

Practical SSL/TLS and Cryptography, Technical Part I
RSA, DSA and signature generation. OpenSSL commands to generate RSA key pairs and to validate that a CSR, a certificate and a private key belong together.
RSA is the most common asymmetric algorithm. It generates a key pair whose operations are commutative: what is encrypted with one key is decrypted with the other. How secure is RSA? Its security rests on the fact that factoring a large semiprime (the product of two large primes) is mathematically very hard. DSA is also an asymmetric algorithm, but it differs from RSA in what it can do.

With RSA we can do the following:
- Encryption and decryption, using the public key and the private key respectively
- Signature generation and verification: the message is hashed, the hash is signed with the private key and the signature is verified with the public key
- "Key exchange": a random seed value (the pre-master secret in classic TLS RSA key exchange) is sent using the encryption and decryption above

DSA (Digital Signature Algorithm) does only one thing: it creates and validates signatures. No encryption or decryption, and no key exchange.

DSA signature generation
Input -> message, private key, random number (the per-signature nonce k), DSA parameters (p, q, g)
Output -> signature (r, s)

DSA signature verification
Input -> message, public key, signature, DSA parameters
Output -> 1 or 0 (true or false)

The random number is critical in DSA because it must be unique for every signature. If the same random number is used to sign two different messages, both signatures carry the same r value, and anyone holding the two signatures can solve for the nonce and then for the private key. To avoid this, RFC 6979 derives the random number deterministically from the private key and the message hash (an HMAC-based construction), so no two different messages ever get the same nonce and the attack above goes away. The same message signed twice then yields the same nonce and the same signature; that is fine and cannot be used to extract the private key. (The same nonce-reuse attack applies to ECDSA, which is why RFC 6979 covers both DSA and ECDSA.)

OpenSSL commands for RSA

Generate the public and private key. This produces an "RSA key file" which holds the private key together with the public key (modulus and public exponent) and the CRT parameters:
openssl genrsa -out RSA-KEY1.pem 1024
(1024-bit RSA is used here only to keep the examples quick; for anything real use 2048 bits or more.)

Convert an RSA private key into text (the decoded fields are followed by the PEM block):
openssl rsa -in RSA-KEY1.pem -text

Same as above, except that the PEM-formatted private key is not printed:
openssl rsa -in RSA-KEY1.pem -text -noout

Generate a 2048-bit RSA private key that is encrypted with AES-128. This is symmetric encryption, so it needs a symmetric key: openssl prompts for a passphrase and derives the AES key from it. The key size must be the last argument to genrsa:
openssl genrsa -out RSA-key2.pem -aes128 2048
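The nonce-reuse point made in the DSA section above, worked through in code. This is an added example and not code from the original page: it implements textbook DSA over demo-sized domain parameters generated on the fly (512-bit p and 160-bit q are assumptions chosen for speed; the arithmetic does not depend on the size), signs two different constructed messages with one repeated nonce, recovers the private key from the two signatures, and then shows the RFC 6979 deterministic nonce removing the problem. The RFC 6979 routine is written from section 3.2 of the RFC with HMAC-SHA256; it is checked here for determinism and for producing valid signatures, not against the RFC's published test vectors, which the page does not carry.

```python
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=24):          # Miller-Rabin with random bases
    if n < 4:
        return n in (2, 3)
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = 2^s * d with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(pbits=512, qbits=160):    # (p, q, g): q prime, q | p-1, g of order q; demo sizes (assumption)
    q = 0
    while not is_probable_prime(q):
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
    p = 0
    while p.bit_length() != pbits or not is_probable_prime(p):
        p = (secrets.randbits(pbits - qbits) | (1 << (pbits - qbits - 1))) * q + 1
    g = 1
    while g == 1:
        g = pow(secrets.randbelow(p - 3) + 2, (p - 1) // q, p)
    return p, q, g


def bits2int(octets, qlen):                   # RFC 6979 bits2int: leftmost qlen bits as an integer
    return int.from_bytes(octets, "big") >> max(len(octets) * 8 - qlen, 0)


def msg_int(msg, q):                          # e = leftmost qlen bits of SHA-256(m), as DSA specifies
    return bits2int(hashlib.sha256(msg).digest(), q.bit_length())


def rfc6979_nonce(x, h1, q):                  # RFC 6979 section 3.2 with HMAC-SHA256: k = f(x, H(m))
    qlen, rolen = q.bit_length(), (q.bit_length() + 7) // 8
    int2octets = lambda v: v.to_bytes(rolen, "big")
    mac = lambda key, data: hmac.new(key, data, hashlib.sha256).digest()
    h1_octets = int2octets(bits2int(h1, qlen) % q)          # bits2octets(h1)
    V, K = b"\x01" * 32, b"\x00" * 32
    K = mac(K, V + b"\x00" + int2octets(x) + h1_octets)
    V = mac(K, V)
    K = mac(K, V + b"\x01" + int2octets(x) + h1_octets)
    V = mac(K, V)
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = mac(K, V)
            T += V
        k = bits2int(T, qlen)
        if 1 <= k <= q - 1:
            return k
        K = mac(K, V + b"\x00")
        V = mac(K, V)


def sign(msg, x, params, k=None):             # k=None: RFC 6979 nonce; explicit k: simulate a faulty RNG
    p, q, g = params
    h1 = hashlib.sha256(msg).digest()
    k = rfc6979_nonce(x, h1, q) if k is None else k
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (bits2int(h1, q.bit_length()) + x * r) % q
    return r, s                               # r == 0 or s == 0 (about 2^-160) would call for a fresh k


def verify(msg, sig, y, params):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    e, w = msg_int(msg, q), pow(s, -1, q)
    return pow(g, e * w % q, p) * pow(y, r * w % q, p) % p % q == r


def recover_private_key(m1, sig1, m2, sig2, q):
    """Two messages signed with the same k share r: solve s1 - s2 = k^-1 (e1 - e2) for k, then for x."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r differs, so the nonce was not reused")
    e1, e2 = msg_int(m1, q), msg_int(m2, q)
    k = (e1 - e2) * pow((s1 - s2) % q, -1, q) % q   # pow() raises if s1 == s2, i.e. e1 == e2 mod q
    return (s1 * k - e1) * pow(r1, -1, q) % q       # from s1 = k^-1 (e1 + x r)


def demo():                                   # runs the attack and the fix; returns named booleans
    params = generate_params()
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    y = pow(g, x, p)
    m1, m2, k_reused = b"pay alice 10", b"pay mallory 10000", secrets.randbelow(q - 1) + 1  # constructed input
    bad1, bad2 = sign(m1, x, params, k=k_reused), sign(m2, x, params, k=k_reused)          # nonce used twice
    good1, good1_again, good2 = sign(m1, x, params), sign(m1, x, params), sign(m2, x, params)
    return {
        "all_signatures_verify": all(verify(m, s, y, params) for m, s in ((m1, bad1), (m2, bad2), (m1, good1), (m2, good2))),
        "private_key_recovered": recover_private_key(m1, bad1, m2, bad2, q) == x,
        "same_message_same_signature": good1 == good1_again,
        "different_messages_different_r": good1[0] != good2[0],
    }
```

Calling demo() returns four booleans, all expected to be True: the two signatures made with the repeated nonce verify fine, so the victim never notices, yet recover_private_key() gets x back from them alone; with the RFC 6979 nonce the same message always gives the same signature while different messages get different r values. Note that the attack only needs the two signatures and the public parameters, not the public key.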
List the ciphers available for key encryption (AES-128 is considered secure):
openssl list -cipher-algorithms

Generate an RSA key directly on the console instead of into a file:
openssl genrsa 1024

openssl genrsa -out RSA-KEY3.pem -aes128 4096

Generating DSA public and private keys

Generate a DSA parameters file (p, q, g):
openssl dsaparam -out DSA-PARAM.pem 1024

Generate a DSA key file from the parameters file created above:
openssl gendsa -out DSA-KEY.pem DSA-PARAM.pem

Generate the DSA parameters and the key in one shot, in one file:
openssl dsaparam -genkey -out DSA-PARAM-KEY.pem 2048

Adding and removing encryption on an RSA key

In the real world, servers, load balancers (F5 and the like) require you to import either an encrypted or an unencrypted key, so it is useful to convert between the two.

Add encryption to an RSA key (you are prompted for a passphrase):
openssl rsa -in RSA-KEY1.pem -aes192 -out RSA-KEY1_enc.pem

To display the content of the encrypted key as text, use the command below and supply the passphrase chosen when the key was encrypted:
openssl rsa -in RSA-KEY1_enc.pem -noout -text

Decrypt the file you just encrypted:
openssl rsa -in RSA-KEY1_enc.pem -out RSA-KEY1_dec.pem

The decrypted key is the same key as the original unencrypted one, so we can compare the original with the decrypted copy by hashing both files. A hash algorithm takes input data (a file) and returns a fixed-size digest. Note that a digest is a fingerprint of the data, not a signature; a signature is a digest that has additionally been signed with a private key. A common hashing utility is sha1sum, and if the digests of the original key and the decrypted key match, the two files are byte-for-byte identical:

sha1sum RSA-KEY1*
898ac500bd58fb6efb69a11c7108d130c80ec449 RSA-KEY1.pem
898ac500bd58fb6efb69a11c7108d130c80ec449 RSA-KEY1_dec.pem
861471094c46fef92c3722fbf67911e25dde5866 RSA-KEY1_enc.pem

SHA-1 is fine for checking that two local files are identical, but it is no longer acceptable for digital signatures; sha256sum works the same way and is the better habit. The byte comparison only holds when both files use the same encoding (traditional "BEGIN RSA PRIVATE KEY" PEM here); newer OpenSSL releases write PKCS#8 ("BEGIN PRIVATE KEY") by default, and a re-encoded copy of the same key hashes differently while still being the same key.

openssl pkey utility

pkey is algorithm-independent: it reads and extracts information from any key type (RSA, DSA, EC). Simply replace rsa with pkey in the commands above, for example:
openssl pkey -in RSA-KEY1.pem -noout -text

*** Matching (RSA or elliptic curve) key files to certificates and CSRs

First we need to know how to check whether a certificate or CSR contains an RSA key.
Viewing an X.509 certificate as human-readable text:
openssl x509 -in RSA-CERT.pem -noout -text

The above prints the certificate information in human-readable form. In the output, focus on the middle part: the "Public Key Algorithm" field reads rsaEncryption, which confirms that our certificate is indeed RSA.

cat RSA-CERT.pem

The above prints the PEM form of the certificate, i.e. the base64-encoded DER from which the human-readable output was decoded.

We can do the same for a CSR (the certificate was already done above):
openssl req -in mycsrfile.pem -noout -text

Again, focus on the middle part of the output, where the public key algorithm is shown as RSA or something else, such as an elliptic curve algorithm (id-ecPublicKey).

Now the idea is to ensure that the RSA private key matches both the CSR and the certificate (the one signed by the CA). An RSA public key is the modulus plus the public exponent, so if the moduli agree, the three files belong to the same key pair.

Run the command below on the CSR to get the modulus value:
openssl req -in RSA-CSR.pem -noout -modulus
The above prints Modulus=<long hex string>; let us call it aaaabbbbccccdddd.

Now run the similar command on the certificate file:
openssl x509 -in RSA-CERT.pem -noout -modulus
This also prints a modulus value, which must match the CSR's, i.e. aaaabbbbccccdddd.

Finally run the command on the private key:
openssl rsa -in RSA-KEY1.pem -noout -modulus
This also prints a modulus value, which must match the CSR and the certificate, i.e. aaaabbbbccccdddd.

Just as we compared the RSA CSR, certificate and key file (the key file holds the private key, from which the public key is derived), we can check the relation between an EC CSR, certificate and key. The minor difference is that for RSA we compare the modulus, whereas for EC we compare the public key itself. Here are the commands:
openssl req -in EC-CSR.pem -noout -pubkey
openssl x509 -in EC-CERT.pem -noout -pubkey
openssl ec -in EC-KEY1.pem -pubout

All three commands above print the public key in PEM form, and all three must match. The -pubkey and -pubout forms work for RSA keys as well, and since pkey is algorithm-independent, replacing ec with pkey in the last command gives a version of the check that works for any key type.
We can simplify the comparison of the three outputs above by hashing each of them and comparing the digests:
openssl req -in EC-CSR.pem -noout -pubkey | sha1sum
openssl x509 -in EC-CERT.pem -noout -pubkey | sha1sum
openssl ec -in EC-KEY1.pem -pubout | sha1sum

openssl ec writes its "read EC key" and "writing EC key" status lines to stderr, so only the PEM public key reaches sha1sum and the three digests are directly comparable. Any digest utility works here (sha256sum is the better habit) as long as the same one is used for all three files, and the same trick shortens the RSA modulus comparison too. Hope this summary helps.
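An added example, not from the original page, that automates the matching procedure above for RSA and EC alike by driving openssl from Python: it extracts the public key from the CSR, the certificate and the private key with the -pubkey/-pubout commands, fingerprints the base64 body of each, and reports whether all three agree. The self-test generates its own EC key, CSR and self-signed certificate in a temporary directory plus a second, unrelated key. The file names, the CN example.test and the passphrase handling are assumptions of this example, and openssl must be on PATH.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile


def openssl_available():
    return shutil.which("openssl") is not None


def openssl(*args, passphrase=None):
    """Run one openssl subcommand and return its stdout. stderr is captured separately, so status chatter
    such as 'writing EC key' never ends up in what we compare. An encrypted key is unlocked via -passin."""
    cmd = ["openssl", *args]
    if passphrase is not None:
        cmd += ["-passin", "pass:" + passphrase]
    return subprocess.run(cmd, check=True, capture_output=True).stdout


def public_key_pem(path, kind, passphrase=None):
    """Extract the public key (SubjectPublicKeyInfo PEM) from a CSR, a certificate or a private key.
    -pubkey/-pubout are used instead of -modulus because they work for RSA and EC alike, and pkey
    instead of rsa/ec so the key type does not need to be known in advance."""
    if kind == "csr":
        return openssl("req", "-in", path, "-noout", "-pubkey")
    if kind == "cert":
        return openssl("x509", "-in", path, "-noout", "-pubkey")
    if kind == "key":
        return openssl("pkey", "-in", path, "-pubout", passphrase=passphrase)
    raise ValueError("kind must be 'csr', 'cert' or 'key'")


def pem_fingerprint(pem):
    """SHA-256 over the base64 body only, so CRLF vs LF, trailing blanks or a missing final newline
    cannot make two identical public keys look different."""
    body = b"".join(line.strip() for line in pem.splitlines()
                    if line.strip() and not line.strip().startswith(b"-----"))
    return hashlib.sha256(body).hexdigest()


def materials_match(csr_path, cert_path, key_path, passphrase=None):
    """True when the CSR, the certificate and the private key all carry the same public key."""
    fingerprints = {pem_fingerprint(public_key_pem(csr_path, "csr")),
                    pem_fingerprint(public_key_pem(cert_path, "cert")),
                    pem_fingerprint(public_key_pem(key_path, "key", passphrase))}
    return len(fingerprints) == 1


def selftest():
    """Build a matching EC key/CSR/self-signed certificate set plus an unrelated key (all generated here,
    in a temporary directory) and return (result with the right key, result with the wrong key)."""
    with tempfile.TemporaryDirectory() as d:
        key, other, csr, cert = (os.path.join(d, n) for n in ("ec-key.pem", "other-key.pem", "ec.csr", "ec-cert.pem"))
        openssl("ecparam", "-name", "prime256v1", "-genkey", "-noout", "-out", key)
        openssl("ecparam", "-name", "prime256v1", "-genkey", "-noout", "-out", other)
        openssl("req", "-new", "-key", key, "-subj", "/CN=example.test", "-out", csr)
        openssl("x509", "-req", "-in", csr, "-signkey", key, "-days", "1", "-out", cert)
        return materials_match(csr, cert, key), materials_match(csr, cert, other)


if __name__ == "__main__":
    print("right key matches, wrong key matches:", selftest())   # expected: (True, False)
```

A match proves only that the public halves agree. It says nothing about whether the private key file itself is internally consistent (for example after a botched copy-paste of a PEM block); for an RSA key, openssl rsa -in KEY -check -noout verifies the private components against each other.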