Generally speaking, current digital encryption methods can be divided into two main categories: symmetric encryption and asymmetric encryption.
In symmetric encryption, the same key is used for both encryption and decryption; algorithms of this kind include AES, DES, RC4, Blowfish, etc. Asymmetric encryption, by contrast, uses different keys for encryption and decryption, called the public key and the private key. Asymmetric algorithms include RSA, DSA, Diffie-Hellman, etc.
This post will introduce the workflow of asymmetric encryption with the tool openssl.
OpenSSL
OpenSSL is an open source project that provides a relatively complete implementation of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. At the same time, it aims to be a general-purpose cryptography toolkit, including:
- libssl: provides server-side and client-side implementations of SSL (including SSLv3) and TLS.
- libcrypto: a general cryptography library with support for X.509.
- openssl: a versatile command line tool.
OpenSSL installation
On Mac we can install openssl with brew install openssl.
Linux users can refer to this article to install it: https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/.
Windows users can refer to this article to install it: https://www.xolphin.com/support/OpenSSL/OpenSSL_-_Installation_under_Windows.
Step 1: Create private key
A private key can be created either with or without encryption. The difference is that an encrypted key adds an extra layer of protection: the key file itself is protected with a password.
Create simple private key
For asymmetric encryption, the first thing we need to do is to create a private key. Here we are using the RSA algorithm.
# create a private key (private.pem) with 1024 bits long
openssl genrsa -out private.pem 1024
P.S: 1024 is the size of the key in bits; we can use 512, 1024, 2048, etc. Note that 1024-bit RSA is no longer considered adequate for new keys, and 2048 bits is the usual minimum today.
Create a private key with encryption
So far we have generated a private key stored in plain text. We can also use another encryption algorithm to encrypt the private key so as to protect it; here we are using aes256 to encrypt it with a password.
openssl genrsa -aes256 -passout stdin -out private.pem 1024
openssl genrsa -aes256 -passout file:passwd.txt -out private.pem 1024
openssl genrsa -aes256 -passout pass:my_password -out private.pem 1024
P.S: with aes256 the password must be 4 to 1023 characters long.
Check the private key we just created:
openssl rsa -text -in private.pem
Step 2: Create public key
After we have the private key, we can derive the corresponding public key from it:
openssl rsa -in private.pem -pubout -out public.pem
Step 3: Use the public key to encrypt the content or file
Suppose we have a file named content.txt; we can encrypt it using the public key from above (openssl rsautl is deprecated since OpenSSL 3.0, and openssl pkeyutl accepts the same -encrypt/-decrypt options):
openssl rsautl -encrypt -pubin -inkey public.pem -in content.txt -out content.txt.encrypt
# content of content.txt
some content
# content of content.txt.encrypt (binary ciphertext, not printable)
Step 4: Use the private key to decrypt the content
openssl rsautl -decrypt -inkey private.pem -in content.txt.encrypt -out content.txt.decrypt
# content.txt.decrypt
some content
Work with symmetric encryption
Although public and private key encryption works very well, the disadvantage of asymmetric encryption is obvious: encryption and decryption are much slower than with symmetric encryption. In some extreme cases it can even be thousands of times slower than symmetric encryption. In addition, because of the RSA algorithm itself, if the key is n bytes long, a single encryption cannot handle more than (n-11) bytes of data (with the default PKCS#1 v1.5 padding). Therefore, symmetric encryption is usually used for the encrypted transmission of large files, and we use asymmetric encryption only to encrypt and decrypt the symmetric key.
# 1
openssl rand -base64 128 -out aeskey.txt
# 2
openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.aesenc -pass file:aeskey.txt
# 3
openssl enc -d -aes-256-cbc -in file.txt.aesenc -out file.txt.aesdec -pass file:aeskey.txt
1. We need to generate a key/password that the symmetric algorithm (AES 256 CBC) can use to encrypt and decrypt. Here the file aeskey.txt contains the key/password randomly generated by openssl.
2. Use the AES 256 CBC algorithm to encrypt the large file; it can be any file type, text or binary.
3. The client receives the aeskey.txt key file through asymmetric encryption (encrypted with the client's public key, exactly as content.txt was in steps 3 and 4), and then decrypts file.txt.aesenc into file.txt.aesdec to get the content.
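The whole hybrid workflow (steps 1 to 4 plus the three symmetric commands) run end to end as one POSIX shell function, added here as an example and not part of the original post. It assumes a local openssl binary, uses a 2048-bit key and openssl pkeyutl in place of the deprecated rsautl, adds -pbkdf2 to the enc commands, and checks the (n-11)-byte RSA limit along the way; the file names and plaintext are constructed for the example.

```shell
#!/bin/sh
# Hybrid encryption round trip with the openssl CLI: RSA protects the
# AES key, AES-256-CBC protects the bulk data. Runs in a throwaway
# directory (subshell, so the caller's cwd is untouched); returns 0 only
# if the decrypted file matches the original byte for byte.
set -eu

hybrid_roundtrip() (
    work=$(mktemp -d)
    cd "$work"

    # Steps 1 and 2: RSA key pair. 2048 bits; 1024 is too weak for new keys.
    openssl genrsa -out private.pem 2048
    openssl rsa -in private.pem -pubout -out public.pem

    # Constructed plaintext (~4000 bytes), far larger than one RSA block.
    openssl rand -base64 3000 > file.txt

    # With PKCS#1 v1.5 padding a 256-byte key holds at most 245 bytes of
    # data, so encrypting the file directly with RSA must be rejected.
    ! openssl pkeyutl -encrypt -pubin -inkey public.pem -in file.txt -out /dev/null 2>/dev/null

    # Symmetric step 1: random key material; openssl enc reads the first
    # line of this file as the password.
    openssl rand -base64 32 -out aeskey.txt

    # Symmetric step 2: encrypt the bulk data. -pbkdf2 replaces openssl's
    # legacy key derivation (which newer versions warn about); -salt gives
    # every encryption a fresh salt even with the same password.
    openssl enc -aes-256-cbc -salt -pbkdf2 -in file.txt -out file.txt.aesenc -pass file:aeskey.txt

    # Step 3: only the small key file goes through RSA.
    openssl pkeyutl -encrypt -pubin -inkey public.pem -in aeskey.txt -out aeskey.txt.enc

    # Step 4 and symmetric step 3, on the receiving side: recover the AES
    # key with the private key, then decrypt the bulk data with it.
    openssl pkeyutl -decrypt -inkey private.pem -in aeskey.txt.enc -out aeskey.txt.dec
    openssl enc -d -aes-256-cbc -pbkdf2 -in file.txt.aesenc -out file.txt.aesdec -pass file:aeskey.txt.dec

    # The round trip must reproduce the original exactly.
    cmp -s file.txt file.txt.aesdec
    cd / && rm -rf "$work"
)
```

Any failure (a rejected RSA block, a wrong key, a corrupted ciphertext) stops the function with a non-zero status because of set -e.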