Develop Reference

What does it mean to encrypt from a key to a key?

I'm trying to understand the key exchange happening with CurveMQ described here.
http://curvezmq.org/page:read-the-docs
My understanding of public key cryptography is you use a public key to encrypt data that can then be decrypted by the corresponding private key. In the CurveMQ specification it describes encrypting data from a key to a key. See the excerpts below they reference 2 keys. What does this mean in layman's terms?
The signature box (80 octets). This SHALL contain 64 zero octets,
encrypted from the client's transient key C' to the server's permanent
key S.
and
A welcome box (144 octets) that encrypts the server public transient
key S' (32 octets) and the server cookie (96 octets), from the server
permanent key S to the client's transient key C'.

How to ensure that keys are created inside TPM?

I need to
run .exe on client machine, which will create key pair within TPM.
And then I will create CSR with public key part of key pair generated by TPM.
My concerns are how do i ensure that keys are created inside TPM , and not by spoofed TPM. Which would enable private key to be migrated and copied.
I heard that is what AIKs are for , but i don't understand how can this prevent TPM for being spoofed?
One solution that i can think of is : I go to client, boot from USB with trusted OS, and then obtain EKpub.

The process of proving that a key originates from a TPM is known as:
For TPM 2.0: Credential activation, enforced with TPM2_ActivateCredential
For TPM 1.2: Identity activation, enforced with TPM_ActivateIdentity
This technique accomplishes many things, but one of them is proving that the key generated after issuing a request to the TPM actually originates from a trusted TPM and was not spoofed. For TPM 1.2, since that's what the question is about, identity activation is an 8-step process that goes like this (what follows is an excerpt from TCG's AIK Certificate Enrollment):
Step 1: Platform asks the TPM to create the AIK key pair.
(a) The platform (or application software on the platform) issues to the TSS the CollateIdentityRequest command. In turn the TSS
issues the MakeIdentity command to the TPM. This results in the TPM
generating a fresh AIK public key pair.
(b) Within the MakeIdentity function the TPM creates the IDENTITY_CONTENTS structure containing the following items: (i) The
structure version, (ii) TPM command ordinal, (iii) PrivCADigest
label and (iv) AIK_pub_key.
(c) The TPM signs IDENTITY_CONTENTS structure using the AIK_priv_key, with the resulting signature portion being referred to
as the identityBinding.
(d) The TPM outputs two (2) items as a result of the MakeIdentity command: AIK_pub_key and the identityBinding.
Step 2: TSS produces proof structure concerning the AIK
(a) Following from the previous step, the TSS creates the IDENTITY_PROOF structure. This structure consists of the following
items: (i) The identityBinding structure from Step 1(d). (Note: The
identityBinding structure is the signature portion only over the
IDENTITY_CONTENTS structure). Note: It must be noted that the
identityBinding structure is NOT cryptographic proof that the AIK is
a TPM-resident key and that the AIK has been certified using the EK.
It only demonstrates that some key pair exists. (ii) The TPM spec
version (iii) The SubjectPublicKeyInfo (i.e. the AIK_pub_key) (iv)
The IdentityLabel (v) EK certificate (vi) Platform certificate
(b) The TSS then generates a symmetric key K1 (local random number from the TPM) and encrypts the IDENTITY_PROOF structure using
this symmetric key K1.
(c) The TSS then encrypts key K1 using the public key of the ACA. This encryption using public-key of the Attestation CA is
intended to limit disclosure of K1 to the ACA only. The results of
this step are two items: the encrypted IDENTITY_PROOF structure and
the encrypted symmetric key K1. Encrypted IDENTITY_PROOF and
encrypted K1 are bundled into an IDENTITY_REQ structure that
includes identifiers for the symmetric and asymmetric algorithms used
to encrypt the structures plus sizes of the encrypted structures.
Step 3: Platform sends AIK certificate request to the ACA. The platform (or application software on the platform) takes the
IDENTITY_REQ resulting from the previous step, encrypts it, and
sends it to the ACA.
Step 4: ACA verifies certificate request. Upon receiving the certificate request, the ACA must perform a number of verifications.
(a) To get access to the AIK certificate request structure, ACA must first decrypt the key K1 using its ACA private key.
(b) The ACA then uses K1 to decrypt the IDENTITY_PROOF structure.
(c) The ACA must then recreate the IDENTITY_CONTENTS structure and verify that the signature (as represented by the received
identityBinding) is correct. The ACA can perform the verification
because it now has the items listed in Step 2 above and can assemble
the same PrivCADigestLabel as was provided to the TPM. As part of
the verification, the ACA is expected to validate the received
certificates (ie. EK and Platform Certificates). It is expected that
the ACA will use standard X.509 certificate validation techniques,
such as CRL checking [14] and/or querying the appropriate OCSP
responders [15] to the issuer of the EK certificate (e.g. TPM
manufacturer site).
Step 5: ACA issues a new AIK certificate. The ACA then creates a new AIK certificate, using (as the public key) the received AIK public
key in the previous step. The ACA issues (signs) the new AIK
certificate using its own AIK signing key.
Step 6: ACA encrypts the new AIK certificate. In this phase, the ACA must prepare the newly issued AIK certificate in a form
recognizable by the TPM. As part of the TPM_ActivateIdentity command
(Section 15.2 of [5]), the TPM expects input in the TPM_EK_BLOB or
the (older spec version) ASYM_CA_CONTENTS structure. The ACA
performs the following tasks:
(a) The ACA generates a random symmetric encryption key K2. This random K2 is unique for each AIK certificate request.
(b) The ACA encrypts the new AIK certificate using key K2.
(c) The ACA then creates either a TPM_EK_BLOB or ASYM_CA_CONTENTS (depending on the TPM version) structure which
contains the following: (i) The hash of the AIK public key (namely the
AIK public key as found in the original request). (ii) The symmetric
key K2. (iii) Optional PCR information – for TPM_EK_BLOB only. The
TPM checks to ensure that the TPM PCR’s and locality are in the
correct state as anticipated by the ACA to unlock K2.
(d) The ACA encrypts the TPM_EK_BLOB or ASYM_CA_CONTENTS structure using the EK public key (as found in the EK certificate in
the original request). The purpose of the last step is to ensure that
only the same requesting TPM will be the sole entity that can decrypt
the newly issued AIK certificate, since only that TPM possesses the EK
private key (which is a TPM-resident key).
Step 7: ACA delivers the new AIK certificate to the TPM on the Platform. The ACA then delivers the encrypted result (encrypted AIK
certificate + either the blob or ASYM struct) to the requestor
platform/TPM.
Step 8: Decryption of new AIK certificate by the TPM. Upon receiving the (encrypted) AIK certificate from the ACA, the platform
must input the structure (either the blob or ASYM struct) (into the
TPM and activate it using the TSS Tspi_TPM_ActivateIdentity command.
This command decrypts the (encrypted) symmetric key K2 from the ACA
using the EK-private-key (which resides only in the TPM) after
ensuring an AIK with a matching pub key resides in the TPM. It then
uses the symmetric key K2 to decrypt the AIK certificate.
The crucial part here is the next-to-last sentence:
This command decrypts the (encrypted) symmetric key K2 from the ACA
using the EK-private-key (which resides only in the TPM) after
ensuring an AIK with a matching pub key resides in the TPM.
It is enforced by the spec that the EK will not decrypt the TPM_EK_BLOB object unless the private key that the activation is requested for is found within the TPM. And because the object was encrypted by the TSS without using the TPM secrets, and you have already verified the EK public key up the manufacturer's CA cert chain, it is ensured that the key that identity activation is requested for has originated within a TPM manufactured by a trusted entity.

How to query version of an OpenPGP public key

While reading RFC 4880 for OpenPGP, I read about version 3 and version 4 of OpenPGP keys. I do not understand what these versions mean other than specifying the packet format.
How can I find out a version of a key? I know for code we can use Bounce Castle's PGPPublicKey's getVersion(), but is there any command like keytool which I can use?

There is not a lot of difference between version 3 and 4 OpenPGP key packets, even the format is very similar. In version 4, the validity period was moved to special signatures, and fingerprint calculation changed. In detail, the changes (and formats) are described in OpenPGP, RFC 4880, 5.5.2. Public-Key Packet Formats. For signature packets, the differences are more significant.
To find the package version with readily-build tools, use gpg --list-packets or pgpdump, for example:
$ gpg --export a4ff2279 | gpg --list-packets
:public key packet:
version 4, algo 1, created 1356475387, expires 0
pkey[0]: [8192 bits]
pkey[1]: [17 bits]
keyid: 4E1F799AA4FF2279
[snip]
OpenPGP version 3 keys are deprecated for quite a while now, and rarely seen in usage.

How to decrease passphrase length for snmp?

We got this error when running this command :
[cacti ~]$ snmpwalk -v 3 -a MD5 -u super -x AES -X AAAAAA 10.X.X.X
2011-01-20 16:58:12 Error: passphrase chosen is below the length requirements of the USM (min=8).
2011-01-20 16:58:12 snmpwalk: (The supplied password length is too short.)
Error generating a key (Ku) from the supplied privacy pass phrase.
Do you have any idea how to decrease the USM's length parameter? We can't change the password that is under 8 characters..

You are fighting the IETF RFC if you insist using a short passphrase,
https://www.rfc-editor.org/rfc/rfc3414
If the Appendix A algorithm is used, SNMP implementations (and SNMP
configuration applications) must ensure that passwords are at least 8
characters in length.
This is a standard, so your only choice is to use a long enough passphrase.
For AES, the recommended passphrase length is 12,
http://www.ietf.org/rfc/rfc3826.txt
The following are recommended in regard to user passwords:
Password length SHOULD be at least 12 octets.
Password sharing SHOULD be prohibited so that passwords are not
shared among multiple SNMP users.
Implementations SHOULD support the use of randomly generated
passwords as a stronger form of security.

How to simulate keypress in script? [GPG expert key generation]

How do I make a Batch (or C/C++) script (running a gpg command hundreds of times) that is able to simulate the following keyboard input (and being intelligent enough to wait for input to be asked)?
8↵
S↵E↵Q↵
4096↵
0↵y↵
Jean Dupont↵
↵
born 1970-01-01 in Paris, France↵
O↵
correct horse battery staple↵
correct horse battery staple↵
I would like to generate myself a PGP keypair (for private communication), but I wish for the key's short id to be easy to remember, like FFFFFFFE for example.
The short id of a PGP key is the last 8 characters of its fingerprint. For your information, the fingerprint of a PGP key is a checksum (historically, SHA-1).
My wishes for the generated PGP key are the following:
Its short id (see above) must be easy to remember.
I want my key to be “unusual” so I have to use --expert mode.
By default, a generated key can both encrypt (E) and sign other people’s keys (C, “cert”), but I want mine to only sign other people’s keys.
Okay. So, I guess my solution for getting a “custom” key id is to generate lots of them (beware, I believe global entropy gets very diminished if you do that), and choose the one that I like most (like when your phone provider allows you to choose your future phone number in a list).
What I tried
By reading that page in the doc, I thought I could use gpg --batch --expert --gen-key gpg-keygen-settings.txt, with the following settings file:
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: Jean Dupont
Name-Comment: born 1970-01-01 in Paris, France
Expire-Date: 0
Passphrase: correct horse battery staple
%commit
%echo Done.
BUT it will not let me create a key whose usage is only to sign other people’s keys (cert). Indeed, the documentation says (for Key-Usage) that “Allowed values are ‘encrypt’, ‘sign’, and ‘auth’”. cert is the default, but using a blank Key-Usage field doesn’t work either.
What I believe I must do
I think the only way for me to generate all those keys with the settings I want, there is no solution but simulating key generation as if a real person was interactively running GPG’ shell.
Here is an excerpt of what must be done:
C:\> gpg --gen-key --expert
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection?
[…]
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh#duesseldorf.de>"
Real name: […]
[…]
So, uh.
Thank you very much.
Weird request, I know. Chuckles

Well, I didn’t find the solution I was looking for (something I could make run in background, not buggy, etc.)—and I am still open, for my personal culture, to better solutions and answers.
Anyway, here is the AutoHotkey script I came up with. Very dirty. I coded a bit, then gave up and used the AutoScriptWriter tool to record a macro, and adapted the code to suit my needs (haha). The most annoying thing was to learn how to interact with GPG-Agent (pinentry).
Loop 100
{
Run, cmd.exe /k "gpg --expert --gen-key"
WinWait, C:\Windows\SYSTEM32\cmd.exe - gpg --expert --gen-key,
IfWinNotActive, C:\Windows\SYSTEM32\cmd.exe - gpg --expert --gen-key, , WinActivate, C:\Windows\SYSTEM32\cmd.exe - gpg --expert --gen-key,
WinWaitActive, C:\Windows\SYSTEM32\cmd.exe - gpg --expert --gen-key,
Sleep 1500
Send +8{Enter}
Send S{Enter}C{Enter}Q{Enter}
Send +4+0+9+6{Enter}
Send +0{Enter}o{Enter}
Send Jean Dupont{Enter}
Send {Enter}
Send born {Shift Down}1970{Shift Up}6{Shift Down}01{Shift Up}6{Shift Down}01{Shift Up} in Paris, France{Enter}O{Enter}
; The "6" keypress above is to make a - on French AZERTY keyboards.
WinWait, pinentry,
IfWinNotActive, pinentry, , WinActivate, pinentry,
WinWaitActive, pinentry,
Send, correct horse battery staple{ENTER}
Sleep 1500
Send, correct horse battery staple{ENTER}
Sleep 10000
;Send exit{Enter}
}
This little script allowed me to get a bucketload of keys, one of which having a short id I like.