Introduction to HTTPS: Asymmetric Encrypted RSA

How do we decide what the key is?

Symmetric key cryptography is safe if only the sender and receiver know the key.In a Caesar password, the key is an offset value that determines how much each letter should be offset.In our example, we use an offset value of 3, but it can also be 4 or 12.

There's a problem with this design, though: Alice and Bob don't create a key in a secure way if they've never seen it before before before, before they used the pigeon to deliver information.If they include the key in the information, Mallory intercepts the information and discovers the key.The consequence is that Mallory can read or change the intercepted information whether or not the information Alice and Bob send is encrypted.

This is a typical example of a man-in-the-middle attack.The only way to avoid it is to change the previous password system.

So if there's no such way, Alice and Bob have never seen it before. Alice wants to pass a message to Bob. At first Alice writes an empty letter to Bob, and Bob sends a key to Alice.One of the features of this key is that it can only be used for encryption. You cannot decrypt files you encrypt. Only Bob can unlock them.That is, even if the key was intercepted by Mallory during the transmission process, Mallory knows the key and gets it for encryption only. Even if Alice intercepts the letter that Alice sends to Bob with the key encryption information everyone gets, he can't unlock the cryptographic text.

This is another set of cryptography.

There are differences between him and before. The first is that he needs to communicate twice. The second is that the key given can only be used for encryption and cannot be used for decryption.

This type of transmission over the network can be intercepted by many people, called public keys, and Bob's password to unlock the cryptography is a more private key.

RSA algorithm

The important point of the above cryptographic system is that encryption and decryption can be separated. Encryption and decryption can be separated. Encryption and decryption are not simple and reciprocal processes. Even the encrypted people can not solve them themselves.This is much safer.
Mathematically:
Encryption:
Y=E(X)Y=E(X)Y=E(X)
Where X is plain text and Y is ciphertext, the value converted by function E.
Decrypt:
X=E(Y)X=E(Y)X=E(Y)
Unlike f (inverse function) above, E,D is not inverse.

Now it's time to find E,D. Someone has already found it. Let's have a look:

Encryption formula:

XemodN=YX^e mod N = YXemodN=Y

Decryption formula:

X=YdmodNX = Y^d mod NX=YdmodN

How does this formula work:

N = 319, e = 17, d=33

Number X = 40 to encrypt now

Cryptogram Y=4017mod 319Y=40^{17} mod 319Y=4017mod319 Calculates Y=61.This completes the encryption process, in which we use two numbers, N(319),e(17).d(33) We didn't give it, and he couldn't decrypt it.

Don't believe try it

6117mod319=11861^{17} mod 319=1186117mod319=118

Decrypt with d(33)

6133mod319=4061^{33} mod 319=406133mod319=40

Just encrypted 40, the result is correct.

This is an RSA encryption algorithm.Has a public key and a key.

RSA process in openssl

With knowledge of theory, we don't need to write our own code to accomplish this process. Powerful openssl can do this very well. If you don't have openssl installed, you can install it yourself.

To set up this process using openssl, first, create the private key:

openssl genrsa -out private_key.pem 2048

Show creation success:

Generating RSA private key, 2048 bit long modulus
............+++
..........................+++
e is 65537 (0x10001)

Bob has this private key. When Alice comes to communicate with him, he sends the public key to Alice for the first time. The public key is generated as follows:

root@ubuntu:~/openssl_ca/new_rsa# openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout
writing RSA key

Alice takes the public_key.pem public key and encrypts the required file, assuming the name of the letter is hellofile.txt

echo "Welcome in my worls." > hellofile.txt

Encrypt hellofile.txt with a public key.

openssl rsautl -encrypt -inkey public_key.pem -pubin -in hellofile.txt -out hellofile_encrypt.dat

The hellofile_encrypt.dat is obtained, at which point the public key cannot be decrypted.

root@ubuntu:~/openssl_ca/new_rsa# openssl rsautl -decrypt -inkey public_key.pem -in hellofile_encrypt.dat -out new_hellofile.txt
unable to load Private Key
140480186250904:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY

Alice uses a public network to send the hellofile_encrypt.dat file to Bob, who decrypts it using his private key.

openssl rsautl -decrypt -inkey private_key.pem -in hellofile_encrypt.dat -out new_hellofile.txt

View the contents of new_hellofile.txt.

root@ubuntu:~/openssl_ca/new_rsa# cat new_hellofile.txt 
Welcome in my worls.

Digital certificate process in openssl

Encryption formula:

XemodN=YX^e mod N = YXemodN=Y

Decryption formula:

X=YdmodNX = Y^d mod NX=YdmodN

This process is the encryption process of RSA, and the reverse process is the signing process of digital certificates.

Generate digital certificates:

X=YdmodNX = Y^d mod NX=YdmodN

Obtain the signature certificate of X, send the certificate X and source file Y to the client to verify.

Verify signature:

XemodN=YX^e mod N = YXemodN=Y

For example, the signature certificate of the software, the private key is used to generate the digital signature software when packaging the software, and the public key is used by the client to verify the signature.This is a good way to prevent software packages from being modified.

Build a script for the process that just generated the public and private keys:

generate_cert.sh

#!/bin/bash

echo $1

#Step 1: Generate a Private Key
echo -------------------------------------------- 1 
openssl genrsa -des3 -out $1.key 1024

#Step 2: Generate a CSR (Certificate Signing Request)
echo -------------------------------------------- 2
openssl req -new -key $1.key -out $1.csr

#Step 3: Remove Passphrase from Key 
echo -------------------------------------------- 3
cp $1.key $1.key.org
openssl rsa -in $1.key.org -out $1.key


#Step 4: Generating a Self-Signed Certificate
echo -------------------------------------------- 4
openssl x509 -req -days 365 -in $1.csr -signkey $1.key -out $1.crt


#Step 5: Generating PEM Certificate 
echo ---------------------- 5
cat $1.crt > $1.pem
cat $1.key >> $1.pem


echo --------------------------------------------  TERMINATED

Generate s2e.pem public key key.

generate_cert.sh s2e

Create ok.p7e

echo "verify " > ok.p7e

Sign the file:

openssl cms -sign -binary -in ok.p7e -out ok.p7e.p7m.pem -nodetach -outform DER -signer s2e.pem

See the signed file ok.p7e.p7m.pem.

0<82>^Dk^F      *<86>H<86>÷^M^A^G^B <82>^D\0<82>^DX^B^A^A1^M0^K^F       `<86>H^Ae^C^D^B^A0^W^F  *<86>H<86>÷^M^A^G^A 
^D^Hverify
 <82>^B/0<82>^B+0<82>^A<94>^B   ^@ÕZ£ê<84>^Q^V<86>0^M^F *<86>H<86>÷^M^A^A^K^E^@0Z1^K0   ^F^CU^D^F^S^Bcn1^K0     ^F^CU^D^H^L^Bfj1^K0     ^F^CU^D^G^L^Bxm1^Q0^O^F^CU^D
^L^Hchox Ltd1^M0^K^F^CU^D^K^L^Ddemo1^O0^M^F^CU^D^C^L^Fxx.com0^^^W^M181128080158Z^W^M191128080158Z0Z1^K0 ^F^CU^D^F^S^Bcn1^K0     ^F^CU^D^H^L^Bfj1^K0     ^F^CU^D^G^L^Bxm1^Q0^O^F^CU^D
^L^Hchox Ltd1^M0^K^F^CU^D^K^L^Ddemo1^O0^M^F^CU^D^C^L^Fxx.com0<81><9f>0^M^F      *<86>H<86>÷^M^A^A^A^E^@^C<81><8d>^@0<81><89>^B<81><81>^@¨Ê|^NË'ôglr<82>Ú^Uýã?<90>ÚaÈñ   Cé£eÈØ5s¢Ü4^S^AnëSJBëÏ<9e>KráÊ<99>sâsð!^Nª^Rð×W^M^H÷Ûl´^CHÉÎnqi<82>,<8b>^P^C'õùÖ^ZLKV=¾ñ.^[<9a>^MS^MÞötG@ W9<81>^X<98>¯}n<99>^\Æ~´È^Gä^U<92>´\±z-Î>p»^B^C^A^@^A0^M^F   *<86>H<86>÷^M^A^A^K^E^@^C<81><81>^@^FÖoúèÆ=Äç<8a>§m7^E¦0Ë£<97>C^U3<8c>KYÜÃäeä<94>^Mù^P¾^Wà<8c>78~Vi±Û^A^Oä51WA0^E^M^L
Òµ<99><8c>Å)OÃËãÃ9î4ò<9f>6§Á<^Ra<9a><80><9e>y,ù^^<91>$7ò]76º<83>        <8d>Æ(:ʶGFSô<80>4V.¼²sÈàxþééM<99>âú<9f><84>Ý·p1<82>^Aö0<82>^Aò^B^A^A0g0Z1^K0   ^F^CU^D^F^S^Bcn1^K0     ^F^CU^D^H^L^Bfj1^K0     ^F^CU^D^G^L^Bxm1^Q0^O^F^CU^D
^L^Hchox Ltd1^M0^K^F^CU^D^K^L^Ddemo1^O0^M^F^CU^D^C^L^Fxx.com^B  ^@ÕZ£ê<84>^Q^V<86>0^K^F `<86>H^Ae^C^D^B^A <81>ä0^X^F    *<86>H<86>÷^M^A ^C1^K^F *<86>H<86>÷^M^A^G^A0^\^F        *<86>H<86>÷^M^A ^E1^O^W^M181129095832Z0/^F      *<86>H<86>÷^M^A ^D1"^D QÿBÃÓ¹^H<96> B<9a>L^MÊ~m<84><99>cÛÿ¦Ø:+Dº\ `Gc0y^F       *<86>H<86>÷^M^A ^O1l0j0^K^F     `<86>H^Ae^C^D^A*0^K^F   `<86>H^Ae^C^D^A^V0^K^F  `<86>H^Ae^C^D^A^B0
^F^H*<86>H<86>÷^M^C^G0^N^F^H*<86>H<86>÷^M^C^B^B^B^@<80>0^M^F^H*<86>H<86>÷^M^C^B^B^A@0^G^F^E+^N^C^B^G0^M^F^H*<86>H<86>÷^M^C^B^B^A(0^M^F  *<86>H<86>÷^M^A^A^A^E^@^D<81><80>)ñ7BUXYÓ^N?Ü^T@ÝÝõµf©E^P^U<95>SÌ2ÿ<83>ð,Û^Yè^Nç8.<8e>û<8b>6}^H<8a>50^E<94>çËÏ!Çr<8c>BJNffÄgû:^L<83>©^GMkk<98>
µï^^<97>nqë^\^HÄ>Ï(\^H<86>^GHaâ<87>^Zrþ9¹<9a><90>ßÇ@ÏôåÐçTiô^\^?
^ECa>M]°¹­Ì^^ÑÃ

Verify the file signature file:

openssl cms -verify -noverify -in ok.p7e.p7m.pem

If the file after signing is modified, the verification cannot pass.


Reproduction please indicate where: Let's program

Forty-five original articles were published. 8 were praised. 70,000 visits+
Private letter follow

Keywords: OpenSSL Ubuntu network

Added by chipev on Mon, 10 Feb 2020 06:24:49 +0200