µTasker Private Key Generation

This part of the project involves generating private keys using both OpenSSL and mbed TLS, in an attempt to get to know some of the basic components involved and also to compare the capabilities of both libraries in small embedded systems.

mbed TLS Private Key Test

For a Windows user the mbed TLS package makes starting easy because it includes a number of demonstration projects that can be built and executed with Visual Studio. The library itself can also be built in this Visual Studio environment. The project "key_gen" looked suitable and so was used to gain first experience.

The first thing to note is that there are a number of options when generating a private key. The following are the options given by the demonstration project, which will be assumed to represent the breadth of support in this library:

Key Types:

  • POLARSSL_PK_RSA
  • POLARSSL_PK_ECKEY
  • POLARSSL_PK_ECKEY_DH
  • POLARSSL_PK_ECDSA
  • POLARSSL_PK_RSA_ALT
  • POLARSSL_PK_RSASSA_PSS

It is understood that RSA (Rivest-Shamir-Adleman) is used almost exclusively for SSL and so the first was chosen for testing.

Key length: It is understood that a length of 512 is too small and a minimum length of 768 was recommended (in 2002). 1024 bits was therefore chosen to supposedly be adequately secure today and for some time into the future.

Elliptic curves: These are, however, not used for RSA key generation.

Key Format: PEM (Privacy Enhanced Mail) or DER (Distinguished Encoding Rules) formats. It is known that PEM is used a lot since it is suitable for storage in ASCII files, so this one is chosen. Often the key is protected in the file using a pass phrase, but this is not offered as an option in this demonstration and so it remains to be seen whether mbed TLS natively supports a pass phrase encryption option.

Executing the demonstration in Visual Studio quickly results in a private key being generated in a file, whose content looks something like this:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

        

OpenSSL 1.0.2 TLS Private Key Test

Building OpenSSL tests with Windows proved to be much more complicated because it isn't supplied with Visual Studio projects. However, it does have many test programs, and a pre-built shell environment can be used by downloading the latest version from pre-built Windows versions. Once extracted, there is an executable called "openssl.exe" and two DLLs that it uses called "libeay32.dll" and "ssleay32.dll". Executing the exe in a DOS shell results in a shell interface with many commands, including "genrsa", whose usage is described at genrsa. The complete OpenSSL code contains the shell interface and so it is also possible to review the operation of the interface and identify which OpenSSL library functions are being used.

It is seen from the description that it supports encrypting the key in the file using a pass phrase (with a number of encryption algorithm options). There is an additional option to specify the public exponent (3 or 65537, where the default is 65537); this option is not specifically included in the mbed TLS project. Note here that this command is specifically for RSA key generation and there is a further command called genpkey that allows the RSA algorithm or several others to be selected, as well as various options. In fact the manual recommends using this general private key generation command over the algorithm-specific one since it allows more options to be used (so it will be used).

The following shows a key generated by commanding "genpkey -algorithm RSA -out key.pem", which defaults to the same 1024-bit key length and PEM output format:

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

Private Key Verification

Although it is expected that the generated keys are valid, it is generally necessary to have the capability to verify that this is indeed the case, especially when porting the code to different environments where mistakes could be made that result in the key perhaps looking OK but in reality being corrupted, or inadequate, in some way.

TO DO - add verification technique.
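
One way to carry out such a check on the host PC, shown here as an added example that is not part of the original page or of either library: it reads a key file in either of the two PEM forms shown above (the "RSA PRIVATE KEY" PKCS#1 form and the "PRIVATE KEY" PKCS#8 form) and tests that the numbers in it are mutually consistent. The function names and the toy key are assumptions made for the illustration, and only unencrypted keys are handled.

```python
import base64, math, re

def elements(buf):
    """Yield (tag, value) for each DER element in buf (short or long length form)."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long form: low 7 bits count the length bytes
            count = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[pos:pos + length]
        pos += length

def load_rsa_private(pem):
    """Return [version, n, e, d, p, q, dP, dQ, qInv] from either PEM form."""
    m = re.search(r"-----BEGIN (RSA )?PRIVATE KEY-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no unencrypted private key block found")
    (_, body), = elements(base64.b64decode("".join(m.group(2).split())))
    if not m.group(1):                         # PKCS#8: version, AlgorithmIdentifier, then an
        _, octets = list(elements(body))[2]    # OCTET STRING wrapping the PKCS#1 structure
        (_, body), = elements(octets)
    items = list(elements(body))
    if len(items) != 9 or any(tag != 0x02 for tag, _ in items):
        raise ValueError("not a two-prime RSAPrivateKey")
    return [int.from_bytes(value, "big") for _, value in items]

def check_key(fields, min_bits=1024):
    """Return a list of problems; an empty list means the key is self-consistent."""
    _, n, e, d, p, q, dp, dq, qinv = fields
    if min(p, q) < 2 or p * q != n:
        return ["n is not the product of p and q"]
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)    # Carmichael lambda(n)
    fermat = all(pow(a, x - 1, x) == 1 for x in (p, q) for a in (2, 3, 5, 7))
    crt = e * dp % (p - 1) == 1 and e * dq % (q - 1) == 1 and q * qinv % p == 1
    checks = [(n.bit_length() >= min_bits, "modulus is only %d bits" % n.bit_length()),
              (fermat, "p or q fails a Fermat test (probabilistic)"),
              (e * d % lam == 1, "d is not the inverse of e"),
              (crt, "CRT parameters are inconsistent")]
    return [message for ok, message in checks if not ok]

# Constructed sample input (toy key p=61, q=53, e=17); all names here are illustrative.
TOY_DER = bytes.fromhex("301d02010002020ca102011102020ac102013d020135020135020131020126")
PKCS8_DER = bytes.fromhex("3033020100300d06092a864886f70d0101010500041f") + TOY_DER
PEM = "-----BEGIN {0}-----\n{1}-----END {0}-----\n"
PKCS1_PEM = PEM.format("RSA PRIVATE KEY", base64.encodebytes(TOY_DER).decode())
PKCS8_PEM = PEM.format("PRIVATE KEY", base64.encodebytes(PKCS8_DER).decode())
```

The OpenSSL shell offers a comparable consistency check with "rsa -in key.pem -check -noout". The min_bits default follows the 1024 bits used on this page; current guidance such as NIST SP 800-131A calls for at least 2048.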

Private Key Generation Expense

Since random numbers are involved, as well as time-consuming searches for long prime numbers, the actual execution time varies, as do the private keys that are generated. On a PC the generation of a private key of 1024 bits is achieved quickly although it is known to be an "expensive" cryptographic operation; the expense is due to the amount of processing time that it takes to complete.

The question, however, is what load (code size, RAM requirements and processing time) this task puts on a small embedded processor.

In order to determine this quantitatively it is necessary to have a method of measuring these parameters in this standard test case, and the code needs to run on the same processor and/or in the same environment (specifically Visual Studio and the µTasker simulator, to make analysis of memory operations as comfortable as possible).

This meant that it was necessary to be able to run the involved parts of the generation code in a Kinetis based project on a device with encryption hardware acceleration (which may aid in performance improvements) with the ability to save the output to a file that can be readily verified for accuracy.

Including mbed TLS code in the Kinetis project

In progress.

Including OpenSSL code in the Kinetis project

In progress.

Comparison of difficulty of port, resource utilisation and performance

To follow.







µTasker Private Key Generation. Copyright (c) 2004..2018 M.J.Butcher Consulting