Pages

Tuesday, June 30, 2020

TLS1.2 vs TLS1.3


TLS1.2 




In case of TLS1.2 RSA is used for symmetric key encrypting and exchange and no PFS. If someone find server private key they can decrypt symmetric key and read the content.


TLS1.3


In TLS 1.2 we have two round of message exchange whereas in TLS1.3 there is one round of message exchange.

In TLS 1.3 DH is used for symmetric key exchange and PFS is supported.







Posted by at No comments:

Sunday, June 28, 2020

OpenSSL

####Encryption and decryption using Openssl

root@EP-Inside:~# openssl version
OpenSSL 1.0.1f 6 Jan 2014
root@EP-Inside:~# 
root@EP-Inside:~# openssl list -cipher -commands
openssl:Error: 'list' is an invalid command.

Standard commands
asn1parse         ca                ciphers           cms               
crl               crl2pkcs7         dgst              dh                
dhparam           dsa               dsaparam          ec                
ecparam           enc               engine            errstr            
gendh             gendsa            genpkey           genrsa            
nseq              ocsp              passwd            pkcs12            
pkcs7             pkcs8             pkey              pkeyparam         
pkeyutl           prime             rand              req               
rsa               rsautl            s_client          s_server          
s_time            sess_id           smime             speed             
spkac             srp               ts                verify            
version           x509              

Message Digest commands (see the `dgst' command for more details)
md4               md5               rmd160            sha               
sha1              

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       base64            bf                
bf-cbc            bf-cfb            bf-ecb            bf-ofb            
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb  
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc          
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb         
des               des-cbc           des-cfb           des-ecb           
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb       
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb      
des-ofb           des3              desx              rc2               
rc2-40-cbc        rc2-64-cbc        rc2-cbc           rc2-cfb           
rc2-ecb           rc2-ofb           rc4               rc4-40            
seed              seed-cbc          seed-cfb          seed-ecb          
seed-ofb          

root@EP-Inside:~# 
root@EP-Inside:~# 
root@EP-Inside:~# 
root@EP-Inside:~# 
root@EP-Inside:~# vi msg



##openssl using symmetric encryption

Encrypt using enc
root@EP-Inside:~# openssl enc -aes-256-cbc -base64 -in msg
enter aes-256-cbc encryption password:pass
Verifying - enter aes-256-cbc encryption password:pass
U2FsdGVkX194KOvk95omFCs4EStJY3FQXeV0Nq88vfLv/CBgZCiEwjbKJ48l/vXm
RUdt2WdhSQ76P2RyHOTHIw==


### if want to redirect to output file
root@EP-Inside:~# openssl enc -aes-256-cbc -base64 -in msg -out enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
root@EP-Inside:~# 
root@EP-Inside:~# 
root@EP-Inside:~# cat msg

Hello to everyone, How are you there!!
root@EP-Inside:~# cat enc
U2FsdGVkX1+ywB0N9km8ZXCEDnbl+Sa92nI59JhCTOLPZS78oH8X4rEcFOlmvdNW
vB/ZL8Uv2lEWISyV2ic/2A==

###if you want to decrypt using -d
root@EP-Inside:~# openssl enc -aes-256-cbc -d  -base64 -in enc
enter aes-256-cbc decryption password:

Hello to everyone, How are you there!!
root@EP-Inside:~# openssl enc -aes-256-cbc -d  -base64 -in enc -out dec
enter aes-256-cbc decryption password:
root@EP-Inside:~# 


##openssl using asymmetric encryption

## create two directory say A and B and generate rsa public and private keys for both users A and B


root@EP-Inside:~# mkdir A
root@EP-Inside:~# mkdir B
root@EP-Inside:~# 
root@EP-Inside:~# cd A
root@EP-Inside:~# cd A
root@EP-Inside:~/A# 
root@EP-Inside:~/A# 

root@EP-Inside:~/A# openssl genrsa -out keypair.pem 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.......................................................................................................................+++
e is 65537 (0x10001)
root@EP-Inside:~/A# 
root@EP-Inside:~/A# 
root@EP-Inside:~/A# cd ../B
root@EP-Inside:~/B# 
root@EP-Inside:~/B# 
root@EP-Inside:~/B# openssl genrsa -out keypair.pem 2048
Generating RSA private key, 2048 bit long modulus
.......+++
..........................................................................+++
e is 65537 (0x10001)
root@EP-Inside:~/B# 
root@EP-Inside:~/B# 
root@EP-Inside:~/B# 


## This will show only private key

root@EP-Inside:~/A# cat keypair.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEApViq6sA2/wSvPW4D6wwyMGeeHL0XvKuf1+0dxYxtgQY6vKjM
6ZXdXJ+lBMGs0jYLlntyGu1QJKe9XBv6A0OpoD2TXL4iJ2U/BdA77UoqhUgQIwFH
XXgLVq0w6ShnSyz+eI74WxHfNPwV0jTbVN806u63RmIIS2auJYCoKaSwIF1+KLBV
jbAyAUhLqByWoQK4qLcc8WuPvrkr1A07eVh8OAXqDDtlFkqKdKFFjvNekb07BR20
QoAMTf/FJ+f/kNkY9InrHLcLLuJ2ZpPyGPiR81e/PyV1MaPQYa/+JC7jT3NKVPWR
W+BXTP86tFssVK2aHXoHPR/u1dhugsTCjZJdgwIDAQABAoIBACSAgpr4fCuoWRdy
piLJunq9JUaq6AaazNraWew2qCYHvgfQLAyVLR05kTCPoRt3Gu/JqNMQ+NRew4sG
EheOZHAfp9ydjOStkVAzPEeSS/jIg+d2bM7RpY8pBNc0ODl8YWE0DtfsBh6oWBjj
2lfOPtxufr9m/PXIYUGeOYGX/dnm7wx7SYKHvAyXLVoWUR9hjts0Q/89Ewn82hLn
NJDeeR13NqP2qoi91RK8eQitBQtoZOrKVNB1MOdmXDQmvsoGprU7tRWJrtrM551Y
v7Y7GjS43WshIuYbCCLRhIXHmHziOAjQXPdMX4lrjq64v3F/UzgemziDdFM+k+96
AMCgfiECgYEA0V9sLiFHPsfHe3pm86ALTwe+7UpkoCUJPYLzr0hl+4tRmkqtHep5
RGcve0FROy/CKxtEuJLZq7BKHVpEddizFhwCYp0AcaQOWyRBsNJmrylj0aOv9p6Q
RHscgj8nP7xL3aAPGj4UMV9snBisvdtD0rWBCBt8uKM7zZPTMstfdT0CgYEAyitA
Od000AryF7YsV/NCU2QwCxHPejK1c0+XQbuLoPMxOxqR6goM6Az+EviF8EY18Vov
Dgns/RfiLmBgvkr8K0LvZIWuK54Dadozuz4G31LsLPPihpXxrOu2q/bvLkn+W5iC
/gXsBLOxefnlPs08HXsM02gnntQ3Ae6gTj5Ryb8CgYAH9UOMYVFu7nMDm3xsSCoF
3/p+1HQMrjuyrdaLVAokTIBWh/4ag/4F/pIMckgfIsqTjt7G0TYa04GNqg+uFwV/
kqL4kpUgvKabCj7A9M5YXA9iOYGHszEymSdVQAdC4epUSzAnxDJKSiE7sahnMv1Z
9fIol7re3b15K+Q8KwS+1QKBgAv+ZOEJ7ogpHhOqCxdspxKrbu45MEXfnEQrBJ4x
sibqRpFrEh0AW6OooaoedFO81pZq8z+x9w1MzW5S6WpgqHUok2szQxHzXeB5wXfq
Rh4ZnUlNbrLtUlkf4sZw79+fJCfq9Fp9n3Ln9i92U9NV+asGEcy48SDLFjhXH8uE
hvWhAoGBAJ+T3ZO/x9FAU3UJEHRwgHF8JWPaDaZ/LsHBkxC6zrtFjaV0+U3Zb1Us
3kIcW60OvbOHEKvgcyldji4zXu9yGeH9FDsKFvC2Fi/qI0piAJDke3VIq4qoB0ZZ
TdivGSwGokcZBrH6SPieZajVPfOcO8bV7VPkM9/VrmqSmbNvAwcX
-----END RSA PRIVATE KEY-----
root@EP-Inside:~/A# 


To see both public and private keys:

root@EP-Inside:~/A# openssl rsa -in keypair.pem -text
Private-Key: (2048 bit)
modulus:
    00:a5:58:aa:ea:c0:36:ff:04:af:3d:6e:03:eb:0c:
    32:30:67:9e:1c:bd:17:bc:ab:9f:d7:ed:1d:c5:8c:
    6d:81:06:3a:bc:a8:cc:e9:95:dd:5c:9f:a5:04:c1:
    ac:d2:36:0b:96:7b:72:1a:ed:50:24:a7:bd:5c:1b:
    fa:03:43:a9:a0:3d:93:5c:be:22:27:65:3f:05:d0:
    3b:ed:4a:2a:85:48:10:23:01:47:5d:78:0b:56:ad:
    30:e9:28:67:4b:2c:fe:78:8e:f8:5b:11:df:34:fc:
    15:d2:34:db:54:df:34:ea:ee:b7:46:62:08:4b:66:
    ae:25:80:a8:29:a4:b0:20:5d:7e:28:b0:55:8d:b0:
    32:01:48:4b:a8:1c:96:a1:02:b8:a8:b7:1c:f1:6b:
    8f:be:b9:2b:d4:0d:3b:79:58:7c:38:05:ea:0c:3b:
    65:16:4a:8a:74:a1:45:8e:f3:5e:91:bd:3b:05:1d:
    b4:42:80:0c:4d:ff:c5:27:e7:ff:90:d9:18:f4:89:
    eb:1c:b7:0b:2e:e2:76:66:93:f2:18:f8:91:f3:57:
    bf:3f:25:75:31:a3:d0:61:af:fe:24:2e:e3:4f:73:
    4a:54:f5:91:5b:e0:57:4c:ff:3a:b4:5b:2c:54:ad:
    9a:1d:7a:07:3d:1f:ee:d5:d8:6e:82:c4:c2:8d:92:
    5d:83
publicExponent: 65537 (0x10001)
privateExponent:
    24:80:82:9a:f8:7c:2b:a8:59:17:72:a6:22:c9:ba:
    7a:bd:25:46:aa:e8:06:9a:cc:da:da:59:ec:36:a8:
    26:07:be:07:d0:2c:0c:95:2d:1d:39:91:30:8f:a1:
    1b:77:1a:ef:c9:a8:d3:10:f8:d4:5e:c3:8b:06:12:
    17:8e:64:70:1f:a7:dc:9d:8c:e4:ad:91:50:33:3c:
    47:92:4b:f8:c8:83:e7:76:6c:ce:d1:a5:8f:29:04:
    d7:34:38:39:7c:61:61:34:0e:d7:ec:06:1e:a8:58:
    18:e3:da:57:ce:3e:dc:6e:7e:bf:66:fc:f5:c8:61:
    41:9e:39:81:97:fd:d9:e6:ef:0c:7b:49:82:87:bc:
    0c:97:2d:5a:16:51:1f:61:8e:db:34:43:ff:3d:13:
    09:fc:da:12:e7:34:90:de:79:1d:77:36:a3:f6:aa:
    88:bd:d5:12:bc:79:08:ad:05:0b:68:64:ea:ca:54:
    d0:75:30:e7:66:5c:34:26:be:ca:06:a6:b5:3b:b5:
    15:89:ae:da:cc:e7:9d:58:bf:b6:3b:1a:34:b8:dd:
    6b:21:22:e6:1b:08:22:d1:84:85:c7:98:7c:e2:38:
    08:d0:5c:f7:4c:5f:89:6b:8e:ae:b8:bf:71:7f:53:
    38:1e:9b:38:83:74:53:3e:93:ef:7a:00:c0:a0:7e:
    21
prime1:
    00:d1:5f:6c:2e:21:47:3e:c7:c7:7b:7a:66:f3:a0:
    0b:4f:07:be:ed:4a:64:a0:25:09:3d:82:f3:af:48:
    65:fb:8b:51:9a:4a:ad:1d:ea:79:44:67:2f:7b:41:
    51:3b:2f:c2:2b:1b:44:b8:92:d9:ab:b0:4a:1d:5a:
    44:75:d8:b3:16:1c:02:62:9d:00:71:a4:0e:5b:24:
    41:b0:d2:66:af:29:63:d1:a3:af:f6:9e:90:44:7b:
    1c:82:3f:27:3f:bc:4b:dd:a0:0f:1a:3e:14:31:5f:
    6c:9c:18:ac:bd:db:43:d2:b5:81:08:1b:7c:b8:a3:
    3b:cd:93:d3:32:cb:5f:75:3d
prime2:
    00:ca:2b:40:39:dd:34:d0:0a:f2:17:b6:2c:57:f3:
    42:53:64:30:0b:11:cf:7a:32:b5:73:4f:97:41:bb:
    8b:a0:f3:31:3b:1a:91:ea:0a:0c:e8:0c:fe:12:f8:
    85:f0:46:35:f1:5a:2f:0e:09:ec:fd:17:e2:2e:60:
    60:be:4a:fc:2b:42:ef:64:85:ae:2b:9e:03:69:da:
    33:bb:3e:06:df:52:ec:2c:f3:e2:86:95:f1:ac:eb:
    b6:ab:f6:ef:2e:49:fe:5b:98:82:fe:05:ec:04:b3:
    b1:79:f9:e5:3e:cd:3c:1d:7b:0c:d3:68:27:9e:d4:
    37:01:ee:a0:4e:3e:51:c9:bf
exponent1:
    07:f5:43:8c:61:51:6e:ee:73:03:9b:7c:6c:48:2a:
    05:df:fa:7e:d4:74:0c:ae:3b:b2:ad:d6:8b:54:0a:
    24:4c:80:56:87:fe:1a:83:fe:05:fe:92:0c:72:48:
    1f:22:ca:93:8e:de:c6:d1:36:1a:d3:81:8d:aa:0f:
    ae:17:05:7f:92:a2:f8:92:95:20:bc:a6:9b:0a:3e:
    c0:f4:ce:58:5c:0f:62:39:81:87:b3:31:32:99:27:
    55:40:07:42:e1:ea:54:4b:30:27:c4:32:4a:4a:21:
    3b:b1:a8:67:32:fd:59:f5:f2:28:97:ba:de:dd:bd:
    79:2b:e4:3c:2b:04:be:d5
exponent2:
    0b:fe:64:e1:09:ee:88:29:1e:13:aa:0b:17:6c:a7:
    12:ab:6e:ee:39:30:45:df:9c:44:2b:04:9e:31:b2:
    26:ea:46:91:6b:12:1d:00:5b:a3:a8:a1:aa:1e:74:
    53:bc:d6:96:6a:f3:3f:b1:f7:0d:4c:cd:6e:52:e9:
    6a:60:a8:75:28:93:6b:33:43:11:f3:5d:e0:79:c1:
    77:ea:46:1e:19:9d:49:4d:6e:b2:ed:52:59:1f:e2:
    c6:70:ef:df:9f:24:27:ea:f4:5a:7d:9f:72:e7:f6:
    2f:76:53:d3:55:f9:ab:06:11:cc:b8:f1:20:cb:16:
    38:57:1f:cb:84:86:f5:a1
coefficient:
    00:9f:93:dd:93:bf:c7:d1:40:53:75:09:10:74:70:
    80:71:7c:25:63:da:0d:a6:7f:2e:c1:c1:93:10:ba:
    ce:bb:45:8d:a5:74:f9:4d:d9:6f:55:2c:de:42:1c:
    5b:ad:0e:bd:b3:87:10:ab:e0:73:29:5d:8e:2e:33:
    5e:ef:72:19:e1:fd:14:3b:0a:16:f0:b6:16:2f:ea:
    23:4a:62:00:90:e4:7b:75:48:ab:8a:a8:07:46:59:
    4d:d8:af:19:2c:06:a2:47:19:06:b1:fa:48:f8:9e:
    65:a8:d5:3d:f3:9c:3b:c6:d5:ed:53:e4:33:df:d5:
    ae:6a:92:99:b3:6f:03:07:17
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEApViq6sA2/wSvPW4D6wwyMGeeHL0XvKuf1+0dxYxtgQY6vKjM
6ZXdXJ+lBMGs0jYLlntyGu1QJKe9XBv6A0OpoD2TXL4iJ2U/BdA77UoqhUgQIwFH
XXgLVq0w6ShnSyz+eI74WxHfNPwV0jTbVN806u63RmIIS2auJYCoKaSwIF1+KLBV
jbAyAUhLqByWoQK4qLcc8WuPvrkr1A07eVh8OAXqDDtlFkqKdKFFjvNekb07BR20
QoAMTf/FJ+f/kNkY9InrHLcLLuJ2ZpPyGPiR81e/PyV1MaPQYa/+JC7jT3NKVPWR
W+BXTP86tFssVK2aHXoHPR/u1dhugsTCjZJdgwIDAQABAoIBACSAgpr4fCuoWRdy
piLJunq9JUaq6AaazNraWew2qCYHvgfQLAyVLR05kTCPoRt3Gu/JqNMQ+NRew4sG
EheOZHAfp9ydjOStkVAzPEeSS/jIg+d2bM7RpY8pBNc0ODl8YWE0DtfsBh6oWBjj
2lfOPtxufr9m/PXIYUGeOYGX/dnm7wx7SYKHvAyXLVoWUR9hjts0Q/89Ewn82hLn
NJDeeR13NqP2qoi91RK8eQitBQtoZOrKVNB1MOdmXDQmvsoGprU7tRWJrtrM551Y
v7Y7GjS43WshIuYbCCLRhIXHmHziOAjQXPdMX4lrjq64v3F/UzgemziDdFM+k+96
AMCgfiECgYEA0V9sLiFHPsfHe3pm86ALTwe+7UpkoCUJPYLzr0hl+4tRmkqtHep5
RGcve0FROy/CKxtEuJLZq7BKHVpEddizFhwCYp0AcaQOWyRBsNJmrylj0aOv9p6Q
RHscgj8nP7xL3aAPGj4UMV9snBisvdtD0rWBCBt8uKM7zZPTMstfdT0CgYEAyitA
Od000AryF7YsV/NCU2QwCxHPejK1c0+XQbuLoPMxOxqR6goM6Az+EviF8EY18Vov
Dgns/RfiLmBgvkr8K0LvZIWuK54Dadozuz4G31LsLPPihpXxrOu2q/bvLkn+W5iC
/gXsBLOxefnlPs08HXsM02gnntQ3Ae6gTj5Ryb8CgYAH9UOMYVFu7nMDm3xsSCoF
3/p+1HQMrjuyrdaLVAokTIBWh/4ag/4F/pIMckgfIsqTjt7G0TYa04GNqg+uFwV/
kqL4kpUgvKabCj7A9M5YXA9iOYGHszEymSdVQAdC4epUSzAnxDJKSiE7sahnMv1Z
9fIol7re3b15K+Q8KwS+1QKBgAv+ZOEJ7ogpHhOqCxdspxKrbu45MEXfnEQrBJ4x
sibqRpFrEh0AW6OooaoedFO81pZq8z+x9w1MzW5S6WpgqHUok2szQxHzXeB5wXfq
Rh4ZnUlNbrLtUlkf4sZw79+fJCfq9Fp9n3Ln9i92U9NV+asGEcy48SDLFjhXH8uE
hvWhAoGBAJ+T3ZO/x9FAU3UJEHRwgHF8JWPaDaZ/LsHBkxC6zrtFjaV0+U3Zb1Us
3kIcW60OvbOHEKvgcyldji4zXu9yGeH9FDsKFvC2Fi/qI0piAJDke3VIq4qoB0ZZ
TdivGSwGokcZBrH6SPieZajVPfOcO8bV7VPkM9/VrmqSmbNvAwcX
-----END RSA PRIVATE KEY-----
root@EP-Inside:~/A# 


## this shows everything except base64 format
root@EP-Inside:~/A# openssl rsa -in keypair.pem -text -noout
Private-Key: (2048 bit)
modulus:
    00:a5:58:aa:ea:c0:36:ff:04:af:3d:6e:03:eb:0c:
    32:30:67:9e:1c:bd:17:bc:ab:9f:d7:ed:1d:c5:8c:
    6d:81:06:3a:bc:a8:cc:e9:95:dd:5c:9f:a5:04:c1:
    ac:d2:36:0b:96:7b:72:1a:ed:50:24:a7:bd:5c:1b:
    fa:03:43:a9:a0:3d:93:5c:be:22:27:65:3f:05:d0:
    3b:ed:4a:2a:85:48:10:23:01:47:5d:78:0b:56:ad:
    30:e9:28:67:4b:2c:fe:78:8e:f8:5b:11:df:34:fc:
    15:d2:34:db:54:df:34:ea:ee:b7:46:62:08:4b:66:
    ae:25:80:a8:29:a4:b0:20:5d:7e:28:b0:55:8d:b0:
    32:01:48:4b:a8:1c:96:a1:02:b8:a8:b7:1c:f1:6b:
    8f:be:b9:2b:d4:0d:3b:79:58:7c:38:05:ea:0c:3b:
    65:16:4a:8a:74:a1:45:8e:f3:5e:91:bd:3b:05:1d:
    b4:42:80:0c:4d:ff:c5:27:e7:ff:90:d9:18:f4:89:
    eb:1c:b7:0b:2e:e2:76:66:93:f2:18:f8:91:f3:57:
    bf:3f:25:75:31:a3:d0:61:af:fe:24:2e:e3:4f:73:
    4a:54:f5:91:5b:e0:57:4c:ff:3a:b4:5b:2c:54:ad:
    9a:1d:7a:07:3d:1f:ee:d5:d8:6e:82:c4:c2:8d:92:
    5d:83
publicExponent: 65537 (0x10001)
privateExponent:
    24:80:82:9a:f8:7c:2b:a8:59:17:72:a6:22:c9:ba:
    7a:bd:25:46:aa:e8:06:9a:cc:da:da:59:ec:36:a8:
    26:07:be:07:d0:2c:0c:95:2d:1d:39:91:30:8f:a1:
    1b:77:1a:ef:c9:a8:d3:10:f8:d4:5e:c3:8b:06:12:
    17:8e:64:70:1f:a7:dc:9d:8c:e4:ad:91:50:33:3c:
    47:92:4b:f8:c8:83:e7:76:6c:ce:d1:a5:8f:29:04:
    d7:34:38:39:7c:61:61:34:0e:d7:ec:06:1e:a8:58:
    18:e3:da:57:ce:3e:dc:6e:7e:bf:66:fc:f5:c8:61:
    41:9e:39:81:97:fd:d9:e6:ef:0c:7b:49:82:87:bc:
    0c:97:2d:5a:16:51:1f:61:8e:db:34:43:ff:3d:13:
    09:fc:da:12:e7:34:90:de:79:1d:77:36:a3:f6:aa:
    88:bd:d5:12:bc:79:08:ad:05:0b:68:64:ea:ca:54:
    d0:75:30:e7:66:5c:34:26:be:ca:06:a6:b5:3b:b5:
    15:89:ae:da:cc:e7:9d:58:bf:b6:3b:1a:34:b8:dd:
    6b:21:22:e6:1b:08:22:d1:84:85:c7:98:7c:e2:38:
    08:d0:5c:f7:4c:5f:89:6b:8e:ae:b8:bf:71:7f:53:
    38:1e:9b:38:83:74:53:3e:93:ef:7a:00:c0:a0:7e:
    21
prime1:
    00:d1:5f:6c:2e:21:47:3e:c7:c7:7b:7a:66:f3:a0:
    0b:4f:07:be:ed:4a:64:a0:25:09:3d:82:f3:af:48:
    65:fb:8b:51:9a:4a:ad:1d:ea:79:44:67:2f:7b:41:
    51:3b:2f:c2:2b:1b:44:b8:92:d9:ab:b0:4a:1d:5a:
    44:75:d8:b3:16:1c:02:62:9d:00:71:a4:0e:5b:24:
    41:b0:d2:66:af:29:63:d1:a3:af:f6:9e:90:44:7b:
    1c:82:3f:27:3f:bc:4b:dd:a0:0f:1a:3e:14:31:5f:
    6c:9c:18:ac:bd:db:43:d2:b5:81:08:1b:7c:b8:a3:
    3b:cd:93:d3:32:cb:5f:75:3d
prime2:
    00:ca:2b:40:39:dd:34:d0:0a:f2:17:b6:2c:57:f3:
    42:53:64:30:0b:11:cf:7a:32:b5:73:4f:97:41:bb:
    8b:a0:f3:31:3b:1a:91:ea:0a:0c:e8:0c:fe:12:f8:
    85:f0:46:35:f1:5a:2f:0e:09:ec:fd:17:e2:2e:60:
    60:be:4a:fc:2b:42:ef:64:85:ae:2b:9e:03:69:da:
    33:bb:3e:06:df:52:ec:2c:f3:e2:86:95:f1:ac:eb:
    b6:ab:f6:ef:2e:49:fe:5b:98:82:fe:05:ec:04:b3:
    b1:79:f9:e5:3e:cd:3c:1d:7b:0c:d3:68:27:9e:d4:
    37:01:ee:a0:4e:3e:51:c9:bf
exponent1:
    07:f5:43:8c:61:51:6e:ee:73:03:9b:7c:6c:48:2a:
    05:df:fa:7e:d4:74:0c:ae:3b:b2:ad:d6:8b:54:0a:
    24:4c:80:56:87:fe:1a:83:fe:05:fe:92:0c:72:48:
    1f:22:ca:93:8e:de:c6:d1:36:1a:d3:81:8d:aa:0f:
    ae:17:05:7f:92:a2:f8:92:95:20:bc:a6:9b:0a:3e:
    c0:f4:ce:58:5c:0f:62:39:81:87:b3:31:32:99:27:
    55:40:07:42:e1:ea:54:4b:30:27:c4:32:4a:4a:21:
    3b:b1:a8:67:32:fd:59:f5:f2:28:97:ba:de:dd:bd:
    79:2b:e4:3c:2b:04:be:d5
exponent2:
    0b:fe:64:e1:09:ee:88:29:1e:13:aa:0b:17:6c:a7:
    12:ab:6e:ee:39:30:45:df:9c:44:2b:04:9e:31:b2:
    26:ea:46:91:6b:12:1d:00:5b:a3:a8:a1:aa:1e:74:
    53:bc:d6:96:6a:f3:3f:b1:f7:0d:4c:cd:6e:52:e9:
    6a:60:a8:75:28:93:6b:33:43:11:f3:5d:e0:79:c1:
    77:ea:46:1e:19:9d:49:4d:6e:b2:ed:52:59:1f:e2:
    c6:70:ef:df:9f:24:27:ea:f4:5a:7d:9f:72:e7:f6:
    2f:76:53:d3:55:f9:ab:06:11:cc:b8:f1:20:cb:16:
    38:57:1f:cb:84:86:f5:a1
coefficient:
    00:9f:93:dd:93:bf:c7:d1:40:53:75:09:10:74:70:
    80:71:7c:25:63:da:0d:a6:7f:2e:c1:c1:93:10:ba:
    ce:bb:45:8d:a5:74:f9:4d:d9:6f:55:2c:de:42:1c:
    5b:ad:0e:bd:b3:87:10:ab:e0:73:29:5d:8e:2e:33:
    5e:ef:72:19:e1:fd:14:3b:0a:16:f0:b6:16:2f:ea:
    23:4a:62:00:90:e4:7b:75:48:ab:8a:a8:07:46:59:
    4d:d8:af:19:2c:06:a2:47:19:06:b1:fa:48:f8:9e:
    65:a8:d5:3d:f3:9c:3b:c6:d5:ed:53:e4:33:df:d5:
    ae:6a:92:99:b3:6f:03:07:17
root@EP-Inside:~/A# 


lets rename keypair as A and B

oot@EP-Inside:~/A# rm keypair.pem
root@EP-Inside:~/A# 
root@EP-Inside:~/A# 
root@EP-Inside:~/A# openssl genrsa -out keypairA.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
......+++
e is 65537 (0x10001)
root@EP-Inside:~/A# 
root@EP-Inside:~/A# 
root@EP-Inside:~/A# 


root@EP-Inside:~/B# openssl genrsa -out keypairB.pem 2048
Generating RSA private key, 2048 bit long modulus
.............................................................................................+++
.................+++
e is 65537 (0x10001)
root@EP-Inside:~/B# 


# we want to share public key with others so lets share public key in some file.

root@EP-Inside:~/A# openssl rsa -in keypairA.pem -pubout -out publicA.pem
writing RSA key
root@EP-Inside:~/A# 
root@EP-Inside:~/A# ls
keypairA.pem  publicA.pem
root@EP-Inside:~/A# cat publicA.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4x6sZrAeiH3HOf4Lyap3
1fXlsFJcX3uDUlCObVd55CoMfHXeOksyC7ArPR+5Byck+gQAPguMntsvNq01unGI
9q06rg7rF84qyg1CK+VOE73kLkFnsfhVq9kyvz635f9vux9nfbyLsPauJmHpOApH
+17w2MiC8sI+lZaYPC3j3qkzbkSu60LpKW0o9JtUVWxtRtnm7qPeRtk/SG/OsCKx
mGdjro/qc8TAFuPoGjJTIZCcQGCVKd8qJ10bjgrI1/PWNNn/4vQxZgWOpLrNDisH
jLobvagSfcHk6AcoVfYqKo1PrFt7xJXxT5Odcud4mP4SxWTyzOJFnvssMnr4cWFA
EwIDAQAB
-----END PUBLIC KEY-----
root@EP-Inside:~/A# 


Same process for B


root@EP-Inside:~/B# openssl rsa -in keypairB.pem -pubout -out publicB.pem
writing RSA key
root@EP-Inside:~/B# 
root@EP-Inside:~/B# ls
keypairB.pem  publicB.pem
root@EP-Inside:~/B# 
root@EP-Inside:~/B# 
root@EP-Inside:~/B# cat publicB.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArCbTcjLfHQ40+NV3jWm4
Z7fiz/4+JSlF7XtWpsVcbrjdniN1ieim7zx1TsfxR9QfROFcXYXfMclJEB7MoQ2d
0deISuugPoYREke1zNmgGZQZw9sHYISzZlTeZf0lNwuMqMKf/NaHCfnD9CBU7qsK
f+fNoQwqOZnC6uji9s/TIp1rz2GzyPeCiiqXtDGJNUpqx5PvxHfYFXvcj/yBVluV
fChfLn2N7GlOlkNnt7A2qVmYnmktlUPuoAkrl+gQjjjv87hUMdjo1EigNFO90oXe
29yi1JMxh2X+O/xywcxSI1LKzMlSJBYSbAtFFxGD7MW67HST+Fy/rkT5UOrjawDQ
XQIDAQAB
-----END PUBLIC KEY-----
root@EP-Inside:~/B# 


## Now lets share the public key to each other.

## to share we are making link of public key B in folder A

root@EP-Inside:~/A# pwd
/root/A
root@EP-Inside:~/A# ln -s /root/B/publicB.pem
root@EP-Inside:~/A# ls
keypairA.pem  publicA.pem  publicB.pem
root@EP-Inside:~/A# 


root@EP-Inside:~/A# ls -lrt
total 8
-rw-r--r-- 1 root root 1675 Mar  1 23:38 keypairA.pem
-rw-r--r-- 1 root root  451 Mar  1 23:41 publicA.pem
lrwxrwxrwx 1 root root   19 Mar  1 23:44 publicB.pem -> /root/B/publicB.pem


root@EP-Inside:~/B# ln -s /root/A/publicA.pem
root@EP-Inside:~/B# 
root@EP-Inside:~/B# ls
keypairB.pem  publicA.pem  publicB.pem
root@EP-Inside:~/B# 

Now each user has its own public/private keys and public key of other user


Say now lets encrypt msg and sent to B

root@EP-Inside:~/A# vi msg
root@EP-Inside:~/A# 
root@EP-Inside:~/A# 
root@EP-Inside:~/A# cat msg
Hello, my account no is 1232432682357023
root@EP-Inside:~/A# 


root@EP-Inside:~/A# openssl rsautl -encrypt -in msg -out enc -inkey publicB.pem -pubin
root@EP-Inside:~/A# ls
enc  keypairA.pem  msg  publicA.pem  publicB.pem
root@EP-Inside:~/A# cat enc
kYmX>L       `_ϝZٔTOwԑ _݂
k~b#nwϱ$;F02,:ojbr4gN\KDA7xK&%I @>Í
 `rHOV(aMnېC5A)uyI@)  lZjbo e­$D?W-0޽_m2~SjfR`fgLh;root@EP-Inside:~/A# 
root@EP-Inside:~/A# 


##With asymmetric encryption, we did encrypt and decyrpt using rsa public and private keys. Now Let’s sign and verify signature on files.


Sign file using private key

root@EP-Inside:~/A# openssl rsautl -sign -in msg -out signed -inkey keypairA.pem
root@EP-Inside:~/A# ls
enc  keypairA.pem  msg  publicA.pem  publicB.pem  signed
root@EP-Inside:~/A# 


copy this file in B and verify signed file:

root@EP-Inside:~/B# cp /root/A/signed signed
root@EP-Inside:~/B# ls
keypairB.pem  msg  publicA.pem  publicB.pem  received  signed
root@EP-Inside:~/B# 

root@EP-Inside:~/B# openssl rsautl -verify -in signed -out signedFile -inkey publicA.pem -pubin
root@EP-Inside:~/B# 
root@EP-Inside:~/B# ls
keypairB.pem  msg  publicA.pem  publicB.pem  received  signed  signedFile
root@EP-Inside:~/B# 
root@EP-Inside:~/B# 
root@EP-Inside:~/B# cat signedFile
Hello, my account no is 1232432682357023
root@EP-Inside:~/B# 

original and final values are same.


Till now used private key in clear text as it is easier to use. Normally we don’t have private key in clear text as it is security issue so use encyrpted private key

root@EP-Inside:~/A# openssl rsa -in keypairA.pem -des3 -out privateA.pem
writing RSA key
Enter PEM pass phrase: pass
Verifying - Enter PEM pass phrase:pass
root@EP-Inside:~/A# 
root@EP-Inside:~/A# 
root@EP-Inside:~/A# ls
enc  keypairA.pem  msg  privateA.pem  publicA.pem  publicB.pem  signed
root@EP-Inside:~/A# 

Now istead of using keypairA.pem which is in clear text we will use privateA.pem


Lets use privateA.pem for signing, The only diff here is it will ask for password so this more secure. It used encrypted private key


root@EP-Inside:~/A# openssl rsautl -sign -in msg -out signed -inkey privateA.pem
Enter pass phrase for privateA.pem: pass
root@EP-Inside:~/A# 



Create and manage certificates and certification authorities

## this is CA file
root@EP-Inside:~# vi /usr/lib/ssl/misc/CA.pl
root@EP-Inside:~# 

## this is openssl config file
root@EP-Inside:~# vi /usr/lib/ssl/openssl.cnf
root@EP-Inside:~# 

## create CA file fresh. This will create public/private keys of CA and aslo creates self-signed certificate of CA

root@EP-Inside:~# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ... ## cretae private/public keys
Generating a 2048 bit RSA private key
........+++
..............+++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: capass
Verifying - Enter PEM pass phrase: capass
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Karnataka
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cisco
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:nawraj
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: capass ## this will create self signed cert
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 12249924576713975915 (0xaa00797fe85d286b)
        Validity
            Not Before: Mar  2 05:46:50 2020 GMT
            Not After : Mar  2 05:46:50 2023 GMT
        Subject:
            countryName               = IN
            stateOrProvinceName       = Karnataka
            organizationName          = cisco
            commonName                = nawraj
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                7B:ED:33:EB:C4:50:96:50:A7:60:AE:1C:BE:3E:F2:DD:4D:72:CF:EA
            X509v3 Authority Key Identifier: 
                keyid:7B:ED:33:EB:C4:50:96:50:A7:60:AE:1C:BE:3E:F2:DD:4D:72:CF:EA

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Mar  2 05:46:50 2023 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@EP-Inside:~# 


root@EP-Inside:~/demoCA# ls -lrt c*
-rw-r--r-- 1 root root    3 Mar  2 00:44 crlnumber
-rw-r--r-- 1 root root  952 Mar  2 00:46 careq.pem
-rw-r--r-- 1 root root 4248 Mar  2 00:46 cacert.pem

crl:
total 0

certs:
total 0

## generate new certificate request to CA

root@EP-Inside:~/user# openssl req -new -keyout privateUser.pem -out reqUser.pem
Generating a 2048 bit RSA private key
..............+++
.............................+++
writing new private key to 'privateUser.pem'
Enter PEM pass phrase: userpass
Verifying - Enter PEM pass phrase: userpass
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:karnataka
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cisco
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.mysite.com ## request is for my own site say
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
## password is optional here
A challenge password []:
An optional company name []:
root@EP-Inside:~/user# 

Note: make sure Country and state should match exactly in CA create and while creating new request. what all option to match is mentioned in openssl config file vi /usr/lib/ssl/openssl.cnf

root@EP-Inside:~/user# ls
privateUser.pem  reqUser.pem
root@EP-Inside:~/user# 


## Now sign certificate request with CA private key ie capass

root@EP-Inside:~/user# openssl ca -in reqUser.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
140443545278112:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./demoCA/private/cakey.pem','r')
140443545278112:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load CA private key
root@EP-Inside:~/user# ls
privateUser.pem  reqUser.pem

Here is some issue. otherwise it will ask for private key of CA and provide: capass



root@EP-Inside:~/user# cd ../demoCA
root@EP-Inside:~/demoCA# 
root@EP-Inside:~/demoCA# ls
cacert.pem  careq.pem  certs  crl  crlnumber  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial
root@EP-Inside:~/demoCA# cd newcerts/
root@EP-Inside:~/demoCA/newcerts# ls
AA00797FE85D286B.pem

In actual in will have two certs under newcerts. One is CA cert and other 2nd one as shown below is user cert.

Now let’s verify authenticity of user cert using CA cert. Got response as Ok means user certificate is autneticated
this is the user certificate is indeed signed by this CA


Now let’s revoke the certificate.

After revoking cert we have to update the crl list. Even after that we are seeing ouput as Ok because we have not mentioned crl location while verifying.

Once we provide crl location, certificate verification fails.


Posted by at No comments:
Subscribe to: Posts (Atom)