I am looking for ASN1 grammar file for DER ASN1 encoding of RSA keys
I am looking for grammar file so that i can compile it using ASN1C compiler and subsequently write my own 'c' code using GMP to extract public key out of a given RSA key file.
It will be of grt help if some one can guide me how to generate grammar file for RSA key using the following info about DER / ASN1 format for RSA keys
RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n
publicExponent INTEGER -- e
}
RSAPrivateKey ::= SEQUENCE {
version Version,
modulus INTEGER, -- n
publicExponent INTEGER, -- e
privateExponent INTEGER, -- d
prime1 INTEGER, -- p
prime2 INTEGER, -- q
exponent1 INTEGER, -- d mod (p-1)
exponent2 INTEGER, -- d mod (q-1)
coefficient INTEGER, -- (inverse of q) mod p
otherPrimeInfos OtherPrimeInfos OPTIONAL
}
Thanks for the suggestions .... there was a minor header info that was to be added. following are the Grammar lines that have worked finally
RSAPRIVATEKEY DEFINITIONS ::= BEGIN
RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n
publicExponent INTEGER -- e
}
Version ::= INTEGER
RSAPrivateKey ::= SEQUENCE {
version Version,
modulus INTEGER, -- n
publicExponent INTEGER, -- e
privateExponent INTEGER, -- d
prime1 INTEGER, -- p
prime2 INTEGER, -- q
exponent1 INTEGER, -- d mod (p-1)
exponent2 INTEGER, -- d mod (q-1)
coefficient INTEGER} -- (inverse of q) mod p
-- otherPrimeInfos OtherPrimeInfos OPTIONAL
END
You can find the full grammar specification in Appendix C of the RFC that contains the PKCS#1 RSA specification (v2.1).
Related
If I have only n and m(message), how can I find decryption of the message modulo p and q (to be merged by CRT)?
I have been trying to get a TPM's EK's public key using two methods:
using Hyper-V's Get-PlatformIdentifier I get the following result:
3082010a0282010100<EKPUBLICKEY>0203010001
Using Urchin's C Library:
<EKPUBLICKEY>
Can anyone explain what do 3082010a0282010100 and 0203010001 mean/encode?
It is DER Encoding of format for ASN.1 Types.
For example, 3082010A0282010100<KEY>0203010001
30: said SEQUENCE type
82010A: Said SEQUENCE of length 010A (82 of which more than 80, indicates the length information of 2 bytes.)
02: Integer type
820101: An integer representing the length of 0101 (decimal 257)
00<KEY>: The integer is modulus, 00 used to denote a positive integer, deduct 00 and 256 bytes, so the modulus is 256 bytes
Finally Exponent
0203010001: 02 integer representing the length of 3010001 Exponent, 03
I have a question regarding this question:
L= empty where the alphabet is {a,b}
how to create a grammar for this ? how can be the production rule ?
thanks in advance
A grammar G is an ordered 4-tuple {S, N, E, e, P} where:
N is a set of non-terminal symbols
E is a set of terminal symbols
N and E are disjoint
E is a superset of the alphabet of L(G)
e is the empty string
P is a set of ordered pairs of elements of (N U E U e); that is, P is a subset of (N U E U e) X (N U E U e)*.
S, the start symbol, is in N
A derivation in G is a sequence of elements of (N U E U e)* such that:
The first element is S
Adjacent elements w[i] and w[i+1] can be written as w[i] = uxv and w[i+1] = uyv such that (x, y) is in P
If there is a derivation in G whose last element is a string w[n] over (E U e)*, we say G generates w[n]; that is, w[n] is in L(G).
Now, we want to define a grammar G such that L(G) is the empty set. We fix the alphabet E = {a, b}. We must still define:
N, the set of nonterminals
S, the start symbol
P, the productions
We might as well take S as our start symbol. So N contains at least S; N is a superset of {S}. We will only add more nonterminals if we determine we need them. Let us turn our attention to the condition that L(G) is empty.
If L(G) is empty, that means there is no derivation in G that leads to a string of only terminal symbols. We can accomplish this easily be ensuring all our productions produce at least one nonterminal with any terminal. Or produce no terminals at all. So the following grammars would all work:
S := S
or
S := aSb
or
S := aXb | XXSSX
X := aabbXbbaaS
etc. All of these grammars have L(G) empty since none of them can derive a string of nonterminals.
Just wondering why does the security of RSA depend on the non-factorability of the modulus n?
Cheers!
well ... the non-factorability of the modulus n is not the whole story ...
as vlad already pointed out, you can easily calculate the private exponent if you know the factors of n ...
(p-1)(q-1) ... or more in general... if you know the prime factors P[i] of a number n, then you can calculate the product of all (P[i] - 1)... that is eulers PHI function ... to know the number of invertible multiplicative elements mod n
if you can factorize n, that calculation becomes trivial ... if n consists of only 2 large primes, and that factorization is hard, that isn't really trivial ...
however ... if you come up with another idea of calculating PHI(n) ... the number of elements mod n that have a multiplicative inverse ... factorization would probably no longer be your problem ...
currently there is no other public known way of calculating phi, than eulers way ... prod(P[i] - 1)
so either finding a way to factorize, or calculating PHI(n) a different way, would probably lead to breaking RSA
The public data in RSA is n - the public modulus, and e - the public exponent. The secret is d - the private exponent.
When creating the parameters you first generate two random primes p and q and then compute the public modulus n = p*q. So p and q are the factorization of n. Actually you could use more primes, but most use just two.
Then you choose the public exponent e, which is usually a small prime such as 65537 or 17 or even 3.
Your secret exponent d would then be d = 1/e mod (p-1)(q-1).
So clearly anyone could compute d if they knew p and q, which is the factorization.
Does anybody have a DSA worked example with simple values on how to calculate r,s and verify v == r. As this standard has been around awhile and is implemented in librarys e.g. the Java Cryptography Extension I'm finding it very hard to find an example of how the algorithm works.
Compute r=(gk mod p) mod q
Compute s=(k-1 * (x * r + i)) mod q
Verifying a signature; again i is the input, and (r,s) is the signature.
u1 = (s-1 * i) mod q
u2 = (s-1 * r) mod q
v = ((gu1 * yu2) mod p) mod q
If v equals r, the signature is valid.
Thanks,
There's a worked example at the end of the standard that defines DSA, FIPS 186.