Asymmetric Encryption Algorithm
- There are 2 keys instead of 1 key like in Symmetric Key Encryption
- Public Key
- Private Key
- Both of them together is called a keypair
- Slower than Symmetric ciphers
- Let’s imagine Alice wants to send a message to Bob
- Bob generates a keypair and sends his public key to Alice
- Alice encrypts the message with Bob’s public key and sends the encrypted message to Bob
- Bob decrypts the message with his private key
- If an attacker eavesdrop and gets Bob’s public key, he will still not be able decrypt the message. Only Bob’s private key can decrypt the message and Bob will need to keep this private.
- By itself Asymmetric Encryption is still not safe. A MITM between Alice and Bob can intercept Bob’s public key and the attacker can replace it with his public key. Then the attacker can intercept the message from Alice and use his own private key to decrypt. So there is a need to trust public keys. How do you verify that the public key you have is the correct one?
- The most popular solution is to use a trusted third-party. Used in PKI and PGP’s Web Of Trust
Asymmetric Encryption Options In OpenSSL
OpenSSL library has several asymmetric crypto algorithms, but only one of those allows you to directly encrypt data.
- RSA
Other available asymmetric crypto algorithms
- Algorithms for Digital Signatures
- DSA (Digital Signature Algorithm)
- Elliptic Curve Digital Signature Algorithm (ECDSA)
- Key Exchange in TLS
- Diffie-Hellman (DH)
- Elliptic Curve Diffie-Hellman (ECDH)
Asymmetric algorithm use structured keys, meaning that a key can have several components and a component may have certain requirements. Each asymmetric algorithm has it’s own structure.
- RSA Algorithm alone is enough for encryption
- ELGamal algorithm can use DH algorithm with DSA keys
- or ECDH algorithm with ECDSA keys
Sometimes a symmetric encryption key, used along with an asymmetric algorithm is called a session key.
Understanding Session Key
Asymmetric ciphers such as RSA are much slower than symmetric ciphers such as AES.
Therefore usually the actual data that sender wants to send is not encrypted by RSA, instead the sender generates a symmetric key.
The actual data is encrypted by a symmetric algorithm, such as AES, with the session key, which is encrypted by RSA.
When decrypting, the recipient first decrypts the session key by RSA and then decrypts the actual data by AES with the session key. Such encryption schemes are reffered to as a Hybrid Encryption Scheme.
In secure network protocols such as TLS, SSH, IPSec, communication session begins with handshaking operation, part of which is the key echange operation.
In older versions of the protocol, key exchange operation involved the generation of the session key by one party of the communication, encrypting it by RSA and sending it encrypted to the other party.
In current versions of the protocols, communicating parties use the DH or ECDH key exchange methods, where both communication parties derive the same session key, which they then use for encryption of the useful data.
Understanding RSA Security
The security of RSA relies on the difficulty of integer factorization problem.
Factorization operation is breaking a positive integer number into it’s prime factors.
Currentyl, there is no polynomial-time algorithm for integer factorization that can be run by classical computer.
A typical integer number used in RSA is tens of thousands of decimal digits.
The C language doesn’t have integer types large enough to perform mathematics on big numbers used in RSA. OpenSSL includes a big number sub library. Normally they use the
BN_
prefix.An RSA key consists of several big or small integer numbers called a modulus, an exponent and optionally primes and coefficients. RSA key size is also equivalent to the size of the modulus. An RSA key of 2048-bit modulus, then the size of that RSA key is also 2048 bits.
RSA key size in bits | Security level in bits |
1024 | 80 |
2048 | 112 |
3072 | 128 |
4096 | 152 |
7680 | 192 |
8192 | 200 |
15360 | 256 |
So we can see to reach speeds of AES-256 we need to use 15,360 bits. In RSA the decryption operation is very slow compared to the encryption operation.
NIST recommends using the following sizes for RSA keys:
- At least 2048 bits until 2030
- At least 3072 bits after 2030
Recommended optimum key size is 4096 bits.
Keypairs are save in Privacy Enhanced Mail (PEM) format. PEM is the default format used by OpenSSL for storing keys and certificates.
PEM is base64 wrapping around binary data.
Text Header = BEGIN line
Text Footer = END line
The eypair is in the Distinguished Encoding Rules (DER) format.
The
openssl
tools provides 2 sub-commands for generating RSA keypairs - genrsa
and genpkey
genrsa
is declared deprecated since openSSL 3.0OpenSSL and OKCS standards usually defines a private key as a data structure, holding information sufficient for constructing both private and public keys.
For simplicity, when OpenSSL documentation says keypair it means a private key and when it says a public key, it means just a public key.
Generate RSA Keypair (private key)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out rsa_keypair.pem
Inspect Structure Of Generated Keypair
openssl pkey -in rsa_keypair.pem -noout -text
~/opensslcodes/asymm:openssl pkey -in rsa_keypair.pem -noout -text Private-Key: (4096 bit, 2 primes) modulus: 00:99:60:5f:11:68:0f:7f:90:ce:fd:11:bd:74:fc: 8a:00:e4:d5:10:30:28:a2:e4:fa:69:fb:17:a9:db: 72:e4:5f:c3:79:35:a2:c8:2c:32:55:f5:f9:66:64: c0:32:24:10:ab:6f:44:52:07:e2:7f:1e:80:a2:e9: 15:58:d2:ec:65:8a:be:25:1a:a5:6c:ed:fe:dc:3f: 36:f7:d1:a5:c4:90:58:8a:0b:eb:cb:ce:11:c4:a8: 92:a6:ca:ff:79:6c:4e:39:e3:9a:cb:56:ba:2a:62: b1:10:ab:1d:85:85:3c:9c:e4:70:c3:7e:fa:5f:1d: 18:3e:9a:00:17:1d:8e:17:51:27:d7:4a:d7:85:63: 6e:6e:67:92:8f:b1:45:9e:03:da:97:c9:bd:fc:7b: 7d:37:22:0a:8a:1d:0c:72:8d:95:42:d8:57:06:11: 16:5a:8d:89:67:25:dc:f1:29:64:f8:e7:3b:72:e8: c5:d5:42:82:2b:c0:a5:41:46:be:6a:37:86:65:fc: 8e:09:4b:78:8c:b9:96:8d:18:91:3d:fb:af:58:c6: fb:e4:cd:99:f1:be:be:39:04:6a:6b:7d:24:a2:44: b5:7c:61:e7:e0:dd:57:1a:e8:c7:a6:6d:11:c5:13: 87:c6:e8:cd:a0:17:d8:fd:a3:ca:c8:de:4f:5a:ee: 90:b7:0f:97:f4:d7:99:15:fd:2d:27:98:94:87:a3: b0:d0:5b:e1:62:7c:22:2e:3f:40:ce:62:23:cf:82: 1a:fc:01:66:fd:6e:3c:71:cb:8a:35:40:d0:09:ce: 24:0c:26:e4:3e:ae:1a:38:ad:67:ff:44:82:19:57: 5c:0b:da:a3:c7:38:b2:d3:de:46:78:4e:47:d9:76: 04:14:1a:3d:46:99:e6:e5:53:1b:29:04:24:50:88: a2:c4:1a:65:4e:3d:c5:7f:77:90:2a:6a:d7:38:37: 21:ea:66:49:b1:a4:49:b1:81:95:84:ce:0e:7c:fa: fa:21:10:86:86:dd:c1:81:ef:e5:01:9c:9f:84:5b: 7c:be:a8:39:23:e6:1d:f5:27:bb:9e:8f:f6:61:0e: 8b:00:a4:09:8a:ce:f3:e3:59:bc:d1:cf:c0:55:ae: 37:20:f2:ef:13:01:1a:5e:d5:13:1f:fb:e1:95:fb: 94:ad:ed:38:f3:44:0f:49:9d:7a:de:49:c9:44:63: ae:2d:f3:68:48:45:f6:08:82:50:96:a5:22:7c:18: c4:63:d1:d1:a3:a7:5d:91:b8:3f:2c:e7:05:5b:34: d9:dd:4e:11:6e:87:f5:13:5b:69:2d:8a:2c:a5:d4: b7:52:1a:92:28:d8:a1:86:e9:1d:9f:c1:34:ca:1e: 2d:77:2f publicExponent: 65537 (0x10001) privateExponent: 17:32:5a:9e:7f:7e:5c:92:3c:f9:4c:63:65:86:98: f9:4d:4d:50:c4:9f:d8:bc:73:32:6f:d8:8d:31:7f: 47:bd:43:60:99:1f:e9:fb:63:e4:d9:58:a3:72:58: 6e:72:42:ed:28:07:b8:0a:5b:93:53:3c:81:a7:13: e4:9a:5d:f3:76:3a:3a:28:0a:08:96:ae:d0:31:10: 07:5c:b7:4a:aa:74:21:9e:1a:46:f9:7f:24:1e:ef: 5d:cc:df:8f:9b:35:9c:e4:13:5c:c3:dc:a5:c8:1b: 09:da:2a:13:05:6a:d1:e5:c0:e2:3d:ae:f0:8f:58: c3:db:0c:69:72:93:08:c1:6c:44:fa:46:41:f5:1f: 00:bb:fc:65:6c:1a:60:82:d5:09:80:e8:66:d5:11: c3:dd:60:fa:5b:83:59:98:97:e5:ae:0c:ec:ac:cd: 3f:31:1f:2c:b1:04:20:9b:31:f0:c2:74:1c:cb:1f: 64:98:c9:a6:d9:5c:da:54:5b:3c:7a:f2:57:89:62: 12:a8:cd:ee:26:ac:22:37:2a:d1:aa:37:99:0b:30: 91:fd:c0:80:83:3d:dc:d2:11:fa:f8:c8:7f:71:8f: 2b:3a:84:29:df:aa:aa:b6:0b:15:5c:c8:99:10:52: 48:34:9c:7e:25:2d:30:75:ed:c2:57:26:69:aa:76: cb:65:08:b4:fe:17:1c:2f:75:d5:70:dc:8a:fe:85: 37:c6:26:94:67:ad:70:f5:6b:6d:db:6a:db:19:0e: 5c:b9:35:e9:0f:2d:5e:20:61:a3:bc:12:7c:8c:77: b2:85:c0:82:1e:ba:89:30:eb:e4:e7:24:fd:ad:f1: e8:8c:e4:b7:02:99:e4:20:92:5c:74:70:4f:db:02: 2f:00:3d:5a:13:c3:c6:59:17:ae:a0:c0:0c:2d:2c: b5:20:69:11:4a:73:d4:00:f8:30:2c:dd:70:a5:78: b7:92:d5:64:d2:09:c6:89:18:7b:af:05:32:d0:27: 4c:f0:6c:75:fa:eb:b6:e1:8f:2c:61:3e:7d:52:f3: 61:e8:6d:d7:71:7b:9e:0a:42:b2:c6:bf:da:10:9a: 9b:9d:d7:34:2f:69:c4:38:33:dd:69:5f:5b:a6:7a: 09:5b:b2:31:97:16:1f:22:0f:b4:ff:a5:89:d3:a2: 70:97:9d:ba:bb:b9:47:5b:eb:40:cc:35:a9:a1:b4: b8:7d:5a:d4:26:9b:f7:9d:07:53:47:d5:23:fb:95: e2:bf:23:e4:25:41:d3:39:41:6a:ab:fd:de:c9:ff: 03:b8:3c:60:be:c8:2d:fb:1a:6e:43:a3:48:e7:b2: 4e:bc:97:d9:0d:4a:bc:d6:a4:5c:cc:c1:3e:e2:76: 4d:51 prime1: 00:c8:68:c8:df:31:47:ce:f1:6a:b4:35:3e:a7:6d: 7f:ba:bc:89:5b:ca:4d:3e:85:0b:35:28:ff:30:5f: 0d:02:0e:9b:61:64:9b:22:5e:5f:50:92:e7:00:5f: 49:06:09:73:04:57:cf:bc:ca:40:be:7a:31:43:fa: 4a:ca:70:d4:97:7c:a4:b9:21:d8:6d:4e:d0:0a:fa: 5c:3a:2c:0f:a9:80:bc:fd:8c:0c:ea:11:f7:55:d9: 72:58:f6:c9:1a:e9:70:d8:b4:27:1e:f2:ef:86:00: e2:6e:9c:eb:a2:a2:96:17:e4:b3:fb:85:31:1b:e1: 11:e8:8f:73:86:83:d6:57:ec:67:eb:fc:25:5a:ee: fe:2d:9e:fc:2b:b0:c3:cd:83:25:ce:cb:94:ca:fe: c8:b6:fa:31:18:2e:d1:76:57:d8:f8:32:51:6b:6e: 8f:7f:08:53:32:b1:8d:b4:f0:42:8f:76:42:60:7c: f4:e9:ea:be:4f:f4:46:c7:3f:f0:09:75:90:69:e8: be:24:bc:b5:5d:62:64:64:64:8e:3b:15:08:70:7f: 2c:d9:e6:e5:70:bd:cc:19:4a:1c:89:bd:61:63:df: 90:b0:d5:61:ae:79:fb:d7:db:97:78:a5:13:8d:5c: dc:f7:46:f8:42:24:e3:91:9c:39:9c:32:e1:03:74: 43:1f prime2: 00:c3:eb:bf:71:76:2e:14:d5:ea:26:6d:50:32:c4: 51:19:06:ec:e0:be:00:a3:05:3e:64:09:f7:32:51: ed:ee:ac:9f:2a:36:0b:be:46:32:d0:50:79:36:2a: 9e:4d:ba:c2:74:27:7e:39:19:76:a9:47:a4:17:18: 2f:1c:96:e7:4c:e8:82:90:b5:0a:1d:05:07:cc:c7: 12:eb:81:0d:a7:9d:b6:e0:61:d8:66:89:e8:25:0d: a9:0a:a7:0f:72:86:c3:20:86:dd:20:42:ed:e7:cd: 1c:85:4e:6a:a2:51:f7:ea:7e:36:46:09:5e:0d:bf: 98:0a:a0:9f:c2:b1:2c:32:17:9e:fa:6b:1c:be:21: e6:23:fd:b8:53:2d:bd:fa:97:74:db:1d:cd:81:36: 13:cc:76:1f:5f:ed:fe:a9:0b:0a:92:27:2c:a5:92: ee:bd:a1:29:78:05:ef:23:0c:dc:cb:65:39:2b:c6: e5:ca:db:fc:d8:12:d2:51:94:99:51:5b:68:78:c3: ff:8d:c6:2f:53:b9:68:8a:83:0c:52:b5:ec:10:88: 19:94:82:da:2e:53:58:0c:8f:ea:75:d4:4d:b0:e3: 37:75:8a:06:49:00:a6:16:a6:03:97:eb:23:f3:aa: 83:25:cd:16:27:63:dc:92:0e:56:89:8b:83:41:8b: d9:f1 exponent1: 61:dc:59:0a:33:c4:3e:d7:40:25:93:42:6e:fb:57: 3d:d6:46:b4:9d:ca:ae:56:c5:2c:46:42:a6:5a:23: bd:f7:68:04:5c:de:2c:20:2d:26:e9:35:07:c7:7f: 9f:05:0a:36:fa:b2:24:1c:17:15:6c:11:96:82:27: f7:46:b5:68:eb:a2:7c:0c:7c:e4:93:71:9f:8a:b5: 72:6a:85:93:5d:9b:eb:ab:71:ba:f2:de:f5:fa:e2: 8d:72:a4:ad:11:84:db:2c:cd:55:9d:87:3c:c6:3d: cb:89:b0:be:8f:e9:fe:ec:dc:be:5b:41:a9:bd:73: c3:3e:19:49:7c:23:34:77:ea:1f:1f:d7:15:da:52: 1f:f0:dc:6e:71:38:8b:a8:18:d4:2c:31:12:16:eb: e7:fd:af:ef:81:1d:23:4e:ae:52:34:2f:f1:e7:e1: 06:45:08:6b:5e:ac:35:c8:84:98:0d:45:48:5c:7c: 33:a5:3f:1d:47:c9:30:0e:96:a5:e7:d4:87:02:f1: a6:7a:c7:8d:3c:38:8d:95:54:a6:a1:14:a7:ea:51: fa:6d:77:68:60:25:c3:cb:9e:b7:db:d4:2c:b2:c4: b2:b4:df:a8:15:44:d7:19:11:94:05:f7:d0:35:a2: 68:d5:2c:f1:0f:96:58:4a:13:0f:a5:00:9f:71:2c: 3d exponent2: 00:a7:8b:7a:bb:5f:f2:46:75:2c:f9:51:b0:2c:ca: 00:04:64:0c:bc:a1:1f:d0:49:92:b2:60:67:5a:4c: 00:2a:84:ca:d4:81:45:87:a1:66:a1:08:c0:af:96: c0:ab:fe:53:7e:9b:ab:70:cf:1a:cf:e6:e9:27:aa: d1:d7:24:21:87:7e:aa:f1:6f:30:c7:e2:5e:6a:3b: b0:2d:5f:be:ba:a1:c0:1b:a0:f1:3b:b7:21:a4:56: 4b:42:45:dd:8a:f6:3d:f6:19:ff:0e:30:ce:5c:d5: e6:57:05:d9:61:18:b1:e7:81:a9:8e:39:42:8a:85: 57:53:77:4b:48:66:d5:41:bd:3b:82:31:89:71:fb: 71:61:43:ff:96:7a:5e:a5:e7:51:d2:74:69:22:df: 89:0c:e7:d3:2a:e9:4f:47:66:9e:d2:9f:d7:a9:7c: be:d7:c1:f3:c1:a5:69:7c:d2:ea:1a:b2:64:b2:d0: 34:01:48:21:b0:f2:5f:93:ce:7d:52:ba:d5:db:b8: d9:59:77:ab:4f:71:16:3a:a5:99:2b:3e:52:33:4d: 00:7b:25:6f:ca:00:12:23:24:0b:c0:5a:1f:5a:6e: e5:25:8a:34:97:c7:8b:41:81:15:3f:9c:a1:b1:26: 17:63:83:40:37:cd:49:7a:49:f2:ad:4b:76:a2:de: 23:31 coefficient: 75:85:4c:40:ef:7a:4f:e1:1e:25:3c:15:94:7c:d4: c1:4e:1f:95:90:e8:5b:d4:07:a8:15:65:e4:b5:d3: 3e:9a:dd:b0:b5:9a:c1:a3:f6:0a:3f:18:74:90:72: 3a:5a:d8:08:da:3f:f8:44:d9:3c:75:fe:b7:f3:53: b4:39:d5:09:49:35:0a:dd:de:a2:b9:81:24:67:82: de:d7:06:66:b3:83:71:e3:a9:33:b4:98:3a:27:f4: 72:bb:07:8f:a2:df:e8:c6:3c:41:73:64:ea:31:d7: ed:eb:b2:e4:72:1b:bb:0f:79:42:a7:fc:2f:75:b8: a2:14:0d:3b:66:7f:d5:9f:7b:8c:35:9c:b9:91:af: 61:f7:04:dc:2c:5b:db:99:a1:26:44:a4:45:6b:64: 9f:58:4c:f8:4a:b4:21:53:69:b0:6c:71:89:36:a6: f2:c4:2e:dc:b9:6e:13:f6:a5:2e:29:ee:d4:2e:46: b3:5e:0d:a8:10:f4:79:32:70:2a:1d:23:d9:6e:c9: d5:2b:b7:f0:14:2e:06:a6:d7:69:cd:b4:38:8a:b2: 39:53:80:61:77:7b:4f:8a:a5:0d:59:77:61:25:14: 65:26:54:5c:5d:70:33:2e:5f:ca:7a:6f:5d:3f:36: f5:56:d5:a6:3c:f6:99:e6:95:9f:c5:9a:b7:b6:da: eb
Extracting Public Key From Keypair
openssl pkey -in rsa_keypair.pem -pubout -out rsa_public_key.pem
~/opensslcodes/asymm:openssl pkey -in rsa_keypair.pem -pubout -out rsa_public_key.pem ~/opensslcodes/asymm:ls -lh total 8.0K -rw------- 1 root root 3.2K Jun 7 05:13 rsa_keypair.pem -rw-r--r-- 1 root root 800 Jun 7 13:40 rsa_public_key.pem ~/opensslcodes/asymm: ~/opensslcodes/asymm:cat rsa_public_key.pem -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmWBfEWgPf5DO/RG9dPyK AOTVEDAoouT6afsXqdty5F/DeTWiyCwyVfX5ZmTAMiQQq29EUgfifx6AoukVWNLs ZYq+JRqlbO3+3D8299GlxJBYigvry84RxKiSpsr/eWxOOeOay1a6KmKxEKsdhYU8 nORww376Xx0YPpoAFx2OF1En10rXhWNubmeSj7FFngPal8m9/Ht9NyIKih0Mco2V QthXBhEWWo2JZyXc8Slk+Oc7cujF1UKCK8ClQUa+ajeGZfyOCUt4jLmWjRiRPfuv WMb75M2Z8b6+OQRqa30kokS1fGHn4N1XGujHpm0RxROHxujNoBfY/aPKyN5PWu6Q tw+X9NeZFf0tJ5iUh6Ow0FvhYnwiLj9AzmIjz4Ia/AFm/W48ccuKNUDQCc4kDCbk Pq4aOK1n/0SCGVdcC9qjxziy095GeE5H2XYEFBo9Rpnm5VMbKQQkUIiixBplTj3F f3eQKmrXODch6mZJsaRJsYGVhM4OfPr6IRCGht3Bge/lAZyfhFt8vqg5I+Yd9Se7 no/2YQ6LAKQJis7z41m80c/AVa43IPLvEwEaXtUTH/vhlfuUre0480QPSZ163knJ RGOuLfNoSEX2CIJQlqUifBjEY9HRo6ddkbg/LOcFWzTZ3U4Rbof1E1tpLYospdS3 UhqSKNihhukdn8E0yh4tdy8CAwEAAQ== -----END PUBLIC KEY-----
Inspect Structure Of Generated Public Key
openssl pkey -pubin -in rsa_public_key.pem -noout -text
~/opensslcodes/asymm:openssl pkey -pubin -in rsa_public_key.pem -noout -text Public-Key: (4096 bit) Modulus: 00:99:60:5f:11:68:0f:7f:90:ce:fd:11:bd:74:fc: 8a:00:e4:d5:10:30:28:a2:e4:fa:69:fb:17:a9:db: 72:e4:5f:c3:79:35:a2:c8:2c:32:55:f5:f9:66:64: c0:32:24:10:ab:6f:44:52:07:e2:7f:1e:80:a2:e9: 15:58:d2:ec:65:8a:be:25:1a:a5:6c:ed:fe:dc:3f: 36:f7:d1:a5:c4:90:58:8a:0b:eb:cb:ce:11:c4:a8: 92:a6:ca:ff:79:6c:4e:39:e3:9a:cb:56:ba:2a:62: b1:10:ab:1d:85:85:3c:9c:e4:70:c3:7e:fa:5f:1d: 18:3e:9a:00:17:1d:8e:17:51:27:d7:4a:d7:85:63: 6e:6e:67:92:8f:b1:45:9e:03:da:97:c9:bd:fc:7b: 7d:37:22:0a:8a:1d:0c:72:8d:95:42:d8:57:06:11: 16:5a:8d:89:67:25:dc:f1:29:64:f8:e7:3b:72:e8: c5:d5:42:82:2b:c0:a5:41:46:be:6a:37:86:65:fc: 8e:09:4b:78:8c:b9:96:8d:18:91:3d:fb:af:58:c6: fb:e4:cd:99:f1:be:be:39:04:6a:6b:7d:24:a2:44: b5:7c:61:e7:e0:dd:57:1a:e8:c7:a6:6d:11:c5:13: 87:c6:e8:cd:a0:17:d8:fd:a3:ca:c8:de:4f:5a:ee: 90:b7:0f:97:f4:d7:99:15:fd:2d:27:98:94:87:a3: b0:d0:5b:e1:62:7c:22:2e:3f:40:ce:62:23:cf:82: 1a:fc:01:66:fd:6e:3c:71:cb:8a:35:40:d0:09:ce: 24:0c:26:e4:3e:ae:1a:38:ad:67:ff:44:82:19:57: 5c:0b:da:a3:c7:38:b2:d3:de:46:78:4e:47:d9:76: 04:14:1a:3d:46:99:e6:e5:53:1b:29:04:24:50:88: a2:c4:1a:65:4e:3d:c5:7f:77:90:2a:6a:d7:38:37: 21:ea:66:49:b1:a4:49:b1:81:95:84:ce:0e:7c:fa: fa:21:10:86:86:dd:c1:81:ef:e5:01:9c:9f:84:5b: 7c:be:a8:39:23:e6:1d:f5:27:bb:9e:8f:f6:61:0e: 8b:00:a4:09:8a:ce:f3:e3:59:bc:d1:cf:c0:55:ae: 37:20:f2:ef:13:01:1a:5e:d5:13:1f:fb:e1:95:fb: 94:ad:ed:38:f3:44:0f:49:9d:7a:de:49:c9:44:63: ae:2d:f3:68:48:45:f6:08:82:50:96:a5:22:7c:18: c4:63:d1:d1:a3:a7:5d:91:b8:3f:2c:e7:05:5b:34: d9:dd:4e:11:6e:87:f5:13:5b:69:2d:8a:2c:a5:d4: b7:52:1a:92:28:d8:a1:86:e9:1d:9f:c1:34:ca:1e: 2d:77:2f Exponent: 65537 (0x10001)
Encrypt Session Key with public key
# Let's generate 256-bit session Key openssl rand -out session_key.bin 32 # Encrypt Session Key openssl pkeyutl -encrypt -in session_key.bin -out session_key.bin.encrypted -pubin -inkey rsa_public_key.pem -pkeyopt rsa_padding_mode:oaep
~/opensslcodes/asymm:ls -lh total 8.0K -rw------- 1 root root 3.2K Jun 7 05:13 rsa_keypair.pem -rw-r--r-- 1 root root 800 Jun 7 13:40 rsa_public_key.pem ~/opensslcodes/asymm:openssl rand -out session_key.bin 32 ~/opensslcodes/asymm:cat session_key.bin #1~x =THR~/opensslcodes/asymm: ~/opensslcodes/asymm:openssl pkeyutl -encrypt -in session_key.bin -out session_key.bin.encrypted -pubin -inkey rsa_public_key.pem -pkeyopt rsa_padding_mode:oaep ~/opensslcodes/asymm:ls -lha total 24K drwxr-xr-x 2 root root 4.0K Jun 7 13:48 . drwxr-xr-x 5 root root 4.0K Jun 7 05:07 .. -rw------- 1 root root 3.2K Jun 7 05:13 rsa_keypair.pem -rw-r--r-- 1 root root 800 Jun 7 13:40 rsa_public_key.pem -rw-r--r-- 1 root root 32 Jun 7 13:46 session_key.bin -rw-r--r-- 1 root root 512 Jun 7 13:48 session_key.bin.encrypted ~/opensslcodes/asymm:cat session_key.bin.encrypted 23n\O5[#ΪQaI}eMyYFx\9w,3I̠9x Oa3ݵ%|ϟ"е0#`nGScG5ޫ`^EJe7W RKe/>\R` M"~h11 B(Z]%v! {x<n4.߲ 3E7LB_XA<UN3A]( jo4GgKR|oh2_]
-pkeyopt rsa_padding_mode:oaep
→ Instructs openssl to use PKCS V2.0 Optimal Asymmetric Encryption Padding (OAEP) padding type for RSA Encryption.~/opensslcodes/asymm:cksum session_key.bin* 190170457 32 session_key.bin 583170061 512 session_key.bin.encrypted
Note that the input session key file is only 32 bytes long, but it’s encrypted version is 512 bytes. This is because RSA’s output ciphertext block is the same size as the RSA key size used.
Encrypting the same file different times will give the same size but a different checksum everytime. This is because even though RSA encryption is deterministic the padding algorithm used is non-deterministic.
Decrypting The Session Key
openssl pkeyutl -decrypt -in session_key.bin.encrypted -out session_key.bin.decrypted -inkey rsa_keypair.pem -pkeyopt rsa_padding_mode:oaep
~/opensslcodes/asymm:ls -lh total 124K -rw------- 1 root root 3.2K Jun 7 05:13 rsa_keypair.pem -rw-r--r-- 1 root root 800 Jun 7 13:40 rsa_public_key.pem -rw-r--r-- 1 root root 32 Jun 7 13:46 session_key.bin -rw-r--r-- 1 root root 512 Jun 7 13:48 session_key.bin.encrypted -rw-r--r-- 1 root root 107K Jun 7 13:55 somefile.txt -rw-r--r-- 1 root root 0 Jun 7 13:56 somefile.txt.encrypted ~/opensslcodes/asymm: ~/opensslcodes/asymm:openssl pkeyutl -decrypt -in session_key.bin.encrypted -out session_key.bin.decrypted -inkey rsa_keypair.pem -pkeyopt rsa_padding_mode:oaep ~/opensslcodes/asymm: ~/opensslcodes/asymm:cksum session_key.bin* 190170457 32 session_key.bin 190170457 32 session_key.bin.decrypted 583170061 512 session_key.bin.encrypted
Encrypting File Larger Than Key Length
# Generate 100 KB File seq 20000 > somefile.txt # Encryption openssl pkeyutl -encrypt -in somefile.txt -out somefile.txt.encrypted -pubin -inkey rsa_public_key.pem -pkeyopt rsa_padding_mode:oaep
~/opensslcodes/asymm:ls -lh total 16K -rw------- 1 root root 3.2K Jun 7 05:13 rsa_keypair.pem -rw-r--r-- 1 root root 800 Jun 7 13:40 rsa_public_key.pem -rw-r--r-- 1 root root 32 Jun 7 13:46 session_key.bin -rw-r--r-- 1 root root 512 Jun 7 13:48 session_key.bin.encrypted ~/opensslcodes/asymm: ~/opensslcodes/asymm: ~/opensslcodes/asymm:seq 20000 > somefile.txt ~/opensslcodes/asymm: ~/opensslcodes/asymm: ~/opensslcodes/asymm:ls -lh total 124K -rw------- 1 root root 3.2K Jun 7 05:13 rsa_keypair.pem -rw-r--r-- 1 root root 800 Jun 7 13:40 rsa_public_key.pem -rw-r--r-- 1 root root 32 Jun 7 13:46 session_key.bin -rw-r--r-- 1 root root 512 Jun 7 13:48 session_key.bin.encrypted -rw-r--r-- 1 root root 107K Jun 7 13:55 somefile.txt ~/opensslcodes/asymm: ~/opensslcodes/asymm: ~/opensslcodes/asymm:openssl pkeyutl -encrypt -in somefile.txt -out somefile.txt.encrypted -pubin -inkey rsa_public_key.pem -pkeyopt rsa_padding_mode:oaep Public Key operation error 40F7946400700000:error:0200006E:rsa routines:ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex:data too large for key size:../crypto/rsa/rsa_oaep.c:87: ~/opensslcodes/asymm:
We get an error. This is because RSA cannot encrypt anything anylonger than its key length during one operation. If you use padding than it becomes even shorter.