Using openssl for symmetric encryption

Nothing to hand in

Using openssl to encrypt and decrypt

This is a quick walkthrough of the demo in my symmetric encryption video.

• Create a text file named plain.txt containing some text. Whatever you want.

• Generate a random 16-byte (32-hexadecimal-digit) key K using this command:

  openssl rand 16 | od -An -tx1 | tr -d ' \n'
• What the heck was that command doing? I mean, openssl rand 16 is clear enough, but see what happens if you leave off the tr command or both the od and tr commands. Check man od and man tr to make sense of the specifics of this pipeline.
• Generate another 32-hex-digit number to be your initialization vector IV.

• Encrypt your plaintext:

  openssl enc -aes-128-cbc -K YOUR_K -iv YOUR_IV -base64 -in plain.txt -out cipher.base64
• What is everything in that command for? And why do we want the result in base64?

• Do cat cipher.base64 just to see what you ended up with. Then try

  base64 -d cipher.base64 | hexdump -C

  Is this human-readable text? Did you want it to be?

• Let's see if we can decrypt this baby.

  openssl enc -d -aes-128-cbc -K YOUR_K -iv YOUR_IV -base64 -in cipher.base64 -out decrypted.txt

• Did you get what you hoped for?

  cat decrypted.txt diff decrypted.txt plain.txt
• Why did we use 32-hex-digit key and IV for this exercise instead of some other length? Do they need to be the same length? Why or why not?

More questions about openssl

Use openssl help, openssl enc -help, manual pages, the internet, and experimentation to answer a few more questions.

• How can you get a list of symmetric encryption algorithms supported by openssl?
• How many of those algorithms involve AES? Among those, how do they differ?
• That crazy pipeline of openssl rand, od, and tr above came straight out of a StackOverflow post. Can you do that more easily with just openssl? (Hint: yes, and it's so much less of a hassle!) How?
• What does the -engine flag for openssl rand do? (As I type this question, I have not researched its answer and now I have to go to a meeting. But I'm curious, so check it out for me.)
• How can you get a list of asymmetric encryption algorithms?
• What output formats does openssl enc support?
• ...etc. We will use openssl for more tasks later, but it's huge, so we won't get close to covering everything it does. Feel free to investigate on your own.

Getting started with asymmetric encryption: logging into mantis without a password

If you're on the Carleton network and you have a Unix terminal open, you can get a command prompt on mantis.mathcs.carleton.edu like so:

To avoid typing your password every time you do this, you can create a (public, private) key pair for an asymmetric encryption algorithm like RSA or ECC. Then you can store the private key in a particular place and format on your local machine and the public key inside your mantis account. If those two keys are in the right places, when you execute the ssh command above, you won't need to type a password. We'll discuss the security of this mechanism soon. (It's secure enough that I use this technique extensively in my own digital life, but it's still important to discuss the vulnerabilities.)

For this exercise, find yourself some instructions online for setting this up properly. (For example, you could search for "ssh public key authentication" and get a ton of more-or-less-understandable instruction pages.)

When you're done and the login-without-password is working, here are some follow-up questions:

• Does this setup work with VS Code? i.e., if you try to connect to mantis like we do in CS208 or CS251, does it work now without a password?
• Where does the private key live, exactly? What's its format?
• Where does the public key live, exactly? What's its format?