

Subject: Re: [pkcs11] CKA_PUBLIC_KEY_INFO


On 04/12/2013 01:41 PM, Michael StJohns wrote:
On 4/12/2013 1:23 AM, Peter Gutmann wrote:
There's really no need for this since the implementation can pretty trivially generate the CKA_PUBLIC_KEY_INFO from information it already has, CKA_VALUE for DSA, CKA_MODULUS etc for RSA, and so on.

Actually - no.

Both the public and private keys for RSA are derived from two randomly generated primes p and q. There are three common models for storing private key info - { n, d } modulus and private exponent, { n, d, p, q } modulus, private exponent, generator primes, and finally the Chinese Remainder Theorem form (which also contains the generator primes). As far as I can tell from perusing the math, you can't get from a { n, d } private key to the public key as you need p-1 and q-1 to generate it. [Not a crypto mathematician, but the math seems simple enough to follow].

You can't get p and q from just {n, d}, or RSA would be basically broken. That is why most storage of RSA keys includes {e}, the public exponent, with the public key. Even if you don't store {e}, the likelihood that e is one of the (5) known Fermat primes is pretty high, and it's pretty easy to check if you are right. If e isn't stored and it's not one of the (5) Fermat primes, I think it's probably OK to punt.


So I added this to the C_CreateObject stuff to support pushing a key pair where you only have the { n, d } values. The FIPS guidance requires verifying correspondence between public and private keys and I think it makes sense to enforce this here.

EC doesn't have this problem as the public key is { k * G } where k is the private key and G is the generator point on the curve.

I haven't looked at DH, DSA or KEA as of yet. (Or GOST for that matter).
These are the same as EC except they are y = g^x mod p, where x is the private key, g and p are the domain parameters, and y is the public key.

Mike
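
The recovery described in the reply above (try the five known Fermat primes as e and check each against { n, d }), as an added example that is not part of the original thread. The toy primes, function names and test bases are constructed for illustration; a token would run the same check on a full-size modulus.

```python
"""Added example: recover a missing RSA public exponent from {n, d}."""

FERMAT_PRIMES = (3, 5, 17, 257, 65537)  # the five known Fermat primes

# Constructed toy key material (far too small for real use).
TOY_P, TOY_Q = 1009, 1013
TOY_N = TOY_P * TOY_Q
TOY_PHI = (TOY_P - 1) * (TOY_Q - 1)


def toy_private_exponent(e):
    """Build the d that matches e for the constructed toy primes."""
    return pow(e, -1, TOY_PHI)  # modular inverse, Python 3.8+


def exponents_correspond(n, d, e, bases=(2, 3, 5, 7, 11, 13)):
    """Public/private correspondence check: (m^e)^d mod n must return m.

    Several fixed bases are used so that a wrong candidate e cannot
    pass by coincidence on a single value.
    """
    return all(pow(pow(m, e, n), d, n) == m % n for m in bases)


def recover_public_exponent(n, d):
    """Return the Fermat prime e that matches {n, d}, or None.

    None is the "punt" case from the thread: e was not stored and is
    not one of the five Fermat primes, so the public key cannot be
    rebuilt from {n, d} by this method.
    """
    for e in FERMAT_PRIMES:
        if exponents_correspond(n, d, e):
            return e
    return None


if __name__ == "__main__":
    for true_e in (17, 65537, 13):  # 13 is deliberately not a Fermat prime
        d = toy_private_exponent(true_e)
        print(true_e, "->", recover_public_exponent(TOY_N, d))
```
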



