From dcae71a4e8bfd6fc06a7596409a039fa23c9ecaf Mon Sep 17 00:00:00 2001
From: Pol Henarejos <55573252+polhenarejos@users.noreply.github.com>
Date: Tue, 15 Mar 2022 01:04:27 +0100
Subject: [PATCH] Create asymmetric-ciphering.md

---
 doc/asymmetric-ciphering.md | 58 +++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 doc/asymmetric-ciphering.md

diff --git a/doc/asymmetric-ciphering.md b/doc/asymmetric-ciphering.md
new file mode 100644
index 0000000..b7a4f39
--- /dev/null
+++ b/doc/asymmetric-ciphering.md
@@ -0,0 +1,58 @@
+# Asymmetric encryption and decryption
+
+Pico HSM supports in place decryption with the following algorithms:
+* RSA-PKCS
+* RSA-X-509
+
+First, we generate the data:
+```
+$ echo "This is a test string. Be safe, be secure." > data
+```
+
+Obtain the public key and convert it to PEM format:
+```
+$ pkcs11-tool --read-object --pin 648219 --id 1 --type pubkey > 1.der
+$ openssl rsa -inform DER -outform PEM -in 1.der -pubin > 1.pub
+```
+
+At this moment, you are able to verify with the public key in `1.pub`. The signature is computed inside the Pico HSM with the private key. It never leaves the device.
+
+## RSA-PKCS
+First, we encrypt the data with the public key:
+
+```
+$ openssl rsautl -encrypt -inkey 1.pub -in data -pubin -out data.crypt
+```
+
+Then, we decrypt with the private key inside the Pico HSM:
+
+``` 
+$ cat data.crypt | pkcs11-tool --id 1 --pin 648219 --decrypt --mechanism RSA-PKCS
+Using slot 0 with a present token (0x0)
+Using decrypt algorithm RSA-PKCS
+This is a test string. Be safe, be secure.
+```
+
+## RSA-X-509
+In this algorithm, the data must be padded with a length equal to the size of private key (128, 256, 512 bytes for RSA-1024, RSA-2048 and RSA-4096, respectively).
+
+First, we pad the data. The original data file occupies 29 bytes. Thus, for a 2048 bits key, a padding of 227 bytes is needed:
+
+```
+$ cp data data_pad
+$ dd if=/dev/zero bs=1 count=227 >> data_pad
+```
+
+we encrypt the data with the public key:
+
+```
+$ openssl rsautl -encrypt -inkey 1.pub -in data_pad -pubin -out data.crypt -raw
+```
+
+Then, we decrypt with the private key inside the Pico HSM:
+```
+$ cat data.crypt|pkcs11-tool --id 4 --pin 648219 --decrypt --mechanism RSA-X-509 
+Using slot 0 with a present token (0x0)
+Using decrypt algorithm RSA-X-509
+This is a test string. Be safe, be secure.
+```