By Zachary Huang
Under some circumstances you might want to send classified messages or files to other users. Openssl library provides us a fast and easy way to encrypt these documents. Before encrypting, a key pair is required. This article will be talking about how to produce encryptions using exist key pairs. For more knowledge, you can refer to previous article on this blog.
Creating SSH Key Pair
Before we start talking about encryption and decryption, we need something more fundamental. Ｗe need to create our own key pairs.
ssh-keygen -t rsa
Doing this gives you 2 files, id_rsa and id_rsa.pub, which are your private key and public key, respectively. They are your RSA key pair. Among two files, you must preserve your private key carefully, or this whole encryption thing will not be secured anymore, which loses its very own purpose. On the other side, you can now send your public key to others so they can encrypt messages for you.
Now, assume you received someone else’s public key. You want to send him/her a secret message, let’s say, a love letter, and of course you don’t want anyone else to read it, or you might die of embarrassment.
To encrypt files, we can use openssl rsa library. By default, ssh-keygen generates key in OpenSSH format that is not very friendly to openssl. It needs some before processing. Transform the public key into PKCS8 format. There are 2 ways to do this
1. OpenSSH -> PKCS8
ssh-keygen -e -f ./id_rsa.pub -m PKCS8 > ./id_rsa.pub.pkcs8
2. OpenSSH -> PKCS1 -> PKCS8
ssh-keygen -e -f ./id_rsa.pub -m pem > id_rsa.pub.pem
openssl rsa -in id_rsa.pub.pem -RSAPublicKey_in -pubout > id_rsa.pub.pkcs8
Now using the PKCS8 file, we can encrypt by doing
openssl rsautl -encrypt -pubin -inkey id_rsa.pub.pkcs8 -in LoveLetter.txt -out LoveLetter.txt.enc
However, we usually don’t do this. Despite being well-secured, there are several disadvantages for RSA algorithm. Being an asymmetric cryptography, RSA is much slower on performance. Most importantly, RSA can only encrypt files of the same size as its key size. By default, ssh-keygen creates a 2048 bits key pair. This implies that our target file cannot be longer than 2048 bits. Which means that our love letter here cannot be longer than approximately 256 letters. That would be about 3 sentences. Not a very efficient way to express feelings.
We can do this in an alternative way. Openssl provides us other cryptography algorithm, one of which is AES. Though we will not talk about the details in this article, all we have to know is that as a symmetric cryptography, AES is a good choice when dealing with large files. Now we change our plan a little tiny bit. Instead of encrypting directly with RSA, we first encrypt our target with AES.
Generate a symmetric AES key
openssl rand 32 -out secret_key // this will be a 32x8 = 256 bits key
Encrypt using our new AES key
openssl aes-256-cbc -in LoveLetter.txt -out LoveLetter.txt.enc -pass file:secret_key
Note that the secret key generated should only be use this one time. Now, as we have done before, we encrypt with RSA. But this time, encrypt the key instead
openssl rsautl -encrypt -pubin -inkey id_rsa.pub.pkcs8 -in secret_key -out secret_key.enc
After everything is settled, send the encrypted LoveLetter along with the encrypted secret_key to your friend, and tell him/her to follow the instructions below to decrypt.
STEP 1. Find their private key.
STEP 2. Decrypt the secret_key with private key
openssl rsautl -decrypt -ssl -inkey id_rsa -in secret_key.enc -out secret_key
STEP 3. Decrypt the message with the secret_key
openssl aes-256-cbc -d -in LoveLetter.txt.enc -out LoveLetter.txt -pass file:secret_key
STEP 4. Enjoy the message
In this article, I use RSA key pair as the key of AES key to solve the problem of key size limitation. Of course, this is just one of many possible solutions. I hope this help.