OpenSSL
What is OpenSSL
OpenSSL is a library used for communication and is used for encrypting and decrypting messages and files for security purposes.
The general syntax for the terminal interface for the program is:
openssl command [ command_options ] [ command_args ]To generate a private RSA key you will need to use this command:
openssl genrsa -out private.pem [ bit count ]Above, genrsa instructs openssl to create an RSA key named private.pem. Another common extension instead of *.pem is *.key. The [ bit count ] specifies how large the key should be, default is usually 512, but that is quite insecure these days.
If you want to generate a public key from a previous one created, the syntax is:
openssl rsa -in private.pem -pubout > public.pemThe command above, rsa reads from the private key private.pem and outputs it to a public key file named public.pem.
If you need to sign documents or files with a private key, then you will need to use the following syntax. Note that it uses the cryptography function sha1. However, others exist like sha256, sha384 and sha512. Additionally the example below uses a *.txt file, but files of any extension can be encrypted or indeed no extensions.
openssl dgst -sha1 -sign private.pem -out sha1.sign your_document.txtSpecifically the syntax above embeds the private key in the document your_document.txt by signing it using the signature sha1.sign.
To verify a public key together with a signature when decyprting a message, the syntax to use is:
openssl dgst -sha1 -verify public.pem -signature sha1.sign your_document.txtAfter generating keys and verifying your signature, the next step is to encrypt a document. Following the steps above this can be achieved in the following way:
openssl rsautl -encrypt -pubin -inkey public.pem -ssl -in your_document.txt -out your_encrypted_document.txtThe syntax above is quite a bit more involved. The rsautl command can be used to sign, verify, encrypt and decrypt data by using the RSA algorith. The argument -encrypt is used to encrypt the input data using the RSA public key. The argument pubin signifies the input file is an RSA public key. The argument -inkey denotes the name of the keyfile. Finally, the argument -ssl denotes what padding to use. The remainder of the command identifies the file to encrypt and names the crypted file.
To decrypt a file using a key provided by another user, you will need to use the following syntax:
openssl rsautl -decrypt -inkey user_public_key.pem -in user_document.txt -out user_decrypted_document.txtThis syntax has -decrypt to imply to openssl to decrypt the input data by using the RSA public key provided. The remainder of the command identifies the file to decrypt and names the decrypted file.
Of course, there are many different types of encryption and decryption methods that can be used dependent on needs. However, the RSA method is the most popular and simplest to use. Feel free to review the official OpenSSL Documentation Links to an external site. for further exploration.
Example of the workflow to encrypt and verify SSL messages
mit/module11_client-server on main
❯ openssl genrsa -out myprivate.pem 512
Generating RSA private key, 512 bit long modulus
........+++++++++++++++++++++++++++
..........+++++++++++++++++++++++++++
e is 65537 (0x10001)
mit/module11_client-server on main [?]
❯ openssl rsa -in myprivate.pem -pubout > mypublic.pem
writing RSA key
mit/module11_client-server on main [?]
❯ echo "Hello World!" > hello.txt
mit/module11_client-server on main [?]
❯ touch hello.txt
mit/module11_client-server on main [?]
❯ echo "Hello World > hello.txt
mit/module11_client-server on main [?]
❯ echo "Hello World!" > hello.txt
mit/module11_client-server on main [?]
❯ echo "Hello World > hello.txt
mit/module11_client-server on main [?]
❯ openssl dgst -sha1 -sign myprivate.pem -out sh1.sign hello.txt
mit/module11_client-server on main [?]
❯ openssl dgst -sha1 -verify mypublic.pem -signature sh1.sign hello.txt
Verified OK
mit/module11_client-server on main [?]
❯