#### <center> Module 4b - Asymmetric Cryptographic Primitives 
## <center> SYSE 541: Secure Vehicle and Industrial Networking
## <center> <img src="https://www.engr.colostate.edu/~jdaily/Systems-EN-CSU-1-C357.svg" width="400" /> 
### <center> Instructor: Dr. Jeremy Daily

## Learning Objectives
By the end of this exercise, students should be able to
1. Use asymmetric encryption algorithms to encrypt messages
1. Use asymmetric encryption algorithms for envelope encryption
by using RSA public-private key pairs.

In [1]:
# Install some prequisites
# Be sure version 3.1 or higher is installed
%pip install --upgrade --user cryptography


[notice] A new release of pip available: 22.2 -> 23.0.1
[notice] To update, run: python.exe -m pip install --upgrade pip
Note: you may need to restart the kernel to use updated packages.


## Proposition: 

### Confidentiality
Alice would like to send a message to Bob such that only Bob can read it.

Bob sends Alice his public key. He doesn't care if anyone else can read it. 

Alice uses Bob's public key to encrypt data and send it back to Bob.

Bob decrypts the data with his private key. 

<img src="Asymmetric Encryption Primitives - Send Secret Message.svg"/> 



Let's work out these scenarios with some code. We'll use the RSA asymmetric key for this example.

In [2]:
# Import only the modules we need
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/

## Generate Keys for Alice

In [3]:
#Alice needs to generate a key pair
private_key_for_alice = rsa.generate_private_key(
                         public_exponent=65537,
                         key_size=2048 # should use at least 4096, but smaller keys are easier to display
                        )
private_key_for_alice

<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey at 0x221fbe8ae50>

In [4]:
# let's see what this looks like. We'll serialize the key and render it in ascii text (base64 encoded)
private_pem_for_alice = private_key_for_alice.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.NoEncryption()
 )
print(private_pem_for_alice.decode('ascii'))

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAuOA4N8J7YID/hmY1qpTjlw7R2tYiX7O6lOUi4F3OG09rOEbT
Olu6ZidaBlVMUinGlj3PIj2xxle+VPQKAB9Vy/Mpxl34giSJQ3kTK16hEhSjXNje
eSFHscl5x36ysji5/AbR+MvTECol6JpsCaRVGxxQJ6ArdT/TPTGHt3CAm8LD7XdR
kL07VqkGOfn+oYo2ouHrnFdK7KAkRYb/7/brGz/DsASQY6JsaWu3ZDPfHUj3GM7b
yyBFWCwgzZxmt229Ajc6qt3oKQOQ2s2szWtRkjyzTtCvbUrambMK+aJKnB8PqZzM
a1YnJHSTEkD4S2iM8h0cNC4Pemy6ElPYOxqFWwIDAQABAoIBAAyh1XWJ5mA7sDoA
td4H+l0R+CjZxNOBNliCJ5XpEvIuxQa9YCV2qw/b1HzmSya6EAWoB4Uxbfo9eJXZ
bu1/Np+O5+XT+ez6jh58IWEvQBY6LsdjUiA4s+tj9tw4vgELeznLRYGYe715A8oW
8xbdkasejiOHADEswURHJBzWpRL/aCOZidtDDezmBSrFbUU++szIFD9CZ8kQQ/TC
OFPBOf8s8GlAkz45pPijcB+O0IONca3Ra8co4Ru8Jp6B485wk/vrVUlCMEEHHPWT
xQ56k3B7GfdvuVsdkfSjNzOlNEbu9bsbAK1gqBZiB7wFFJ28a8jcI34iUD+RDhsM
3kfRFtECgYEA3aboGkaHXH8iHxdxL2QSf1f8EB/y4WOjPTDVnuqDKatNn9W0WdP2
+9cYSIHQIy7FUuYbeFkNYRXKcTQr7TMhVm/Uj1mtiNrn3Gmh4ijVCk+cVhzudZVV
F0Onh+NubK1pvUMZrZx8SyM3GR4JxbJOTL8iCJ78rEAQr/Bzhia1XC8CgYEA1YZg
tkWzAFhjOd6VnOS6XycPasmlhkOVJBP/LiSTyLtayCTN9IsLpJQhxHcz0q

In [5]:
#To send out the public key, we have to derive it from the private key and serialize it
public_key_for_alice = private_key_for_alice.public_key()
public_key_for_alice

<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey at 0x221fc085e50>

In [6]:
#Let's serialize it so we can send it accross the network to bob (and everyone)
public_pem_key_for_alice = public_key_for_alice.public_bytes(
       encoding=serialization.Encoding.PEM,
       format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem_key_for_alice.decode('ascii'))

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuOA4N8J7YID/hmY1qpTj
lw7R2tYiX7O6lOUi4F3OG09rOEbTOlu6ZidaBlVMUinGlj3PIj2xxle+VPQKAB9V
y/Mpxl34giSJQ3kTK16hEhSjXNjeeSFHscl5x36ysji5/AbR+MvTECol6JpsCaRV
GxxQJ6ArdT/TPTGHt3CAm8LD7XdRkL07VqkGOfn+oYo2ouHrnFdK7KAkRYb/7/br
Gz/DsASQY6JsaWu3ZDPfHUj3GM7byyBFWCwgzZxmt229Ajc6qt3oKQOQ2s2szWtR
kjyzTtCvbUrambMK+aJKnB8PqZzMa1YnJHSTEkD4S2iM8h0cNC4Pemy6ElPYOxqF
WwIDAQAB
-----END PUBLIC KEY-----



## Generate Keys for Bob

In [7]:
#Bob also needs to generate a key pair
private_key_for_bob = rsa.generate_private_key(
                         public_exponent=65537,
                         key_size=2048 # should use at least 4096, but smaller keys are easier to display
                        )
private_key_for_bob

<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey at 0x221fbd9b3d0>

In [8]:
# let's see what this looks like. We'll serialize the key and render it in ascii text (base64 encoded)
private_pem_for_bob = private_key_for_bob.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.NoEncryption()
 )
print(private_pem_for_bob.decode('ascii'))

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvi8W7+37OIXV7qStnaeZPuov/0rxxBSMfey5OD9LcE7gV3mG
O81+7ezVzqZTB+elSSNiEWbG+2Ox/9zvMILvfbmMj0qV4UEfeeM2BGvF4Ng0Drps
wIoYW3bubAWOWi2ycH6IGhB38gg6W0Tz1LEq0LuldbB+rUXq2w0wssPyouwybf5d
pxl127pZin7n00bIVzmmJC24OAZrdtx20rhb4xLoJZ0IzHFCj8sJzhs8utdyf1XA
vgr0HIMDcixsNXbVJMJacCK1BTJhF5Z7rTCnhmAc7FKE7763RJiJ/8ITXiKKrSYf
sUwOM3+OR5kEvmG+6WF4qkeV68HJekmGbt6n3wIDAQABAoIBAA+jdaJjEk5SiwXl
mrUlC+/ld+7pLbou6mKMbaqXYc+pXL80qfoO6soLuIUWnis/PBMoiq7doa0YRJHC
jBSUH7dZ45oAyxRLs5flPBLe/dWAUb+IStsGP/x9ahuN1WfK7Cpd7Tkfc41+abYJ
lHc/3kJtu6xSyAfdgPNkQUXh4PjOiP1X0//Eq15gUM3MB1DLhCrq6eV4n4ZmKDyw
oeNDCu2UaTb8YXE72iCvyQNWoqhx8OgA7ucclH6DdZ8LEz2jA4Jbv9sRTpiNPy4y
S9ovJdQTQ5mDeH5G4I0Qtix8h2WrrNqPZ61BJHIjdcR18FE2fTjrIBEOKttZLWCq
MaTwewkCgYEA6B8/YpaQjonRjcaEnJt6GklvKH2n8Q1zcQAA2tLn5xG0PISD9V73
damAbPEzHhC9ph13Z1ZrzzeTUYGJPCAIyL7c1q5TzXkTLfd6uTtHv5LrH0ILuKmi
IKuApN7a5iINxPoeCC6G0RJrhQNcKWOz8FAgsb6JS7ZYzCrICDsNddUCgYEA0b9v
QKE/jPcAWXcTj4mP7IBR1swrMA3xuA+K31FVsk5iewN/kc6bmy9DEueozA

In [9]:
# Bob extracts the public key 
public_key_for_bob = private_key_for_bob.public_key()
public_key_for_bob

<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey at 0x221fc0a3220>

In [10]:
#Let's serialize it so we can send it across the network to Alice (and everyone)
public_pem_key_for_bob = public_key_for_bob.public_bytes(
       encoding=serialization.Encoding.PEM,
       format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem_key_for_bob.decode('ascii'))

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvi8W7+37OIXV7qStnaeZ
Puov/0rxxBSMfey5OD9LcE7gV3mGO81+7ezVzqZTB+elSSNiEWbG+2Ox/9zvMILv
fbmMj0qV4UEfeeM2BGvF4Ng0DrpswIoYW3bubAWOWi2ycH6IGhB38gg6W0Tz1LEq
0LuldbB+rUXq2w0wssPyouwybf5dpxl127pZin7n00bIVzmmJC24OAZrdtx20rhb
4xLoJZ0IzHFCj8sJzhs8utdyf1XAvgr0HIMDcixsNXbVJMJacCK1BTJhF5Z7rTCn
hmAc7FKE7763RJiJ/8ITXiKKrSYfsUwOM3+OR5kEvmG+6WF4qkeV68HJekmGbt6n
3wIDAQAB
-----END PUBLIC KEY-----



## Alice Sends a Message to Bob

In [11]:
# Alice has a message for Bob:
plain_text = b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard;'
plain_text

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard;'

In [12]:
public_pem_key_for_bob

b'-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvi8W7+37OIXV7qStnaeZ\nPuov/0rxxBSMfey5OD9LcE7gV3mGO81+7ezVzqZTB+elSSNiEWbG+2Ox/9zvMILv\nfbmMj0qV4UEfeeM2BGvF4Ng0DrpswIoYW3bubAWOWi2ycH6IGhB38gg6W0Tz1LEq\n0LuldbB+rUXq2w0wssPyouwybf5dpxl127pZin7n00bIVzmmJC24OAZrdtx20rhb\n4xLoJZ0IzHFCj8sJzhs8utdyf1XAvgr0HIMDcixsNXbVJMJacCK1BTJhF5Z7rTCn\nhmAc7FKE7763RJiJ/8ITXiKKrSYfsUwOM3+OR5kEvmG+6WF4qkeV68HJekmGbt6n\n3wIDAQAB\n-----END PUBLIC KEY-----\n'

In [13]:
# Alice needs Bob's public key as the encryption key
# Alice gets Bob's PEM key (as bytes) and converts it into a usable form
encryption_key = serialization.load_pem_public_key(public_pem_key_for_bob)
encryption_key

<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey at 0x221fc0a9100>

In [14]:
# Alice encrypts the message with Bob's public key
cipher_text_from_alice = encryption_key.encrypt(
     plain_text,
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
cipher_text_from_alice

b'\x83\rl0!\xd5\xf0/\x0c\xa2\xe9K\x97\xfb\xf7+\x8ay\xcd\xc7v\x97\xdc\x1c#\xc1\xb7\x97\xee\x8c:`\xf9\xc6\xa8\xa7J\x91T~{\xb3G<\x16\x00\xb2\xf3,\xc6\x82\xcf\xd9G\x91\xf1q4%\x13\xbc]\x1c<\xd6\x17\x1f\x82-\xd3\xe0\x02\xfe3\xaeI\xa6~\xee\xdfj{\xae\x83\xcc.l_\xd7\x80\xf0??-\xa9a\x01*\xbd5\xa0\xc5\xbdc\x18\xb1\x0f@\xcd\x91\x06F\xf2o]\xc1\x14\xeaf\xad$\x1c\x9c\x1b\x08\x89\xae\xb5\xa4lHy\xc3\xddg\xc0\xed\xb0b2*\x05l\xda\xaa\xeam/(\xf8\xfa\x148\xbb-\x0f\n\xd3\xe6\xd7\x10\xd4\x19\xd2\xde\x8ey>\xb9 \x02\x89v\\\x887\xd1\xcb\xf9~\x12\x95\xe5\xdca\xc0\x8f\xd1\xb7\xa4.\xda\xb7C\xde\x9b\x83oR\xb9\xd8CC\xcc\n\x8b\x7f\xe0\xc9\xf8\x85\xa5Z\xc9\t\x82\nb\xf6\x9eA\x9f\x8f\\\xe4\xc1\xf9\xfd\x9dY|\xdbW\x1e\xc8\x19\xe9\xb4+\xb3\xcc\xd9\xee[\xe7\xca\x17\xd1o-\xc5\x97\x95\xe1W\xbb'

In [15]:
import base64

In [16]:
# To send this to Bob, we need to encode it in base64 and then transmit it 
# across the network.
message_from_alice = base64.b64encode(cipher_text_from_alice)
message_from_alice

b'gw1sMCHV8C8MoulLl/v3K4p5zcd2l9wcI8G3l+6MOmD5xqinSpFUfnuzRzwWALLzLMaCz9lHkfFxNCUTvF0cPNYXH4It0+AC/jOuSaZ+7t9qe66DzC5sX9eA8D8/LalhASq9NaDFvWMYsQ9AzZEGRvJvXcEU6matJBycGwiJrrWkbEh5w91nwO2wYjIqBWzaquptLyj4+hQ4uy0PCtPm1xDUGdLejnk+uSACiXZciDfRy/l+EpXl3GHAj9G3pC7at0Pem4NvUrnYQ0PMCot/4Mn4haVayQmCCmL2nkGfj1zkwfn9nVl821ceyBnptCuzzNnuW+fKF9FvLcWXleFXuw=='

In [17]:
# Only bob can decrypt the message. If Alice tries, it won't work
plaintext = private_key_for_alice.decrypt(
     base64.b64decode(message_from_alice),
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )

ValueError: Encryption/decryption failed.

In [18]:
#Only Bob can decrypt the message with his private key, which was kept safe.
plaintext = private_key_for_bob.decrypt(
     base64.b64decode(message_from_alice),
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
plaintext

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard;'

## There's more to it
What happens if the message is actually longer? For example, we wanted to include more content.
Let's make the message longer and repeat the process.

In [19]:
plain_text = plaintext + b' because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'
plain_text

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'

In [20]:
# Alice encrypts the message with Bob's public key
cipher_text_from_alice = encryption_key.encrypt(
     plain_text,
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
cipher_text_from_alice

ValueError: Encryption/decryption failed.

# Envelope Encryption
In the previous example, the size limitations of the message became apparent. Asymmetric encryption is not very good at encrypting long messages. Instead, the approach is to encrypt long messages with a symmetric cipher, then use asymmetric encryption to encipher the key. You can then send both the enciphered key and the ciphertext together.

Recall symmetric encryption using the Fernet recipe: https://cryptography.io/en/latest/fernet/

<img src="Asymmetric Encryption Primitives - Envelope Encryption.svg"/> 

Let's work out this scenario.

In [21]:
# Alice has a long message to send to Bob
plain_text

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'

In [22]:
# This message must be encrypted using a symmetric cipher.
from cryptography.fernet import Fernet
key = Fernet.generate_key()
# This key should be unique for each operation.
key

b'9vZYKXwYqriqG5IelLeuiRH-wmzzkKwbdBORpY54rxk='

In [23]:
f = Fernet(key)
cipher_text = f.encrypt(plain_text)
cipher_text

b'gAAAAABhXIy1jsQWqQPZyteRFGGmem5b8Ngik0nbs4VAc3iaAUdMt_FAeS5nRObh-T8q4HltirLausCFol-lrhSzZUqxS9JPIyO_YNrEIUm2pJBAGX7mbTt-zvk5UmovcB0LFz8D1kY2pMdP-9RvJWzdTmC-zI0oHwKSO0MUvpoidT-pgddKz59EivFMeYyX2ERlZQxrnQsDI6WtMaXCBb8wixPwqNHU3g17EHlyfwHfjfS01ZjPGIzjXZ5Cd7L5OrgBpzNRgtU30mT9sLFI9fnGHdcPoaqL84Gb-Z6A9bo7Xs7FshsdGhQO3kBEBritn4uZ_RtDrUjliGq4maDZZoW6WR8TwrUkn35XQ9wPC0pvdEtBD8YW31W0WkfJSre-uMA_Z2Er2vrfkyjUlxfU8S3Fd-eebE2t3Dab2Rt_IwI7_l_Jzs4aJ0rLV6azpD4bzWEcgYSu_RBQ80zmgeGPoitfnMWHY9fH3btJKlxIyTDoGzQPLKuxbwVu-WYmXYgVF6FBINtYAYAEuTlwjPkWfBwLP-X8lQQhPsxxzeqZGZdUXcmtyXDMefY='

In [24]:
# If the key is sent along with the token, then extracting the message is trivial.
# Therefore, we must protect the key.
# Alice already has Bob's public key, so let's use that to encrypt the key.
protected_key_from_alice = encryption_key.encrypt(
     key,
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
protected_key_from_alice

b"\xbaZ;\xe7\x16T\xfe\xb7f\xa4q\xec\xde\xa7yJe(\xb4\x83\x00\x83\xf6/\xd9\x8b\xdbv'\x85\xa8\xb7\xc3a\xe6LUM\xc9\x1e\x82O]\xac\xd8,\xb0\x8cPe\xf72\xc9\x93k=R\xd1\xd1\xbb\xc6\xa0M\xe7\x92?.4\xc3l\x8f\xe9|\xdd\xda\xcbD|a\xa3\x9at\x92\xd2\xf0\x8e\xb5\xea\xef\x94\xe6\xe1=\xba\xc2\x02\xf7rW\xc9\xf1\x98}z:i\x08\xf9\xfb3\xb8\xd8\x96\xbd\xaee@\x8d/\x89R\xffF\xca\xf9\xb8\xbao:x\xff^ef+\x97\xad\x8b\x0cP.\x86j\x9c?\xc2\xb7c\x9aGH\xdb\xb22f\xe1\x9e)PV\xac\xfe\xcb\xc8\xc9\xcb*\xfd#\x19\xe8\x02\x07\xf3-Qj\xc3\rx\xa6\x87\xb7\xeb \x17Zw\xddZ\xbaa\xf4\xa1\xd8\x05kN>~\xc7\r1\x13\xa1\xb8\xf4\xbf\xa1}pg\x9e\xfc\x95\tb\xcc\x14\xfc\x0ba\xd3\x01^M\x13\xe4g\xb9 \xed\xd7\x04a\xbdp\n\xb8\x0b)\\\x9a5\x1d\xec\x9c\t\xeb/\xff\x865Dl["

In [25]:
# Let's create a message for transmission across the internet.
# Use the JSON format
import json

In [26]:
#Raw bytes need to be base64 encoded, then decoded into python strings
# The Fernet recipe already produces a base64 encoded output
message_for_bob = {
    'protected_key': base64.b64encode(protected_key_from_alice).decode('utf-8'),
    'cipher_text': cipher_text.decode('utf-8')
}
message_for_bob

{'protected_key': 'ulo75xZU/rdmpHHs3qd5SmUotIMAg/Yv2YvbdieFqLfDYeZMVU3JHoJPXazYLLCMUGX3MsmTaz1S0dG7xqBN55I/LjTDbI/pfN3ay0R8YaOadJLS8I616u+U5uE9usIC93JXyfGYfXo6aQj5+zO42Ja9rmVAjS+JUv9Gyvm4um86eP9eZWYrl62LDFAuhmqcP8K3Y5pHSNuyMmbhnilQVqz+y8jJyyr9IxnoAgfzLVFqww14poe36yAXWnfdWrph9KHYBWtOPn7HDTETobj0v6F9cGee/JUJYswU/Ath0wFeTRPkZ7kg7dcEYb1wCrgLKVyaNR3snAnrL/+GNURsWw==',
 'cipher_text': 'gAAAAABhXIy1jsQWqQPZyteRFGGmem5b8Ngik0nbs4VAc3iaAUdMt_FAeS5nRObh-T8q4HltirLausCFol-lrhSzZUqxS9JPIyO_YNrEIUm2pJBAGX7mbTt-zvk5UmovcB0LFz8D1kY2pMdP-9RvJWzdTmC-zI0oHwKSO0MUvpoidT-pgddKz59EivFMeYyX2ERlZQxrnQsDI6WtMaXCBb8wixPwqNHU3g17EHlyfwHfjfS01ZjPGIzjXZ5Cd7L5OrgBpzNRgtU30mT9sLFI9fnGHdcPoaqL84Gb-Z6A9bo7Xs7FshsdGhQO3kBEBritn4uZ_RtDrUjliGq4maDZZoW6WR8TwrUkn35XQ9wPC0pvdEtBD8YW31W0WkfJSre-uMA_Z2Er2vrfkyjUlxfU8S3Fd-eebE2t3Dab2Rt_IwI7_l_Jzs4aJ0rLV6azpD4bzWEcgYSu_RBQ80zmgeGPoitfnMWHY9fH3btJKlxIyTDoGzQPLKuxbwVu-WYmXYgVF6FBINtYAYAEuTlwjPkWfBwLP-X8lQQhPsxxzeqZGZdUXcmtyXDMefY='}

In [27]:
# This is a dictionary
# It works within Python, but isn't able to be sent across the Internet.
type(message_for_bob)

dict

In [28]:
# We can serialize a dictionary 
json_for_bob = json.dumps(message_for_bob, indent=4)
print(json_for_bob)

{
    "protected_key": "ulo75xZU/rdmpHHs3qd5SmUotIMAg/Yv2YvbdieFqLfDYeZMVU3JHoJPXazYLLCMUGX3MsmTaz1S0dG7xqBN55I/LjTDbI/pfN3ay0R8YaOadJLS8I616u+U5uE9usIC93JXyfGYfXo6aQj5+zO42Ja9rmVAjS+JUv9Gyvm4um86eP9eZWYrl62LDFAuhmqcP8K3Y5pHSNuyMmbhnilQVqz+y8jJyyr9IxnoAgfzLVFqww14poe36yAXWnfdWrph9KHYBWtOPn7HDTETobj0v6F9cGee/JUJYswU/Ath0wFeTRPkZ7kg7dcEYb1wCrgLKVyaNR3snAnrL/+GNURsWw==",
    "cipher_text": "gAAAAABhXIy1jsQWqQPZyteRFGGmem5b8Ngik0nbs4VAc3iaAUdMt_FAeS5nRObh-T8q4HltirLausCFol-lrhSzZUqxS9JPIyO_YNrEIUm2pJBAGX7mbTt-zvk5UmovcB0LFz8D1kY2pMdP-9RvJWzdTmC-zI0oHwKSO0MUvpoidT-pgddKz59EivFMeYyX2ERlZQxrnQsDI6WtMaXCBb8wixPwqNHU3g17EHlyfwHfjfS01ZjPGIzjXZ5Cd7L5OrgBpzNRgtU30mT9sLFI9fnGHdcPoaqL84Gb-Z6A9bo7Xs7FshsdGhQO3kBEBritn4uZ_RtDrUjliGq4maDZZoW6WR8TwrUkn35XQ9wPC0pvdEtBD8YW31W0WkfJSre-uMA_Z2Er2vrfkyjUlxfU8S3Fd-eebE2t3Dab2Rt_IwI7_l_Jzs4aJ0rLV6azpD4bzWEcgYSu_RBQ80zmgeGPoitfnMWHY9fH3btJKlxIyTDoGzQPLKuxbwVu-WYmXYgVF6FBINtYAYAEuTlwjPkWfBwLP-X8lQQhPsxxzeqZGZdUXcmtyXDMefY="
}


In [29]:
# This is simply formated and encoded text data and
# it can be sent safely through the Internet
type(json_for_bob)

str

In [30]:
# Once Bob recieves the message, he can decrypt the key, then decrypt the message. 
# (i.e. open the envelope, then read the letter)
message_from_alice = json.loads(json_for_bob)
message_from_alice

{'protected_key': 'ulo75xZU/rdmpHHs3qd5SmUotIMAg/Yv2YvbdieFqLfDYeZMVU3JHoJPXazYLLCMUGX3MsmTaz1S0dG7xqBN55I/LjTDbI/pfN3ay0R8YaOadJLS8I616u+U5uE9usIC93JXyfGYfXo6aQj5+zO42Ja9rmVAjS+JUv9Gyvm4um86eP9eZWYrl62LDFAuhmqcP8K3Y5pHSNuyMmbhnilQVqz+y8jJyyr9IxnoAgfzLVFqww14poe36yAXWnfdWrph9KHYBWtOPn7HDTETobj0v6F9cGee/JUJYswU/Ath0wFeTRPkZ7kg7dcEYb1wCrgLKVyaNR3snAnrL/+GNURsWw==',
 'cipher_text': 'gAAAAABhXIy1jsQWqQPZyteRFGGmem5b8Ngik0nbs4VAc3iaAUdMt_FAeS5nRObh-T8q4HltirLausCFol-lrhSzZUqxS9JPIyO_YNrEIUm2pJBAGX7mbTt-zvk5UmovcB0LFz8D1kY2pMdP-9RvJWzdTmC-zI0oHwKSO0MUvpoidT-pgddKz59EivFMeYyX2ERlZQxrnQsDI6WtMaXCBb8wixPwqNHU3g17EHlyfwHfjfS01ZjPGIzjXZ5Cd7L5OrgBpzNRgtU30mT9sLFI9fnGHdcPoaqL84Gb-Z6A9bo7Xs7FshsdGhQO3kBEBritn4uZ_RtDrUjliGq4maDZZoW6WR8TwrUkn35XQ9wPC0pvdEtBD8YW31W0WkfJSre-uMA_Z2Er2vrfkyjUlxfU8S3Fd-eebE2t3Dab2Rt_IwI7_l_Jzs4aJ0rLV6azpD4bzWEcgYSu_RBQ80zmgeGPoitfnMWHY9fH3btJKlxIyTDoGzQPLKuxbwVu-WYmXYgVF6FBINtYAYAEuTlwjPkWfBwLP-X8lQQhPsxxzeqZGZdUXcmtyXDMefY='}

In [31]:
# The message from alice is loaded into a dictionary
type(message_from_alice)

dict

In [32]:
# Let's extract the key
key_bytes = base64.b64decode(message_from_alice['protected_key'])
print(key_bytes)

b"\xbaZ;\xe7\x16T\xfe\xb7f\xa4q\xec\xde\xa7yJe(\xb4\x83\x00\x83\xf6/\xd9\x8b\xdbv'\x85\xa8\xb7\xc3a\xe6LUM\xc9\x1e\x82O]\xac\xd8,\xb0\x8cPe\xf72\xc9\x93k=R\xd1\xd1\xbb\xc6\xa0M\xe7\x92?.4\xc3l\x8f\xe9|\xdd\xda\xcbD|a\xa3\x9at\x92\xd2\xf0\x8e\xb5\xea\xef\x94\xe6\xe1=\xba\xc2\x02\xf7rW\xc9\xf1\x98}z:i\x08\xf9\xfb3\xb8\xd8\x96\xbd\xaee@\x8d/\x89R\xffF\xca\xf9\xb8\xbao:x\xff^ef+\x97\xad\x8b\x0cP.\x86j\x9c?\xc2\xb7c\x9aGH\xdb\xb22f\xe1\x9e)PV\xac\xfe\xcb\xc8\xc9\xcb*\xfd#\x19\xe8\x02\x07\xf3-Qj\xc3\rx\xa6\x87\xb7\xeb \x17Zw\xddZ\xbaa\xf4\xa1\xd8\x05kN>~\xc7\r1\x13\xa1\xb8\xf4\xbf\xa1}pg\x9e\xfc\x95\tb\xcc\x14\xfc\x0ba\xd3\x01^M\x13\xe4g\xb9 \xed\xd7\x04a\xbdp\n\xb8\x0b)\\\x9a5\x1d\xec\x9c\t\xeb/\xff\x865Dl["


In [33]:
# This should match the example above. Let's decrypt this ciphertext.
# Only Bob can decrypt using his private key
key_for_bob = private_key_for_bob.decrypt(
     key_bytes,
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
key_for_bob

b'9vZYKXwYqriqG5IelLeuiRH-wmzzkKwbdBORpY54rxk='

In [44]:
# We now have the Fernet symmetric key, so we can decrypt the message (as bytes)
f = Fernet(key_for_bob)
plaintext_for_bob = f.decrypt(message_from_alice['cipher_text'].encode('ascii'))
plaintext_for_bob

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'

In [45]:
f1 = Fernet(b'exNKLPQC18asE5mPBId7610ke6VzdoG-ScVAi4zOgfE=')
f1.decrypt(b'gAAAAABhWy14JJVVczjJJN5XiYksAcRUKO_iMfgNMhtAroORPFqtkDDckxiy5fXrJfrY1bBBqSf3TCy_Cvmg8Wv8AwPpwDfo_htZ6NCcF55Lr_VSD0D5EgOXLeg8fFzeVZ_AiQMoha6-TQyRu1WusP5zNAgDR0ToFQ==')

b'Hope to join the CyberTruck Challenge next year !'

This is great! We are no longer limited by the size constraints of RSA encryption. We just focus on encrypting the symmetric key to take advantage of the speed and size of symmetric (i.e. AES-CBC) encryption.

## Class Exercise

Please send me an encrypted form of the Star Spangled Banner (or some other meaningful text).

Use these specifications:
1. RSA with 2048 bit key
2. The message I receive should be in a JSON format with two fields:
    1. 'protected_key': a base64 encoded RSA public key encrypted output of the Fernet key used for enciphering the message.
    1. 'cipher_text': The output of the Fernet encryption

In [35]:
#Using triple quotes keeps the message format by inserting newline characters
text_to_send = b'''O say can you see, by the dawn's early light,
What so proudly we hailed at the twilight's last gleaming,
Whose broad stripes and bright stars through the perilous fight,
O'er the ramparts we watched, were so gallantly streaming?
And the rocket's red glare, the bombs bursting in air,
Gave proof through the night that our flag was still there;
O say does that star-spangled banner yet wave
O'er the land of the free and the home of the brave?'''
text_to_send

b"O say can you see, by the dawn's early light,\nWhat so proudly we hailed at the twilight's last gleaming,\nWhose broad stripes and bright stars through the perilous fight,\nO'er the ramparts we watched, were so gallantly streaming?\nAnd the rocket's red glare, the bombs bursting in air,\nGave proof through the night that our flag was still there;\nO say does that star-spangled banner yet wave\nO'er the land of the free and the home of the brave?"

In [36]:
# Open a locally stored PEM key and create a private key object
with open('Daily_Private_RSA2048_key.pem','rb') as pem:
    private_key_for_daily = serialization.load_pem_private_key(pem.read(),password=None)
private_key_for_daily

<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey at 0x221fc1653d0>

In [37]:
# Generate the sharable public key
public_key_for_daily = private_key_for_daily.public_key()
public_key_for_daily

<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey at 0x221fc1655b0>

In [38]:
# Produce a format that we can share
public_pem_key_for_daily = public_key_for_daily.public_bytes(
       encoding=serialization.Encoding.PEM,
       format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem_key_for_daily.decode('ascii'))
with open('Daily_Public_RSA2048_key.pem','wb') as f:
    f.write(public_pem_key_for_daily)

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bHZs7RxSNTk+Z1MMkHE
v7F7WK5oxLmJ9HypDyagbF4csmwCqsnhMwqJ9vEi3zmlE3VtjfrjpNSJSSvr1RDV
mxh7yz7z+sKvH+JBccMxmFS7/IrKZpNLJPnSY4JlrrCVKYhGwcx0z+kr0Xd4fi97
NVH7xSZaVTXJ+SC19j4EN/gb8nWcYk6umBJmVF688RdOeHQ6ZE3hLbUhKW48oDu1
u8YyRWIHNYyxZXz7G7ojuosd69e7bkO2GR0gAmQpZhXurxD5EGJLYWKvNFYcWPux
YJvgjlmBJCcGz4lKSJcdNzZfSg2YLqopKLcKmNSR9NmywpXIMu0S3wUAWJ7SgGMm
XQIDAQAB
-----END PUBLIC KEY-----



Now, follow some of the steps and make a message for me that I can run through the following function to decode your message.

In [39]:
import json
import base64
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.backends import default_backend

def encrypt_class_message(plain_text,public_pem_key):
    public_key = serialization.load_pem_public_key(public_pem_key.encode('utf-8'))
    print(public_key)
    unique_key = Fernet.generate_key()
    print(unique_key)
    f = Fernet(unique_key)
    cipher_text = f.encrypt(plain_text.encode('ascii'))
    print(cipher_text)
    protected_key = public_key.encrypt(
         unique_key,
         padding.OAEP(
             mgf=padding.MGF1(algorithm=hashes.SHA256()),
             algorithm=hashes.SHA256(),
             label=None
         )
     )
    message_dict = {
        'protected_key': base64.b64encode(protected_key).decode('utf-8'),
        'cipher_text': cipher_text.decode('utf-8')
    }
    json_with_encrypted_message = json.dumps(message_dict)
    return json_with_encrypted_message

In [40]:
daily_pub_pem = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bHZs7RxSNTk+Z1MMkHE
v7F7WK5oxLmJ9HypDyagbF4csmwCqsnhMwqJ9vEi3zmlE3VtjfrjpNSJSSvr1RDV
mxh7yz7z+sKvH+JBccMxmFS7/IrKZpNLJPnSY4JlrrCVKYhGwcx0z+kr0Xd4fi97
NVH7xSZaVTXJ+SC19j4EN/gb8nWcYk6umBJmVF688RdOeHQ6ZE3hLbUhKW48oDu1
u8YyRWIHNYyxZXz7G7ojuosd69e7bkO2GR0gAmQpZhXurxD5EGJLYWKvNFYcWPux
YJvgjlmBJCcGz4lKSJcdNzZfSg2YLqopKLcKmNSR9NmywpXIMu0S3wUAWJ7SgGMm
XQIDAQAB
-----END PUBLIC KEY-----"""

encrypt_class_message("Hello!",daily_pub_pem)

<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x00000221FC0A9E20>
b'pzLai9P2kn1xsurtfNPURS4dRSh5wHSaCsyr7BDRZfk='
b'gAAAAABhXIzCCBUljCAwXckjAA7IW16ySJRVK2-4P-dRWRJOFHCQoR7IvKuLY8MiAoaWyMWla6HDeCvIdqeTGNQBvEXFsJiJ3g=='


'{"protected_key": "z/ESFuOxcYyAToVD4TceIZTrgIkDD1rMt05wnwKoeCrgRfgbEgtA4JW/NZCOJyW7r0n2TQmK/Iw3gp436YiFnv0bT7tJTIGLWZdc9hEXBv3GjlZRv5SFxF17ym6AFs7Do6VpYJjxWCuKfMq7kfRygccM6HOh+zhGShluEUZHnyq1OAuiJJSE96cXgfwNz708G7l9bTLYKHqN1CrJb4lRYOraTrWAEq39xYlSIk3ZLqBwv62c6MTCG5vnL7U5+sPRrZJO6h73HcD53s6LQAqO59g4U7R1+SWPD1CZdjqPiaSynJfMnKZujLO2dQkwEvX0ShO0oC6eVhVUribqb18tww==", "cipher_text": "gAAAAABhXIzCCBUljCAwXckjAA7IW16ySJRVK2-4P-dRWRJOFHCQoR7IvKuLY8MiAoaWyMWla6HDeCvIdqeTGNQBvEXFsJiJ3g=="}'

In [41]:
def decrypt_class_message(json_from_student,private_pem_key):
    message_from_student = json.loads(json_from_student)
    key_bytes = base64.b64decode(message_from_student['protected_key'])
    ##
    ## Fill in this part for the exercise
    ##
    plaintext_message = f.decrypt(message_bytes)
    return plaintext_message

In [42]:
# Example
# This cell won't run if the Private Key file is not available.
with open('Daily_Private_RSA2048_key.pem','rb') as pem:
    private_pem_key = pem.read()

In [43]:
# Who can send me a message through chat?
# Replace the student variable here with your message and try it out.
jeremy = '{"protected_key": "CkWAuKAXMi+BXF/cHRts4VDnp9437JGZCaga/PKFgCglA6q87KxLjS03Xxpa1rwAjP4dyx9lzFfSlyEOdhh45diGXBA2fN7tezJ2W/WTDbv2Sg7K9Bfs0BsXA3uEpuE+5Nj2fPIOC2RYWE1VMhg37OcsOO9xbOpuDzcRACGzWFtCT4R7l5+nLO9u3y9I4UdGYFM4njHriiUcXdFiJD8TbczVRAjt2bi2Pi5RX3tzmhrWlFVyQFELvcCKHv93tfvw7bTzA4QCMyVB4nmT8dsAnqE+SM5KWoDIODEMSRDlpNQz8MCvlkK7dyjDiT9O9a1Q6kaI/qrOHPo+BXXqSgULgw==", "cipher_text": "gAAAAABhQ-8Ecam7MIfrsTrg40qPQnBlgx4ceyMVDbunVMS5D0M8YOmbslEmR7aw_WAjMgYIoNbMV2xHeHCcNxd7Ukiuo8kUIA=="}'
bob = '{"protected_key": "KEo8SI4tLYafiLuqAAsPHE3Vz54ICWXC3UrU6RYpDQf68JPT7B5re10QysECFXausqZuoBcJXjKLqVwW1Ezxk8gKBZsoytJs0PcaMOeLNV9lf1eLAmdjfdiBG8F382rA2QYb5l7q9PfWwDqSL6K7rXaZmBt1i8hZdZ1xxXhcbuFYgF1cN5kNOR7lhrnqPvtqRFi6WmXD52yMwJmyc8Fd7v0UTg5aGJu/uW1WtT6rBao0L+nAA53aGAYiTGkN5JqA+sIytMA6cslFABeTnOXhUS7sPsSYOtpOBpyiM/lPYeEQpl/SSdpBgeD1yumrvNNmLhKLbbgIyfGBvDZBR5DnBg==", "cipher_text": "gAAAAABfbeFZiMpdzgj1ef_irV8Xq1H68PpbM9AYgDJaxjY6tYkAiMa8ZvVVJGisnzcqgb0vEVo6qqB-SZTh2numILEp6jReOoHw_8ElX9iWAysKg7rFrbr_0_eFsnnPVeZonoa7p9BR6Mo9iLmzn1vMh2Hs40XUcXXF5hn_9f1QDs-jA7XkbAieReLguEt6k4TyKQSkD2tgk1iTMhvShfhLQX-Ocv_gwvjtcJlQV4u9sdzIwL06VST-YGLVSqfxTVOpdIodxPz8V6l4vIBWNMNiwrzxFloYrj8M0RCMoXITV23HKIVacFnEJa4SPI_I2tKpGMyNiUEBpBpXlK7a9PDxI_y03Cnw8gIe4TzUDdgDRhsbhdfWEYxfTcUxr8A7db48WjJvdgVlphSgT4YsesN7vbJCKHAPw1m_CJI0SXdMVRhlxfEDOauPB_UHWEEh7suqVFZ5xkJ0dIbmdHYqxnxwv0Sx6L3Zu3bGnK1IU_pl7wI4vRh8lW7R0TwJsHZZfmqIKgzgy4VPCjmIWl1bLn7M9w8IveVdu5e_Jkvq7rdfoWaQmw_gQFA1-2E6yB3Q0VTcBALnEIGtTZ1vg8cv-D3GhBdMdCNsp8IuhtY5UcGqNJjbpqDYrxfyW50bsvMnvAVLcGr51Dy-Lrz2rWqep8Fk8831OSbF6Q=="}'
rik = '{"protected_key": exNKLPQC18asE5mPBId7610ke6VzdoG-ScVAi4zOgfE=' b'gAAAAABhWy14JJVVczjJJN5XiYksAcRUKO_iMfgNMhtAroORPFqtkDDckxiy5fXrJfrY1bBBqSf3TCy_Cvmg8Wv8AwPpwDfo_htZ6NCcF55Lr_VSD0D5EgOXLeg8fFzeVZ_AiQMoha6-TQyRu1WusP5zNAgDR0ToFQ=='
Key : 


student = bob
#student = jeremy
decrypt_class_message(student,private_pem_key)

AttributeError: '_io.BufferedWriter' object has no attribute 'decrypt'

## Summary
We worked with RSA asymmetric encryption to send confidential traffic to a specific person. 

We used envelope encryption to send large messages with symmetric ciphers because asymmetric encryption is too slow and size limited. 

We used asymmetric encryption to digitally sign messages to determine if they have been altered.


A question still remains: How can we trust Alice is who she says? What if Eve is in the middle pretending to be Alice?
