SOC Blogs
Tutorials
Security Bulletins
About Me
Contact Me!
Tutorials
Tutorials/
🧃
Basic Cryptography Tutorials/
🧃
Asymmetric Encryption And Decryption
Search
🧃

Asymmetric Encryption And Decryption

 

Asymmetric Encryption Algorithm

 
  • There are 2 keys instead of 1 key like in Symmetric Key Encryption
    • Public Key
    • Private Key
  • Both of them together is called a keypair
  • Slower than Symmetric ciphers
  • Let’s imagine Alice wants to send a message to Bob
    • Bob generates a keypair and sends his public key to Alice
    • Alice encrypts the message with Bob’s public key and sends the encrypted message to Bob
    • Bob decrypts the message with his private key
    • If an attacker eavesdrop and gets Bob’s public key, he will still not be able decrypt the message. Only Bob’s private key can decrypt the message and Bob will need to keep this private.
  • By itself Asymmetric Encryption is still not safe. A MITM between Alice and Bob can intercept Bob’s public key and the attacker can replace it with his public key. Then the attacker can intercept the message from Alice and use his own private key to decrypt. So there is a need to trust public keys. How do you verify that the public key you have is the correct one?
    • The most popular solution is to use a trusted third-party. Used in PKI and PGP’s Web Of Trust
 

Asymmetric Encryption Options In OpenSSL

 
OpenSSL library has several asymmetric crypto algorithms, but only one of those allows you to directly encrypt data.
  • RSA
 
Other available asymmetric crypto algorithms
  • Algorithms for Digital Signatures
    • DSA (Digital Signature Algorithm)
    • Elliptic Curve Digital Signature Algorithm (ECDSA)
  • Key Exchange in TLS
    • Diffie-Hellman (DH)
    • Elliptic Curve Diffie-Hellman (ECDH)
 
Asymmetric algorithm use structured keys, meaning that a key can have several components and a component may have certain requirements. Each asymmetric algorithm has it’s own structure.
 
  • RSA Algorithm alone is enough for encryption
  • ELGamal algorithm can use DH algorithm with DSA keys
  • or ECDH algorithm with ECDSA keys
 
Sometimes a symmetric encryption key, used along with an asymmetric algorithm is called a session key.
 

Understanding Session Key

 
Asymmetric ciphers such as RSA are much slower than symmetric ciphers such as AES.
Therefore usually the actual data that sender wants to send is not encrypted by RSA, instead the sender generates a symmetric key.
The actual data is encrypted by a symmetric algorithm, such as AES, with the session key, which is encrypted by RSA.
When decrypting, the recipient first decrypts the session key by RSA and then decrypts the actual data by AES with the session key. Such encryption schemes are reffered to as a Hybrid Encryption Scheme.
 
In secure network protocols such as TLS, SSH, IPSec, communication session begins with handshaking operation, part of which is the key echange operation.
 
In older versions of the protocol, key exchange operation involved the generation of the session key by one party of the communication, encrypting it by RSA and sending it encrypted to the other party.
 
In current versions of the protocols, communicating parties use the DH or ECDH key exchange methods, where both communication parties derive the same session key, which they then use for encryption of the useful data.
 

Understanding RSA Security

 
The security of RSA relies on the difficulty of integer factorization problem.
Factorization operation is breaking a positive integer number into it’s prime factors.
Currentyl, there is no polynomial-time algorithm for integer factorization that can be run by classical computer.
A typical integer number used in RSA is tens of thousands of decimal digits.
 
The C language doesn’t have integer types large enough to perform mathematics on big numbers used in RSA. OpenSSL includes a big number sub library. Normally they use the BN_ prefix.
 
An RSA key consists of several big or small integer numbers called a modulus, an exponent and optionally primes and coefficients. RSA key size is also equivalent to the size of the modulus. An RSA key of 2048-bit modulus, then the size of that RSA key is also 2048 bits.
 
RSA key size in bits
Security level in bits
1024
80
2048
112
3072
128
4096
152
7680
192
8192
200
15360
256
 
So we can see to reach speeds of AES-256 we need to use 15,360 bits. In RSA the decryption operation is very slow compared to the encryption operation.
 
NIST recommends using the following sizes for RSA keys:
  • At least 2048 bits until 2030
  • At least 3072 bits after 2030
 
Recommended optimum key size is 4096 bits.
 
Keypairs are save in Privacy Enhanced Mail (PEM) format. PEM is the default format used by OpenSSL for storing keys and certificates.
PEM is base64 wrapping around binary data.
Text Header = BEGIN line
Text Footer = END line
 
The eypair is in the Distinguished Encoding Rules (DER) format.
 
The openssl tools provides 2 sub-commands for generating RSA keypairs - genrsa and genpkey
 
genrsa is declared deprecated since openSSL 3.0
 
⚠️
OpenSSL and OKCS standards usually defines a private key as a data structure, holding information sufficient for constructing both private and public keys. For simplicity, when OpenSSL documentation says keypair it means a private key and when it says a public key, it means just a public key.
 

Generate RSA Keypair (private key)

 
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out rsa_keypair.pem
 
notion image
 

Inspect Structure Of Generated Keypair

 
openssl pkey -in rsa_keypair.pem -noout -text
 
~/opensslcodes/asymm:openssl pkey -in rsa_keypair.pem -noout -text
Private-Key: (4096 bit, 2 primes)
modulus:
    00:99:60:5f:11:68:0f:7f:90:ce:fd:11:bd:74:fc:
    8a:00:e4:d5:10:30:28:a2:e4:fa:69:fb:17:a9:db:
    72:e4:5f:c3:79:35:a2:c8:2c:32:55:f5:f9:66:64:
    c0:32:24:10:ab:6f:44:52:07:e2:7f:1e:80:a2:e9:
    15:58:d2:ec:65:8a:be:25:1a:a5:6c:ed:fe:dc:3f:
    36:f7:d1:a5:c4:90:58:8a:0b:eb:cb:ce:11:c4:a8:
    92:a6:ca:ff:79:6c:4e:39:e3:9a:cb:56:ba:2a:62:
    b1:10:ab:1d:85:85:3c:9c:e4:70:c3:7e:fa:5f:1d:
    18:3e:9a:00:17:1d:8e:17:51:27:d7:4a:d7:85:63:
    6e:6e:67:92:8f:b1:45:9e:03:da:97:c9:bd:fc:7b:
    7d:37:22:0a:8a:1d:0c:72:8d:95:42:d8:57:06:11:
    16:5a:8d:89:67:25:dc:f1:29:64:f8:e7:3b:72:e8:
    c5:d5:42:82:2b:c0:a5:41:46:be:6a:37:86:65:fc:
    8e:09:4b:78:8c:b9:96:8d:18:91:3d:fb:af:58:c6:
    fb:e4:cd:99:f1:be:be:39:04:6a:6b:7d:24:a2:44:
    b5:7c:61:e7:e0:dd:57:1a:e8:c7:a6:6d:11:c5:13:
    87:c6:e8:cd:a0:17:d8:fd:a3:ca:c8:de:4f:5a:ee:
    90:b7:0f:97:f4:d7:99:15:fd:2d:27:98:94:87:a3:
    b0:d0:5b:e1:62:7c:22:2e:3f:40:ce:62:23:cf:82:
    1a:fc:01:66:fd:6e:3c:71:cb:8a:35:40:d0:09:ce:
    24:0c:26:e4:3e:ae:1a:38:ad:67:ff:44:82:19:57:
    5c:0b:da:a3:c7:38:b2:d3:de:46:78:4e:47:d9:76:
    04:14:1a:3d:46:99:e6:e5:53:1b:29:04:24:50:88:
    a2:c4:1a:65:4e:3d:c5:7f:77:90:2a:6a:d7:38:37:
    21:ea:66:49:b1:a4:49:b1:81:95:84:ce:0e:7c:fa:
    fa:21:10:86:86:dd:c1:81:ef:e5:01:9c:9f:84:5b:
    7c:be:a8:39:23:e6:1d:f5:27:bb:9e:8f:f6:61:0e:
    8b:00:a4:09:8a:ce:f3:e3:59:bc:d1:cf:c0:55:ae:
    37:20:f2:ef:13:01:1a:5e:d5:13:1f:fb:e1:95:fb:
    94:ad:ed:38:f3:44:0f:49:9d:7a:de:49:c9:44:63:
    ae:2d:f3:68:48:45:f6:08:82:50:96:a5:22:7c:18:
    c4:63:d1:d1:a3:a7:5d:91:b8:3f:2c:e7:05:5b:34:
    d9:dd:4e:11:6e:87:f5:13:5b:69:2d:8a:2c:a5:d4:
    b7:52:1a:92:28:d8:a1:86:e9:1d:9f:c1:34:ca:1e:
    2d:77:2f
publicExponent: 65537 (0x10001)
privateExponent:
    17:32:5a:9e:7f:7e:5c:92:3c:f9:4c:63:65:86:98:
    f9:4d:4d:50:c4:9f:d8:bc:73:32:6f:d8:8d:31:7f:
    47:bd:43:60:99:1f:e9:fb:63:e4:d9:58:a3:72:58:
    6e:72:42:ed:28:07:b8:0a:5b:93:53:3c:81:a7:13:
    e4:9a:5d:f3:76:3a:3a:28:0a:08:96:ae:d0:31:10:
    07:5c:b7:4a:aa:74:21:9e:1a:46:f9:7f:24:1e:ef:
    5d:cc:df:8f:9b:35:9c:e4:13:5c:c3:dc:a5:c8:1b:
    09:da:2a:13:05:6a:d1:e5:c0:e2:3d:ae:f0:8f:58:
    c3:db:0c:69:72:93:08:c1:6c:44:fa:46:41:f5:1f:
    00:bb:fc:65:6c:1a:60:82:d5:09:80:e8:66:d5:11:
    c3:dd:60:fa:5b:83:59:98:97:e5:ae:0c:ec:ac:cd:
    3f:31:1f:2c:b1:04:20:9b:31:f0:c2:74:1c:cb:1f:
    64:98:c9:a6:d9:5c:da:54:5b:3c:7a:f2:57:89:62:
    12:a8:cd:ee:26:ac:22:37:2a:d1:aa:37:99:0b:30:
    91:fd:c0:80:83:3d:dc:d2:11:fa:f8:c8:7f:71:8f:
    2b:3a:84:29:df:aa:aa:b6:0b:15:5c:c8:99:10:52:
    48:34:9c:7e:25:2d:30:75:ed:c2:57:26:69:aa:76:
    cb:65:08:b4:fe:17:1c:2f:75:d5:70:dc:8a:fe:85:
    37:c6:26:94:67:ad:70:f5:6b:6d:db:6a:db:19:0e:
    5c:b9:35:e9:0f:2d:5e:20:61:a3:bc:12:7c:8c:77:
    b2:85:c0:82:1e:ba:89:30:eb:e4:e7:24:fd:ad:f1:
    e8:8c:e4:b7:02:99:e4:20:92:5c:74:70:4f:db:02:
    2f:00:3d:5a:13:c3:c6:59:17:ae:a0:c0:0c:2d:2c:
    b5:20:69:11:4a:73:d4:00:f8:30:2c:dd:70:a5:78:
    b7:92:d5:64:d2:09:c6:89:18:7b:af:05:32:d0:27:
    4c:f0:6c:75:fa:eb:b6:e1:8f:2c:61:3e:7d:52:f3:
    61:e8:6d:d7:71:7b:9e:0a:42:b2:c6:bf:da:10:9a:
    9b:9d:d7:34:2f:69:c4:38:33:dd:69:5f:5b:a6:7a:
    09:5b:b2:31:97:16:1f:22:0f:b4:ff:a5:89:d3:a2:
    70:97:9d:ba:bb:b9:47:5b:eb:40:cc:35:a9:a1:b4:
    b8:7d:5a:d4:26:9b:f7:9d:07:53:47:d5:23:fb:95:
    e2:bf:23:e4:25:41:d3:39:41:6a:ab:fd:de:c9:ff:
    03:b8:3c:60:be:c8:2d:fb:1a:6e:43:a3:48:e7:b2:
    4e:bc:97:d9:0d:4a:bc:d6:a4:5c:cc:c1:3e:e2:76:
    4d:51
prime1:
    00:c8:68:c8:df:31:47:ce:f1:6a:b4:35:3e:a7:6d:
    7f:ba:bc:89:5b:ca:4d:3e:85:0b:35:28:ff:30:5f:
    0d:02:0e:9b:61:64:9b:22:5e:5f:50:92:e7:00:5f:
    49:06:09:73:04:57:cf:bc:ca:40:be:7a:31:43:fa:
    4a:ca:70:d4:97:7c:a4:b9:21:d8:6d:4e:d0:0a:fa:
    5c:3a:2c:0f:a9:80:bc:fd:8c:0c:ea:11:f7:55:d9:
    72:58:f6:c9:1a:e9:70:d8:b4:27:1e:f2:ef:86:00:
    e2:6e:9c:eb:a2:a2:96:17:e4:b3:fb:85:31:1b:e1:
    11:e8:8f:73:86:83:d6:57:ec:67:eb:fc:25:5a:ee:
    fe:2d:9e:fc:2b:b0:c3:cd:83:25:ce:cb:94:ca:fe:
    c8:b6:fa:31:18:2e:d1:76:57:d8:f8:32:51:6b:6e:
    8f:7f:08:53:32:b1:8d:b4:f0:42:8f:76:42:60:7c:
    f4:e9:ea:be:4f:f4:46:c7:3f:f0:09:75:90:69:e8:
    be:24:bc:b5:5d:62:64:64:64:8e:3b:15:08:70:7f:
    2c:d9:e6:e5:70:bd:cc:19:4a:1c:89:bd:61:63:df:
    90:b0:d5:61:ae:79:fb:d7:db:97:78:a5:13:8d:5c:
    dc:f7:46:f8:42:24:e3:91:9c:39:9c:32:e1:03:74:
    43:1f
prime2:
    00:c3:eb:bf:71:76:2e:14:d5:ea:26:6d:50:32:c4:
    51:19:06:ec:e0:be:00:a3:05:3e:64:09:f7:32:51:
    ed:ee:ac:9f:2a:36:0b:be:46:32:d0:50:79:36:2a:
    9e:4d:ba:c2:74:27:7e:39:19:76:a9:47:a4:17:18:
    2f:1c:96:e7:4c:e8:82:90:b5:0a:1d:05:07:cc:c7:
    12:eb:81:0d:a7:9d:b6:e0:61:d8:66:89:e8:25:0d:
    a9:0a:a7:0f:72:86:c3:20:86:dd:20:42:ed:e7:cd:
    1c:85:4e:6a:a2:51:f7:ea:7e:36:46:09:5e:0d:bf:
    98:0a:a0:9f:c2:b1:2c:32:17:9e:fa:6b:1c:be:21:
    e6:23:fd:b8:53:2d:bd:fa:97:74:db:1d:cd:81:36:
    13:cc:76:1f:5f:ed:fe:a9:0b:0a:92:27:2c:a5:92:
    ee:bd:a1:29:78:05:ef:23:0c:dc:cb:65:39:2b:c6:
    e5:ca:db:fc:d8:12:d2:51:94:99:51:5b:68:78:c3:
    ff:8d:c6:2f:53:b9:68:8a:83:0c:52:b5:ec:10:88:
    19:94:82:da:2e:53:58:0c:8f:ea:75:d4:4d:b0:e3:
    37:75:8a:06:49:00:a6:16:a6:03:97:eb:23:f3:aa:
    83:25:cd:16:27:63:dc:92:0e:56:89:8b:83:41:8b:
    d9:f1
exponent1:
    61:dc:59:0a:33:c4:3e:d7:40:25:93:42:6e:fb:57:
    3d:d6:46:b4:9d:ca:ae:56:c5:2c:46:42:a6:5a:23:
    bd:f7:68:04:5c:de:2c:20:2d:26:e9:35:07:c7:7f:
    9f:05:0a:36:fa:b2:24:1c:17:15:6c:11:96:82:27:
    f7:46:b5:68:eb:a2:7c:0c:7c:e4:93:71:9f:8a:b5:
    72:6a:85:93:5d:9b:eb:ab:71:ba:f2:de:f5:fa:e2:
    8d:72:a4:ad:11:84:db:2c:cd:55:9d:87:3c:c6:3d:
    cb:89:b0:be:8f:e9:fe:ec:dc:be:5b:41:a9:bd:73:
    c3:3e:19:49:7c:23:34:77:ea:1f:1f:d7:15:da:52:
    1f:f0:dc:6e:71:38:8b:a8:18:d4:2c:31:12:16:eb:
    e7:fd:af:ef:81:1d:23:4e:ae:52:34:2f:f1:e7:e1:
    06:45:08:6b:5e:ac:35:c8:84:98:0d:45:48:5c:7c:
    33:a5:3f:1d:47:c9:30:0e:96:a5:e7:d4:87:02:f1:
    a6:7a:c7:8d:3c:38:8d:95:54:a6:a1:14:a7:ea:51:
    fa:6d:77:68:60:25:c3:cb:9e:b7:db:d4:2c:b2:c4:
    b2:b4:df:a8:15:44:d7:19:11:94:05:f7:d0:35:a2:
    68:d5:2c:f1:0f:96:58:4a:13:0f:a5:00:9f:71:2c:
    3d
exponent2:
    00:a7:8b:7a:bb:5f:f2:46:75:2c:f9:51:b0:2c:ca:
    00:04:64:0c:bc:a1:1f:d0:49:92:b2:60:67:5a:4c:
    00:2a:84:ca:d4:81:45:87:a1:66:a1:08:c0:af:96:
    c0:ab:fe:53:7e:9b:ab:70:cf:1a:cf:e6:e9:27:aa:
    d1:d7:24:21:87:7e:aa:f1:6f:30:c7:e2:5e:6a:3b:
    b0:2d:5f:be:ba:a1:c0:1b:a0:f1:3b:b7:21:a4:56:
    4b:42:45:dd:8a:f6:3d:f6:19:ff:0e:30:ce:5c:d5:
    e6:57:05:d9:61:18:b1:e7:81:a9:8e:39:42:8a:85:
    57:53:77:4b:48:66:d5:41:bd:3b:82:31:89:71:fb:
    71:61:43:ff:96:7a:5e:a5:e7:51:d2:74:69:22:df:
    89:0c:e7:d3:2a:e9:4f:47:66:9e:d2:9f:d7:a9:7c:
    be:d7:c1:f3:c1:a5:69:7c:d2:ea:1a:b2:64:b2:d0:
    34:01:48:21:b0:f2:5f:93:ce:7d:52:ba:d5:db:b8:
    d9:59:77:ab:4f:71:16:3a:a5:99:2b:3e:52:33:4d:
    00:7b:25:6f:ca:00:12:23:24:0b:c0:5a:1f:5a:6e:
    e5:25:8a:34:97:c7:8b:41:81:15:3f:9c:a1:b1:26:
    17:63:83:40:37:cd:49:7a:49:f2:ad:4b:76:a2:de:
    23:31
coefficient:
    75:85:4c:40:ef:7a:4f:e1:1e:25:3c:15:94:7c:d4:
    c1:4e:1f:95:90:e8:5b:d4:07:a8:15:65:e4:b5:d3:
    3e:9a:dd:b0:b5:9a:c1:a3:f6:0a:3f:18:74:90:72:
    3a:5a:d8:08:da:3f:f8:44:d9:3c:75:fe:b7:f3:53:
    b4:39:d5:09:49:35:0a:dd:de:a2:b9:81:24:67:82:
    de:d7:06:66:b3:83:71:e3:a9:33:b4:98:3a:27:f4:
    72:bb:07:8f:a2:df:e8:c6:3c:41:73:64:ea:31:d7:
    ed:eb:b2:e4:72:1b:bb:0f:79:42:a7:fc:2f:75:b8:
    a2:14:0d:3b:66:7f:d5:9f:7b:8c:35:9c:b9:91:af:
    61:f7:04:dc:2c:5b:db:99:a1:26:44:a4:45:6b:64:
    9f:58:4c:f8:4a:b4:21:53:69:b0:6c:71:89:36:a6:
    f2:c4:2e:dc:b9:6e:13:f6:a5:2e:29:ee:d4:2e:46:
    b3:5e:0d:a8:10:f4:79:32:70:2a:1d:23:d9:6e:c9:
    d5:2b:b7:f0:14:2e:06:a6:d7:69:cd:b4:38:8a:b2:
    39:53:80:61:77:7b:4f:8a:a5:0d:59:77:61:25:14:
    65:26:54:5c:5d:70:33:2e:5f:ca:7a:6f:5d:3f:36:
    f5:56:d5:a6:3c:f6:99:e6:95:9f:c5:9a:b7:b6:da:
    eb
 

Extracting Public Key From Keypair

 
openssl pkey -in rsa_keypair.pem -pubout -out rsa_public_key.pem
 
~/opensslcodes/asymm:openssl pkey -in rsa_keypair.pem -pubout -out rsa_public_key.pem
~/opensslcodes/asymm:ls -lh
total 8.0K
-rw------- 1 root root 3.2K Jun  7 05:13 rsa_keypair.pem
-rw-r--r-- 1 root root  800 Jun  7 13:40 rsa_public_key.pem
~/opensslcodes/asymm:
~/opensslcodes/asymm:cat rsa_public_key.pem
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmWBfEWgPf5DO/RG9dPyK
AOTVEDAoouT6afsXqdty5F/DeTWiyCwyVfX5ZmTAMiQQq29EUgfifx6AoukVWNLs
ZYq+JRqlbO3+3D8299GlxJBYigvry84RxKiSpsr/eWxOOeOay1a6KmKxEKsdhYU8
nORww376Xx0YPpoAFx2OF1En10rXhWNubmeSj7FFngPal8m9/Ht9NyIKih0Mco2V
QthXBhEWWo2JZyXc8Slk+Oc7cujF1UKCK8ClQUa+ajeGZfyOCUt4jLmWjRiRPfuv
WMb75M2Z8b6+OQRqa30kokS1fGHn4N1XGujHpm0RxROHxujNoBfY/aPKyN5PWu6Q
tw+X9NeZFf0tJ5iUh6Ow0FvhYnwiLj9AzmIjz4Ia/AFm/W48ccuKNUDQCc4kDCbk
Pq4aOK1n/0SCGVdcC9qjxziy095GeE5H2XYEFBo9Rpnm5VMbKQQkUIiixBplTj3F
f3eQKmrXODch6mZJsaRJsYGVhM4OfPr6IRCGht3Bge/lAZyfhFt8vqg5I+Yd9Se7
no/2YQ6LAKQJis7z41m80c/AVa43IPLvEwEaXtUTH/vhlfuUre0480QPSZ163knJ
RGOuLfNoSEX2CIJQlqUifBjEY9HRo6ddkbg/LOcFWzTZ3U4Rbof1E1tpLYospdS3
UhqSKNihhukdn8E0yh4tdy8CAwEAAQ==
-----END PUBLIC KEY-----
 

Inspect Structure Of Generated Public Key

 
openssl pkey -pubin -in rsa_public_key.pem -noout -text
 
~/opensslcodes/asymm:openssl pkey -pubin -in rsa_public_key.pem  -noout -text
Public-Key: (4096 bit)
Modulus:
    00:99:60:5f:11:68:0f:7f:90:ce:fd:11:bd:74:fc:
    8a:00:e4:d5:10:30:28:a2:e4:fa:69:fb:17:a9:db:
    72:e4:5f:c3:79:35:a2:c8:2c:32:55:f5:f9:66:64:
    c0:32:24:10:ab:6f:44:52:07:e2:7f:1e:80:a2:e9:
    15:58:d2:ec:65:8a:be:25:1a:a5:6c:ed:fe:dc:3f:
    36:f7:d1:a5:c4:90:58:8a:0b:eb:cb:ce:11:c4:a8:
    92:a6:ca:ff:79:6c:4e:39:e3:9a:cb:56:ba:2a:62:
    b1:10:ab:1d:85:85:3c:9c:e4:70:c3:7e:fa:5f:1d:
    18:3e:9a:00:17:1d:8e:17:51:27:d7:4a:d7:85:63:
    6e:6e:67:92:8f:b1:45:9e:03:da:97:c9:bd:fc:7b:
    7d:37:22:0a:8a:1d:0c:72:8d:95:42:d8:57:06:11:
    16:5a:8d:89:67:25:dc:f1:29:64:f8:e7:3b:72:e8:
    c5:d5:42:82:2b:c0:a5:41:46:be:6a:37:86:65:fc:
    8e:09:4b:78:8c:b9:96:8d:18:91:3d:fb:af:58:c6:
    fb:e4:cd:99:f1:be:be:39:04:6a:6b:7d:24:a2:44:
    b5:7c:61:e7:e0:dd:57:1a:e8:c7:a6:6d:11:c5:13:
    87:c6:e8:cd:a0:17:d8:fd:a3:ca:c8:de:4f:5a:ee:
    90:b7:0f:97:f4:d7:99:15:fd:2d:27:98:94:87:a3:
    b0:d0:5b:e1:62:7c:22:2e:3f:40:ce:62:23:cf:82:
    1a:fc:01:66:fd:6e:3c:71:cb:8a:35:40:d0:09:ce:
    24:0c:26:e4:3e:ae:1a:38:ad:67:ff:44:82:19:57:
    5c:0b:da:a3:c7:38:b2:d3:de:46:78:4e:47:d9:76:
    04:14:1a:3d:46:99:e6:e5:53:1b:29:04:24:50:88:
    a2:c4:1a:65:4e:3d:c5:7f:77:90:2a:6a:d7:38:37:
    21:ea:66:49:b1:a4:49:b1:81:95:84:ce:0e:7c:fa:
    fa:21:10:86:86:dd:c1:81:ef:e5:01:9c:9f:84:5b:
    7c:be:a8:39:23:e6:1d:f5:27:bb:9e:8f:f6:61:0e:
    8b:00:a4:09:8a:ce:f3:e3:59:bc:d1:cf:c0:55:ae:
    37:20:f2:ef:13:01:1a:5e:d5:13:1f:fb:e1:95:fb:
    94:ad:ed:38:f3:44:0f:49:9d:7a:de:49:c9:44:63:
    ae:2d:f3:68:48:45:f6:08:82:50:96:a5:22:7c:18:
    c4:63:d1:d1:a3:a7:5d:91:b8:3f:2c:e7:05:5b:34:
    d9:dd:4e:11:6e:87:f5:13:5b:69:2d:8a:2c:a5:d4:
    b7:52:1a:92:28:d8:a1:86:e9:1d:9f:c1:34:ca:1e:
    2d:77:2f
Exponent: 65537 (0x10001)
 

Encrypt Session Key with public key

 
# Let's generate 256-bit session Key

openssl rand -out session_key.bin 32

# Encrypt Session Key

openssl pkeyutl -encrypt -in session_key.bin -out session_key.bin.encrypted -pubin -inkey rsa_public_key.pem -pkeyopt rsa_padding_mode:oaep
 
~/opensslcodes/asymm:ls -lh
total 8.0K
-rw------- 1 root root 3.2K Jun  7 05:13 rsa_keypair.pem
-rw-r--r-- 1 root root  800 Jun  7 13:40 rsa_public_key.pem
~/opensslcodes/asymm:openssl rand -out session_key.bin 32
~/opensslcodes/asymm:cat session_key.bin
#1~x
=THR~/opensslcodes/asymm:
~/opensslcodes/asymm:openssl pkeyutl -encrypt -in session_key.bin -out session_key.bin.encrypted -pubin -inkey rsa_public_key.pem -pkeyopt rsa_padding_mode:oaep
~/opensslcodes/asymm:ls -lha
total 24K
drwxr-xr-x 2 root root 4.0K Jun  7 13:48 .
drwxr-xr-x 5 root root 4.0K Jun  7 05:07 ..
-rw------- 1 root root 3.2K Jun  7 05:13 rsa_keypair.pem
-rw-r--r-- 1 root root  800 Jun  7 13:40 rsa_public_key.pem
-rw-r--r-- 1 root root   32 Jun  7 13:46 session_key.bin
-rw-r--r-- 1 root root  512 Jun  7 13:48 session_key.bin.encrypted
~/opensslcodes/asymm:cat session_key.bin.encrypted
23n\O5[#ΪQaI}eMyYFx\9w,3I̠9x
                           Oa3ݵ%|ϟ"е0#`nGScG5ޫ`^EJe7W RKe/>\R`   M"~h11
B(Z]%v!
{x<n4.߲
3E7LB_XA<UN3A]( jo4GgKR|oh2_]
 
-pkeyopt rsa_padding_mode:oaep → Instructs openssl to use PKCS V2.0 Optimal Asymmetric Encryption Padding (OAEP) padding type for RSA Encryption.
 
~/opensslcodes/asymm:cksum session_key.bin*
190170457 32 session_key.bin
583170061 512 session_key.bin.encrypted
 
Note that the input session key file is only 32 bytes long, but it’s encrypted version is 512 bytes. This is because RSA’s output ciphertext block is the same size as the RSA key size used.
 
Encrypting the same file different times will give the same size but a different checksum everytime. This is because even though RSA encryption is deterministic the padding algorithm used is non-deterministic.
 

Decrypting The Session Key

 
	openssl pkeyutl -decrypt -in session_key.bin.encrypted -out session_key.bin.decrypted -inkey rsa_keypair.pem -pkeyopt rsa_padding_mode:oaep
 
~/opensslcodes/asymm:ls -lh
total 124K
-rw------- 1 root root 3.2K Jun  7 05:13 rsa_keypair.pem
-rw-r--r-- 1 root root  800 Jun  7 13:40 rsa_public_key.pem
-rw-r--r-- 1 root root   32 Jun  7 13:46 session_key.bin
-rw-r--r-- 1 root root  512 Jun  7 13:48 session_key.bin.encrypted
-rw-r--r-- 1 root root 107K Jun  7 13:55 somefile.txt
-rw-r--r-- 1 root root    0 Jun  7 13:56 somefile.txt.encrypted
~/opensslcodes/asymm:
~/opensslcodes/asymm:openssl pkeyutl -decrypt -in session_key.bin.encrypted -out session_key.bin.decrypted -inkey rsa_keypair.pem -pkeyopt rsa_padding_mode:oaep
~/opensslcodes/asymm:
~/opensslcodes/asymm:cksum session_key.bin*
190170457 32 session_key.bin
190170457 32 session_key.bin.decrypted
583170061 512 session_key.bin.encrypted

Encrypting File Larger Than Key Length

 
# Generate 100 KB File

seq 20000 > somefile.txt

# Encryption

openssl pkeyutl -encrypt -in somefile.txt -out somefile.txt.encrypted -pubin -inkey rsa_public_key.pem -pkeyopt rsa_padding_mode:oaep
 
~/opensslcodes/asymm:ls -lh
total 16K
-rw------- 1 root root 3.2K Jun  7 05:13 rsa_keypair.pem
-rw-r--r-- 1 root root  800 Jun  7 13:40 rsa_public_key.pem
-rw-r--r-- 1 root root   32 Jun  7 13:46 session_key.bin
-rw-r--r-- 1 root root  512 Jun  7 13:48 session_key.bin.encrypted
~/opensslcodes/asymm:
~/opensslcodes/asymm:
~/opensslcodes/asymm:seq 20000 > somefile.txt
~/opensslcodes/asymm:
~/opensslcodes/asymm:
~/opensslcodes/asymm:ls -lh
total 124K
-rw------- 1 root root 3.2K Jun  7 05:13 rsa_keypair.pem
-rw-r--r-- 1 root root  800 Jun  7 13:40 rsa_public_key.pem
-rw-r--r-- 1 root root   32 Jun  7 13:46 session_key.bin
-rw-r--r-- 1 root root  512 Jun  7 13:48 session_key.bin.encrypted
-rw-r--r-- 1 root root 107K Jun  7 13:55 somefile.txt
~/opensslcodes/asymm:
~/opensslcodes/asymm:
~/opensslcodes/asymm:openssl pkeyutl -encrypt -in somefile.txt -out somefile.txt.encrypted -pubin -inkey rsa_public_key.pem -pkeyopt rsa_padding_mode:oaep
Public Key operation error
40F7946400700000:error:0200006E:rsa routines:ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex:data too large for key size:../crypto/rsa/rsa_oaep.c:87:
~/opensslcodes/asymm:
 
We get an error. This is because RSA cannot encrypt anything anylonger than its key length during one operation. If you use padding than it becomes even shorter.