#### <center> Module 4b - Asymmetric Cryptographic Primitives 
## <center> SYSE 541: Secure Vehicle and Industrial Networking
## <center> <img src="https://www.engr.colostate.edu/~jdaily/Systems-EN-CSU-1-C357.svg" width="400" /> 
### <center> Instructor: Dr. Jeremy Daily

## Learning Objectives
By the end of this exercise, students should be able to
1. Use asymmetric encryption algorithms to encrypt messages
1. Use asymmetric encryption algorithms for envelope encryption
by using RSA public-private key pairs.

In [1]:
# Install some prequisites
# Be sure version 3.1 or higher is installed
%pip install --upgrade --user cryptography


[notice] A new release of pip available: 22.2 -> 23.0.1
[notice] To update, run: python.exe -m pip install --upgrade pip
Note: you may need to restart the kernel to use updated packages.


## Proposition: 

### Confidentiality
Alice would like to send a message to Bob such that only Bob can read it.

Bob sends Alice his public key. He doesn't care if anyone else can read it. 

Alice uses Bob's public key to encrypt data and send it back to Bob.

Bob decrypts the data with his private key. 

<img src="Asymmetric Encryption Primitives - Send Secret Message.svg"/> 



Let's work out these scenarios with some code. We'll use the RSA asymmetric key for this example.

In [2]:
# Import only the modules we need
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/

## Generate Keys for Alice

In [3]:
#Alice needs to generate a key pair
private_key_for_alice = rsa.generate_private_key(
                         public_exponent=65537,
                         key_size=2048 # should use at least 4096, but smaller keys are easier to display
                        )
private_key_for_alice

<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey at 0x1771c5b2608>

In [4]:
# let's see what this looks like. We'll serialize the key and render it in ascii text (base64 encoded)
private_pem_for_alice = private_key_for_alice.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.NoEncryption()
 )
print(private_pem_for_alice.decode('ascii'))

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAuD/8pRWRIwO63eO9yuVzmnLQAeW5ZXmbszj/nhPPhcb6sSXC
uVcGjvl32HLEzrqry4eJwZlCSiz+BcvryE+NPGE5v1s+6Cab/GIDNC40NTnQN+kV
XffPhX3bR6YEOuCfflPzNBH1z8ldVKKQK2FWeJYOor09A6fkherx2wLPERs0up/N
3KFGfnyiQ9zBYRvfHoS24pTuG8EP8SWuxeVAnR7kRIz7q+7TwFhs2B4SP/qzf8xm
C/uIOB7iFW+4qQXTwd8i3nV0jvgTXTGKYOVUf4ayXNdmPWu9Gqw0vjNz4zANEJpF
KMgOlulI6melFZuQMHZUp+ORBIdnPPL0c72rXwIDAQABAoIBAEqWDI4/lstX3TOp
19Dk5dFmHPJHrq93dSIuNrwlROLg0+cWZCdnJU6Hio5il20ggB8aNRfcFMu2PvbV
wBMMsR36NchTBbowtwCKJMXg1l2dk76uamnpwWZGtpfgiuHSwH4BOfigNKPy3gc+
76G/+6NBC5exh5uNQaM8or+H+Y7whmvnQWRseWHjD4Bd/XnsKTlkzWzHPlae2oQo
SFrG5LuVnlbBUgwfbNzKGlHyHwXuajZFb0z0U79bQANeMbG4QUEPknt1iGv3BOc2
dxtfRXWhIDfJacGTvU1audMsXAk5YKlH1eT2obxTKf7ydD08ryigxxMZvxTO7y/p
O46lO9ECgYEA5KgywFhFZFfCpRxvz6BtboQDj0B4SZvZFREeHs0YkmD03HtEbtUw
FO8tLuqBLIwMD+qVFIDritLylGIrTiQyovDde7zhnMY9C+y616Ubxp8+6+SLI8TY
NX0KJlSk80RSBbtWOhoECaFosVA7VcAtE/U09xkc8ERtcAISjMJaZMMCgYEAzkhe
ms6zGNdExfIC1yjcQ4Gb0WjnSiS6BLBBzTJz3ywkh+1qC5l09MZVOcJXKT

In [5]:
#To send out the public key, we have to derive it from the private key and serialize it
public_key_for_alice = private_key_for_alice.public_key()
public_key_for_alice

<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey at 0x1771c7b33c8>

In [6]:
#Let's serialize it so we can send it accross the network to bob (and everyone)
public_pem_key_for_alice = public_key_for_alice.public_bytes(
       encoding=serialization.Encoding.PEM,
       format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem_key_for_alice.decode('ascii'))

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuD/8pRWRIwO63eO9yuVz
mnLQAeW5ZXmbszj/nhPPhcb6sSXCuVcGjvl32HLEzrqry4eJwZlCSiz+BcvryE+N
PGE5v1s+6Cab/GIDNC40NTnQN+kVXffPhX3bR6YEOuCfflPzNBH1z8ldVKKQK2FW
eJYOor09A6fkherx2wLPERs0up/N3KFGfnyiQ9zBYRvfHoS24pTuG8EP8SWuxeVA
nR7kRIz7q+7TwFhs2B4SP/qzf8xmC/uIOB7iFW+4qQXTwd8i3nV0jvgTXTGKYOVU
f4ayXNdmPWu9Gqw0vjNz4zANEJpFKMgOlulI6melFZuQMHZUp+ORBIdnPPL0c72r
XwIDAQAB
-----END PUBLIC KEY-----



## Generate Keys for Bob

In [7]:
#Bob also needs to generate a key pair
private_key_for_bob = rsa.generate_private_key(
                         public_exponent=65537,
                         key_size=2048 # should use at least 4096, but smaller keys are easier to display
                        )
private_key_for_bob

<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey at 0x1771c7b6708>

In [8]:
# let's see what this looks like. We'll serialize the key and render it in ascii text (base64 encoded)
private_pem_for_bob = private_key_for_bob.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.NoEncryption()
 )
print(private_pem_for_bob.decode('ascii'))

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAtELh5G7tOxViKzXwUi82qKStVb4K0OCOZKtt/2NaJdgH8liX
ZQo/Z24v3hCqn/wHwqHpe9L4jZE182WAiEhgHPS2xF2QG9XDUB6SqV+faDmmSnai
KQz++dBbVnwy8Bt/BJsJVE/xvGvEkFcUzu5sIanGT3qagEp2ozg39wpGPqsRNWGc
0m2wSweCV53sTVoY10WT4begPpKe/mswWUmdAPaNfaoocNqse1iGD5+kyzhu1In7
OtJFJmGgMcyUtP053vZK6zVIno04nwHYdFqmKthVg3Z+2vc/VOCPm2W5OmXq7FWN
rseJOkLtUzF6NSRspqFVh1mUsJ9r6Ro6QGir0wIDAQABAoIBAADbW8AY8ya1solh
kZGvT8Fa/XoAOCA0IaQMApFNvukX/0SDiXt6su0NYa4onkDfQmm/1e9qiZWnYrp+
AbNa3isx0lbhGRglaoNbQM31wdE4ROBnUYNsBXy5mc4DTV9Z7r8qdZYls83s15EA
3X0LK0Ego2D4bUcb3qMJrq/QNPyfVtsNbcLs9PLqVMBFlMuCGzB17JGAB8A2Nt93
5RAL9tg+ufgIoYQTsIxNvVJo6IcK2mBt4ZxJMDRR3qiLRA3MK/MhuyuXmkeBKqGZ
dNgy30uPVtBtAQj/Yl9f5N7/O4a39PEiVifJ4KMI8K6Rr2oihMgEzJer2quy/ThA
TKdBKj0CgYEA3SXtohZl58OmqlLT7+FhjsqzVuk3XsrLLzr9CEmf72xgE7rgVnz3
g6sfpUpgGmuEOUdnHboQRD4ikYuzYgs0XhIQCFLby2Ip1S6UKdvwNm/DlSuVkvNm
OIRb8u5t6ddyydGTOWk9l8ZeZoNZYY9qRJ4a9r5tzw29/UJJb7FUMr8CgYEA0Ktm
bLDaR3Ux2Wk0XbhWkyuglUa084nBvuaLs8QA7sL8+Ky7vnh/QWBOBvp5Fc

In [9]:
# Bob extracts the public key 
public_key_for_bob = private_key_for_bob.public_key()
public_key_for_bob

<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey at 0x1771c7b6608>

In [10]:
#Let's serialize it so we can send it across the network to Alice (and everyone)
public_pem_key_for_bob = public_key_for_bob.public_bytes(
       encoding=serialization.Encoding.PEM,
       format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem_key_for_bob.decode('ascii'))

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtELh5G7tOxViKzXwUi82
qKStVb4K0OCOZKtt/2NaJdgH8liXZQo/Z24v3hCqn/wHwqHpe9L4jZE182WAiEhg
HPS2xF2QG9XDUB6SqV+faDmmSnaiKQz++dBbVnwy8Bt/BJsJVE/xvGvEkFcUzu5s
IanGT3qagEp2ozg39wpGPqsRNWGc0m2wSweCV53sTVoY10WT4begPpKe/mswWUmd
APaNfaoocNqse1iGD5+kyzhu1In7OtJFJmGgMcyUtP053vZK6zVIno04nwHYdFqm
KthVg3Z+2vc/VOCPm2W5OmXq7FWNrseJOkLtUzF6NSRspqFVh1mUsJ9r6Ro6QGir
0wIDAQAB
-----END PUBLIC KEY-----



## Alice Sends a Message to Bob

In [11]:
# Alice has a message for Bob:
plain_text = b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard;'
plain_text

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard;'

In [12]:
public_pem_key_for_bob

b'-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtELh5G7tOxViKzXwUi82\nqKStVb4K0OCOZKtt/2NaJdgH8liXZQo/Z24v3hCqn/wHwqHpe9L4jZE182WAiEhg\nHPS2xF2QG9XDUB6SqV+faDmmSnaiKQz++dBbVnwy8Bt/BJsJVE/xvGvEkFcUzu5s\nIanGT3qagEp2ozg39wpGPqsRNWGc0m2wSweCV53sTVoY10WT4begPpKe/mswWUmd\nAPaNfaoocNqse1iGD5+kyzhu1In7OtJFJmGgMcyUtP053vZK6zVIno04nwHYdFqm\nKthVg3Z+2vc/VOCPm2W5OmXq7FWNrseJOkLtUzF6NSRspqFVh1mUsJ9r6Ro6QGir\n0wIDAQAB\n-----END PUBLIC KEY-----\n'

In [13]:
# Alice needs Bob's public key as the encryption key
# Alice gets Bob's PEM key (as bytes) and converts it into a usable form
encryption_key = serialization.load_pem_public_key(public_pem_key_for_bob)
encryption_key

<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey at 0x1771c319688>

In [14]:
# Alice encrypts the message with Bob's public key
cipher_text_from_alice = encryption_key.encrypt(
     plain_text,
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
cipher_text_from_alice

b'|h\x1d\xc2\x12,\xf8\x98\xf0\x0e\xa1\xb5"\x90\xdc\\I\xc7\xa5+/\xcbI(r\xbfH\x1awLc!\x1f\xb0%\x11\xaaR\xd0h6ex\xf1\xa7O\xd7\xab\x10RT(\n\xa2r\xcb\xfd\x88\x04\xcb\x99@\xc02.L\x89c\x8e\xafE\xffD<\x9cT\'\r\x9a\x0e\xf2\x04\x85\x11\x19\x8f\xf8_\xcdu\x1a\xac=D\xd0\x9bf\x1dlfl.\x95\x056\xbc\x15\xff\x80\xda0\xc8\xf2\xcbx\xf5\xcf\xe6\x13\x10&i\xcbG\x1a\xb7\xbb\xc9;\xe6\xddzp4\t\x84O\x86<\x1a\x82\x9f\x19\xc6R\x1fr<\xdd\xd5\xf8\x07EO^T\xa1\xed\xbf\xf7N>\x89\xde\x1c\x8e\xe3\xe3\xcd\xea\xb3A]-\x9e#M\x92\xfd\xd34\xedW\x90&L\x90?\x18\xe8\xa1@\xed]\x17W%\xc1\xb0\xcb\xbf\xef\x90m@\xb4N\xe6\x10\x97\x87\xa3\x82)\x98h\x81\x89\xc9\x84\xdd8\xac\xd4\xfb\x8c\x8fY<\xfa\xe8\n\xf4\xac(\x85)\xbdq\x14f\xcb\xcf\x9fG+\x14SE\xec\xd7$G\x16\x82\xaf'

In [15]:
import base64

In [16]:
# To send this to Bob, we need to encode it in base64 and then transmit it 
# across the network.
message_from_alice = base64.b64encode(cipher_text_from_alice)
message_from_alice

b'fGgdwhIs+JjwDqG1IpDcXEnHpSsvy0kocr9IGndMYyEfsCURqlLQaDZlePGnT9erEFJUKAqicsv9iATLmUDAMi5MiWOOr0X/RDycVCcNmg7yBIURGY/4X811Gqw9RNCbZh1sZmwulQU2vBX/gNowyPLLePXP5hMQJmnLRxq3u8k75t16cDQJhE+GPBqCnxnGUh9yPN3V+AdFT15Uoe2/904+id4cjuPjzeqzQV0tniNNkv3TNO1XkCZMkD8Y6KFA7V0XVyXBsMu/75BtQLRO5hCXh6OCKZhogYnJhN04rNT7jI9ZPProCvSsKIUpvXEUZsvPn0crFFNF7NckRxaCrw=='

In [17]:
# Only bob can decrypt the message. If Alice tries, it won't work
plaintext = private_key_for_alice.decrypt(
     base64.b64decode(message_from_alice),
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )

ValueError: Encryption/decryption failed.

In [18]:
#Only Bob can decrypt the message with his private key, which was kept safe.
plaintext = private_key_for_bob.decrypt(
     base64.b64decode(message_from_alice),
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
plaintext

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard;'

## There's more to it
What happens if the message is actually longer? For example, we wanted to include more content.
Let's make the message longer and repeat the process.

In [19]:
plain_text = plaintext + b' because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'
plain_text

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'

In [20]:
# Alice encrypts the message with Bob's public key
cipher_text_from_alice = encryption_key.encrypt(
     plain_text,
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
cipher_text_from_alice

ValueError: Encryption/decryption failed.

# Envelope Encryption
In the previous example, the size limitations of the message became apparent. Asymmetric encryption is not very good at encrypting long messages. Instead, the approach is to encrypt long messages with a symmetric cipher, then use asymmetric encryption to encipher the key. You can then send both the enciphered key and the ciphertext together.

Recall symmetric encryption using the Fernet recipe: https://cryptography.io/en/latest/fernet/

<img src="Asymmetric Encryption Primitives - Envelope Encryption.svg"/> 

Let's work out this scenario.

In [21]:
# Alice has a long message to send to Bob
plain_text

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'

In [22]:
# This message must be encrypted using a symmetric cipher.
from cryptography.fernet import Fernet
symmetric_key = Fernet.generate_key()
# This key should be unique for each operation.
symmetric_key

b'9zDli6YXjY4od63lk_Ri_L1K0Ua67mLqF3LrDXMBXQY='

In [25]:
f = Fernet(symmetric_key)
cipher_text = f.encrypt(plain_text)
cipher_text

b'gAAAAABkG6NGSBJHDt8N-dM5Vo3vjtJvLKPoq70X2zCLTHGPW0q4ylrzJkiNGtPOCVD1yPJDpNC25oxkw0cBh7SfH5Qi4X84GA9MM8P6TAQ4O0XA61PQVNaoKgEEJhH7aKIN2KWtkGDn0iq9bwDE1z8YYWHiQTw1LvNQmq3p8uVKVE1BpSmzHg_DrUvVPbhC_zCxu00ow0B-hzTCD3F01WS5jGx7jaRZo4ujw7ojDTAJDlegWQ1gb6vWcIS-gXIHpR6bR3G5pQgjRGV5umb2d2rFK04xUBUQqSeniNMN-korIfOXtlYqV-t76-XhyPEqN6k_zphfe14bs6wmtGFQ7UX0BWPgtTjVTRUFpKtGtNgzW-A8qFFzR19BmeTxnsqIuLcj4jONQVY9LHCk0vN-R4JD2X9S0gH8A2apmmUQdxXtkuW_lYcHBjBG4PZwwf0YEW8FE8KMJIT5iW4I17Wmc5UyJ6j-dY3O0bZvSlqyfAFLAX70crIvQGKQj2x2AZlGLkVI44LtHkguQHJVP8GIQ5XANo2KqxPovVEh4XNnH6bDTrLFfwof7aA='

In [26]:
# If the key is sent along with the token, then extracting the message is trivial.
# Therefore, we must protect the key.
# Alice already has Bob's public key, so let's use that to encrypt the key.
protected_key_from_alice = encryption_key.encrypt(
     symmetric_key,
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
protected_key_from_alice

b'\x0b\x82\xfcy\xa4)\x0b<\xc2~\xe6\xa9\x1e\xcbX\x91\xa9;\x96\xc4P\xa4\xa3\xb0\x16\xdaTXj\xffP\x8f\xc4\xf2\xbe\xc4\xb1\x08<\x9f\xcf=\xaa\x96,\x94W\xbc\xa9\x07CaJ\xb6\xc0p\x06%!B\x99&\xa4VX\xacr\x01\xff\xef\x0f\xce\xc9\x12\x05\xa5\xe3JNq\xbaZ\xae\xbcoZ\xe7)\xbc\x82@\x81\xd2\xc0\x89Z\xeba\xc1-\x00\x1az\x9e\xfbX\xe5@v\xfeT3\xd8=\xab\n\xb1(;9=g,<w\x96@\xf3<\xb9\xaaV\x08=\xf0\xade\xbc#\xc4\xe1\xa6\xe3\x97Z&\xbc\x05P\x9f\xa9\x81\xe0r\x14 jh\x97i%\x06\x18\x80b\r\xeeE\xaa\xfa6\xaa\xfb\xab[5m\xc6\x80w\x19\x05\xeb\x11\xb0d\xf1\xc1\x9c\x1b\xea\x1b\xf1\xcf/\xd5o\x1cJ\x01\x16?K\xbe\xdf\x181\x9c\x8e\x1c\xc8JH\xfdbi\xaaz\xdd\xce\xc9jo\xc7d\x8c\xb1\xa3$\xe5\x12Z\xa3\xa4%\xeaEm\xd1\x17\x8f\xce\xa1#+\x1e\xc1\xc8X\xcfw\x05\xb5\xab0r'

In [27]:
# Let's create a message for transmission across the internet.
# Use the JSON format
import json

In [28]:
#Raw bytes need to be base64 encoded, then decoded into python strings
# The Fernet recipe already produces a base64 encoded output
message_for_bob = {
    'protected_key': base64.b64encode(protected_key_from_alice).decode('utf-8'),
    'cipher_text': cipher_text.decode('utf-8')
}
message_for_bob

{'protected_key': 'C4L8eaQpCzzCfuapHstYkak7lsRQpKOwFtpUWGr/UI/E8r7EsQg8n889qpYslFe8qQdDYUq2wHAGJSFCmSakVliscgH/7w/OyRIFpeNKTnG6Wq68b1rnKbyCQIHSwIla62HBLQAaep77WOVAdv5UM9g9qwqxKDs5PWcsPHeWQPM8uapWCD3wrWW8I8ThpuOXWia8BVCfqYHgchQgamiXaSUGGIBiDe5Fqvo2qvurWzVtxoB3GQXrEbBk8cGcG+ob8c8v1W8cSgEWP0u+3xgxnI4cyEpI/WJpqnrdzslqb8dkjLGjJOUSWqOkJepFbdEXj86hIysewchYz3cFtaswcg==',
 'cipher_text': 'gAAAAABkG6NGSBJHDt8N-dM5Vo3vjtJvLKPoq70X2zCLTHGPW0q4ylrzJkiNGtPOCVD1yPJDpNC25oxkw0cBh7SfH5Qi4X84GA9MM8P6TAQ4O0XA61PQVNaoKgEEJhH7aKIN2KWtkGDn0iq9bwDE1z8YYWHiQTw1LvNQmq3p8uVKVE1BpSmzHg_DrUvVPbhC_zCxu00ow0B-hzTCD3F01WS5jGx7jaRZo4ujw7ojDTAJDlegWQ1gb6vWcIS-gXIHpR6bR3G5pQgjRGV5umb2d2rFK04xUBUQqSeniNMN-korIfOXtlYqV-t76-XhyPEqN6k_zphfe14bs6wmtGFQ7UX0BWPgtTjVTRUFpKtGtNgzW-A8qFFzR19BmeTxnsqIuLcj4jONQVY9LHCk0vN-R4JD2X9S0gH8A2apmmUQdxXtkuW_lYcHBjBG4PZwwf0YEW8FE8KMJIT5iW4I17Wmc5UyJ6j-dY3O0bZvSlqyfAFLAX70crIvQGKQj2x2AZlGLkVI44LtHkguQHJVP8GIQ5XANo2KqxPovVEh4XNnH6bDTrLFfwof7aA='}

In [29]:
# This is a dictionary
# It works within Python, but isn't able to be sent across the Internet.
type(message_for_bob)

dict

In [30]:
# We can serialize a dictionary 
json_for_bob = json.dumps(message_for_bob, indent=4)
print(json_for_bob)

{
    "protected_key": "C4L8eaQpCzzCfuapHstYkak7lsRQpKOwFtpUWGr/UI/E8r7EsQg8n889qpYslFe8qQdDYUq2wHAGJSFCmSakVliscgH/7w/OyRIFpeNKTnG6Wq68b1rnKbyCQIHSwIla62HBLQAaep77WOVAdv5UM9g9qwqxKDs5PWcsPHeWQPM8uapWCD3wrWW8I8ThpuOXWia8BVCfqYHgchQgamiXaSUGGIBiDe5Fqvo2qvurWzVtxoB3GQXrEbBk8cGcG+ob8c8v1W8cSgEWP0u+3xgxnI4cyEpI/WJpqnrdzslqb8dkjLGjJOUSWqOkJepFbdEXj86hIysewchYz3cFtaswcg==",
    "cipher_text": "gAAAAABkG6NGSBJHDt8N-dM5Vo3vjtJvLKPoq70X2zCLTHGPW0q4ylrzJkiNGtPOCVD1yPJDpNC25oxkw0cBh7SfH5Qi4X84GA9MM8P6TAQ4O0XA61PQVNaoKgEEJhH7aKIN2KWtkGDn0iq9bwDE1z8YYWHiQTw1LvNQmq3p8uVKVE1BpSmzHg_DrUvVPbhC_zCxu00ow0B-hzTCD3F01WS5jGx7jaRZo4ujw7ojDTAJDlegWQ1gb6vWcIS-gXIHpR6bR3G5pQgjRGV5umb2d2rFK04xUBUQqSeniNMN-korIfOXtlYqV-t76-XhyPEqN6k_zphfe14bs6wmtGFQ7UX0BWPgtTjVTRUFpKtGtNgzW-A8qFFzR19BmeTxnsqIuLcj4jONQVY9LHCk0vN-R4JD2X9S0gH8A2apmmUQdxXtkuW_lYcHBjBG4PZwwf0YEW8FE8KMJIT5iW4I17Wmc5UyJ6j-dY3O0bZvSlqyfAFLAX70crIvQGKQj2x2AZlGLkVI44LtHkguQHJVP8GIQ5XANo2KqxPovVEh4XNnH6bDTrLFfwof7aA="
}


In [31]:
# This is simply formated and encoded text data and
# it can be sent safely through the Internet
type(json_for_bob)

str

### Pretend a message went across the internet....


In [32]:
# Once Bob recieves the message, he can decrypt the key, then decrypt the message. 
# (i.e. open the envelope, then read the letter)
message_from_alice = json.loads(json_for_bob)
message_from_alice

{'protected_key': 'C4L8eaQpCzzCfuapHstYkak7lsRQpKOwFtpUWGr/UI/E8r7EsQg8n889qpYslFe8qQdDYUq2wHAGJSFCmSakVliscgH/7w/OyRIFpeNKTnG6Wq68b1rnKbyCQIHSwIla62HBLQAaep77WOVAdv5UM9g9qwqxKDs5PWcsPHeWQPM8uapWCD3wrWW8I8ThpuOXWia8BVCfqYHgchQgamiXaSUGGIBiDe5Fqvo2qvurWzVtxoB3GQXrEbBk8cGcG+ob8c8v1W8cSgEWP0u+3xgxnI4cyEpI/WJpqnrdzslqb8dkjLGjJOUSWqOkJepFbdEXj86hIysewchYz3cFtaswcg==',
 'cipher_text': 'gAAAAABkG6NGSBJHDt8N-dM5Vo3vjtJvLKPoq70X2zCLTHGPW0q4ylrzJkiNGtPOCVD1yPJDpNC25oxkw0cBh7SfH5Qi4X84GA9MM8P6TAQ4O0XA61PQVNaoKgEEJhH7aKIN2KWtkGDn0iq9bwDE1z8YYWHiQTw1LvNQmq3p8uVKVE1BpSmzHg_DrUvVPbhC_zCxu00ow0B-hzTCD3F01WS5jGx7jaRZo4ujw7ojDTAJDlegWQ1gb6vWcIS-gXIHpR6bR3G5pQgjRGV5umb2d2rFK04xUBUQqSeniNMN-korIfOXtlYqV-t76-XhyPEqN6k_zphfe14bs6wmtGFQ7UX0BWPgtTjVTRUFpKtGtNgzW-A8qFFzR19BmeTxnsqIuLcj4jONQVY9LHCk0vN-R4JD2X9S0gH8A2apmmUQdxXtkuW_lYcHBjBG4PZwwf0YEW8FE8KMJIT5iW4I17Wmc5UyJ6j-dY3O0bZvSlqyfAFLAX70crIvQGKQj2x2AZlGLkVI44LtHkguQHJVP8GIQ5XANo2KqxPovVEh4XNnH6bDTrLFfwof7aA='}

In [33]:
# The message from alice is loaded into a dictionary
type(message_from_alice)

dict

In [34]:
# Let's extract the key
key_bytes = base64.b64decode(message_from_alice['protected_key'])
print(key_bytes)

b'\x0b\x82\xfcy\xa4)\x0b<\xc2~\xe6\xa9\x1e\xcbX\x91\xa9;\x96\xc4P\xa4\xa3\xb0\x16\xdaTXj\xffP\x8f\xc4\xf2\xbe\xc4\xb1\x08<\x9f\xcf=\xaa\x96,\x94W\xbc\xa9\x07CaJ\xb6\xc0p\x06%!B\x99&\xa4VX\xacr\x01\xff\xef\x0f\xce\xc9\x12\x05\xa5\xe3JNq\xbaZ\xae\xbcoZ\xe7)\xbc\x82@\x81\xd2\xc0\x89Z\xeba\xc1-\x00\x1az\x9e\xfbX\xe5@v\xfeT3\xd8=\xab\n\xb1(;9=g,<w\x96@\xf3<\xb9\xaaV\x08=\xf0\xade\xbc#\xc4\xe1\xa6\xe3\x97Z&\xbc\x05P\x9f\xa9\x81\xe0r\x14 jh\x97i%\x06\x18\x80b\r\xeeE\xaa\xfa6\xaa\xfb\xab[5m\xc6\x80w\x19\x05\xeb\x11\xb0d\xf1\xc1\x9c\x1b\xea\x1b\xf1\xcf/\xd5o\x1cJ\x01\x16?K\xbe\xdf\x181\x9c\x8e\x1c\xc8JH\xfdbi\xaaz\xdd\xce\xc9jo\xc7d\x8c\xb1\xa3$\xe5\x12Z\xa3\xa4%\xeaEm\xd1\x17\x8f\xce\xa1#+\x1e\xc1\xc8X\xcfw\x05\xb5\xab0r'


In [35]:
# This should match the example above. Let's decrypt this ciphertext.
# Only Bob can decrypt using his private key
key_for_bob = private_key_for_bob.decrypt(
     key_bytes,
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
key_for_bob

b'9zDli6YXjY4od63lk_Ri_L1K0Ua67mLqF3LrDXMBXQY='

In [36]:
# We now have the Fernet symmetric key, so we can decrypt the message (as bytes)
f = Fernet(key_for_bob)
plaintext_for_bob = f.decrypt(message_from_alice['cipher_text'].encode('ascii'))
plaintext_for_bob

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'

In [38]:
f1 = Fernet(b'exNKLPQC18asE5mPBId7610ke6VzdoG-ScVAi4zOgfE=')
f1.decrypt(b'gAAAAABhWy14JJVVczjJJN5XiYksAcRUKO_iMfgNMhtAroORPFqtkDDckxiy5fXrJfrY1bBBqSf3TCy_Cvmg8Wv8AwPpwDfo_htZ6NCcF55Lr_VSD0D5EgOXLeg8fFzeVZ_AiQMoha6-TQyRu1WusP5zNAgDR0ToFQ==')

b'Hope to join the CyberTruck Challenge next year !'

This is great! We are no longer limited by the size constraints of RSA encryption. We just focus on encrypting the symmetric key to take advantage of the speed and size of symmetric (i.e. AES-CBC) encryption.

## Class Exercise

Please send me an encrypted form of the Star Spangled Banner (or some other meaningful text).

Use these specifications:
1. RSA with 2048 bit key
2. The message I receive should be in a JSON format with two fields:
    1. 'protected_key': a base64 encoded RSA public key encrypted output of the Fernet key used for enciphering the message.
    1. 'cipher_text': The output of the Fernet encryption

In [39]:
#Using triple quotes keeps the message format by inserting newline characters
text_to_send = b'''O say can you see, by the dawn's early light,
What so proudly we hailed at the twilight's last gleaming,
Whose broad stripes and bright stars through the perilous fight,
O'er the ramparts we watched, were so gallantly streaming?
And the rocket's red glare, the bombs bursting in air,
Gave proof through the night that our flag was still there;
O say does that star-spangled banner yet wave
O'er the land of the free and the home of the brave?'''
text_to_send

b"O say can you see, by the dawn's early light,\nWhat so proudly we hailed at the twilight's last gleaming,\nWhose broad stripes and bright stars through the perilous fight,\nO'er the ramparts we watched, were so gallantly streaming?\nAnd the rocket's red glare, the bombs bursting in air,\nGave proof through the night that our flag was still there;\nO say does that star-spangled banner yet wave\nO'er the land of the free and the home of the brave?"

In [40]:
# Open a locally stored PEM key and create a private key object
with open('Daily_Private_RSA2048_key.pem','rb') as pem:
    private_key_for_daily = serialization.load_pem_private_key(pem.read(),password=None)
private_key_for_daily

<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey at 0x1771c896208>

In [41]:
# Generate the sharable public key
public_key_for_daily = private_key_for_daily.public_key()
public_key_for_daily

<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey at 0x1771c896488>

In [42]:
# Produce a format that we can share
public_pem_key_for_daily = public_key_for_daily.public_bytes(
       encoding=serialization.Encoding.PEM,
       format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem_key_for_daily.decode('ascii'))
with open('Daily_Public_RSA2048_key.pem','wb') as f:
    f.write(public_pem_key_for_daily)

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bHZs7RxSNTk+Z1MMkHE
v7F7WK5oxLmJ9HypDyagbF4csmwCqsnhMwqJ9vEi3zmlE3VtjfrjpNSJSSvr1RDV
mxh7yz7z+sKvH+JBccMxmFS7/IrKZpNLJPnSY4JlrrCVKYhGwcx0z+kr0Xd4fi97
NVH7xSZaVTXJ+SC19j4EN/gb8nWcYk6umBJmVF688RdOeHQ6ZE3hLbUhKW48oDu1
u8YyRWIHNYyxZXz7G7ojuosd69e7bkO2GR0gAmQpZhXurxD5EGJLYWKvNFYcWPux
YJvgjlmBJCcGz4lKSJcdNzZfSg2YLqopKLcKmNSR9NmywpXIMu0S3wUAWJ7SgGMm
XQIDAQAB
-----END PUBLIC KEY-----



Now, follow some of the steps and make a message for me that I can run through the following function to decode your message.

In [43]:
import json
import base64
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.backends import default_backend

def encrypt_class_message(plain_text,public_pem_key):
    public_key = serialization.load_pem_public_key(public_pem_key.encode('utf-8'))
    print(public_key)
    unique_key = Fernet.generate_key()
    print(unique_key)
    f = Fernet(unique_key)
    cipher_text = f.encrypt(plain_text.encode('ascii'))
    print(cipher_text)
    protected_key = public_key.encrypt(
         unique_key,
         padding.OAEP(
             mgf=padding.MGF1(algorithm=hashes.SHA256()),
             algorithm=hashes.SHA256(),
             label=None
         )
     )
    message_dict = {
        'protected_key': base64.b64encode(protected_key).decode('utf-8'),
        'cipher_text': cipher_text.decode('utf-8')
    }
    json_with_encrypted_message = json.dumps(message_dict)
    return json_with_encrypted_message

In [44]:
daily_pub_pem = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bHZs7RxSNTk+Z1MMkHE
v7F7WK5oxLmJ9HypDyagbF4csmwCqsnhMwqJ9vEi3zmlE3VtjfrjpNSJSSvr1RDV
mxh7yz7z+sKvH+JBccMxmFS7/IrKZpNLJPnSY4JlrrCVKYhGwcx0z+kr0Xd4fi97
NVH7xSZaVTXJ+SC19j4EN/gb8nWcYk6umBJmVF688RdOeHQ6ZE3hLbUhKW48oDu1
u8YyRWIHNYyxZXz7G7ojuosd69e7bkO2GR0gAmQpZhXurxD5EGJLYWKvNFYcWPux
YJvgjlmBJCcGz4lKSJcdNzZfSg2YLqopKLcKmNSR9NmywpXIMu0S3wUAWJ7SgGMm
XQIDAQAB
-----END PUBLIC KEY-----"""

encrypt_class_message("Hello!",daily_pub_pem)

<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x000001771C8A0D48>
b'-l0y_uPOPV2bSkSlXzuvobc88exiTWAXgiAdtPl0xdw='
b'gAAAAABkG6PMzUgG5I6yNfs_Z5WH_JtHdCt1kZU8U3MtIzsuLv4gUBonwIf00y4KxTTukZHVAV1CoF5na5oQszo9Eisc6thgRA=='


'{"protected_key": "LwY8JkthvTRdHJ8xA3WarogtrZh9Vy+IMzpfH1eKGX/9twE794AKhfa7djJzuLP+jJX3yv7ehsOnTrvzikk3PGIBIBd6M7c/4jLxLoTqbuWfCeNeV6Yl2Pxzt33a0g77gg3COjnTjNO/ZFn5N7/oIt9qa0uVhiEvFokeaWLVqjRbhqiCC2Pk9hPxcbxlEMtsnC7LYopsL9TiDsMrr4vH743WJIrQ7oy0tlcfCJG0uOCF60nnWCUuCld9U+N+dCYksS0w+KGA517XWG0TKNdzWLDAEidW+ZMsM/dM2Toy0VQqtjaygfZM8C0lX0j3T5KwGRr7QiCz44EbBFC8z9Gc4g==", "cipher_text": "gAAAAABkG6PMzUgG5I6yNfs_Z5WH_JtHdCt1kZU8U3MtIzsuLv4gUBonwIf00y4KxTTukZHVAV1CoF5na5oQszo9Eisc6thgRA=="}'

In [None]:
def decrypt_class_message(json_from_student,private_pem_key):
    message_from_student = json.loads(json_from_student)
    key_bytes = base64.b64decode(message_from_student['protected_key'])
    ##
    ## Fill in this part for the exercise
    ##
    plaintext_message = f.decrypt(message_bytes)
    return plaintext_message

In [45]:
# Example
# This cell won't run if the Private Key file is not available.
with open('Daily_Private_RSA2048_key.pem','rb') as pem:
    private_pem_key = pem.read()

In [48]:
# Who can send me a message through chat?
# Replace the student variable here with your message and try it out.
jeremy = '{"protected_key": "CkWAuKAXMi+BXF/cHRts4VDnp9437JGZCaga/PKFgCglA6q87KxLjS03Xxpa1rwAjP4dyx9lzFfSlyEOdhh45diGXBA2fN7tezJ2W/WTDbv2Sg7K9Bfs0BsXA3uEpuE+5Nj2fPIOC2RYWE1VMhg37OcsOO9xbOpuDzcRACGzWFtCT4R7l5+nLO9u3y9I4UdGYFM4njHriiUcXdFiJD8TbczVRAjt2bi2Pi5RX3tzmhrWlFVyQFELvcCKHv93tfvw7bTzA4QCMyVB4nmT8dsAnqE+SM5KWoDIODEMSRDlpNQz8MCvlkK7dyjDiT9O9a1Q6kaI/qrOHPo+BXXqSgULgw==", "cipher_text": "gAAAAABhQ-8Ecam7MIfrsTrg40qPQnBlgx4ceyMVDbunVMS5D0M8YOmbslEmR7aw_WAjMgYIoNbMV2xHeHCcNxd7Ukiuo8kUIA=="}'
bob = '{"protected_key": "KEo8SI4tLYafiLuqAAsPHE3Vz54ICWXC3UrU6RYpDQf68JPT7B5re10QysECFXausqZuoBcJXjKLqVwW1Ezxk8gKBZsoytJs0PcaMOeLNV9lf1eLAmdjfdiBG8F382rA2QYb5l7q9PfWwDqSL6K7rXaZmBt1i8hZdZ1xxXhcbuFYgF1cN5kNOR7lhrnqPvtqRFi6WmXD52yMwJmyc8Fd7v0UTg5aGJu/uW1WtT6rBao0L+nAA53aGAYiTGkN5JqA+sIytMA6cslFABeTnOXhUS7sPsSYOtpOBpyiM/lPYeEQpl/SSdpBgeD1yumrvNNmLhKLbbgIyfGBvDZBR5DnBg==", "cipher_text": "gAAAAABfbeFZiMpdzgj1ef_irV8Xq1H68PpbM9AYgDJaxjY6tYkAiMa8ZvVVJGisnzcqgb0vEVo6qqB-SZTh2numILEp6jReOoHw_8ElX9iWAysKg7rFrbr_0_eFsnnPVeZonoa7p9BR6Mo9iLmzn1vMh2Hs40XUcXXF5hn_9f1QDs-jA7XkbAieReLguEt6k4TyKQSkD2tgk1iTMhvShfhLQX-Ocv_gwvjtcJlQV4u9sdzIwL06VST-YGLVSqfxTVOpdIodxPz8V6l4vIBWNMNiwrzxFloYrj8M0RCMoXITV23HKIVacFnEJa4SPI_I2tKpGMyNiUEBpBpXlK7a9PDxI_y03Cnw8gIe4TzUDdgDRhsbhdfWEYxfTcUxr8A7db48WjJvdgVlphSgT4YsesN7vbJCKHAPw1m_CJI0SXdMVRhlxfEDOauPB_UHWEEh7suqVFZ5xkJ0dIbmdHYqxnxwv0Sx6L3Zu3bGnK1IU_pl7wI4vRh8lW7R0TwJsHZZfmqIKgzgy4VPCjmIWl1bLn7M9w8IveVdu5e_Jkvq7rdfoWaQmw_gQFA1-2E6yB3Q0VTcBALnEIGtTZ1vg8cv-D3GhBdMdCNsp8IuhtY5UcGqNJjbpqDYrxfyW50bsvMnvAVLcGr51Dy-Lrz2rWqep8Fk8831OSbF6Q=="}'

student = jeremy
decrypt_class_message(student,private_pem_key)

NameError: name 'decrypt_class_message' is not defined

## Summary
We worked with RSA asymmetric encryption to send confidential traffic to a specific person. 

We used envelope encryption to send large messages with symmetric ciphers because asymmetric encryption is too slow and size limited. 

We used asymmetric encryption to digitally sign messages to determine if they have been altered.


A question still remains: How can we trust Alice is who she says? What if Eve is in the middle pretending to be Alice?
