encrypt(plaintext: plaintext, key: cryptoKey, iv: iv)
let hmac = computeHMAC(version + timestamp + iv + ciphertext, using: signingKey)
let fernetToken = (version + timestamp + iv + ciphertext + hmac).base64EncodedString()
print("Fernet key: \(fernetKey)")
print("Fernet token: \(fernetToken)")
An example output can be
Fernet key: 7EwFlYNKTGfj+2fSgL3AUqtrRqRs4D1TWNK7t2XbGJQ=
Fernet token: gAAAAABivCLM0y0poDtGOohT1yK4XTDJppYPJdu4fuDTZ5tb9P9KP5ACgX8aJq4imsSdbzOCcvY3Tueo4FYbwyG+ZugozILL+Q==
We can use this in python using cryptography.io's implementation
from cryptography.fernet import Fernet
key = b'7EwFlYNKTGfj+2fSgL3AUqtrRqRs4D1TWNK7t2XbGJQ='
token = b'gAAAAABivCLM0y0poDtGOohT1yK4XTDJppYPJdu4fuDTZ5tb9P9KP5ACgX8aJq4imsSdbzOCcvY3Tueo4FYbwyG+ZugozILL+Q=='
Fernet(key).decrypt(token)
# b'Hello world!'
I'm trying to sign message with RSA in Python and then verifying data in C#, but getting fail still after hours of testing/fighting.
Python code for signing:
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import serialization
message = b"Test string"
with open("id_rsa", "rb") as key_file:
private_key = serialization.load_pem_private_key(
key_file.read(),
password=None,
)
signature = private_key.sign(
message,
padding.PKCS1v15(),
hashes.SHA256()
)
signaturefile = open('signed.dat', 'wb')
signaturefile.write(signature)
signaturefile.close()
datafile = open('message.dat', 'wb')
datafile.write(message)
datafile.close()
And C# code for verifying:
private void button_Click(object sender, EventArgs e)
{
byte[] data = File.ReadAllBytes("message.dat");
byte[] signature = File.ReadAllBytes("signed.dat");
try
{
using (var reader = File.OpenText("id_rsa.pub"))
{
var pem = new PemReader(reader);
var o = (RsaKeyParameters)pem.ReadObject();
using (var rsa = new RSACryptoServiceProvider())
{
var parameters = new RSAParameters();
parameters.Modulus = o.Modulus.ToByteArray();
parameters.Exponent = o.Exponent.ToByteArray();
rsa.ImportParameters(parameters);
bool ok = rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
if (ok) Console.WriteLine("Verified");
}
}
}
catch (CryptographicException exc)
{
Console.WriteLine(exc.Message);
}
}
I'm getting always fail from rsa.VerifyData. Could someone point me what is the problem?
Same files can be verified well in Python.
RSAParameters#Modulus and RSAParameters#Exponent expect modulus and exponent unsigned, so Org.BouncyCastle.Math.BigInteger#ToByteArrayUnsigned() must be used instead of Org.BouncyCastle.Math.BigInteger#ToByteArray(). With this change, verification is successful.
Also, the big endian byte order is required, but this applies to both methods.
Note that System.Numerics.BigInteger#ToByteArray() returns the data signed with little endian order.
Your current approach uses BC for key import and built-in .NET methods for verification. Alternatively, BC classes can also be used for verification, making for a slightly more efficient implementation overall.
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Security;
...
ISigner signer = SignerUtilities.GetSigner("SHA256withRSA");
signer.Init(false, o);
signer.BlockUpdate(data, 0, data.Length);
bool verified = signer.VerifySignature(signature);
Using the PyCrypto library, the following code prints 127:
from Crypto.PublicKey import RSA
import base64
# Private key in tuple form (obscured for privacy)
key = [1, 1, 1]
bk = "zJuG60z9Iv..." # (obscured for privacy)
privatekey = RSA.construct(key)
result = privatekey.decrypt(base64.b64decode(bk))
print(len(result))
To the best of my knowledge, this would be the equivalent using PyCryptodome. However, the resulting value only has a length of 16, indicating a possible decryption error.
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
import base64
# Private key in tuple form (obscured for privacy)
key = [1, 1, 1]
bk = "zJuG60z9Iv..." # (obscured for privacy)
privatekey = RSA.construct(key)
cipher = PKCS1_v1_5.new(privatekey)
result = cipher.decrypt(base64.b64decode(bk), None)
print(len(result))
I believe this is because my ciphertext uses textbook unpadded RSA. Does anyone know how I can decrypt this value with PyCryptodome or another maintained library?
PyCryptodome doesn't provide a built-in method to decrypt textbook RSA, but can be decrypted using modular exponentiation from the standard library.
from Crypto.PublicKey import RSA
import base64
# Private key in tuple form (obscured for privacy)
key = [1, 1, 1]
bk = "zJuG60z9Iv..." # (obscured for privacy)
privatekey = RSA.construct(key)
ciphertext = base64.b64decode(bk)
ct_int = int.from_bytes(ciphertext, 'big')
pt_int = pow(ct_int, privatekey.d, privatekey.n)
plaintext = pt_int.to_bytes(privatekey.size_in_bytes(), 'big').lstrip(b'\x00')
print(len(plaintext))
I'm trying to use ChaCha20-Poly1305 cipher from the cryptography module,
but there is only ChaCha20 cipher and Poly1305 MAC available.
This is the way I tried to combine them at first:
from cryptography.hazmat.primitives.poly1305 import Poly1305
from cryptography.hazmat.primitives.ciphers import (
Cipher,
algorithms as algo,
)
from cryptography.hazmat.backends import default_backend as defb
class ChaCha20Poly1305:
def __init__(self, locking, key, nonce):
self._locking = locking
# only accepts 16 bytes nonce
cipher = Cipher(algo.ChaCha20(key, nonce), None, defb())
if locking:
self._cipher = cipher.encryptor()
else:
self._cipher = cipher.decryptor()
self._auth = Poly1305(key)
self._auth.update(nonce)
def update(self, data):
ctxt = self._cipher.update(data)
self._auth.update(ctxt)
return ctxt
def finalize(self, tag=None):
if not self._locking
if tag is None:
raise ValueError('tag required')
self._auth.verify(tag)
def calculate_tag(self):
return self._auth.calculate_tag()
Is this the correct way to use this cipher with Poly1305?
Edit: Although cryptography provides ChaCha20Poly1305,
it does NOT support encrypting data continuously.
It simply takes a piece of data, encrypts it and returns the ciphertext
with appended MAC. And that is not what I want.
It's possible to implement a streaming authenticated encryption / decryption with the Cryptography implementations ChaCha20 and Poly1305 analogous to the PyCryptodome implementation ChaCha20_Poly1305. The posted code already does this essentially, whereby the following points are missing or buggy:
The cryptography implementation ChaCha20 expects the complete 16 bytes IV, i.e. nonce (12 bytes) and counter (4 bytes), in little endian format, s. RFC 7539 sec 2.3.
The counter value 0 is used to generate the Poly1305 key, the counter values from and including 1 for encryption, s. RFC 7539 sec 2.4 and sec 2.6.
The Poly1305 key does not simply correspond to the encryption key, but must be derived from this and the nonce with the counter 0, s. RFC 7539 sec 2.6.
Apart from the derivation of the Poly1305 key, the nonce is not further involved in the calculation of the tag.
The additional authenticated data (AAD) must be taken into account, s. RFC 7539 sec 2.8.
Before the tag is calculated, the data (AAD, if present, and ciphertext) are formatted in a defined way, using Zero padding for AAD and ciphertext and appending the lengths of AAD and ciphertext each as an 8 byte integer in little endian byte order, s. RFC 7539 sec 2.8.
The following code takes these points into account, should illustrate the fundamentals and must / can be adapted to individual needs:
from cryptography.hazmat.backends import default_backend as defb
from cryptography.hazmat.primitives.poly1305 import Poly1305
from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers import algorithms as algo
class ChaCha20Poly1305:
def __init__(self, encrypt, key, nonce):
self._encrypt = encrypt
self._dataLength = 0;
self._aadLength = 0;
self._nonceCounter = (0).to_bytes(4, byteorder='little') + nonce # Create 16 bytes IV for Poly1305 key derivation
self._nonceEncrypt = (1).to_bytes(4, byteorder='little') + nonce # Create 16 bytes IV for encryption / decryption
cipher = Cipher(algo.ChaCha20(key, self._nonceEncrypt), None, defb())
if encrypt:
self._cipher = cipher.encryptor()
else:
self._cipher = cipher.decryptor()
polyKey = self.__getPolyKey(key) # Get Poly1305 key
self._auth = Poly1305(polyKey)
# Add AAD and zero pad if nnecessary (optional, may only be called once and before first 'update' call)
def updateAAD(self, aad):
self._auth.update(aad)
self._aadLength = len(aad)
self._auth.update(self.__getZeroBytes(self._aadLength))
# Add ciphertext / plaintext for encryption / decryption and actualize tag
def update(self, data):
ctxt = self._cipher.update(data)
self._dataLength += len(ctxt)
if self._encrypt:
self._auth.update(ctxt)
else:
self._auth.update(data)
return ctxt
# Complete padding and verify tag (only decryption)
def verify_tag(self, tag=None):
if not self._encrypt:
self.__pad()
if tag is None:
raise ValueError('tag required')
self._auth.verify(tag)
else:
raise ValueError('Tag verification only during decryption')
# Complete padding and calculate tag (only encryption)
def calculate_tag(self):
if self._encrypt:
self.__pad()
return self._auth.finalize()
else:
raise ValueError('Tag calculation only during encryption')
# Complete formatting: zero pad ciphertext, append AAD and ciphertext lengths
def __pad(self):
self._auth.update(self.__getZeroBytes(self._dataLength))
self._auth.update(self._aadLength.to_bytes(8, byteorder='little'))
self._auth.update(self._dataLength.to_bytes(8, byteorder='little'))
# Zero pad data (AAD or ciphertext)
def __getZeroBytes(self, len):
spareBytes = len % 16
if (spareBytes != 0):
length = 16 - spareBytes
return bytes([0]) * length
return b''
# Derive Poly1305 key
def __getPolyKey(self, key):
cipher = Cipher(algo.ChaCha20(key, self._nonceCounter), None, defb())
cipher = cipher.encryptor()
key = cipher.update(b"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
return key
The implementation satisfies the test vector from RFC 7539, sec 2.8.2:
# Test vector from RFC 7539, sec 2.8.2
plaintext1 = b"Ladies and Gentlemen of the class "
plaintext2 = b"of '99: If I could offer you only one"
plaintext3 = b" tip for the future, sunscreen would be it."
nonce = bytes.fromhex("070000004041424344454647")
key = bytes.fromhex("808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f")
# Encryption
ccEnc = ChaCha20Poly1305(True, key, nonce)
ccEnc.updateAAD(bytes.fromhex('50515253c0c1c2c3c4c5c6c7'))
ct1 = ccEnc.update(plaintext1)
ct2 = ccEnc.update(plaintext2)
ct3 = ccEnc.update(plaintext3)
tag = ccEnc.calculate_tag()
print("Ciphertext:\n%s\n" % (ct1 + ct2 + ct3).hex())
print("Tag:\n%s\n" % tag.hex())
# Decryption
ccDec = ChaCha20Poly1305(False, key, nonce)
ccDec.updateAAD(bytes.fromhex('50515253c0c1c2c3c4c5c6c7'))
dt1 = ccDec.update(ct1)
dt2 = ccDec.update(ct2)
dt3 = ccDec.update(ct3)
ccDec.verify_tag(tag)
print("Decrypted:\n%s\n" % (dt1 + dt2 + dt3))
Note: It's of course important not to trust the decrypted data until it has been successfully authenticated! Just like the PyCryptodome implementation, the construct tempts to work with unauthenticated (and possibly corrupted) data. This problem has already been pointed out in detail in the comments and more reliable alternatives have also been suggested (see also the linked post in the other answer).
It simply takes a piece of data, encrypts it and returns the ciphertext with appended MAC. And that is not what I want.
I think this is what you really want. This is how the popular AE (and AEAD) works.
BTW, have you seen this?
I have a cipher message in base64 and a pubkey.pem with the public key information. So because the key is small(576) I have recovered all the needed information to reconstruct the private key : p,q and d.
Now I want to decipher the message but I don't know how to do it. Indeed if I want to use the decrypt function I need an priv_key object but I don't know how to generate it from (n,e,d)
from Crypto.PublicKey import RSA
from base64 import b64decode
#message I want to decipher
msg="e8oQDihsmkvjT3sZe+EE8lwNvBEsFegYF6+OOFOiR6gMtMZxxba/bIgLUD8pV3yEf0gOOfHuB5bC3vQmo7bE4PcIKfpFGZBA"
pub_key64 = 'MGQwDQYJKoZIhvcNAQEBBQADUwAwUAJJAMLLsk/b+SO2Emjj8Ro4lt5FdLO6WHMMvWUpOIZOIiPu63BKF8/QjRa0aJGmFHR1mTnG5Jqv5/JZVUjHTB1/uNJM0VyyO0zQowIDAQAB'
pub_keyDER = b64decode(pub_key64)
pub_key_obj = RSA.importKey(pub_keyDER) #my weak public key
... # how to generate priv_key_obj ???
dsmg=priv_key_obj.decrypt(msg)
You can construct a private from components in the following way (documentation):
from Crypto.PublicKey import RSA
# assume d was correctly calculated
n = 1234....L
e = 65537L
d = 43434...L
private_key = RSA.construct((n, e, d))
dsmg = private_key.decrypt(msg)