RSA Public/Private Key Encryption

LiveCode is the premier environment for creating multi-platform solutions for all major operating systems - Windows, Mac OS X, Linux, the Web, Server environments and Mobile platforms. Brand new to LiveCode? Welcome!

Moderators: Klaus, FourthWorld, heatherlaine, robinmiller, kevinmiller

Post Reply
townsend
Livecode Opensource Backer
Livecode Opensource Backer
Posts: 430
Joined: Sun Feb 13, 2011 8:43 pm
Location: Seattle, USA

RSA Public/Private Key Encryption

Post by townsend » Wed Apr 25, 2012 3:39 pm

The only documentation I can find on this, is in the 4.6 Release Notes, which I've quoted below,
in it's entirety. Anyone know of any additional documentation, lessons or examples on this?

The part that confuses me most is where it says the maximum encryptable messages size is 53 bytes.
That's not very long. It might be long enough for a digital certificate, but not for a real message.
Public key encryption support (4.6)
The encrypt and decrypt commands now support RSA public key encryption. The new forms
supporting this are:
encrypt message using rsa with ( public | private ) key key [ and passphrase passphrase ]
decrypt message using rsa with ( public | private ) key key [ and passphrase passphrase ]
Here key should be in PEM format, optionally protected by passphrase.
The maximum length of a message that can be encrypted using RSA is the size of the key in bytes –
11. So, for a 512-bit key pair, the maximum encryptable message size is 53 bytes.
Generating key pairs
Public-private key pairs can be generated using the OpenSSL suite of command-line tools.
For example:
openssl genrsa -out private_key.pem 512
openssl rsa -pubout -in private_key.pem -out public_key.pem
Will generate a key pair of size 512-bits, placing the private key in private_key.pem and the public
key in public_key.pem.
For more information on these utilities see
http://www.openssl.org/docs/apps/rsa.html and
http://www.openssl.org/docs/apps/genrsa.html.
Note: RSA Public/Private Encryption algorithm defined.

igorBUSvRhc
Posts: 37
Joined: Thu Apr 19, 2012 8:12 am

Re: RSA Public/Private Key Encryption

Post by igorBUSvRhc » Sun May 06, 2012 1:14 pm

Apologies for the long post, but I hope that it will answer you question.

-----------------------------------------------------
ENCRYPTING DATA WITH AES
-----------------------------------------------------
There are many ways to encrypt data, using mathematical methods called 'ciphers'. As clever as the ciphers are, so are the code breakers, and eventually they come up with mathematics that render the cipher useless - ie., it becomes relatively easy to guess the password/passphrase used to encode the data.

At the moment, the 'AES-256' cipher is considered to be 'safe'. One particularly good thing about it, is that it is quite quick to encode data with, even for large amounts of data. One bad thing about it, is that it is what is called a 'symmetrical' encryption cipher, meaning that the same 'key' (a password or passphrase) is used to both encrypt and decrypt the data. In order to increase the security of the encryption, you can also use a 'salt' - a small, random sequence of characters - that will further 'scramble' the encrypted data. But that means that in order to decrypt it, you will need both the password and the salt at the other end.

To encrypt any data with AES-256 in LiveCode:

1) put the data to be encrypted into a variable, like 'tData'
2) put the password or passphrase into a variable, like tPassword
3) put 8 random characters into a variable, like tSalt
4) encrypt the data with:

Code: Select all

encrypt tData using "aes256" with password tPassword and salt tSalt
To decrypt the same data:

1) put the encrypted data into a variable - tData
2) put the password or passphrase into a variable - like tPassword
3) put the same salt characters into tSalt
4) decrypt the data with:

Code: Select all

decrypt tData using "aes256" with password tPassword and salt tSalt
-----------------------------------------------------
THE PASSWORD PROBLEM
-----------------------------------------------------
The problem with symmetrical encryption, however, is that the key must be known in order for you to encode and decode the message. This means, that if you want to use this to send/receive information in your programs, both the sender and receiver will have to know the key. If you hard-code the key into your program, a hacker can try to decompile your code and retrieve the key from it. The fact that you have to know or keep the password at hand, is just not safe.

So, the problem is: I *do* want to send my encrypted data using AES-256, as it is quite safe. But I don't want to have the sender or the receiver know the password beforehand, or have to keep it in the system - all of which cause major security holes.

-----------------------------------------------------
ENCRYPTING PASSWORDS WITH RSA
-----------------------------------------------------
Another method of encrypting data is using private and public keys. In this kind of encryption, the public key can be distributed publicly and seen by everyone, because you cannot guess the private key by the public key alone. The public key is used to encrypt data that you want to be seen only by the holder of the private key. The private key can then be used to decrypt the data - the public key cannot do that. The private key can also be used to 'sign' data, so that people with the public key can confirm that the data really came from the private key holder.

The problem with public-private key encryption is that, due to the mathematics involved, you can only encrypt a relatively small amount of data - an amount smaller than the size of your key. Although you could, in theory, 'break down' the data to be encrypted into encodable chunks, you would not do this for two reasons: this kind of encryption is slow, and doing this makes it much easier for hackers to guess your private key. So, you should only really encrypt a small amount of data with this kind of encryption - like, for instance, a password...

LiveCode uses RSA for public-private key encryption. You need to generate a public and private key pair, first. The LiveCode dictionary has instructions on how to do that using the command line. The instructions are easy to follow, but I would recommend that you create a key that is 4096 bits, not 512 - a key that small is considered insecure nowadays.

In order to encrypt a password/passphrase with RSA in LiveCode:

1) put the password/passphrase into a variable, like tPassword
2) put the public key into a variable, such as tPublicKey
3) encrypt the password with:

Code: Select all

encrypt tPassword using rsa with public key tPublicKey
In order to decrypt the password/passphrase using the private key:

1) put the encrypted password into a variable - tPassword
2) put the private key into a variable, like tPrivateKey
3) decrypt the password:

Code: Select all

decrypt tPassword using rsa with private key tPrivateKey
-----------------------------------------------------
PUTTING IT ALL TOGETHER
-----------------------------------------------------
Using both encryption methods together, we can now send any amount of data with security.

Let's say that Alice wants to send a document securely to Bob. She can do it like this:

1) Alice creates a random password - it really doesn't matter what it is - and a random salt.
2) Using the random password and salt, Alice encrypts her document using AES-256.
3) Alice has Bob's public key. Using RSA, she then encodes the *password* and *salt* with his public key.
4) Alice sends Bob the data containing: the RSA-encrypted password+salt and the AES-encrypted document.

In order for Bob to receive it, he does this:

1) Bob separates the RSA-encrypted data (encrypted password+salt) from the AES-encrypted one (document).
2) Bob decrypts the password and salt using his RSA private key.
3) Using the decrypted password and salt, Bob now decrypts the document using AES.

Note that neither Alice nor Bob need to even *know* what the password and salt are, and these values can be disposed of right after they are used. This ensures that there are new passwords and salts being used all the time, which makes it more difficult for hackers to break your security.

-----------------------------------------------------
FINAL CONCERNS
-----------------------------------------------------
All encryption functions produce BINARY data, which is not safe to transmit over the internet - the data may get 'misinterpreted' or corrupted by servers along the way. In order to make binary data safe to include in your 'net transmissions, you need to encode it first. LiveCode has 'base64Encode' and 'base64Decode' functions, which are great for that.

Data in base64 format is wrapped at 72 characters, which mean that your data may end up having several return characters. This may or may not cause issues, depending on your application - you may need to further encode your data to get rid of these returns - ie., by using the URLEncode and URLDecode functions.

I hope this helps.

bangkok
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 833
Joined: Fri Aug 15, 2008 7:15 am

Re: RSA Public/Private Key Encryption

Post by bangkok » Wed Nov 14, 2012 1:16 pm

igorBUSvRhc wrote: PUTTING IT ALL TOGETHER
-----------------------------------------------------
Using both encryption methods together, we can now send any amount of data with security.
I'm no expert in encryption. This dual scheme asymmetric / symmetric is all over the place.

I try to figure out how i can use it.

Let's say : my LC Desktop application sends SQL queries to my LiveCode Server.

Using the dual method
-client has the public key of server, generates a temporary password,
-client encrypts the SQL query using the temporary password
-client encrypts the whole message (temporary password + query) with public key of the server

-server decrypts the whole message with its private key
-server takes the temporary password, uses it to decrypt the SQL query
-runs the query
-encrypt the results with the temporary password

-clients receives, and decrypt with the temporary password

... start again.

OK. Sounds nice.

But, anybody could get the public key... and starts the same process with the server too ? Where is the security ?

Am I wrong ? Do i miss something ?

gpb01
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 281
Joined: Sat Jun 04, 2011 5:41 pm
Location: Switzerland

Re: RSA Public/Private Key Encryption

Post by gpb01 » Wed Nov 14, 2012 2:48 pm

bangkok wrote: I'm no expert in encryption. This dual scheme asymmetric / symmetric is all over the place.

I try to figure out how i can use it.
.......
This can help you : http://techblog.rosedu.org/from-0-to-cryptography.html ;)

Guglielmo

makeshyft
Posts: 187
Joined: Mon Apr 15, 2013 4:41 am
Contact:

(solved) RSA Public/Private Key Encryption

Post by makeshyft » Fri Sep 30, 2016 5:25 pm

very helpful thread..igor's answer was quite complete.
Tom @
http://www.makeshyft.com
---------------------------------
Changing the Future, Today!

Post Reply

Return to “Getting Started with LiveCode - Experienced Developers”