Generally speaking, currently digital encryption methods can be divided into two main categories,
symmetric encryption and
symmetric encryption, the same key is used for encryption and decryption. The encryption methods are AES, DES, RC4, BlowFish, etc.; On the contrary,
asymmetric encryption uses different keys for encryption and decryption, which are called public keys or private keys. The encryption methods of asymmetric encryption include RSA, DSA, Diffie-Hellman, etc.
This post will introduce the workflow of
asymmetric encryption with the tool openssl.
OpenSSL is an open source project that provides a relatively complete implementation of the Transport Layer Security (TLS) and Secure Sockets (SSL) protocols. At the same time, it is also committed to building itself as a general cryptography tool set. Including:
- libssl: Provides server-side and client-side implementations of SSL (including SSLv3) and TLS.
- libcrypto: general cryptography library and support for X.509
- openssl: a versatile command line tool
On Mac we can install the openssl like
brew install openssl.
Linuxs users can refer to this article to install https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/.
Windows users can refer to this article to install https://www.xolphin.com/support/OpenSSL/OpenSSL_-_Installation_under_Windows
Step 1: Create private key
Create simple private key
asymmetric encryption, first thing we need to do is to create a private key. Here we are using RSA algorithm.
# create a private key (private.pem) with 1024 bits long openssl genrsa -out private.pem 1024
P.S: 1024 means the size of the private key. we can use 512, 1024, 2048 and etc.
Create a private key with encrpytion
So far we have generated a private key with plain text in it. Also we can use another encrpytion algorithm to encrypt the private key so as to protect it, here we are using the
aes256 to encrpyt with a password
openssl genrsa -aes256 -passout stdin -out private.pem 1024 openssl genrsa -aes256 -passout file:passwd.txt -out private.pem 1024 openssl genrsa -aes256 -passout pass:my_password -out private.pem 1024
P.S: 1024 aes256 requires 4 to 1023 characters as the password
Check the private key we just created:
openssl rsa -text -in private.pem
Step 2: Create public key
After we have the private key, we can create the corresponding private key:
openssl rsa -in private.pem -pubout -out public.pem
Step 3: Use the public key to encrypt the content
Suppose we have a file named content.txt, we can encrypt it using the above public key:
openssl rsautl -encrypt -pubin -inkey public.pem -in content.txt -out content.txt.encrypt # content of content.txt some content # content ofcontent.txt.encrypt ��e�.�J"��x�9�(�籫��2N�j�Od.�� �u0���j>�dĄ<qz@��9%
Step 4: Use the private key to decrypt the content
openssl rsautl -decrypt -inkey private.pem -in content.txt.encrypt -out content.txt.decrypt # content.txt.decrypt some content
Work with symmetric encryption
Although public and private key encryption is working very well, the disadvantage of
asymmetric encryption is obvious: the speed of encryption and decryption is much slower than that of
symmetric encryption. In some extreme cases, it can even be thousands of times slower than asymmetric encryption. In addition, due to the RSA algorithm itself, if the key is
n bits, then the encrypted information capacity cannot be greater than
(n-11) bits. Therefore, symmetric encryption is usually used for the encrypted transmission of large files, and we only use
asymmetric encryption to encrpyt and descrpyt the key.
# 1 openssl rand -base64 128 -out aeskey.txt # 2 openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.aesenc -pass file:aeskey.txt # 3 openssl enc -d -aes-256-cbc -in file.txt.aesenc -out file.txt.aesdec -pass file:aeskey.txt
1, We need to generate a key/password which symmetric encryption (
AES 256 CBC) algorithm can use to encrpyt/descrpyt. Here it named
aeskey.txt contains the key/password randomly generated by openssl
AES 256 CBC algorithm to encrpyt the large file content, it can be any file type, text or binary.
3, Client will receive the
aeskey.txt key file through
asymmetric encryption and decrypt the file.txt.aesdec to get the content.