RSA Rust lib for key generation and encryption

Hi there

I am looking for a good crate for RSA encryption and key derivation. Context: backend, Rust.

Had a look at RSA, ring, etc.

I need a library able to derive keys based on a random seed (which can be obtained from the mgmt. canister), because random generators like rand do not work on the IC.

Maybe there is a way to go like:

seed → pseudo random number generator → rsa private key generation → …

Any good hints?

1 Like

Hi there

the way I had tried a couple of months ago, and it failed.
because the rust random library can not be compiled on IC.

Exactly. that’s why i get the random seed from the mgmt canister. but still stuck on the way forward.

there is only one interface to get Vec random bytes in the mgmt.
Personally, I think it can do nothing.
And now I’m writing a random library based on rust that can be compiled on IC.

At one point I was verifying Http Method Signatures in a canister and did some hoop-jumping to get ring working: Use c2rust implementation when targeting Wasm by paulyoung · Pull Request #2 · betrusted-io/ring-xous · GitHub

I’m no longer using it, and people will need to make their own assessment on the security implications of doing so.

I went that route because http-sig depended on ring. I thought about trying to add support for RustCrypto but I didn’t want to do anything that came close to rolling my own cryptography. In the end I think RustCrypto didn’t have an implementation of the necessary signature schemes anyway.

(FWIW the necessary changes the the http-sig crate can be found here: GitHub - codebase-labs/http-signatures: Implementation of the IETF draft 'Signing HTTP Messages')

Since I had to introduce client-side code to sign HTTP messages, and there was a lot of overhead/risk on the canister side, I decided to do away with HTTP Message Signatures altogether and use the IC’s native authentication mechanism instead.

Instructions for key generation: GitHub - codebase-labs/git-remote-icp: A Git remote helper for the Internet Computer Protocol.

Code for identity: git-remote-icp/ at 8d07a720fded4b7b7e6da7c9d43656c738f583cc · codebase-labs/git-remote-icp · GitHub

Code for agent: git-remote-icp/ at 8d07a720fded4b7b7e6da7c9d43656c738f583cc · codebase-labs/git-remote-icp · GitHub

Code for public key verification: Unable to verify a caller based on a public key · Issue #395 · dfinity/agent-rs · GitHub

If all you need is a random number generator then you can do this: ic-auth-tokens/ at 76113cbaa8b788b1989a9d5ef0868cdb12ee46af · codebase-labs/ic-auth-tokens · GitHub


Also, depending on your use case you might be able to use Threshold Key Derivation:

1 Like