From 693c8906638d3dfae49b889e8056408c1117a702 Mon Sep 17 00:00:00 2001 From: Pol Henarejos <55573252+polhenarejos@users.noreply.github.com> Date: Wed, 16 Mar 2022 15:13:23 +0100 Subject: [PATCH] Update asymmetric-ciphering.md Added OAEP encryption and decryption examples. --- doc/asymmetric-ciphering.md | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/doc/asymmetric-ciphering.md b/doc/asymmetric-ciphering.md index b7a4f39..344b09b 100644 --- a/doc/asymmetric-ciphering.md +++ b/doc/asymmetric-ciphering.md @@ -3,6 +3,7 @@ Pico HSM supports in place decryption with the following algorithms: * RSA-PKCS * RSA-X-509 +* RSA-PKCS-OAEP First, we generate the data: ``` @@ -18,16 +19,17 @@ $ openssl rsa -inform DER -outform PEM -in 1.der -pubin > 1.pub At this moment, you are able to verify with the public key in `1.pub`. The signature is computed inside the Pico HSM with the private key. It never leaves the device. ## RSA-PKCS +This algorithm uses the PKCSv1.5 padding. It is considered deprecated and insecure. First, we encrypt the data with the public key: ``` -$ openssl rsautl -encrypt -inkey 1.pub -in data -pubin -out data.crypt +$ openssl rsautl -encrypt -inkey 1.pub -in data -pubin -out data.crypt ``` Then, we decrypt with the private key inside the Pico HSM: ``` -$ cat data.crypt | pkcs11-tool --id 1 --pin 648219 --decrypt --mechanism RSA-PKCS +$ pkcs11-tool --id 1 --pin 648219 --decrypt --mechanism RSA-PKCS -i data.crypt Using slot 0 with a present token (0x0) Using decrypt algorithm RSA-PKCS This is a test string. Be safe, be secure. 
@@ -56,3 +58,21 @@ Using slot 0 with a present token (0x0) Using decrypt algorithm RSA-X-509 This is a test string. Be safe, be secure. ``` + +## RSA-PKCS-OAEP +This algorithm is defined as PKCSv2.1 and it includes a padding mechanism to avoid garbage. Currently it only supports SHA256. + +To encrypt the data: +``` +$ openssl pkeyutl -encrypt -inkey 1.pub -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in data -out data.crypt +``` + +To decrypt with the private key inside the Pico HSM: +``` +$ pkcs11-tool --id 1 --pin 648219 --decrypt --mechanism RSA-PKCS-OAEP -i data.crypt +Using slot 0 with a present token (0x0) +Using decrypt algorithm RSA-PKCS-OAEP +OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=0x0, source_len=0 +This is a test string. Be safe, be secure. +``` +
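Review bot: In the `## RSA-PKCS` hunk (`@@ -18,16 +19,17 @@`), the added sentence "It is considered deprecated and insecure." gives the reader neither a reason nor an alternative. Suggest ending it with a pointer to the new `## RSA-PKCS-OAEP` section so the recommended mechanism is one click away. Two smaller points in the same hunk: the `-`/`+` pair for `openssl rsautl -encrypt ...` differs only in whitespace and could be dropped from the patch, and this section keeps `openssl rsautl` while the new OAEP section uses `openssl pkeyutl`, so switching this example to `pkeyutl` would keep the document consistent. The rewritten decrypt line still passes `--pin 648219` as an argument; a short remark that this is a test PIN would help readers who copy the command.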
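Review bot: In the new `## RSA-PKCS-OAEP` hunk (`@@ -56,3 +58,21 @@`), "Currently it only supports SHA256" does not say which parameter is restricted. The encrypt example sets both `rsa_oaep_md:sha256` and `rsa_mgf1_md:sha256`, so the text should state that both the OAEP hash and the MGF1 hash must be SHA256. The decrypt command names no hash at all and the shown output (`hashAlg=SHA256, mgf=MGF1-SHA256`) reflects whatever the tool selected; consider passing `--hash-algorithm SHA256 --mgf MGF1-SHA256` explicitly so the example does not depend on a default. Wording: "PKCSv2.1" should read "PKCS#1 v2.1", and "a padding mechanism to avoid garbage" is too vague to tell the reader what OAEP gives them over the RSA-PKCS section above.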