Prove control over a private key using OpenSSL
You can cryptographically prove that you possess a private key, without disclosing it, using OpenSSL and a base64 encoder/decoder.
Terminology
These terms will be used consistently to limit any risk of ambiguity.
- Requester: the person asking for proof
- Demonstrator: the person proving they possess the private key
Procedure
Step 1: the requester generates a random message
It is very important that the requester, not the demonstrator, generates the message, to limit "cheating" risks, for instance by replaying an earlier proof.
It is also important that the message has a sufficient size; in this example it is 512 bytes.
openssl rand -base64 512 > messagetbs
Step 2: the demonstrator signs
The demonstrator uses the messagetbs message and its private key proofCert.pkey to generate the signature messagetbs.sig.
base64 -d messagetbs | openssl dgst -sha256 -sign proofCert.pkey | base64 > messagetbs.sig
Step 3: the requester checks the signature
base64 -d messagetbs.sig > messagetbs.sig.bin
openssl x509 -in proofCert.cer -pubkey -noout > proofCert.pubkey
base64 -d messagetbs | openssl dgst -sha256 -verify proofCert.pubkey -signature messagetbs.sig.bin
OpenSSL will then indicate whether the signature is valid (it prints "Verified OK" and exits with status 0 on success, "Verification Failure" and a non-zero status otherwise, so scripts should check the exit status rather than the text).
Verified OK
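As an added example that is not part of the original page, the following POSIX shell script runs the whole three-step procedure end to end in a temporary directory, playing both roles. The page assumes the demonstrator already holds proofCert.pkey and proofCert.cer; this script generates a fresh RSA key and a self-signed certificate under those names so it runs stand-alone. It then shows that the signature verifies against the challenge it was made for and fails once the requester issues a new challenge, which is why a replayed proof does not help a cheating demonstrator. It assumes openssl and GNU coreutils base64 are installed; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: full round trip of the
# requester/demonstrator procedure, run inside a throwaway directory.
# Assumes: openssl (1.1 or 3.x) and GNU base64 on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Demonstrator's key material, constructed for this example only: a new RSA
# private key and a self-signed certificate that carries the public key.
make_demonstrator_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out proofCert.pkey 2>/dev/null
    openssl req -new -x509 -key proofCert.pkey -subj "/CN=demo" -days 1 \
        -out proofCert.cer 2>/dev/null
}

# Step 1 (requester): a fresh 512-byte random challenge, base64-encoded.
# Each call overwrites the previous challenge, exactly as a requester would
# issue a new one per proof request.
requester_challenge() {
    openssl rand -base64 512 > messagetbs
}

# Step 2 (demonstrator): sign the decoded challenge with the private key and
# hand back the base64-encoded signature.
demonstrator_sign() {
    base64 -d messagetbs | openssl dgst -sha256 -sign proofCert.pkey \
        | base64 > messagetbs.sig
}

# Step 3 (requester): extract the public key from the certificate and verify
# the signature over the decoded challenge. Relies on the exit status of
# openssl dgst -verify, not on its printed text. Echoes 0 (valid) or 1 (invalid).
requester_verify() {
    base64 -d messagetbs.sig > messagetbs.sig.bin
    openssl x509 -in proofCert.cer -pubkey -noout > proofCert.pubkey
    if base64 -d messagetbs | openssl dgst -sha256 -verify proofCert.pubkey \
            -signature messagetbs.sig.bin >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# Run the procedure once: the proof is accepted.
make_demonstrator_keys
requester_challenge
demonstrator_sign
echo "signature over current challenge valid (0=yes): $(requester_verify)"

# Replay check: the requester issues a new challenge, and the old signature
# (left untouched in messagetbs.sig) no longer verifies.
requester_challenge
echo "old signature against new challenge valid (0=yes): $(requester_verify)"
```

Run it as `sh proof.sh`; the first line reports 0 and the second 1. The replay check is the practical reason behind the page's rule that the requester, not the demonstrator, picks the message: a signature is only evidence of key possession for the exact bytes the requester chose.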
Last edited on 04/06/2018 13:08:50