Blog-Archiv

Mittwoch, 25. April 2018

Personal Encrypted Communication with OpenSSL

This topic has been explained on many sites on the web. I am neither a cryptography expert nor do I like this kind of things, but the need for it is increasing. Imagine you want to send someone your bank account ID. Would you do this on communication tools like Slack, Hangout, Skype, ... or by e-mail? For sure not, these mediums are not secure. But if you protect your communication, you can use any of them!

Prerequisites

  • Download and install OpenSSL, this is an open source command-line utility (SSL = secure socket layer, used by browsers); on LINUX machines it is mostly already present

  • You can send binary files to your communication partners, and they can send to you

  • You know how to work with terminal windows, command utilities, files and directories

The Public Private Key Method

This method relies on the fact that you never give away your private key to anyone. Persons that want to send you an encrypted message need a public key generated from your private key. Send a public key to them, you can use any medium that allows file attachments. Decrypt the messages they send to you with your private key.

If you want to send an encrypted message to someone, you need the public key of this person (not its private!). The public key of your partner is for your encryption, your own private key is for decryption of your partner's messages. Never use your own public key for anything else than sending it to communication partners.

It is not possible to find out a private key from one of its public keys. This makes it impossible for anyone else to decrypt the messages sent to you, encrypted by one of your public keys. Not even the sender will be able to decrypt it. That's the reason why it is called "asymmetric" cryptography.

Generate a Private Key

Create a directory on your machine where you keep your private key. Then open a command terminal window and change into that directory. Being there, enter following command:

openssl genrsa -out rsa_private.pem 2048

This command creates a file rsa_private.pem that contains an unencrypted private RSA key. You won't need a password when using this key. PEM is a format that uses just ASCII characters ("Privacy Enhanced Mail").

Alternatively:

openssl genrsa -des3 -out rsa_private.pem 2048

This creates a private key encrypted with DES3 cipher. On creation of this key you will be asked for a password. Any time you use the key in file rsa_private.pem, openssl will ask you interactively for this password. Good privacy, but you must remember the password.

It is recommendable to save your private key to a (password-protected) USB stick, in case your machine crashes and you still need the key for decrypting messages sent to you.

Generate a Public Key

You can generate new public keys at any time from your private key (that you may generate just once).

openssl rsa -in rsa_private.pem -pubout -out rsa_public.pem

The public key will be in file rsa_public.pem after.

Encrypt with a Public Key

Mind that only short texts up to 245 bytes can be encrypted with a public key like generated here. Put some lines of text into file cleartext.txt, and then run this command:

openssl rsautl -encrypt -inkey rsa_public.pem -pubin -in cleartext.txt -out encryptedtext.bin

cleartext.txt will have been written encrypted to file encryptedtext.bin. Mind that this file does not contain readable ASCII characters.

Decrypt with your Private Key

You received a (short) encrypted file encryptedtext.bin.

openssl rsautl -decrypt -inkey rsa_private.pem -in encryptedtext.bin -out decrypted.txt

# diff decrypted.txt cleartext.txt || echo "THIS WENT WRONG!"

Having done this, decryptedtext.txt will contain what was in cleartext.txt on the sender side.


Sending Long Files

For trying out this, put some more text into file cleartext.txt.

Because we can encrypt just short texts up to 245 bytes with our public key, we need another technique for longer files. We will encrypt the file with AES algorithm and a randomly generated key. This key is called "symmetric" key, because your communication partner will need it also for decryption. But you can send it along with the data, it will be encrypted using the public key of the receiver.

Create a Random Key

openssl rand -base64 32 >randomkey.txt

A new unencrypted symmetric key now resides in file randomkey.txt.

Encrypt the Random Key with Public Key

openssl rsautl -encrypt -inkey rsa_public.pem -pubin -in randomkey.txt -out randomkey_encrypted.bin

Do this with the public key of your communication partner. File randomkey_encrypted.bin is now the encrypted symmetric key, ready to be sent along with the data.

Encrypt the Data with Random Key

openssl enc -aes-256-cbc -salt -in cleartext.txt -out encryptedtext.bin -pass file:./randomkey.txt

The text that you want to send must be encrypted using the unencrypted symmetric key. Your data in encryptedtext.bin is now encrypted and ready to be sent, along with the encrypted symmetric key.

What to send now:

  1. encryptedtext.bin
  2. randomkey_encrypted.bin

Receiving Long Files

You received two files. One must be identifiable as the encrypted symmetric key, the other holds the data to be decrypted. Lets say they were:

  1. encryptedtext.bin
  2. randomkey_encrypted.bin

Decrypt the Random Key with Private Key

openssl rsautl -decrypt -inkey rsa_private.pem -in randomkey_encrypted.bin -out randomkey.txt

The decrypted symmetric random key is now in file randomkey.txt.

Decrypt the Data with Random Key

openssl enc -d -aes-256-cbc -in encryptedtext.bin -out decrypted.txt -pass file:./randomkey.txt 

That's it, the decrypted data is now in decrypted.txt.



Conclusion

Definitely too cryptic to keep in mind all these parameters:-) Keep it in a Blog.

Latest achievement in cryptography is ECDSA ("Elliptic Curve DSA"). OpenSSL already supports it.

Use secure messengers like Signal, Wire, or Threema.




Keine Kommentare: