verifying rsa signatures
Chandrasekhar I.V.
ivshekar@netcontinuum.com
Wed Apr 17 19:15:02 2002
Steve Butler wrote:
> I'd never show my private key. Note, I did try to import BOTH your public
> and private keys!! Lucky for you that they are not in the OpenPGP format.
> But somebody else may have openssl. So, you should consider your private
> key compromised at this point.
>
-- Well, that was a temporary private/public pair that I generated specifically for
experimental purposes, more specifically to check out if gpg does in fact verify
RSA digital signatures.
So any hacker out there hoping to get something out of this private key... well, bad luck ;)
> Here is an export of a public RSA key. Note: Since this isn't my public
> key I have modified it in a few places so it will not be loadable. But, you
> can see that the format is different.
>
-- How did you generate this key? And is there any utility that converts RSA keys
obtained from openssl genrsa to the PGP versions?
Also my "gpg --genkey" throws up the following options for key...
gpg: Warning: using insecure memory!
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
Your selection?
There's no RSA option!
And my doubt still remains: can we verify RSA digital signatures (obtained by RSA private key encryption
of SHA1-hashed messages in PKCS#1 format) using gpg tools?!
Thanks
sekhar.
>
>
> -----Original Message-----
> From: Chandrasekhar I.V. [mailto:ivshekar@netcontinuum.com]
> Sent: Wednesday, April 17, 2002 9:50 AM
> To: Steve Butler
> Cc: gnupg-users@gnupg.org
> Subject: Re: verifying rsa signatures
>
> Steve Butler wrote:
>
> > I'm not familiar with openssl. Can it export a public key into OpenPGP
> > format? It sounds like the pub.pem is not in the correct format. Can you
> > paste this to a public keyserver and have it downloadable?
> >
>
> - I guess openssl doesn't know the PGP format. I couldn't find any openssl
> rsa utility to convert the RSA public key to OpenPGP format. Since I
> noticed in the gpg FAQ and my "gpg --version" that gpg has RSA support, I
> thought we should be able to verify the signatures generated by the RSA algo
> using the RSA public key (I guess this is PKCS#1 format).
> That's when I stumbled upon this: gpg doesn't allow me to import anything
> other than a key which is in OpenPGP format. So can we at all verify the
> RSA digital signature by using gpg -verify??!
>
> btw here's my pub.pem
> -----BEGIN PUBLIC KEY-----
> MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALUH5iVmecS7Rob2749Rj9A5guCepRoY
> 56ifd3pO8qpAPFGc9MrMQfwK9wLcFOJrTU4NB/K6U4W7SC6tOt9br1kCAwEAAQ==
> -----END PUBLIC KEY-----
>
> and the corresponding RSA private key
>
> [snip]
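Added example, not part of the original message or of GnuPG/OpenSSL: a Python sketch that decodes the pub.pem quoted above (an X.509 SubjectPublicKeyInfo wrapping a PKCS#1 RSAPublicKey) and re-encodes the same modulus and exponent as the body of an OpenPGP v4 public-key packet, to show how the two formats differ. The helper names and the creation time of 0 are assumptions made for illustration.

```python
import base64

# pub.pem body exactly as posted in the message above (base64 of the DER bytes)
PUB_PEM_B64 = (
    "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALUH5iVmecS7Rob2749Rj9A5guCepRoY"
    "56ifd3pO8qpAPFGc9MrMQfwK9wLcFOJrTU4NB/K6U4W7SC6tOt9br1kCAwEAAQ=="
)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos, want_tag):
    """Read one DER element at pos; return (value_bytes, next_pos)."""
    if buf[pos] != want_tag:
        raise ValueError(f"expected tag {want_tag:#x}, got {buf[pos]:#x}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def parse_spki_rsa(der):
    """Return (n, e) from an RSA SubjectPublicKeyInfo."""
    spki, _ = read_tlv(der, 0, 0x30)          # outer SEQUENCE
    algid, pos = read_tlv(spki, 0, 0x30)      # AlgorithmIdentifier
    oid, _ = read_tlv(algid, 0, 0x06)
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    bits, _ = read_tlv(spki, pos, 0x03)       # BIT STRING holding the key
    rsakey, _ = read_tlv(bits[1:], 0, 0x30)   # skip unused-bits octet; PKCS#1 RSAPublicKey
    n_raw, pos = read_tlv(rsakey, 0, 0x02)
    e_raw, _ = read_tlv(rsakey, pos, 0x02)
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")

def mpi(x):
    """OpenPGP MPI: 2-octet bit count, then the big-endian magnitude."""
    return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")

def openpgp_v4_key_body(n, e, created):
    """Body of a v4 public-key packet: version, creation time, algorithm 1 (RSA), MPIs."""
    return bytes([4]) + created.to_bytes(4, "big") + bytes([1]) + mpi(n) + mpi(e)

if __name__ == "__main__":
    n, e = parse_spki_rsa(base64.b64decode(PUB_PEM_B64))
    body = openpgp_v4_key_body(n, e, created=0)  # creation time 0 is a placeholder
    print(f"modulus bits={n.bit_length()} e={e} packet body={len(body)} bytes")
```

The packet body alone is not an importable key: an OpenPGP key also carries a user ID and a self-signature made with the private key. A raw PKCS#1 signature from openssl is likewise not an OpenPGP signature packet, so it is checked with the tool that produced it.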