RSA Rust lib for key generation and encryption

Hi there

I am looking for a good crate for RSA encryption and key derivation. Context: backend, Rust.

Had a look at RSA, ring, etc.

I need a library able to derive keys based on a random seed (which can be obtained from the mgmt. canister), because random generators like rand do not work on the IC.

Maybe there is a way to go like:

seed → pseudo random number generator → rsa private key generation → …

Any good hints?

1 Like

Hi there

That's the way I tried a couple of months ago, and it failed,
because the Rust random library cannot be compiled on the IC.

Exactly. That’s why I get the random seed from the mgmt canister, but I'm still stuck on the way forward.

There is only one interface to get Vec random bytes in the mgmt.
Personally, I think it can do nothing.
And now I’m writing a random library based on Rust that can be compiled on the IC.

At one point I was verifying Http Method Signatures in a canister and did some hoop-jumping to get ring working: Use c2rust implementation when targeting Wasm by paulyoung · Pull Request #2 · betrusted-io/ring-xous · GitHub

I’m no longer using it, and people will need to make their own assessment on the security implications of doing so.

I went that route because http-sig depended on ring. I thought about trying to add support for RustCrypto but I didn’t want to do anything that came close to rolling my own cryptography. In the end I think RustCrypto didn’t have an implementation of the necessary signature schemes anyway.

(FWIW the necessary changes to the http-sig crate can be found here: GitHub - codebase-labs/http-signatures: Implementation of the IETF draft 'Signing HTTP Messages')


Since I had to introduce client-side code to sign HTTP messages, and there was a lot of overhead/risk on the canister side, I decided to do away with HTTP Message Signatures altogether and use the IC’s native authentication mechanism instead.

Instructions for key generation: GitHub - codebase-labs/git-remote-icp: A Git remote helper for the Internet Computer Protocol.

Code for identity: git-remote-icp/main.rs at 8d07a720fded4b7b7e6da7c9d43656c738f583cc · codebase-labs/git-remote-icp · GitHub

Code for agent: git-remote-icp/connect.rs at 8d07a720fded4b7b7e6da7c9d43656c738f583cc · codebase-labs/git-remote-icp · GitHub

Code for public key verification: Unable to verify a caller based on a public key · Issue #395 · dfinity/agent-rs · GitHub


If all you need is a random number generator then you can do this: ic-auth-tokens/lib.rs at 76113cbaa8b788b1989a9d5ef0868cdb12ee46af · codebase-labs/ic-auth-tokens · GitHub

2 Likes

Also, depending on your use case you might be able to use Threshold Key Derivation:

1 Like
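
The "seed → pseudo random number generator" step asked about at the top of the thread, as an added example that is not code from any poster or linked repository: a std-only Rust generator that expands a 32-byte seed with the ChaCha20 block function from RFC 8439. `SeededRng` and its methods are hypothetical names, the all-zero seed is constructed sample input, and the seed is assumed to be 32 secret bytes; turning the bytes into an RSA key is left to an RSA crate.

```rust
// Added illustration, std only: deterministic bytes from a 32-byte seed using the
// ChaCha20 block function (RFC 8439). `SeededRng` is a hypothetical name.
fn quarter_round(s: &mut [u32; 16], a: usize, b: usize, c: usize, d: usize) {
    s[a] = s[a].wrapping_add(s[b]); s[d] = (s[d] ^ s[a]).rotate_left(16);
    s[c] = s[c].wrapping_add(s[d]); s[b] = (s[b] ^ s[c]).rotate_left(12);
    s[a] = s[a].wrapping_add(s[b]); s[d] = (s[d] ^ s[a]).rotate_left(8);
    s[c] = s[c].wrapping_add(s[d]); s[b] = (s[b] ^ s[c]).rotate_left(7);
}

/// One 64-byte block: the seed is the key, the nonce is all zero.
fn chacha20_block(seed: &[u8; 32], counter: u32) -> [u8; 64] {
    let mut init = [0u32; 16];
    init[..4].copy_from_slice(&[0x6170_7865, 0x3320_646e, 0x7962_2d32, 0x6b20_6574]);
    for (i, w) in seed.chunks_exact(4).enumerate() {
        init[4 + i] = u32::from_le_bytes([w[0], w[1], w[2], w[3]]);
    }
    init[12] = counter; // words 13..=15 (nonce) stay zero
    let mut s = init;
    for _ in 0..10 { // 10 double rounds = 20 rounds
        quarter_round(&mut s, 0, 4, 8, 12); quarter_round(&mut s, 1, 5, 9, 13);
        quarter_round(&mut s, 2, 6, 10, 14); quarter_round(&mut s, 3, 7, 11, 15);
        quarter_round(&mut s, 0, 5, 10, 15); quarter_round(&mut s, 1, 6, 11, 12);
        quarter_round(&mut s, 2, 7, 8, 13); quarter_round(&mut s, 3, 4, 9, 14);
    }
    let mut out = [0u8; 64];
    for i in 0..16 {
        out[4 * i..4 * i + 4].copy_from_slice(&s[i].wrapping_add(init[i]).to_le_bytes());
    }
    out
}

pub struct SeededRng { seed: [u8; 32], counter: u32 }

impl SeededRng {
    pub fn from_seed(seed: [u8; 32]) -> Self { SeededRng { seed, counter: 0 } }
    /// Deterministic: same seed and call sequence, same bytes (block tails are dropped).
    pub fn fill_bytes(&mut self, dest: &mut [u8]) {
        for chunk in dest.chunks_mut(64) {
            let block = chacha20_block(&self.seed, self.counter);
            self.counter = self.counter.checked_add(1).expect("stream exhausted");
            for (d, b) in chunk.iter_mut().zip(block.iter()) { *d = *b; }
        }
    }
}

fn main() {
    let mut k = [0u8; 16];
    SeededRng::from_seed([0u8; 32]).fill_bytes(&mut k); // constructed all-zero seed
    println!("{:02x?}", k);
}
```

Anyone who learns the seed can regenerate the same stream and therefore the same key, so the seed needs the same protection as the private key.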