I’ve previously looked at doing asymmetric crypto with openssl
using the genrsa
, rsa
, and rsautl
commands. This uses RSA, which is one way to do asymmetric crypto. An alternative way is elliptic-curve crypto (ECC), and openssl
has commands for ECC too.
Here’s how Alice and Bob generate their private keys and extract public keys from them:
# Alice generates her private key
openssl ecparam -name secp256k1 -genkey -noout -out alice_priv_key.pem
# Alice extracts her public key from her private key
openssl ec -in alice_priv_key.pem -pubout -out alice_pub_key.pem
(Here, we choose the curve secp256k1
. There are many to choose from.)
However, there are no tools for encrypting and decrypting! ECC doesn’t define these directly. Instead, ECC users use Diffie-Hellman (DH) key exchange to compute a shared secret, then communicate using that shared secret. This combination of ECC and DH is called ECDH.
See Alice and Bob derive their shared secret:
$ openssl pkeyutl -derive -inkey alice_priv_key.pem -peerkey bob_pub_key.pem -out alice_shared_secret.bin
$ openssl pkeyutl -derive -inkey bob_priv_key.pem -peerkey alice_pub_key.pem -out bob_shared_secret.bin
$ base64 alice_shared_secret.bin
BvqYFmmnn7s9M8bOrO0YDmBHs1sBIAtz5/0mmCQY5/8=
$ base64 bob_shared_secret.bin
BvqYFmmnn7s9M8bOrO0YDmBHs1sBIAtz5/0mmCQY5/8=
Notice Alice’s shared secret file is the same as Bob’s. They can now use this shared secret to communicate using any symmetric crypto. For example:
$ echo 'I love you Bob' > plain.txt
$ openssl enc -aes256 -base64 -k $(base64 alice_shared_secret.bin) -e -in plain.txt -out cipher.txt
$ openssl enc -aes256 -base64 -k $(base64 bob_shared_secret.bin) -d -in cipher.txt -out plain_again.txt
$ cat plain_again.txt
I love you Bob
I wrote this because I'm beginning learning SSL/TLS by going through the CLI commands This post is my own, and not associated with my employer.
Jim. Public speaking. Friends. Vidrio.