By Zachary Huang

Under some circumstances you might want to send classified messages or files to other users. Openssl library provides us a fast and easy way to encrypt these documents. Before encrypting, a key pair is required. This article will be talking about how to produce encryptions using exist key pairs. For more knowledge, you can refer to previous article on this blog.

Creating SSH Key Pair

Before we start talking about encryption and decryption, we need something more fundamental. We need to create our own key pairs.

ssh-keygen -t rsa

Doing this gives you 2 files, id_rsa and id_rsa.pub, which are your private key and public key, respectively. They are your RSA key pair. Among two files, you must preserve your private key carefully, or this whole encryption thing will not be secured anymore, which loses its very own purpose. On the other side, you can now send your public key to others so they can encrypt messages for you.

Now, assume you received someone else’s public key. You want to send him/her a secret message, let’s say, a love letter, and of course you don’t want anyone else to read it, or you might die of embarrassment.

Encryption

To encrypt files, we can use openssl rsa library. By default, ssh-keygen generates key in OpenSSH format that is not very friendly to openssl. It needs some before processing. Transform the public key into PKCS8 format. There are 2 ways to do this

1. OpenSSH -> PKCS8
ssh-keygen -e -f ./id_rsa.pub -m PKCS8 > ./id_rsa.pub.pkcs8

or

2. OpenSSH -> PKCS1 -> PKCS8
ssh-keygen -e -f ./id_rsa.pub -m pem > id_rsa.pub.pem
openssl rsa -in id_rsa.pub.pem -RSAPublicKey_in -pubout > id_rsa.pub.pkcs8

Now using the PKCS8 file, we can encrypt by doing

openssl rsautl -encrypt -pubin -inkey id_rsa.pub.pkcs8 -in LoveLetter.txt -out LoveLetter.txt.enc

However, we usually don’t do this. Despite being well-secured, there are several disadvantages for RSA algorithm. Being an asymmetric cryptography, RSA is much slower on performance. Most importantly, RSA can only encrypt files of the same size as its key size. By default, ssh-keygen creates a 2048 bits key pair. This implies that our target file cannot be longer than 2048 bits. Which means that our love letter here cannot be longer than approximately 256 letters. That would be about 3 sentences. Not a very efficient way to express feelings.

We can do this in an alternative way. Openssl provides us other cryptography algorithm, one of which is AES. Though we will not talk about the details in this article, all we have to know is that as a symmetric cryptography, AES is a good choice when dealing with large files. Now we change our plan a little tiny bit. Instead of encrypting directly with RSA, we first encrypt our target with AES.

Generate a symmetric AES key

openssl rand 32 -out secret_key // this will be a 32x8 = 256 bits key

Encrypt using our new AES key

openssl aes-256-cbc -in LoveLetter.txt -out LoveLetter.txt.enc -pass file:secret_key

Note that the secret key generated should only be use this one time. Now, as we have done before, we encrypt with RSA. But this time, encrypt the key instead

openssl rsautl -encrypt -pubin -inkey id_rsa.pub.pkcs8 -in secret_key -out secret_key.enc

After everything is settled, send the encrypted LoveLetter along with the encrypted secret_key to your friend, and tell him/her to follow the instructions below to decrypt.

Decryption

STEP 1. Find their private key.

STEP 2. Decrypt the secret_key with private key

openssl rsautl -decrypt -ssl -inkey id_rsa -in secret_key.enc -out secret_key

STEP 3. Decrypt the message with the secret_key

openssl aes-256-cbc -d -in LoveLetter.txt.enc -out LoveLetter.txt -pass file:secret_key

STEP 4. Enjoy the message

In this article, I use RSA key pair as the key of AES key to solve the problem of key size limitation. Of course, this is just one of many possible solutions. I hope this help.

Akatsuki Taiwan Technology

Engineer Blog of Akatsuki Taiwan

Akatsuki Taiwan Technology

Written by

Akatsuki Taiwan Technology

Engineer Blog of Akatsuki Taiwan

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade