Can I use private key to encrypt data using SecKeyCreateEncryptedData()

Question

Created Feb ’22

Replies 2

Boosts 0

Views 1.8k

Participants 2

I want to perform RSA encryption&Decryption using SecKeyCreateEncryptedData() Method allows public key as SecKey, My back end Java code has been set as encryption using private key & decryption using public key. Here is a java code... @SuppressLint("NewApi") public static String encryptSecretKeyByPrivateKey(String data, String privatekeyPath) throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException { byte[] plaintext = data.getBytes(); PrivateKey privateKey = getPrivatekey(privatekeyPath); Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); cipher.init(Cipher.ENCRYPT_MODE, privateKey); byte[] encryptedByte = cipher.doFinal(plaintext); return Base64.getEncoder().encodeToString(encryptedByte); }

public static PrivateKey getPrivatekey(String key) throws NoSuchAlgorithmException, InvalidKeySpecException {
    PrivateKey privateKey = null;
    KeyFactory keyFactory = null;
    byte[] encoded = DatatypeConverter.parseBase64Binary(key);
    PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded);
    keyFactory = KeyFactory.getInstance("RSA");
    privateKey = keyFactory.generatePrivate(keySpec);
    return privateKey;
}

Can I achieve the same in swift with the help of SecKeyEncrypt() or SecKeyCreateEncryptedData() ?

Boost

Answer 1

DTS Engineer OP

Apple

Feb ’22

Can I use private key to encrypt data using SecKeyCreateEncryptedData

No.

Lemme explain…

In public key cryptography you always encrypt with the public key and decrypt with the private key. Doing things the other way around is nonsensical.

Now, in RSA specifically it’s possible to do things the other way around but my understanding — and keep in mind that I’m not a cryptographer, I just support these APIs — is that cryptographers strongly recommend against doing that. And that’s why Apple’s crypto APIs do not support it.

A lot of the time folks asking for this are not actually encrypting but rather signing. In signing you always sign with the private key and verify with the public one, and that model is supported by our APIs.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

DTS Engineer OP

Apple

Feb ’22

If I sign plain text using private key then what will be the opposite of it to decrypt … ?

This question makes no sense.

In asymmetric crypto there are four operations:

| Operation | Key     | Example API                 |
| --------- | ---     | -----------                 |
| encrypt   | public  | `SecKeyCreateEncryptedData` |
| decrypt   | private | `SecKeyCreateDecryptedData` |
| sign      | private | `SecKeyCreateSignature`     |
| verify    | public  | `SecKeyVerifySignature`     |

With RSA keys the sign operation does an encrypt internally and the verify operation does a decrypt internally, but there’s no way to get at the decrypted data created internally by the verify operation. That’s because, as I mentioned previously, cryptographers strongly recommend against crossing these streams and so Apple’s crypto APIs do not allow for it.

You have two choices here:

Fix your cryptographic architecture so that it uses a recommended approach.
Write or acquire your own crypto library that supports this approach even though it’s recommended against.

You know which one I’m going to suggest (-:

And while you’re at it, you might think about switching to EC keys. These are smaller and safer. They also prevent you from making the mistake you’ve made with RSA keys, because with EC keys the encrypt/decrypt and sign/verify operations use very different techniques.

Finally, as I mentioned in my previous post, I’m not a cryptographer. If you’re having problems with this, I encourage you to consult with an expert in this field.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0