generation of safe primes - encryption

I need to generate a safe prime which has the form 2p + 1 where p is also prime of a certain
bit length (lets say 1024 bits). It is to be used in a DH key exchange.
I believe openssl can do this via
openssl gendh 1024
however this return's a base64 pem format
-----BEGIN DH PARAMETERS-----
MIGHAoGBANzQ1j1z7RGB8XUagrGWK5a8AABecNrovcIgalv1hQdkna2PZorHtbOa
wYe1eDy1t/EztsM2Cncwvj5LBO3Zqsd5tneehKf8JoT35/q1ZznfLD8s/quBgrH8
es2xjSD/9syOMMiSv7/72GPJ8hzhLrbTgNlZ+kYBAPw/GcTlYjc7AgEC
-----END DH PARAMETERS-----
How can I extract the safe prime number from this base64 pem?
is it easier to generate my own safe prime with my own code?
how can i test that a prime is 'safe' and of a certain bit length.

#GregS has an approach that will probably work for you. Based on what you have told me, I would just create a C binary and leverage the BN_generate_prime(...) function in OpenSSL. That cuts out all of the intermediate parsing and despite adding a separate binary into the mix, it's probably easier than the road you are headed down.

I agree with the comments made by #Luke. However, if for some reason you must use openssl command lines there are a few options but they'll only get you so far. None of these will do any significant arithmetic for you; they won't retrieve (p-1)/2 and check it for primality.
You can use the openssl dh command and parse the output. Try it with and without the -C option to see which works better for you. Examples.
openssl gendh -out testdh.pem 1024
openssl dh -in testdh.pem -noout -C
openssl dh -in testdh.pem -noout
If you can handle or prefer binary then you can parse the binary output for the DER-encoded DH structure.
openssl dh -in testdh.pem -outform der -out testdh.der
Another option is to parse the output of the ans1parse command:
openssl asn1parse -in testdh.pem

Related

Generate a triple DES key in a file, and use it to encrypt a message

I'm learning cryptography, and I want to use the OpenSSL command line to generate a triple DES key coded in base64 and save the resulting key to a text file, then I want to encrypt a text message using this key file.
I used the standard command "rand" to generate a random value of size 24 bytes coded in base64 and saved it as a key in a text file, but I don't know how to use this file to encrypt a text message using the command "enc", and I'm wondering if there is a better way to generate a triple DES key using OpenSSL command line.
This isn't a programming or development question, and not really ontopic for SO. It would fit better on security.SX or maybe superuser.
If this were (or is) anything oher than a throwaway test, saving a key in clear in a file is probably going to be insecure. That part really belongs on security.SX.
Technically a triple-DES key (like a single-DES key in the years before it was obsolete) should have the low bit of each octet (on modern systems, byte) set for odd parity. In the '70s when DES was developed and usually implemented in specialized hardware using discrete transistors, this was a very important feature. For the last few decades, and especially for software, these parity bits are usually ignored. For OpenSSL in particular, libcrypto ignores them by default (although there is an option to set or check) and commandline enc uses the libcrypto default.
Commandine enc defaults to password-based encryption which derives the key from a supplied password, but can take the actual key with -K (uppercase) IN HEX; see the man page.
On Unix this would make it easy if you use rand -hex instead:
openssl rand -hex 24 >key.hex
openssl enc -des-ede3-cbc -K $(cat key.hex) -iv 0123456789ABCDEF -in X -out Y
# see below
On Windows this is also manageable but not as easy; you need something like
openssl rand -hex 24 >key.hex
for /f %t in ('type key.hex') do set k=%t
rem double the % if used in a batch file
openssl enc -des-ede3-cbc -K %k% -iv 0123456789ABCDEF -in X -out Y
rem ditto
If you insist on base64, you'll need a helper program on Unix
openssl rand -base64 24 >key.b64
K=$( openssl base64 -d <key.b64 | xxd -p )
openssl enc -des-ede3-cbc -K $K ... # as above
and I don't think it can be done on Windows at all.
Note the IV should be different for each encryption, not hardcoded as in my example, and for CBC in particular it should also be unpredictable by an adversary; this is often most easily done by making it random. Although if it's not CBC mode only loses security to an active attacker while if it repeats at all other modes like CTR and OFB lose security even to a passive attacker. This part belongs on security.SX or crypto.SX where there are already dozens if not hundreds of Qs about it.

Faster Encryption of large file public key and three users

It is a large file to encrypt. I am at the encrypting part. The error is showing:
"Error reading password from Bios"
"Error getting password."
Please let me know what to do. Thanks in advance.
I kind of want to remove cbc mode because it is slow. I read it in an article. Also, the directions say to make it faster since it is needed for three users.
I think this is the problem by using 192 instead of 4096 or higher but I need to lower it to make it go faster speed from the question.
openssl genrsa -aes256 -out pubPrivate.key 192
openssl enc -aes-256-cbc -in BigFile.txt -out cipher.bin -pass File: pubPrivate.key
Also, I read somewhere that there are numbers 0000 in front of the code somewhere causing the error if that matters?
It's unclear what you are trying to do. Encrypt a large file, sure. But how? Symmetric with AES, or asymmetric with RSA?
Your first command, openssl genrsa creates a RSA public/private keypair with length 192, which as Ken White notes is a bad idea, not only is it not a power of 2, but also an incredibly short key length; to give you an estimate of how bad this is, 512 bit RSA keys were broken twenty years ago. In fact, my openssl, version 1.1.1b plainly refuses to even create such a keypair:
$ openssl genrsa -aes256 -out foo.key 192
Generating RSA private key, 192 bit long modulus (2 primes)
25769803792:error:04081078:rsa routines:rsa_builtin_keygen:key size too small:crypto/rsa/rsa_gen.c:78:
Your second command then does something completely different. It tries to encrypt Bigfile.txt using AES256 in CBC mode, which is ok, but you don't give the command a 256bit AES key. Instead, you tell it to look in the RSA key file for a passphrase, which is certainly not what you want. Openssl does not accept this either:
$ openssl enc -aes-256-cbc -in BigFile.txt -out cipher.bin -pass File: pubPrivate.key
Extra arguments given.
enc: Use -help for summary.
So let's assume what you want is to encrypt BigFile.txt symmetrically, with AES256 in CBC mode using a key derived from a password. You would then distribute this password to you three recipients. How fast is this? On my laptop, with a 1GB BigFile.txt:
$ time openssl enc -aes-256-cbc -in BigFile.txt -out cipher.bin -pass pass:start123
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
real 0m3,099s
user 0m1,562s
sys 0m0,968s
So, openssl encrypts around 330MB/sec, and it also tells us that the key derivation is unsafe, and we should use PBKDF2 instead. Let's do this:
$ time openssl enc -aes-256-cbc -in BigFile.txt -out cipher.bin -pbkdf2 -pass pass:start123
real 0m3,202s
user 0m1,656s
sys 0m1,077s

Openssl "data greater than mod len"

What does the "data is greater than mod len" error message mean? I have encountered this while trying to decrypt data using php's openssl_private_decrypt. How does one go about solving this issue? Been searching hours online, not getting anywhere.
Asymmetric RSA keys can encrypt/decrypt only data of limited length i.e. RSAES-PKCS1-v1_5 encryption scheme defined in RFC3447 can operate on messages of length up to k - 11 octets (k is the octet length of the RSA modulus) so if you are using 2048-bit RSA key then maximum length of the plain data to be encrypted is 245 bytes.
If you are having this decryption error: RSA_EAY_PRIVATE_DECRYPT:data greater than mod len try this command before decrypt your file:
cat yourEncryptedFile| base64 -D > yourEncryptedRawFile
You can also try openssl enc -in cipherTextFile.base64 -out binaryTextFile.bin -d -a. This was what worked for me when I got this error while trying to decrypt. I was then able to decrypt using openssl rsautl -decrypt -in binaryTextFile.bin -out plainTextFile.txt -inkey my-private-key.pem without failure.

How to use OpenSSL to encrypt/decrypt files?

I want to encrypt and decrypt one file using one password.
How can I use OpenSSL to do that?
Security Warning: AES-256-CBC does not provide authenticated encryption and is vulnerable to padding oracle attacks. You should use something like age instead.
Encrypt:
openssl aes-256-cbc -a -salt -pbkdf2 -in secrets.txt -out secrets.txt.enc
Decrypt:
openssl aes-256-cbc -d -a -pbkdf2 -in secrets.txt.enc -out secrets.txt.new
More details on the various flags
Better Alternative: GPG
Though you have specifically asked about OpenSSL you might want to consider using GPG instead for the purpose of encryption based on this article OpenSSL vs GPG for encrypting off-site backups?
To use GPG to do the same you would use the following commands:
To Encrypt:
gpg --output encrypted.data --symmetric --cipher-algo AES256 un_encrypted.data
To Decrypt:
gpg --output un_encrypted.data --decrypt encrypted.data
Note: You will be prompted for a password when encrypting or decrypt. And use --no-symkey-cache flag for no cache.
RE: OpenSSL - Short Answer
You likely want to use gpg instead of openssl so see "Additional Notes" at the end of this answer. But to answer the question using openssl:
To Encrypt:
openssl enc -aes-256-cbc -in un_encrypted.data -out encrypted.data
To Decrypt:
openssl enc -d -aes-256-cbc -in encrypted.data -out un_encrypted.data
Note: You will be prompted for a password when encrypting or decrypt.
RE: OpenSSL - Long Answer
Your best source of information for openssl enc would probably be: https://www.openssl.org/docs/man1.1.1/man1/enc.html
Command line:
openssl enc takes the following form:
openssl enc -ciphername [-in filename] [-out filename] [-pass arg]
[-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename]
[-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md] [-p] [-P]
[-bufsize number] [-nopad] [-debug] [-none] [-engine id]
Explanation of most useful parameters with regards to your question:
-e
Encrypt the input data: this is the default.
-d
Decrypt the input data.
-k <password>
Only use this if you want to pass the password as an argument.
Usually you can leave this out and you will be prompted for a
password. The password is used to derive the actual key which
is used to encrypt your data. Using this parameter is typically
not considered secure because your password appears in
plain-text on the command line and will likely be recorded in
bash history.
-kfile <filename>
Read the password from the first line of <filename> instead of
from the command line as above.
-a
base64 process the data. This means that if encryption is taking
place the data is base64 encoded after encryption. If decryption
is set then the input data is base64 decoded before being
decrypted.
You likely DON'T need to use this. This will likely increase the
file size for non-text data. Only use this if you need to send
data in the form of text format via email etc.
-salt
To use a salt (randomly generated) when encrypting. You always
want to use a salt while encrypting. This parameter is actually
redundant because a salt is used whether you use this or not
which is why it was not used in the "Short Answer" above!
-K key
The actual key to use: this must be represented as a string
comprised only of hex digits. If only the key is specified, the
IV must additionally be specified using the -iv option. When
both a key and a password are specified, the key given with the
-K option will be used and the IV generated from the password
will be taken. It probably does not make much sense to specify
both key and password.
-iv IV
The actual IV to use: this must be represented as a string
comprised only of hex digits. When only the key is specified
using the -K option, the IV must explicitly be defined. When a
password is being specified using one of the other options, the
IV is generated from this password.
-md digest
Use the specified digest to create the key from the passphrase.
The default algorithm as of this writing is sha-256. But this
has changed over time. It was md5 in the past. So you might want
to specify this parameter every time to alleviate problems when
moving your encrypted data from one system to another or when
updating openssl to a newer version.
Encrypt:
openssl enc -in infile.txt -out encrypted.dat -e -aes256 -k symmetrickey
Decrypt:
openssl enc -in encrypted.dat -out outfile.txt -d -aes256 -k symmetrickey
For details, see the openssl(1) docs.
DO NOT USE OPENSSL DEFAULT KEY DERIVATION.
Currently the accepted answer makes use of it and it's no longer recommended and secure.
It is very feasible for an attacker to simply brute force the key.
https://www.ietf.org/rfc/rfc2898.txt
PBKDF1 applies a hash function, which shall be MD2 [6], MD5 [19] or
SHA-1 [18], to derive keys. The length of the derived key is bounded
by the length of the hash function output, which is 16 octets for MD2
and MD5 and 20 octets for SHA-1. PBKDF1 is compatible with the key
derivation process in PKCS #5 v1.5. PBKDF1 is recommended only for compatibility with existing
applications since the keys it produces may not be large enough for
some applications.
PBKDF2 applies a pseudorandom function (see Appendix B.1 for an
example) to derive keys. The length of the derived key is essentially
unbounded. (However, the maximum effective search space for the derived key may be limited by the structure of the underlying
pseudorandom function. See Appendix B.1 for further discussion.)
PBKDF2 is recommended for new applications.
Do this:
openssl enc -aes-256-cbc -pbkdf2 -iter 20000 -in hello -out hello.enc -k meow
openssl enc -d -aes-256-cbc -pbkdf2 -iter 20000 -in hello.enc -out hello.out
Note: Iterations in decryption have to be the same as iterations in encryption.
Iterations have to be a minimum of 10000.
Here is a good answer on the number of iterations: https://security.stackexchange.com/a/3993
Also... we've got enough people here recommending GPG. Read the damn question.
As mentioned in the other answers, previous versions of openssl used a weak key derivation function to derive an AES encryption key from the password. However, openssl v1.1.1 supports a stronger key derivation function, where the key is derived from the password using pbkdf2 with a randomly generated salt, and multiple iterations of sha256 hashing (10,000 by default).
To encrypt a file:
openssl aes-256-cbc -e -salt -pbkdf2 -iter 10000 -in plaintextfilename -out encryptedfilename
To decrypt a file:
openssl aes-256-cbc -d -salt -pbkdf2 -iter 10000 -in encryptedfilename -out plaintextfilename
Note: An equivalent/compatible implementation in javascript (using the web crypto api) can be found at https://github.com/meixler/web-browser-based-file-encryption-decryption.
Update using a random generated public key.
Encypt:
openssl enc -aes-256-cbc -a -salt -in {raw data} -out {encrypted data} -pass file:{random key}
Decrypt:
openssl enc -d -aes-256-cbc -in {ciphered data} -out {raw data}
To Encrypt:
$ openssl bf < arquivo.txt > arquivo.txt.bf
To Decrypt:
$ openssl bf -d < arquivo.txt.bf > arquivo.txt
bf === Blowfish in CBC mode
There is an open source program that I find online it uses openssl to encrypt and decrypt files. It does this with a single password. The great thing about this open source script is that it deletes the original unencrypted file by shredding the file. But the dangerous thing about is once the original unencrypted file is gone you have to make sure you remember your password otherwise they be no other way to decrypt your file.
Here the link it is on github
https://github.com/EgbieAnderson1/linux_file_encryptor/blob/master/file_encrypt.py
Note that the OpenSSL CLI uses a weak non-standard algorithm to convert the passphrase to a key, and installing GPG results in various files added to your home directory and a gpg-agent background process running. If you want maximum portability and control with existing tools, you can use PHP or Python to access the lower-level APIs and directly pass in a full AES Key and IV.
Example PHP invocation via Bash:
IV='c2FtcGxlLWFlcy1pdjEyMw=='
KEY='Twsn8eh2w2HbVCF5zKArlY+Mv5ZwVyaGlk5QkeoSlmc='
INPUT=123456789023456
ENCRYPTED=$(php -r "print(openssl_encrypt('$INPUT','aes-256-ctr',base64_decode('$KEY'),OPENSSL_ZERO_PADDING,base64_decode('$IV')));")
echo '$ENCRYPTED='$ENCRYPTED
DECRYPTED=$(php -r "print(openssl_decrypt('$ENCRYPTED','aes-256-ctr',base64_decode('$KEY'),OPENSSL_ZERO_PADDING,base64_decode('$IV')));")
echo '$DECRYPTED='$DECRYPTED
This outputs:
$ENCRYPTED=nzRi252dayEsGXZOTPXW
$DECRYPTED=123456789023456
You could also use PHP's openssl_pbkdf2 function to convert a passphrase to a key securely.

Openssl asymmetric encryption without salt (in php)

I need to encrypt a string data with SSH-2 RSA 1024 bit ( with the public key ) then with RMD-160 algorithm. I do it like this:
generate private key:
openssl genrsa -des3 -out privatekey.key 1024
public key:
openssl rsa -in privatekey.key -pubout -out public.pem
encrypt the data:
openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out encrypted_data.txt
But , the request is: need to get the same output with the same input! For example if the input string is "some data" and the encrypted string is "a23c40327a6c5a67a5bb332" then i need to get the "a23c40327a6c5a67a5bb332" output every time when the input is "some data"
Can i do it with asymmetric encryption?
I know it can be done with symmetric encryption like DES with the -nosalt option
openssl des3 -nosalt -in file.txt -out file.des3
but is it possible with asymmetric encryption?
Probably not.
The man page for openssl shows that the rsautl sub-command accepts pkcs1 1.5 padding, oaep padding, backwards-compatible SSL padding or no padding. All of these (except no padding) generate random data to pad the message, so no two encryptions will generate that same ciphertext (this is a good thing).
If you can manually pad your data to the right length then you might be able to use no padding but be warned that this will significantly weaken your security.
Cameron Skinner is right - you should be making use of randomized padding.
That said, if you don't want to, you can use phpseclib, a pure PHP RSA implementation, to do so, as follows:
$ciphertext = base64_decode('...');
$ciphertext = new Math_BigInteger($ciphertext, 256);
echo $rsa->_exponentiate($ciphertext)->toBytes();
It's a hackish solution since phpseclib doesn't natively let you do RSA encryption without randomized padding but it does get the job done.

Resources