####Encryption and decryption using OpenSSL
Note: this walkthrough was recorded on OpenSSL 1.0.1f (January 2014). The upstream 1.0.1f release is long out of support and predates the Heartbleed fix in 1.0.1g (distribution packages may carry a backport), and several defaults shown here (the `enc` password-to-key derivation, `-des3` key encryption, the `rsautl` PKCS#1 v1.5 padding) are not what a current OpenSSL would choose. Treat the commands as a learning exercise, not as a template for production use.
root@EP-Inside:~# openssl version
OpenSSL 1.0.1f 6 Jan 2014
root@EP-Inside:~#
root@EP-Inside:~# openssl list -cipher -commands
openssl:Error: 'list' is an invalid command.
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dh
dhparam dsa dsaparam ec
ecparam enc engine errstr
gendh gendsa genpkey genrsa
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand req
rsa rsautl s_client s_server
s_time sess_id smime speed
spkac srp ts verify
version x509
Message Digest commands (see the `dgst' command for more details)
md4 md5 rmd160 sha
sha1
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2
rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb
rc2-ecb rc2-ofb rc4 rc4-40
seed seed-cbc seed-cfb seed-ecb
seed-ofb
root@EP-Inside:~#
root@EP-Inside:~#
root@EP-Inside:~#
root@EP-Inside:~#
root@EP-Inside:~# vi msg
##openssl using symmetric encryption
Encrypt using enc. Two caveats a practitioner should know: with a password, `enc` derives the key with OpenSSL's legacy EVP_BytesToKey routine (MD5, a single iteration in this version; `-pbkdf2` only exists from 1.1.1), so a short password such as `pass` is trivially brute-forced; and AES-CBC gives confidentiality only, with no integrity or authentication, so ciphertext can be altered without detection. The output starts with `Salted__` (base64 `U2FsdGVkX1`) followed by a random 8-byte salt, which is why the same message and password produce a different ciphertext on every run.
root@EP-Inside:~# openssl enc -aes-256-cbc -base64 -in msg
enter aes-256-cbc encryption password:pass
Verifying - enter aes-256-cbc encryption password:pass
U2FsdGVkX194KOvk95omFCs4EStJY3FQXeV0Nq88vfLv/CBgZCiEwjbKJ48l/vXm
RUdt2WdhSQ76P2RyHOTHIw==
### to write the ciphertext to a file instead of stdout, add -out
root@EP-Inside:~# openssl enc -aes-256-cbc -base64 -in msg -out enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
root@EP-Inside:~#
root@EP-Inside:~#
root@EP-Inside:~# cat msg
Hello to everyone, How are you there!!
root@EP-Inside:~# cat enc
U2FsdGVkX1+ywB0N9km8ZXCEDnbl+Sa92nI59JhCTOLPZS78oH8X4rEcFOlmvdNW
vB/ZL8Uv2lEWISyV2ic/2A==
###to decrypt, add -d and enter the same password. Because CBC mode is unauthenticated, a wrong password normally shows up only as a "bad decrypt" padding error, and can occasionally yield garbage output with no error at all.
root@EP-Inside:~# openssl enc -aes-256-cbc -d -base64 -in enc
enter aes-256-cbc decryption password:
Hello to everyone, How are you there!!
root@EP-Inside:~# openssl enc -aes-256-cbc -d -base64 -in enc -out dec
enter aes-256-cbc decryption password:
root@EP-Inside:~#
##openssl using asymmetric encryption
## create two directories, A and B, and generate an RSA key pair (private + public key) for each of the two users A and B. `genrsa` writes the private key unencrypted; also check the resulting file mode (the `ls -l` further down shows 0644, i.e. world-readable) and `chmod 600` it.
root@EP-Inside:~# mkdir A
root@EP-Inside:~# mkdir B
root@EP-Inside:~#
root@EP-Inside:~# cd A
root@EP-Inside:~# cd A
root@EP-Inside:~/A#
root@EP-Inside:~/A#
root@EP-Inside:~/A# openssl genrsa -out keypair.pem 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.......................................................................................................................+++
e is 65537 (0x10001)
root@EP-Inside:~/A#
root@EP-Inside:~/A#
root@EP-Inside:~/A# cd ../B
root@EP-Inside:~/B#
root@EP-Inside:~/B#
root@EP-Inside:~/B# openssl genrsa -out keypair.pem 2048
Generating RSA private key, 2048 bit long modulus
.......+++
..........................................................................+++
e is 65537 (0x10001)
root@EP-Inside:~/B#
root@EP-Inside:~/B#
root@EP-Inside:~/B#
## This prints the whole RSA private key structure (which also contains the public modulus and exponent). Dumping a real private key to a terminal, here and with -text below, leaves it in scrollback and in any session recording, so avoid it outside a throwaway demo.
root@EP-Inside:~/A# cat keypair.pem
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
root@EP-Inside:~/A#
To see the key's components in readable form, use -text: modulus and publicExponent are the public key; privateExponent, the two primes, exponent1/exponent2 and coefficient are the private CRT parameters. Without -noout the PEM block is written again after the dump:
root@EP-Inside:~/A# openssl rsa -in keypair.pem -text
Private-Key: (2048 bit)
modulus:
00:a5:58:aa:ea:c0:36:ff:04:af:3d:6e:03:eb:0c:
32:30:67:9e:1c:bd:17:bc:ab:9f:d7:ed:1d:c5:8c:
6d:81:06:3a:bc:a8:cc:e9:95:dd:5c:9f:a5:04:c1:
ac:d2:36:0b:96:7b:72:1a:ed:50:24:a7:bd:5c:1b:
fa:03:43:a9:a0:3d:93:5c:be:22:27:65:3f:05:d0:
3b:ed:4a:2a:85:48:10:23:01:47:5d:78:0b:56:ad:
30:e9:28:67:4b:2c:fe:78:8e:f8:5b:11:df:34:fc:
15:d2:34:db:54:df:34:ea:ee:b7:46:62:08:4b:66:
ae:25:80:a8:29:a4:b0:20:5d:7e:28:b0:55:8d:b0:
32:01:48:4b:a8:1c:96:a1:02:b8:a8:b7:1c:f1:6b:
8f:be:b9:2b:d4:0d:3b:79:58:7c:38:05:ea:0c:3b:
65:16:4a:8a:74:a1:45:8e:f3:5e:91:bd:3b:05:1d:
b4:42:80:0c:4d:ff:c5:27:e7:ff:90:d9:18:f4:89:
eb:1c:b7:0b:2e:e2:76:66:93:f2:18:f8:91:f3:57:
bf:3f:25:75:31:a3:d0:61:af:fe:24:2e:e3:4f:73:
4a:54:f5:91:5b:e0:57:4c:ff:3a:b4:5b:2c:54:ad:
9a:1d:7a:07:3d:1f:ee:d5:d8:6e:82:c4:c2:8d:92:
5d:83
publicExponent: 65537 (0x10001)
privateExponent:
24:80:82:9a:f8:7c:2b:a8:59:17:72:a6:22:c9:ba:
7a:bd:25:46:aa:e8:06:9a:cc:da:da:59:ec:36:a8:
26:07:be:07:d0:2c:0c:95:2d:1d:39:91:30:8f:a1:
1b:77:1a:ef:c9:a8:d3:10:f8:d4:5e:c3:8b:06:12:
17:8e:64:70:1f:a7:dc:9d:8c:e4:ad:91:50:33:3c:
47:92:4b:f8:c8:83:e7:76:6c:ce:d1:a5:8f:29:04:
d7:34:38:39:7c:61:61:34:0e:d7:ec:06:1e:a8:58:
18:e3:da:57:ce:3e:dc:6e:7e:bf:66:fc:f5:c8:61:
41:9e:39:81:97:fd:d9:e6:ef:0c:7b:49:82:87:bc:
0c:97:2d:5a:16:51:1f:61:8e:db:34:43:ff:3d:13:
09:fc:da:12:e7:34:90:de:79:1d:77:36:a3:f6:aa:
88:bd:d5:12:bc:79:08:ad:05:0b:68:64:ea:ca:54:
d0:75:30:e7:66:5c:34:26:be:ca:06:a6:b5:3b:b5:
15:89:ae:da:cc:e7:9d:58:bf:b6:3b:1a:34:b8:dd:
6b:21:22:e6:1b:08:22:d1:84:85:c7:98:7c:e2:38:
08:d0:5c:f7:4c:5f:89:6b:8e:ae:b8:bf:71:7f:53:
38:1e:9b:38:83:74:53:3e:93:ef:7a:00:c0:a0:7e:
21
prime1:
00:d1:5f:6c:2e:21:47:3e:c7:c7:7b:7a:66:f3:a0:
0b:4f:07:be:ed:4a:64:a0:25:09:3d:82:f3:af:48:
65:fb:8b:51:9a:4a:ad:1d:ea:79:44:67:2f:7b:41:
51:3b:2f:c2:2b:1b:44:b8:92:d9:ab:b0:4a:1d:5a:
44:75:d8:b3:16:1c:02:62:9d:00:71:a4:0e:5b:24:
41:b0:d2:66:af:29:63:d1:a3:af:f6:9e:90:44:7b:
1c:82:3f:27:3f:bc:4b:dd:a0:0f:1a:3e:14:31:5f:
6c:9c:18:ac:bd:db:43:d2:b5:81:08:1b:7c:b8:a3:
3b:cd:93:d3:32:cb:5f:75:3d
prime2:
00:ca:2b:40:39:dd:34:d0:0a:f2:17:b6:2c:57:f3:
42:53:64:30:0b:11:cf:7a:32:b5:73:4f:97:41:bb:
8b:a0:f3:31:3b:1a:91:ea:0a:0c:e8:0c:fe:12:f8:
85:f0:46:35:f1:5a:2f:0e:09:ec:fd:17:e2:2e:60:
60:be:4a:fc:2b:42:ef:64:85:ae:2b:9e:03:69:da:
33:bb:3e:06:df:52:ec:2c:f3:e2:86:95:f1:ac:eb:
b6:ab:f6:ef:2e:49:fe:5b:98:82:fe:05:ec:04:b3:
b1:79:f9:e5:3e:cd:3c:1d:7b:0c:d3:68:27:9e:d4:
37:01:ee:a0:4e:3e:51:c9:bf
exponent1:
07:f5:43:8c:61:51:6e:ee:73:03:9b:7c:6c:48:2a:
05:df:fa:7e:d4:74:0c:ae:3b:b2:ad:d6:8b:54:0a:
24:4c:80:56:87:fe:1a:83:fe:05:fe:92:0c:72:48:
1f:22:ca:93:8e:de:c6:d1:36:1a:d3:81:8d:aa:0f:
ae:17:05:7f:92:a2:f8:92:95:20:bc:a6:9b:0a:3e:
c0:f4:ce:58:5c:0f:62:39:81:87:b3:31:32:99:27:
55:40:07:42:e1:ea:54:4b:30:27:c4:32:4a:4a:21:
3b:b1:a8:67:32:fd:59:f5:f2:28:97:ba:de:dd:bd:
79:2b:e4:3c:2b:04:be:d5
exponent2:
0b:fe:64:e1:09:ee:88:29:1e:13:aa:0b:17:6c:a7:
12:ab:6e:ee:39:30:45:df:9c:44:2b:04:9e:31:b2:
26:ea:46:91:6b:12:1d:00:5b:a3:a8:a1:aa:1e:74:
53:bc:d6:96:6a:f3:3f:b1:f7:0d:4c:cd:6e:52:e9:
6a:60:a8:75:28:93:6b:33:43:11:f3:5d:e0:79:c1:
77:ea:46:1e:19:9d:49:4d:6e:b2:ed:52:59:1f:e2:
c6:70:ef:df:9f:24:27:ea:f4:5a:7d:9f:72:e7:f6:
2f:76:53:d3:55:f9:ab:06:11:cc:b8:f1:20:cb:16:
38:57:1f:cb:84:86:f5:a1
coefficient:
00:9f:93:dd:93:bf:c7:d1:40:53:75:09:10:74:70:
80:71:7c:25:63:da:0d:a6:7f:2e:c1:c1:93:10:ba:
ce:bb:45:8d:a5:74:f9:4d:d9:6f:55:2c:de:42:1c:
5b:ad:0e:bd:b3:87:10:ab:e0:73:29:5d:8e:2e:33:
5e:ef:72:19:e1:fd:14:3b:0a:16:f0:b6:16:2f:ea:
23:4a:62:00:90:e4:7b:75:48:ab:8a:a8:07:46:59:
4d:d8:af:19:2c:06:a2:47:19:06:b1:fa:48:f8:9e:
65:a8:d5:3d:f3:9c:3b:c6:d5:ed:53:e4:33:df:d5:
ae:6a:92:99:b3:6f:03:07:17
writing RSA key
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
root@EP-Inside:~/A#
## -noout suppresses the trailing PEM (base64) output, so only the decoded components are printed
root@EP-Inside:~/A# openssl rsa -in keypair.pem -text -noout
Private-Key: (2048 bit)
modulus:
00:a5:58:aa:ea:c0:36:ff:04:af:3d:6e:03:eb:0c:
32:30:67:9e:1c:bd:17:bc:ab:9f:d7:ed:1d:c5:8c:
6d:81:06:3a:bc:a8:cc:e9:95:dd:5c:9f:a5:04:c1:
ac:d2:36:0b:96:7b:72:1a:ed:50:24:a7:bd:5c:1b:
fa:03:43:a9:a0:3d:93:5c:be:22:27:65:3f:05:d0:
3b:ed:4a:2a:85:48:10:23:01:47:5d:78:0b:56:ad:
30:e9:28:67:4b:2c:fe:78:8e:f8:5b:11:df:34:fc:
15:d2:34:db:54:df:34:ea:ee:b7:46:62:08:4b:66:
ae:25:80:a8:29:a4:b0:20:5d:7e:28:b0:55:8d:b0:
32:01:48:4b:a8:1c:96:a1:02:b8:a8:b7:1c:f1:6b:
8f:be:b9:2b:d4:0d:3b:79:58:7c:38:05:ea:0c:3b:
65:16:4a:8a:74:a1:45:8e:f3:5e:91:bd:3b:05:1d:
b4:42:80:0c:4d:ff:c5:27:e7:ff:90:d9:18:f4:89:
eb:1c:b7:0b:2e:e2:76:66:93:f2:18:f8:91:f3:57:
bf:3f:25:75:31:a3:d0:61:af:fe:24:2e:e3:4f:73:
4a:54:f5:91:5b:e0:57:4c:ff:3a:b4:5b:2c:54:ad:
9a:1d:7a:07:3d:1f:ee:d5:d8:6e:82:c4:c2:8d:92:
5d:83
publicExponent: 65537 (0x10001)
privateExponent:
24:80:82:9a:f8:7c:2b:a8:59:17:72:a6:22:c9:ba:
7a:bd:25:46:aa:e8:06:9a:cc:da:da:59:ec:36:a8:
26:07:be:07:d0:2c:0c:95:2d:1d:39:91:30:8f:a1:
1b:77:1a:ef:c9:a8:d3:10:f8:d4:5e:c3:8b:06:12:
17:8e:64:70:1f:a7:dc:9d:8c:e4:ad:91:50:33:3c:
47:92:4b:f8:c8:83:e7:76:6c:ce:d1:a5:8f:29:04:
d7:34:38:39:7c:61:61:34:0e:d7:ec:06:1e:a8:58:
18:e3:da:57:ce:3e:dc:6e:7e:bf:66:fc:f5:c8:61:
41:9e:39:81:97:fd:d9:e6:ef:0c:7b:49:82:87:bc:
0c:97:2d:5a:16:51:1f:61:8e:db:34:43:ff:3d:13:
09:fc:da:12:e7:34:90:de:79:1d:77:36:a3:f6:aa:
88:bd:d5:12:bc:79:08:ad:05:0b:68:64:ea:ca:54:
d0:75:30:e7:66:5c:34:26:be:ca:06:a6:b5:3b:b5:
15:89:ae:da:cc:e7:9d:58:bf:b6:3b:1a:34:b8:dd:
6b:21:22:e6:1b:08:22:d1:84:85:c7:98:7c:e2:38:
08:d0:5c:f7:4c:5f:89:6b:8e:ae:b8:bf:71:7f:53:
38:1e:9b:38:83:74:53:3e:93:ef:7a:00:c0:a0:7e:
21
prime1:
00:d1:5f:6c:2e:21:47:3e:c7:c7:7b:7a:66:f3:a0:
0b:4f:07:be:ed:4a:64:a0:25:09:3d:82:f3:af:48:
65:fb:8b:51:9a:4a:ad:1d:ea:79:44:67:2f:7b:41:
51:3b:2f:c2:2b:1b:44:b8:92:d9:ab:b0:4a:1d:5a:
44:75:d8:b3:16:1c:02:62:9d:00:71:a4:0e:5b:24:
41:b0:d2:66:af:29:63:d1:a3:af:f6:9e:90:44:7b:
1c:82:3f:27:3f:bc:4b:dd:a0:0f:1a:3e:14:31:5f:
6c:9c:18:ac:bd:db:43:d2:b5:81:08:1b:7c:b8:a3:
3b:cd:93:d3:32:cb:5f:75:3d
prime2:
00:ca:2b:40:39:dd:34:d0:0a:f2:17:b6:2c:57:f3:
42:53:64:30:0b:11:cf:7a:32:b5:73:4f:97:41:bb:
8b:a0:f3:31:3b:1a:91:ea:0a:0c:e8:0c:fe:12:f8:
85:f0:46:35:f1:5a:2f:0e:09:ec:fd:17:e2:2e:60:
60:be:4a:fc:2b:42:ef:64:85:ae:2b:9e:03:69:da:
33:bb:3e:06:df:52:ec:2c:f3:e2:86:95:f1:ac:eb:
b6:ab:f6:ef:2e:49:fe:5b:98:82:fe:05:ec:04:b3:
b1:79:f9:e5:3e:cd:3c:1d:7b:0c:d3:68:27:9e:d4:
37:01:ee:a0:4e:3e:51:c9:bf
exponent1:
07:f5:43:8c:61:51:6e:ee:73:03:9b:7c:6c:48:2a:
05:df:fa:7e:d4:74:0c:ae:3b:b2:ad:d6:8b:54:0a:
24:4c:80:56:87:fe:1a:83:fe:05:fe:92:0c:72:48:
1f:22:ca:93:8e:de:c6:d1:36:1a:d3:81:8d:aa:0f:
ae:17:05:7f:92:a2:f8:92:95:20:bc:a6:9b:0a:3e:
c0:f4:ce:58:5c:0f:62:39:81:87:b3:31:32:99:27:
55:40:07:42:e1:ea:54:4b:30:27:c4:32:4a:4a:21:
3b:b1:a8:67:32:fd:59:f5:f2:28:97:ba:de:dd:bd:
79:2b:e4:3c:2b:04:be:d5
exponent2:
0b:fe:64:e1:09:ee:88:29:1e:13:aa:0b:17:6c:a7:
12:ab:6e:ee:39:30:45:df:9c:44:2b:04:9e:31:b2:
26:ea:46:91:6b:12:1d:00:5b:a3:a8:a1:aa:1e:74:
53:bc:d6:96:6a:f3:3f:b1:f7:0d:4c:cd:6e:52:e9:
6a:60:a8:75:28:93:6b:33:43:11:f3:5d:e0:79:c1:
77:ea:46:1e:19:9d:49:4d:6e:b2:ed:52:59:1f:e2:
c6:70:ef:df:9f:24:27:ea:f4:5a:7d:9f:72:e7:f6:
2f:76:53:d3:55:f9:ab:06:11:cc:b8:f1:20:cb:16:
38:57:1f:cb:84:86:f5:a1
coefficient:
00:9f:93:dd:93:bf:c7:d1:40:53:75:09:10:74:70:
80:71:7c:25:63:da:0d:a6:7f:2e:c1:c1:93:10:ba:
ce:bb:45:8d:a5:74:f9:4d:d9:6f:55:2c:de:42:1c:
5b:ad:0e:bd:b3:87:10:ab:e0:73:29:5d:8e:2e:33:
5e:ef:72:19:e1:fd:14:3b:0a:16:f0:b6:16:2f:ea:
23:4a:62:00:90:e4:7b:75:48:ab:8a:a8:07:46:59:
4d:d8:af:19:2c:06:a2:47:19:06:b1:fa:48:f8:9e:
65:a8:d5:3d:f3:9c:3b:c6:d5:ed:53:e4:33:df:d5:
ae:6a:92:99:b3:6f:03:07:17
root@EP-Inside:~/A#
Regenerate the key pairs with distinct names (keypairA.pem and keypairB.pem). The old keypair.pem is deleted and fresh keys are generated rather than renamed, so the public keys printed below belong to these new keys, not to the modulus dumped above. A plain `rm` does not wipe the old private key from disk; use `shred -u` for any key that mattered.
root@EP-Inside:~/A# rm keypair.pem
root@EP-Inside:~/A#
root@EP-Inside:~/A#
root@EP-Inside:~/A# openssl genrsa -out keypairA.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
......+++
e is 65537 (0x10001)
root@EP-Inside:~/A#
root@EP-Inside:~/A#
root@EP-Inside:~/A#
root@EP-Inside:~/B# openssl genrsa -out keypairB.pem 2048
Generating RSA private key, 2048 bit long modulus
.............................................................................................+++
.................+++
e is 65537 (0x10001)
root@EP-Inside:~/B#
# only the public key is shared with others, so extract it into its own file with -pubout (the private key file must never be sent).
root@EP-Inside:~/A# openssl rsa -in keypairA.pem -pubout -out publicA.pem
writing RSA key
root@EP-Inside:~/A#
root@EP-Inside:~/A# ls
keypairA.pem publicA.pem
root@EP-Inside:~/A# cat publicA.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4x6sZrAeiH3HOf4Lyap3
1fXlsFJcX3uDUlCObVd55CoMfHXeOksyC7ArPR+5Byck+gQAPguMntsvNq01unGI
9q06rg7rF84qyg1CK+VOE73kLkFnsfhVq9kyvz635f9vux9nfbyLsPauJmHpOApH
+17w2MiC8sI+lZaYPC3j3qkzbkSu60LpKW0o9JtUVWxtRtnm7qPeRtk/SG/OsCKx
mGdjro/qc8TAFuPoGjJTIZCcQGCVKd8qJ10bjgrI1/PWNNn/4vQxZgWOpLrNDisH
jLobvagSfcHk6AcoVfYqKo1PrFt7xJXxT5Odcud4mP4SxWTyzOJFnvssMnr4cWFA
EwIDAQAB
-----END PUBLIC KEY-----
root@EP-Inside:~/A#
Same process for B
root@EP-Inside:~/B# openssl rsa -in keypairB.pem -pubout -out publicB.pem
writing RSA key
root@EP-Inside:~/B#
root@EP-Inside:~/B# ls
keypairB.pem publicB.pem
root@EP-Inside:~/B#
root@EP-Inside:~/B#
root@EP-Inside:~/B# cat publicB.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArCbTcjLfHQ40+NV3jWm4
Z7fiz/4+JSlF7XtWpsVcbrjdniN1ieim7zx1TsfxR9QfROFcXYXfMclJEB7MoQ2d
0deISuugPoYREke1zNmgGZQZw9sHYISzZlTeZf0lNwuMqMKf/NaHCfnD9CBU7qsK
f+fNoQwqOZnC6uji9s/TIp1rz2GzyPeCiiqXtDGJNUpqx5PvxHfYFXvcj/yBVluV
fChfLn2N7GlOlkNnt7A2qVmYnmktlUPuoAkrl+gQjjjv87hUMdjo1EigNFO90oXe
29yi1JMxh2X+O/xywcxSI1LKzMlSJBYSbAtFFxGD7MW67HST+Fy/rkT5UOrjawDQ
XQIDAQAB
-----END PUBLIC KEY-----
root@EP-Inside:~/B#
## Now let's share the public keys with each other.
## Both users live on the same host in this demo, so a symlink to B's public key in folder A stands in for the exchange. In a real exchange the public key travels over an untrusted channel and the recipient must confirm it is genuine (compare a fingerprint out of band, or rely on a certificate as in the CA section below); otherwise an attacker who substitutes their own public key can read everything encrypted to it.
root@EP-Inside:~/A# pwd
/root/A
root@EP-Inside:~/A# ln -s /root/B/publicB.pem
root@EP-Inside:~/A# ls
keypairA.pem publicA.pem publicB.pem
root@EP-Inside:~/A#
root@EP-Inside:~/A# ls -lrt
total 8
-rw-r--r-- 1 root root 1675 Mar 1 23:38 keypairA.pem
-rw-r--r-- 1 root root 451 Mar 1 23:41 publicA.pem
lrwxrwxrwx 1 root root 19 Mar 1 23:44 publicB.pem -> /root/B/publicB.pem
root@EP-Inside:~/B# ln -s /root/A/publicA.pem
root@EP-Inside:~/B#
root@EP-Inside:~/B# ls
keypairB.pem publicA.pem publicB.pem
root@EP-Inside:~/B#
Now each user has their own key pair plus the other user's public key.
A now encrypts a message to B with B's public key; only B's private key can decrypt it. `rsautl -encrypt` uses PKCS#1 v1.5 padding by default, which limits the plaintext to the key size minus 11 bytes (245 bytes for 2048-bit RSA) and is exposed to padding-oracle (Bleichenbacher-style) attacks whenever a decrypting service reveals padding failures; prefer `-oaep`, and for anything larger than a short secret, encrypt the data with a symmetric key and RSA-encrypt only that key (hybrid encryption).
root@EP-Inside:~/A# vi msg
root@EP-Inside:~/A#
root@EP-Inside:~/A#
root@EP-Inside:~/A# cat msg
Hello, my account no is 1232432682357023
root@EP-Inside:~/A#
root@EP-Inside:~/A# openssl rsautl -encrypt -in msg -out enc -inkey publicB.pem -pubin
root@EP-Inside:~/A# ls
enc keypairA.pem msg publicA.pem publicB.pem
root@EP-Inside:~/A# cat enc
kYmX>L `_ϝZٔTOwԑ _݂
`rHOV(aMnېC5A)uyI@) lZjbo e$D?W-0_m2~SjfR`fgLh;root@EP-Inside:~/A#
root@EP-Inside:~/A#
##With asymmetric encryption we encrypted with the recipient's public key; the matching decryption step is not shown in this transcript, but the `received` file in B's directory below suggests it was `openssl rsautl -decrypt -in enc -out received -inkey keypairB.pem`, run as B. Now let's sign and verify a signature on a file.
Sign file using private key. Caveat: `rsautl -sign` applies the private-key operation directly to the file contents (PKCS#1 v1.5 type 1 padding), so it only works for inputs shorter than the key size minus 11 bytes, and `-verify` recovers the original data rather than checking a detached signature over it. A real signature hashes the data first: `openssl dgst -sha256 -sign keypairA.pem -out msg.sig msg` and `openssl dgst -sha256 -verify publicA.pem -signature msg.sig msg`.
root@EP-Inside:~/A# openssl rsautl -sign -in msg -out signed -inkey keypairA.pem
root@EP-Inside:~/A# ls
enc keypairA.pem msg publicA.pem publicB.pem signed
root@EP-Inside:~/A#
copy the signed blob to B and verify it with A's public key (-verify recovers the embedded message into signedFile; a tampered blob or the wrong key produces an error instead):
root@EP-Inside:~/B# cp /root/A/signed signed
root@EP-Inside:~/B# ls
keypairB.pem msg publicA.pem publicB.pem received signed
root@EP-Inside:~/B#
root@EP-Inside:~/B# openssl rsautl -verify -in signed -out signedFile -inkey publicA.pem -pubin
root@EP-Inside:~/B#
root@EP-Inside:~/B# ls
keypairB.pem msg publicA.pem publicB.pem received signed signedFile
root@EP-Inside:~/B#
root@EP-Inside:~/B#
root@EP-Inside:~/B# cat signedFile
Hello, my account no is 1232432682357023
root@EP-Inside:~/B#
The recovered content matches the original, so the blob was produced with A's private key. Note that this "signature" contains the message itself: it proves origin but gives no confidentiality, since anyone with publicA.pem can read it.
Until now the private key was stored in clear text because it is easier to use. In practice a private key at rest should be encrypted with a passphrase, so that disclosure of the file alone does not disclose the key. `-des3` is the legacy choice shown here; on a current OpenSSL prefer `-aes256`, or better a PKCS#8 container with a proper KDF: `openssl pkcs8 -topk8 -v2 aes-256-cbc -in keypairA.pem -out privateA.pem`. Use a real passphrase, not `pass`.
root@EP-Inside:~/A# openssl rsa -in keypairA.pem -des3 -out privateA.pem
writing RSA key
Enter PEM pass phrase: pass
Verifying - Enter PEM pass phrase:pass
root@EP-Inside:~/A#
root@EP-Inside:~/A#
root@EP-Inside:~/A# ls
enc keypairA.pem msg privateA.pem publicA.pem publicB.pem signed
root@EP-Inside:~/A#
Now instead of keypairA.pem, which is in clear text, we use privateA.pem. Note that the clear-text keypairA.pem is still on disk (see the `ls` above); delete it securely (`shred -u keypairA.pem`) once the encrypted copy is confirmed to work, otherwise the encryption gained nothing.
Using privateA.pem for signing: the only difference is that OpenSSL prompts for the passphrase. This protects the key at rest, not in use, and only as well as the passphrase is strong. Avoid supplying it with `-passin pass:...` on the command line, which exposes it in shell history and `ps` output; `-passin file:` or `env:` are safer.
root@EP-Inside:~/A# openssl rsautl -sign -in msg -out signed -inkey privateA.pem
Enter pass phrase for privateA.pem: pass
root@EP-Inside:~/A#
Create and manage certificates and certification authorities
## CA.pl is a Perl helper that wraps `openssl req` / `openssl ca`; it keeps its state under ./demoCA, relative to the directory it is run from
root@EP-Inside:~# vi /usr/lib/ssl/misc/CA.pl
root@EP-Inside:~#
## openssl.cnf drives `openssl ca` and `openssl req`: the [ CA_default ] section sets dir = ./demoCA (relative to the current working directory, which matters below), the default validity and digest, and [ policy_match ] lists the DN fields a request must share with the CA
root@EP-Inside:~# vi /usr/lib/ssl/openssl.cnf
root@EP-Inside:~#
## create a fresh CA. This generates the CA's RSA key pair (encrypted with the passphrase entered below) and a self-signed CA certificate. Fine for a demo; for a CA you intend to trust, note that the certificate produced (see the extensions dumped below) carries only Subject/Authority Key Identifier and CA:TRUE — no keyUsage (keyCertSign, cRLSign) and no pathlen limit — and that the CA private key should be kept offline.
root@EP-Inside:~# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ... ## create the CA private/public key pair
Generating a 2048 bit RSA private key
........+++
..............+++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: capass
Verifying - Enter PEM pass phrase: capass
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Karnataka
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cisco
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:nawraj
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: capass ## this will create self signed cert
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 12249924576713975915 (0xaa00797fe85d286b)
Validity
Not Before: Mar 2 05:46:50 2020 GMT
Not After : Mar 2 05:46:50 2023 GMT
Subject:
countryName = IN
stateOrProvinceName = Karnataka
organizationName = cisco
commonName = nawraj
X509v3 extensions:
X509v3 Subject Key Identifier:
7B:ED:33:EB:C4:50:96:50:A7:60:AE:1C:BE:3E:F2:DD:4D:72:CF:EA
X509v3 Authority Key Identifier:
keyid:7B:ED:33:EB:C4:50:96:50:A7:60:AE:1C:BE:3E:F2:DD:4D:72:CF:EA
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Mar 2 05:46:50 2023 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
root@EP-Inside:~#
root@EP-Inside:~/demoCA# ls -lrt c*
-rw-r--r-- 1 root root 3 Mar 2 00:44 crlnumber
-rw-r--r-- 1 root root 952 Mar 2 00:46 careq.pem
-rw-r--r-- 1 root root 4248 Mar 2 00:46 cacert.pem
crl:
total 0
certs:
total 0
## generate a new private key and a certificate signing request (CSR) for it, to be submitted to the CA. Only reqUser.pem goes to the CA; privateUser.pem stays with the requester.
root@EP-Inside:~/user# openssl req -new -keyout privateUser.pem -out reqUser.pem
Generating a 2048 bit RSA private key
..............+++
.............................+++
writing new private key to 'privateUser.pem'
Enter PEM pass phrase: userpass
Verifying - Enter PEM pass phrase: userpass
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:karnataka
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cisco
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.mysite.com ## request is for my own site say
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
## the "challenge password" is an optional PKCS#10 attribute, not the key passphrase; it is almost never used and can be left blank
A challenge password []:
An optional company name []:
root@EP-Inside:~/user#
Note: the DN fields the CA requires to match are listed in the [ policy_match ] section of /usr/lib/ssl/openssl.cnf; by default countryName, stateOrProvinceName and organizationName must equal the CA's DN and commonName must be supplied. The comparison is byte-exact, so the lowercase `karnataka` entered above versus `Karnataka` in the CA certificate will be rejected by `openssl ca` with a "field needed to be the same" error unless the two agree; fix the request (or sign with `-policy policy_anything`).
root@EP-Inside:~/user# ls
privateUser.pem reqUser.pem
root@EP-Inside:~/user#
## Now sign the certificate request with the CA's private key (you will be prompted for the CA passphrase, capass)
root@EP-Inside:~/user# openssl ca -in reqUser.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
140443545278112:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./demoCA/private/cakey.pem','r')
140443545278112:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load CA private key
root@EP-Inside:~/user# ls
privateUser.pem reqUser.pem
The failure is a working-directory problem, not a missing key: openssl.cnf sets dir = ./demoCA, so `openssl ca` looks for demoCA/ relative to the current directory, and CA.pl created it under /root, not /root/user. Run from /root instead and pass -out so the certificate lands in a file rather than on stdout: `cd ~ && openssl ca -in user/reqUser.pem -out user/certUser.pem` (or copy the request to newreq.pem and use `CA.pl -sign`). It then prompts for the CA passphrase (capass) and asks you to confirm signing and committing the entry to the database.
root@EP-Inside:~/user# cd ../demoCA
root@EP-Inside:~/demoCA#
root@EP-Inside:~/demoCA# ls
cacert.pem careq.pem certs crl crlnumber index.txt index.txt.attr index.txt.old newcerts private serial
root@EP-Inside:~/demoCA# cd newcerts/
root@EP-Inside:~/demoCA/newcerts# ls
AA00797FE85D286B.pem
Once the user request has been signed, newcerts/ will hold two certificates: the CA's own (the serial shown above) and the user certificate; the signed copy written with -out is the one the user keeps (call it certUser.pem).
Now verify the user certificate against the CA certificate: `openssl verify -CAfile /root/demoCA/cacert.pem certUser.pem`. A response of `certUser.pem: OK` means the certificate chains to this CA,
i.e. the user certificate was indeed signed by this CA. It says nothing about whether the subject name is the one you expected; check that separately.
Now let's revoke the certificate: `openssl ca -revoke certUser.pem`, run from /root as before.
Revocation only marks the entry in demoCA/index.txt; the CRL must then be regenerated with `openssl ca -gencrl -out demoCA/crl.pem`. Even after that, `openssl verify` still reports OK, because it never consults the CA database and does not check revocation unless told to — the certificate is still validly signed.
Once the CRL is supplied (`-crl_check` with a -CAfile containing both cacert.pem and crl.pem, e.g. `cat demoCA/cacert.pem demoCA/crl.pem > chain.pem; openssl verify -crl_check -CAfile chain.pem certUser.pem`), verification fails with "certificate revoked".