I am new to Swift Language . I wanted a swift code for decrypting a message using RSA Public key.
Padding used is "PKCS1". (I am not talking about Signature , I want the code for decryption of message itself using Public Key) .
Thanks in Advance
I wanted a swift code for decrypting a message using RSA Public key.
What you are asking for is not possible.
With RSA public keys are used to encrypt messages, while the private key is used to decrypt encrypted messages. It's the other way around with signatures, and probably the reason why you are confused. Signatures are created using the private key and can be verified by public keys.
I need to write a method in Swift which uses a particular PRIVATE KEY to encrypt a timestamp using RSA. This is NOT used for authentication (rather it validates the client app to the server), I know that you would normally encrypt with a public key to ensure security.
I have a key:
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDIg+wteSjhalc1hSHEiUnz9X1pkrObCjaXMHqeSdfFQ/h5Q1Uh
...
o7wjoqFNxFnQMAYvkLzQZ7Y2jjfSJkaTVnhzJIZOfQ0=
-----END RSA PRIVATE KEY-----
And I need to encrypt a string using this particular key. I have written the Android application version of this app, but if I need to re-generate the keys specifically for iOS it's not a problem, but I would need this file for the Android version as well.
I have looked at the following web sites:
http://jslim.net/blog/2013/01/05/rsa-encryption-in-ios-and-decrypt-it-using-php/ Seems useful but it insists that the key be in a .der format - plus it's in Objective-C. Is it possible to generate a Key pair in both DER and PEM format, or convert between the two (using something like https://www.sslshopper.com/ssl-converter.html)?
https://github.com/henrinormak/Heimdall - but you cannot import a custom private key
https://github.com/ideawu/Objective-C-RSA/blob/master/RSA.m - seems long winded and is also in objective-c
One requirement is that all apps use the SAME key - it cannot be generated by each installation of the app. Also my Android app must be able to use the key as well (I am open to rethinking the Android version as leaving the key as a RAW file is not preferred for me).
Any help will be appreciated.
Other references checked:
How to encrypt a string with private key and decrypt with public key?
Using RSA public key to encrypt a string
I could susscessfuly genearte pkcs7 signature using PEM(private key)file in Openssl.
But, how do I convert a RAWsignature generated using security.framework to pkcs7 using Openssl.
Edit:
load data > load PEM(private key)file > generate pkcs7 data using Openssl ....this is successfull
but
Load private key (SecKeyRef) from keychian > (how to pass this key to OPenssl to generate Pkcs7)?
IOS doesnt have feature to generate PKCS#7 Signature. We have to use OpenSSL with no other Alternative I suppose.
And IOS protects the keys using KEYCHAIN it provides. So the SecKeyRef is only a readable and not transferable. Better dont ever try to write to some file or transport it.
IOS features can generate only PKCS#1 Singnatures.
And if the RAWSignature is genereated using a PKCS#12 file, PKCS#7 singature can be generated out of it, using Bouncy Castle...server side....
did it... and it works... :)
If we make the private key exportable (using -pe option in makecert), then in theory we have both an exportable private key and the public key (public key in certificate) -- which can be transferred or imported to another machine.
So, my question is, why do we still need to create the .pfx file (key exchange file, which contains private and public keys) -- making the private key exportable in certificate could do anything we want? Any scenarios pfx file could cover which making private key exportable in certificate could not achieve?
thanks in advance,
George
Is there a makecert command line you have found that will generate a certificate file that includes a private key? I never have. I have seen someone allude to the fact that there is a version of makecert that can produce .pfx files but also have never seen that.
That means at the very best you can create TWO files with makecert if you want a private key file. One for the certificate and one for the private key. You can copy both those files to another computer and import them using makecert.
The advantage of the .pfx certificate format is that you can combine the two files with the certificate and private key into one. This is more convenient and also means you can use the file with the .Net X509Certificate2 class for use with an SslStream.
Your pfx file can be password protected, that would add a layer of protection
The problem is, the X509 Certificate standard (the certificate) does not include the private key. The certificate contains the subject public key info (aka, the public key) and information about the holder of the private key, but the standard does not support including the private key. This is the basic idea of PKI - the certificate is the public info you share with the world, the private key is something you hold very securely.
Making a private key exportable in any mechanism (for example, makecert), means you are telling that product that the key can be exported. It doesn't specify the file format that you would use to store it. A pfx file is one way of storing the private key - it uses the PKCS 12 standard. Java Key Stores (*.jks) are another way to do the same thing. Most commerically supported standards have similar common features - they protect the private key by encrypting it. The encryption can be unlocked using a password. They couple the private key with the certificate that decribes it.
If you want to build a PFX file, you should have both x509 cert public key and private key file which you can generate using makecert command. PFX can be generated using PVk2PFX command which you can find Microsoft SDK installation directiory.
We're developing a service that will accept a POST request. Some of the POST data will need to be encrypted before the POST as it will be stored in hidden fields on a form.
The application is written in C#, but we want third party clients to be able to easily integrate with it. We find that most clients use PHP, Classic ASP or VB.Net.
The third parties should only be doing the encryption. We'd do the decryption. There is no two-way communication.
What are the most compatible combinations of encryption algorithm, padding mode and other options?
Assuming that you have a safe way of sharing a key (whether RSA encryption of it, retrieval over an SSH or HTTPS link, or callling the other developer on a secured phone line), any of the major modern encryptions (like AES, as mentioned by #Ed Haber) would be suitable. I would second his suggestion of AES. There should be libraries for PHP, VB, Ruby, etc.
However, remember that with "no two-way communication" you will have to find an out-of-channel method for securely getting the symmetric key to the encrypting party.
If you mean that it should be impossible for third-parties to decrypt data, then you will want to use an asymmetric encryption algorithm such as RSA. This will the third-party to encrypt data with your public key, and then only you can decrypt the data with your private key, which you do not disclose. There should be implementations of RSA available for all the languages you mentioned.
If you don't care if the third-party can decrypt the data, then AES is the way to go. You will have one key which you share with the third-parties. This key is used both for encryption and decryption.
I would use AES for the bulk data encryption and RSA for encrypting the AES Key.
If the data is small enough then just encrypt the whole thing with RSA.
Ed Haber said
I would use AES for the bulk data
encryption and RSA for encrypting the
AES Key. If the data is small enough
then just encrypt the whole thing with
RSA.
I think this is a good solution. What I would do is have your application publish an API for getting a public RSA key. When I third party wants to send you something it gets the public key. It then generates a session key to do the actual encryption using a block cipher, (ie AES), and sends the key to you by encrypting with your public key. You decrypt the session key with your private key. The third party then encrypts the data it wants to send you with AES (using a padding scheme that you also publish) and sends it to you. You decrypt it using the session key.
There are some problems with the method above. Since you are not sending any information (other than publishing your public key, you cannot control how the session key is generated. This means that third parties can use very insecure ways to of generating the session key and you will never know. A second problem is everyone who wants to send you data has to pad data for AES in the same way you do. So you will have to make sure every one co-ordinates. The second issue isn't to big, but the first could be a problem especially if you don't trust the third parties all that much to generate really good session keys from a good cryptographically secure random number generator
You could very easily implement your own XOR key-based bit encryption. With a little thought and ingenuity, you can come up with something that's more than suitable for you application.
Here's a PHP example:
function XOREncryption($InputString, $KeyPhrase){
$KeyPhraseLength = strlen($KeyPhrase);
for ($i = 0; $i < strlen($InputString); $i++){
$rPos = $i % $KeyPhraseLength;
$r = ord($InputString[$i]) ^ ord($KeyPhrase[$rPos]);
$InputString[$i] = chr($r);
}
return $InputString;
}
ColdFusion has the encrypt and decrypt functions capable of handling a range of algorithms and encodings, including the AES recommended above.
Information at: http://www.cfquickdocs.com/cf8/?getDoc=encrypt#Encrypt
Quick example code:
Key = generateSecretKey( 'AES' , 128 )
EncryptedText = encrypt( Text , Key , 'AES' , 'Hex' )
Text = decrypt( EncryptedText , Key, 'AES' , 'Hex' )
Similar functionality is available with this library for PHP:
http://www.chilkatsoft.com/p/php_aes.asp
...and Java, Python, Ruby, and others...
http://www.example-code.com/java/crypt2_aes_matchPhp.asp
http://www.example-code.com/python/aes_stringEncryption.asp
Sounds like RSA is the algorithm for you.
Why not have your server exposed over HTTPS? That way, any client which can handle HTTPS can consume the service securely.