Linux openssl

From John Freier
Revision as of 10:40, 17 March 2016 by Jfreier (Talk | contribs)

Jump to: navigation, search

Description

The way public/private keys work, is a public key is used to encrypt data and only a private key is capable of decrypting it.

Public Key -> Encrypt.

Private Key -> Decrypt.

Example

This is a real example of public private key.

Create a public & private key and or x.509 cert.

Create a private key.

 openssl genrsa -out mykey.pem 1024


Create a public key.

 openssl rsa -in key.pem -pubout -out pubkey.pem

or

 openssl rsa -in mykey.pem -pubout > mykey.pub

This will calculate the public key from the private key.

Below will create a public cer file.

openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 365

Encrypt a text file with a public key

 cat plain.txt | openssl rsautl -encrypt -pubin -inkey ./is_rsa.pub.pem > cipher.txt

Decrypt a text file with a private key

 cat cipher.txt | openssl rsautl -decrypt -inkey ~/id_rsa.private.pem

Encrypt a binary file with a public key

This should encrypt a binary file with a public key.

 openssl smime -encrypt -binary -aes256 -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem 

The options mean: - smime - ssl command for S/MIME utility (smime(1)) - encrypt - chosen method for file process - binary - use safe file process. Normally the input message is converted to "canonical" format as required by the S/MIME specification, this switch disable it. It is necessary for all binary files (like a images, sounds, ZIP archives). - aes-256-cbc - chosen cipher AES in 256 bit for encryption (strong). If not specified 40 bit RC2 is used (very weak). (Supported ciphers) - in plainfile.zip - input file name - out encrypted.zip.enc - output file name - outform DER - encode output file as binary. If is not specified, file is encoded by base64 and file size will be increased by 30%. - yourSslCertificate.pem - file name of your certificate's. That should be in PEM format.

Known issue with files over 600MB, you need to split them.

Decrypt a binary file with a private key

 openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password

The options mean: -inform DER - same as -outform above -inkey private.key - file name of your private key. That should be in PEM format and can be encrypted by password. -passin pass:your_password - your password for private key encrypt.

Encrypt a file with a password

The -salt option should ALWAYS be used if the key is being derived from a password.

Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key.

When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.

This way will prompt you for a password

 openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc

This way will not

 openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc

Decrypt a file with a password

This way will prompt you for a password

 openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt

This way will not

 openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt -k PASS


Base 64 Encode and Decode

Base64 encoding will converting 8-bit binary information into a ASCII characters.

This is nice for sending something by email, IRC, etc. you have to save encrypted file in Base64-encode.

To encrypt file in Base64-encode, you should add -a option :

Encode:

 openssl enc -aes-256-cbc -salt -a -in file.txt -out file.txt.enc

Decode

 openssl enc -aes-256-cbc -d -a -in file.txt.enc -out file.txt