What's the purpose of a private key passphrase? - security

Sometimes, I see users use a private key and passphrase to log in.
So, does it mean the public key is stored on the login server?
What's the purpose of the passphrase?

Yes, the server stores the public key, and the client stores the private key. A security feature to prevent stolen private keys from being useful to the thief is to encrypt them. The passphrase allows you to decrypt the private key to use it. Without the passphrase, the key is useless.
You know whether a key is encrypted generally by looking at the PEM header surrounding it. For example, a DSA private key encrypted with 3DES in PEM format might look like this:
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BF6892D860EC969F
<encrypted key data here>
-----END DSA PRIVATE KEY-----
Whereas an unencrypted DSA private key in PEM format would not have a header saying it's encrypted:
-----BEGIN DSA PRIVATE KEY-----
<unencrypted key data here>
-----END DSA PRIVATE KEY-----
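The header check and the effect of the passphrase, as an added Node.js example that is not part of the original answer. It goes slightly beyond the answer by also recognising the PKCS#8 `ENCRYPTED PRIVATE KEY` armor, and the function names, the throwaway key and the passphrases are assumptions made for the demo.

```javascript
const crypto = require('node:crypto');

// The two sample keys from the answer above (key bodies are placeholders).
const LEGACY_ENCRYPTED = [
  '-----BEGIN DSA PRIVATE KEY-----',
  'Proc-Type: 4,ENCRYPTED',
  'DEK-Info: DES-EDE3-CBC,BF6892D860EC969F',
  '<encrypted key data here>',
  '-----END DSA PRIVATE KEY-----',
].join('\n');
const LEGACY_PLAIN = [
  '-----BEGIN DSA PRIVATE KEY-----',
  '<unencrypted key data here>',
  '-----END DSA PRIVATE KEY-----',
].join('\n');

// Report whether a PEM private key is passphrase-protected, from its armor only.
// Covers the legacy header form above and PKCS#8 "ENCRYPTED PRIVATE KEY".
function pemEncryptionStatus(pem) {
  const m = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)-----END \1-----/.exec(pem);
  if (!m) return null;
  const [, label, body] = m;
  if (label === 'ENCRYPTED PRIVATE KEY') return { label, encrypted: true, cipher: null };
  const dek = /^DEK-Info:\s*([^,\s]+),/m.exec(body);
  const encrypted = /^Proc-Type:\s*4,ENCRYPTED\s*$/m.test(body);
  return { label, encrypted, cipher: encrypted && dek ? dek[1] : null };
}

// Try to load a private key; true only if it can actually be used.
function canLoad(pem, passphrase) {
  try {
    crypto.createPrivateKey(passphrase === undefined ? pem : { key: pem, passphrase });
    return true;
  } catch {
    return false;
  }
}

// Generate a throwaway EC key and store it encrypted under a passphrase.
function makeEncryptedKey(passphrase) {
  return crypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  }).privateKey;
}

const pem = makeEncryptedKey('correct horse');
console.log(pemEncryptionStatus(LEGACY_ENCRYPTED), pemEncryptionStatus(pem));
console.log(canLoad(pem), canLoad(pem, 'wrong guess'), canLoad(pem, 'correct horse'));
```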

Related

JWT with RSA public and private key

I don't understand why I should use the public key in signing JWT. The private key is there so that the JWT token cannot be forged, yes? But why additionally sign it with a public key? Are there any benefits? Because I don't understand it at all. After all, a JWT signed with a private key can be read without the public key. What is this public key for?
Signing a JWT means you take the cleartext, sign it with a key - either the private key from an RSA pair or a symmetric key, then add the signature to the JWT. The JWT itself is still readable without decrypting the signature. But someone with the key can decrypt the signature and confirm the contents match the cleartext.
The advantage of using RSA over a symmetric key is that anyone can verify the signature without them having to have a secret key. You can either pass the public key to the JWT recipient over a side channel, or if using OAuth2 it provides a URL to access public keys.
You would use the public key for encrypting, not signing. You encrypt with the recipient's public key so that only the recipient can decrypt it.
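The signing and verification roles discussed in this thread, as an added Node.js example that is not part of the original posts. It builds an RS256 token by hand with the built-in `crypto` module; the helper names, the throwaway key pair and the claims are constructed for the demo.

```javascript
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Sign: "header.payload" is the cleartext; only the private key can sign it.
function signJwt(payload, privateKey) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(sig)}`;
}

// Anyone can read the claims: they are base64url-encoded, not encrypted.
function readClaims(token) {
  return JSON.parse(Buffer.from(token.split('.')[1], 'base64').toString('utf8'));
}

// Verify with the public key only. The algorithm is pinned to RS256 here
// instead of being trusted from the token header.
function verifyJwt(token, publicKey) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const [h, p, s] = parts;
  try {
    const header = JSON.parse(Buffer.from(h, 'base64').toString('utf8'));
    if (!header || header.alg !== 'RS256') return false;
    return crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
      Buffer.from(s, 'base64'));
  } catch {
    return false;
  }
}

// Constructed demo data: throwaway key pair and made-up claims.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const token = signJwt({ sub: 'alice', admin: false }, privateKey);

// Swap in altered claims but keep the old signature: verification must fail.
const [hdr, , sigPart] = token.split('.');
const forged = [hdr, b64url(JSON.stringify({ sub: 'alice', admin: true })), sigPart].join('.');

console.log(readClaims(token));             // readable without any key
console.log(verifyJwt(token, publicKey));   // genuine token
console.log(verifyJwt(forged, publicKey));  // tampered token
```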

In Hyperledger Fabric, how to use a user's key pair for encryption and decryption?

Using the Hyperledger Fabric 1.4 SDK, I have created one user, and a public and private key pair was generated for that user. Now I want to use this key pair for encrypting and decrypting data.
I am aware that Hyperledger uses elliptic curve cryptography for signing data, but I don't know how the signing is done in the background. I tried several methods in Node.js but without success.
The following are the keys generated while registering the user:
public key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBWLnhsBfNE+hF1uDuDb/Z87KAPvF
6RCQLtgZIxdU4x5qcTdEWQPOfF2fUSrecmHAfgMW1cMiun0B9KAaMY7dFg==
-----END PUBLIC KEY-----
private key:
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmQndljBNeyPyvEDM
lPtXtibQ8yYwK05RfLhkl/sCJ5WhRANCAAQFYueGwF80T6EXW4O4Nv9nzsoA+8Xp
EJAu2BkjF1TjHmpxN0RZA858XZ9RKt5yYcB+AxbVwyK6fQH0oBoxjt0W
-----END PRIVATE KEY-----
Using the following method, I'm able to sign using the public key, but when verifying I get an "Unknown point format" error:
var EC = require("elliptic").ec;
var ec = new EC("secp256k1");
var mySign = ec.sign(msg, public_key);
var res = ec.verify(private_key, msg, mySign)
Can anyone suggest a suitable method for signing data using the Hyperledger key pair?

Azure B2C RSA Public Key to PEM Certificate

A software system from a collaborating company needs to connect to one of our systems and authenticate against our Azure-B2C Directory. They would like to verify the signature in our JWT Token returned.
I have created an RSA Public Key using the approach described in this topic:
Azure AD B2C - Token validation does not work
This has resulted in the following RSA Public Key:
-----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA959e/O3gE574tAdjfjE6
+6OgTBsTGGbDTHBn/w137OTKoH3MnbOX16rrfumVZOr2GisCtIwxJM8ziiqvG1Fj
*more key*
-----END RSA PUBLIC KEY-----
I've used this RSA Public Key to verify the signature of my token in jwt.io, and it works.
The collaborating company however needs a PEM certificate like this:
-----BEGIN CERTIFICATE-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA959e/O3gE574tAdjfjE6
+6OgTBsTGGbDTHBn/w137OTKoH3MnbOX16rrfumVZOr2GisCtIwxJM8ziiqvG1Fj
*more key*
-----END CERTIFICATE-----
Modifying the PEM Header of my RSA Public Key does not work.
So now my question is: Is it possible to convert my RSA Public Key to the appropriate Certificate format? If yes, how?

How to generate certificate request and private key files (.pem extension) from certificate file (.crt extension)

I have a .crt file. Opening up that file, I see that it starts with
-----BEGIN CERTIFICATE-----
From this file, how do I generate these 2 files?:
Certificate request file that starts with -----BEGIN CERTIFICATE REQUEST-----
Key file that starts with -----BEGIN PRIVATE KEY-----
You cannot.
You have the process backwards.
The order is:
Generate a key, that is in fact a public and private part. So that would create the "PRIVATE KEY" file
Generate a CSR, that is a certificate signing request. This is computed based on the private key, without including it. But it includes your public key and other metadata
Give this CSR to a Certificate Authority, that will in turn give you back a certificate, that is something that includes your public key but that is also signed by the CA private key.
After which the CSR could be discarded.
If anyone could derive the private key from the certificate (which is basically the public key) then X.509 certificates would create no security by authentication as anyone would be able to impersonate any host/user/application.

Asymmetric Encryption

If a public key is used to encrypt the private key, and the public key is known to everyone, what is stopping a hacker from intercepting the private key, then using the public key to decrypt it and then using the private key to decrypt an encoded message?
The way public/private key crypto works is that anyone can use the public key to encrypt a piece of data, but you need the private key (which the owner does not distribute) in order to decrypt that data.
It doesn't matter that the data being encrypted is the private key itself.
