IT4510 - Ethical Hacking

IT4510 @ utahtech

Encryption Tutorial using OpenSSL

Howto

Make a few directories (the commands below use alice, bob and CA):

Generate a private key for alice:

    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 -out alice/privkey-A.pem

Generate a corresponding public key:

    openssl pkey -pubout -inform pem -outform pem -in alice/privkey-A.pem -out alice/pubkey.pem

View private key in plaintext:

    openssl pkey -in alice/privkey-A.pem -text -noout

Now generate a public and private key for Bob, in his directory. I would change the key identifier above from A to B so you can keep track of whose key is whose.

Alice's public key needs to be signed to prove that it really is hers. Generate a certificate signing request:

    openssl req -new -key alice/privkey-A.pem -out alice/A-req.csr

Or if you are sick of answering the wizard questions, modify the lines below and use it:

    openssl req -new -key alice/privkey-A.pem -nodes -out alice/A-req.csr  -subj "/C=AO/ST=ut/L=saint george/O=d/OU=dd/CN=dsaf"

View info about CSR:

    openssl req -in alice/A-req.csr -noout -subject

CA Setup

You could send this CSR to a certificate authority like Digicert to have them digitally sign it, but we will set up our own CA.

In the CA directory, generate a private key for the CA. The answers to the wizard should NOT match what you have above.

    openssl genrsa -aes256 -out CA/cakey.pem 4096

Create a public certificate for the previous key (A self-signed cert)

    openssl req -new -x509 -key CA/cakey.pem -out CA/cacert.pem -days 3650

Signing the CSR

Sign the csr for alice:

    openssl x509 -req -in alice/A-req.csr -CA CA/cacert.pem -CAkey CA/cakey.pem -CAcreateserial -out alice/A.crt -days 500 -sha256

View cert as text

    openssl x509 -in alice/A.crt -text -noout

Verify a cert

    openssl verify -CAfile CA/cacert.pem alice/A.crt

Extract public key from cert

    openssl x509 -in alice/A.crt -pubkey -noout -out alice/pubkeyb.pem

You could then compare the original public key with the one you just extracted. They should be the same (no output).

    diff alice/pubkey.pem alice/pubkeyb.pem

Try to encrypt a large file with a public key

    wget http://websites.umich.edu/~umfandsf/other/ebooks/alice30.txt
    openssl pkeyutl -encrypt -in alice30.txt -pubin -inkey alice/pubkey.pem -out alice/ciphertext.bin

You will get an error. (RSA can only encrypt a message smaller than its key size, so asymmetric encryption isn't for large files; use symmetric encryption instead.)

To create a symmetric key for Alice:

    openssl rand -base64 32 > alice/symkey.pem

rand generates 32 random bytes, and -base64 encodes them as base64.

Encrypt the symmetric key with Bob’s public key:

    openssl pkeyutl -encrypt -in alice/symkey.pem -pubin -inkey bob/pubkey.pem -out alice/symkey.enc

In practice Alice would take Bob’s public key from his crt, so you would need to generate a CSR for Bob, sign it with the CA, then extract the public key from the resulting cert. (These are all the commands we ran above for Alice; you don’t need to repeat them here, but that is what would really happen.)

Create a hash of the symmetric key and sign it (encrypt the hash) with Alice’s private key:

    openssl dgst -sha1 -sign alice/privkey-A.pem -out alice/signature.bin alice/symkey.pem

Send to bob:

    cp alice/symkey.enc bob
    cp alice/signature.bin bob

Bob decrypts the symmetric key using his private key:

    openssl pkeyutl -decrypt -in bob/symkey.enc -inkey bob/privkey-B.pem -out bob/symkey.pem

Bob verifies Alice’s signature with her public key (which he would normally extract from her verified cert):

    openssl dgst -sha1 -verify alice/pubkey.pem -signature bob/signature.bin bob/symkey.pem

The output should be Verified OK.

Again, we could extract her public key from the crt file, but in the command above I am just giving the path to her public key.

Now encrypt the large file using the shared key:

    wget http://websites.umich.edu/~umfandsf/other/ebooks/alice30.txt
    openssl enc -aes-256-cbc -pass file:alice/symkey.pem -p -md sha256 -in alice30.txt -out alice/ciphertext.bin

Ignore the error that you get. The file is now encrypted and is in the alice directory. Send it to bob (use the mv command) and decrypt it.

    mv alice/ciphertext.bin bob/
    openssl enc -aes-256-cbc -d -pass file:bob/symkey.pem -p -md sha256 -out bob/alicedecrypted.txt -in bob/ciphertext.bin
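
The exchange above as one script, extended to show why the signature step matters: anyone with Bob's public key can produce a valid symkey.enc, so Bob must refuse a key whose signature does not verify. This is an added example, not the course's do_encrypt.sh or resources script; it works in a scratch directory, and the function names, the -sha256 digest and the -pbkdf2 option are this example's choices rather than the page's.

```shell
#!/bin/sh
# Added example (not the course's script). Function names are this example's own.
# -sha256 and -pbkdf2 are choices made here; the page uses -sha1 and no -pbkdf2.

setup() {             # key pairs for alice and bob in a scratch dir, plus a sample file
    W=$(mktemp -d) && mkdir "$W/alice" "$W/bob" || return 1
    for who in alice bob; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$W/$who/privkey.pem" 2>/dev/null || return 1
        openssl pkey -pubout -in "$W/$who/privkey.pem" \
            -out "$W/$who/pubkey.pem" || return 1
    done
    openssl rand -base64 6000 > "$W/big.txt"   # constructed input, larger than one RSA block
}

rsa_direct_fails() {  # returns 0 when RSA refuses the oversized input, as the page describes
    ! openssl pkeyutl -encrypt -in "$W/big.txt" -pubin \
        -inkey "$W/bob/pubkey.pem" -out "$W/alice/direct.bin" 2>/dev/null
}

alice_send() {        # wrap a fresh symmetric key for bob, sign it, encrypt the file
    openssl rand -base64 32 > "$W/alice/symkey.pem" &&
    openssl pkeyutl -encrypt -in "$W/alice/symkey.pem" -pubin \
        -inkey "$W/bob/pubkey.pem" -out "$W/bob/symkey.enc" &&
    openssl dgst -sha256 -sign "$W/alice/privkey.pem" \
        -out "$W/bob/signature.bin" "$W/alice/symkey.pem" &&
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$W/alice/symkey.pem" \
        -in "$W/big.txt" -out "$W/bob/ciphertext.bin"
}

bob_receive() {       # 1 = unwrap failed, 2 = signature rejected, 3 = file decrypt failed
    openssl pkeyutl -decrypt -in "$W/bob/symkey.enc" \
        -inkey "$W/bob/privkey.pem" -out "$W/bob/symkey.pem" 2>/dev/null || return 1
    openssl dgst -sha256 -verify "$W/alice/pubkey.pem" \
        -signature "$W/bob/signature.bin" "$W/bob/symkey.pem" >/dev/null 2>&1 || return 2
    openssl enc -aes-256-cbc -d -pbkdf2 -pass "file:$W/bob/symkey.pem" \
        -in "$W/bob/ciphertext.bin" -out "$W/bob/decrypted.txt" || return 3
}

replace_wrapped_key() {  # a key not from alice: encrypts fine, but her signature won't match
    openssl rand -base64 32 > "$W/other.key" &&
    openssl pkeyutl -encrypt -in "$W/other.key" -pubin \
        -inkey "$W/bob/pubkey.pem" -out "$W/bob/symkey.enc"
}

# Typical run: setup && alice_send && bob_receive && cmp "$W/big.txt" "$W/bob/decrypted.txt"
```

After replace_wrapped_key, bob_receive still unwraps the key successfully and stops with status 2 at the signature check, before any file is decrypted.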

Apply what you have learned

Copy your public key to scratch and put it in the /tmp directory.

Something like: scp mypublickey.pem scratch:/tmp.

On scratch, your public key must be found in /tmp and it MUST be named your dnumber.pem (d00002134.pem).

Then run do_encrypt.sh. It will encrypt my symmetric key with your public key. The encrypted symmetric key will be found in /tmp/$USER.enc (whatever your dnumber is).

It will also encrypt a file with the symmetric key, located in /tmp/$USER-ciphertext.bin. (like /tmp/d00002134-ciphertext.bin).

You will have to copy both generated files back to wherever you are running your openssl commands and see if you can first decrypt the symmetric key, then use that to decrypt the ciphertext.

Note to self: I have a script that does all of this in the resources directory.