SSL and TLS
Nowadays we always speak about cryptography and secure connections. Security has been primary matter for every business in the world. For these reasons it’s very important to understand basis. Secure sockets layer is a protocol engineered to provide security on a public network communication. Transport Layer Security (TLS) is its successor. The goal of such protocols is to create a secure channel over an insecure network which is public.
Asymmetric and Symmetric encryption
Asymmetric encryption is created when you open your browser and point it out on a website. Before any data is shown, the browser makes the connection and determine if the certificate is valid before allowing any data flow to come. If it is, in a fraction of second, the site is loaded and you cant notice this event. If not, you are notified by the browser that there is a problem and you can decide to avoid navigating the site. During this procedure public key encrypts the data while the private decrypts. When this worked, the browser can go on.
Symmetric encryption is used by process that happens later, after certificate is checked. The data exchange is made and the session keys works for encrypting and decrypting data.
So what happens when you go on your favourite website? an asymmetric encryption checks that website and browser are safe to communicate and that certificate is valid and safe. Then symmetric encryption allows you can go on in navigating the website securely. You will not see the change in process and all would happen in few instants.
RSA
RSA is one of the first crypto systems used for data transmission. RSA creates a public key based on two large prime numbers along with an auxiliary value and then publishes this key. The original prime numbers are kept secret. The public key can be used by anyone for encrypting a message. Only the user who knows the corresponding private key can decrypt the message.
Here an example of the process. Marc and Alison want to communicate securely using RSA. Marc wants to send a message M to Alison. Marc (the sender) must have the public key (PUB) of Alison. Alison, instead, will use her private key (PRIV) to decript the message M. Alison has to send her public key to Marc (it’s not important with which medium since it’s the public one).
Marc, received the PUB from Alison. Now he can send M to Alison.
After Bob obtains Alice’s public key, he can send a message M to Alison. When Alison gets the encrypted message M, she can decrypt with her PRIV. If someone intercepts the message before arriving to Alison, there will be no problem since the message will be crypted to eyes of the interceptor and then no possible to decrypt without Alison PRIV key.
RSA Signature
The problem of signature arises because Alison has no way to be sure that message comes from Marc because anyone can have used the PUB key to encrypt the message. In order to be possible to verify who sent the message, RSA can be used for signature. Marc infact can use his PRIV key to produce an hash value of the message (using the same function as when decrypting a message) and attaches it to the message. When the signed message is received by Alison, she uses the same hash algo with Marc PUB key (using the same function as when encrypting a message) and compares the resulting hash value with the message hash value. If the two hashes match, then Alison knows that message was created by a user who used Marc PRIV key (hopefully Marc).
Now let’s test
We want to test all above theoretical article with something that really makes aware of how it works. There is nothing bette than doing it with own fingers. First step let’s generate RSA key:
$ openssl genrsa -out key.pem 1024
Generating RSA private key, 1024 bit long modulus
………………………………………++++++
…………++++++
e is 65537 (0x10001)
then
$ openssl rsa -in key.pem -text -noout
Private-Key: (1024 bit)
modulus:
00:99:ef:0b:50:d9:2e:2e:97:07:1b:d7:e3:2b:db:
[…omissis…]
now let’s create the public key in pub.pem file:
$ openssl rsa -in key.pem -pubout -out pub.pem
writing RSA key
$ openssl rsa -in pub.pem -pubin -text -noout
Public-Key: (1024 bit)
Modulus:
00:99:ef:0b:50:d9:2e:2e:97:07:1b:d7:e3:2b:db:
f2:30:bc:b3:b4:0a:ec:9d:95:df:4b:ee:b5:68:d8:
96:dc:e6:a8:96:6a:70:53:90:5c:ee:4c:70:81:0c:
72:20:ab:0e:47:d6:c1:a5:70:9c:69:e2:e1:ae:90:
e6:47:0b:c1:6b:bf:28:72:55:51:9a:db:c8:23:1f:
96:41:59:59:56:9f:7f:b5:b3:33:c3:ae:2e:f6:4b:
74:54:60:6b:d7:25:99:dd:bb:fd:b6:db:64:ca:d1:
ca:2d:a4:f3:6b:a7:17:1e:42:0b:9d:c5:5c:bb:29:
76:7f:89:87:a3:85:a1:57:23
Exponent: 65537 (0x10001)
Now we have key.pem as private key and pub.pem as public key. As learnt before we can use the public key to encrypt a message and then use the corresponding private key to decrypt it.
Create an example message file
$ echo “hello world” > plainmessage.txt
encrypt it
$ openssl rsautl -encrypt -inkey pub.pem -pubin -in plainmessage.txt -out message.enc
now test decrypting it back
$ openssl rsautl -decrypt -inkey key.pem -in message.enc
hello world
The test worked. We simply created a private and public key pair. then encrypted a message with public key and then decrypted with the private one. All went fine with our RSA command line test on debian. Remember that it’s important to know very well these matters in order to be safer in the crypto world.