#### <center> Module 4b - Asymmetric Cryptographic Primitives 
## <center> SYSE 541: Secure Vehicle and Industrial Networking
## <center> <img src="https://www.engr.colostate.edu/~jdaily/Systems-EN-CSU-1-C357.svg" width="400" /> 
### <center> Instructor: Dr. Jeremy Daily

## Learning Objectives
By the end of this exercise, students should be able to
1. Use asymmetric encryption algorithms to encrypt messages
1. Use asymmetric encryption algorithms for envelope encryption
by using RSA public-private key pairs.

In [2]:
# Install some prequisites
# Be sure version 41 or higher is installed
%pip install --upgrade cryptography

Defaulting to user installation because normal site-packages is not writeable
Note: you may need to restart the kernel to use updated packages.


## Proposition: 

### Confidentiality
Alice would like to send a message to Bob such that only Bob can read it.

Bob sends Alice his public key. He doesn't care if anyone else can read it. 

Alice uses Bob's public key to encrypt data and send it back to Bob.

Bob decrypts the data with his private key. 

<img src="Asymmetric Encryption Primitives - Send Secret Message.svg"/> 



Let's work out these scenarios with some code. We'll use the RSA asymmetric key for this example.

In [3]:
# Import only the modules we need
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/

## Generate Keys for Alice

In [4]:
#Alice needs to generate a key pair
private_key_for_alice = rsa.generate_private_key(
                         public_exponent=65537,
                         key_size=2048 # should use at least 4096, but smaller keys are easier to display
                        )
private_key_for_alice

<cryptography.hazmat.bindings._rust.openssl.rsa.RSAPrivateKey at 0x20a7f70e710>

In [5]:
# let's see what this looks like. We'll serialize the key and render it in ascii text (base64 encoded)
private_pem_for_alice = private_key_for_alice.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.NoEncryption()
 )
print(private_pem_for_alice.decode('ascii'))

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAm9gJWEHwc8a4hG3AqvIoDt8JwvJCiFUFeo/wvLFfDdfaw2ct
ln8VK8wXj5rLxpt2W8PiolhdYZmS916bowL2oDRgeFzwrfL0+HnQunbPhP+VjjRT
MUHiN6tNp32hSkFUI8MgkU3MCmVwU9u3sLqkitt0TyOWCJ+Pdsx/KWlQ1lyjppw0
biRECv3uZU6eAFsSzGzL0Fmmz/wPVzV7cxa5n+lw12yKJzMKI673jU2ViXsSmtGi
oOa8DikZmzFWPf+8IE536/FsvgRBJAgkGIgnSHlxH+YTFkg4S0KSYDmxxEz6y50z
FX7R0VIht6YVYALymwTXtg/XHmXyxMO0XYvW0QIDAQABAoIBAB0fvPNU81I3n3EE
L77inVDWJrVbX8qplOoIL1WcEib8oWHmDNN0sWirbfXE2HMnx3EzxM1RFTZxpFD9
Sbmnip5621JzD/l6D4TGAxdtr69rsi/OoINyjAuaRFtaM4O0fLxoMVRmRQzmUx0g
0Q3Ce5CFnZFSla3L39w0MEl1aIl+oKK+iFJ59r9mxu/V1dgh3AW36/bwcEWWNl85
7OIzSWDaKFgQP65X5lNGwmMyA2dtXKk9dSccvRlff8+b+v3Zv4XJ6OubFWTqvK+7
7piUApGGNABFBtbxu5Ay3/rPKVfhQ+DTUlTR03CEknUQ0u2YaDnfHXpggycks0jy
mL7OlEkCgYEA2IKO5xIbvkk6YR3XzPdN4hg90dA09SMRAZWYSOVgf48ZUm3B4IVB
+2wkPX8MjFyRYF4uka+8+Icd05+WOryIycSrr4GkmhOFYgFYd1/mLTroIKugKuAc
PfIRe/adTgvzA8TFVg4d866lRdt3xiQNfJj6UsXVge2lkEc+RUfTKaUCgYEAuETQ
C/zUAD8qj7jtGTYfd0yqmVSnLqY60/PV/IzPOWeDv5h8VpNe/+oc8eLvrq

In [6]:
#To send out the public key, we have to derive it from the private key and serialize it
public_key_for_alice = private_key_for_alice.public_key()
public_key_for_alice

<cryptography.hazmat.bindings._rust.openssl.rsa.RSAPublicKey at 0x20a7f5c7870>

In [7]:
#Let's serialize it so we can send it accross the network to bob (and everyone)
public_pem_key_for_alice = public_key_for_alice.public_bytes(
       encoding=serialization.Encoding.PEM,
       format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem_key_for_alice.decode('ascii'))

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9gJWEHwc8a4hG3AqvIo
Dt8JwvJCiFUFeo/wvLFfDdfaw2ctln8VK8wXj5rLxpt2W8PiolhdYZmS916bowL2
oDRgeFzwrfL0+HnQunbPhP+VjjRTMUHiN6tNp32hSkFUI8MgkU3MCmVwU9u3sLqk
itt0TyOWCJ+Pdsx/KWlQ1lyjppw0biRECv3uZU6eAFsSzGzL0Fmmz/wPVzV7cxa5
n+lw12yKJzMKI673jU2ViXsSmtGioOa8DikZmzFWPf+8IE536/FsvgRBJAgkGIgn
SHlxH+YTFkg4S0KSYDmxxEz6y50zFX7R0VIht6YVYALymwTXtg/XHmXyxMO0XYvW
0QIDAQAB
-----END PUBLIC KEY-----



## Generate Keys for Bob

In [8]:
#Bob also needs to generate a key pair
private_key_for_bob = rsa.generate_private_key(
                         public_exponent=65537,
                         key_size=2048 # should use at least 4096, but smaller keys are easier to display
                        )
private_key_for_bob

<cryptography.hazmat.bindings._rust.openssl.rsa.RSAPrivateKey at 0x20a7f70e6f0>

In [9]:
# let's see what this looks like. We'll serialize the key and render it in ascii text (base64 encoded)
private_pem_for_bob = private_key_for_bob.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.NoEncryption()
 )
print(private_pem_for_bob.decode('ascii'))

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA5c7ZUGw55R7h/uKxoE0bsbzC1kjv3ryNGrXfH06w86vQ20sb
EwvGMJdDth7NT7uakjGfToJQ8GK1q1lx3UYGXrEm48XkAq6osfV1/2gHaHPx5VWP
qzJzoEm4qQ27BUjRmlSN0zioKKeUVvNLCaMOAzV06nF0Kd0lQxfFXIBY7GjV1Qy1
z9Ew5j+dcfeBNVlcwXN01FaF8K9udWJFDPNxy26dTzhXKl6tv8FLmd8Jblv5R/zO
u+cIQcLcIsMNUrZDmGQ49xP1JC71wMDwg3QBfMzo+BsrNSDfpeKz/TLoy6dqnPeQ
McoTaHPrnChMhSPAbakL1GJO1/7YvrSaBUOESQIDAQABAoIBAAV9TvCeXTWtaq2Z
ga+4F9DDlw3iWSSDcYVxUb6gNRblBEywuxlV3yqa+mmXy8S7UQJsAAeykjdjzD4n
GVK1UQKjDbBEMmGkBXCW0fZDaGXk2yLky9VFk8CA8lHLe6uxJRygJ3EjudSayC7Z
ifHVfMiz1rKg+irj1veG0laW1Ej1XouSIxD5YfkSCop5oJuYWIHBPp3Z9ATTelE0
zHZxMjUcsk9bEWSRCPS9eypbGwMRc2QVq1Fm8cRgqK/jNrDKh4QRB/cd7BtfQOLe
v7RC8v727oIqOobxb1AEJ+YyPBwrwKVI8h8chDUb5zJVwXPWi5SBv3NLnNdFNcX2
uyKcmDcCgYEA9UZ6SVxRZAacbSzkDa51TRGiL4c2gAsXx6RnSe69WtPFqNwtPyot
MXsI8ECOVUp0mS18A2QIfFqszrnYPLLzgrrU/0tJSjScos4NFNQQFyXOEyeoYc18
A2AKheZaIbIiwI60U2fH6IG+Oa5KnraGqdbkaK2kutJ0XeMjjQy4BZMCgYEA79s8
YvLQBLmydcQGw7M2ye0uLKzGwlCe57TA0d68uptIkavOjGjHri4+31dPAh

In [10]:
# Bob extracts the public key 
public_key_for_bob = private_key_for_bob.public_key()
public_key_for_bob

<cryptography.hazmat.bindings._rust.openssl.rsa.RSAPublicKey at 0x20a7f70e2f0>

In [11]:
#Let's serialize it so we can send it across the network to Alice (and everyone)
public_pem_key_for_bob = public_key_for_bob.public_bytes(
       encoding=serialization.Encoding.PEM,
       format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem_key_for_bob.decode('ascii'))

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c7ZUGw55R7h/uKxoE0b
sbzC1kjv3ryNGrXfH06w86vQ20sbEwvGMJdDth7NT7uakjGfToJQ8GK1q1lx3UYG
XrEm48XkAq6osfV1/2gHaHPx5VWPqzJzoEm4qQ27BUjRmlSN0zioKKeUVvNLCaMO
AzV06nF0Kd0lQxfFXIBY7GjV1Qy1z9Ew5j+dcfeBNVlcwXN01FaF8K9udWJFDPNx
y26dTzhXKl6tv8FLmd8Jblv5R/zOu+cIQcLcIsMNUrZDmGQ49xP1JC71wMDwg3QB
fMzo+BsrNSDfpeKz/TLoy6dqnPeQMcoTaHPrnChMhSPAbakL1GJO1/7YvrSaBUOE
SQIDAQAB
-----END PUBLIC KEY-----



## Alice Sends a Message to Bob

In [12]:
# Alice has a message for Bob:
plain_text = b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard;'
plain_text

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard;'

In [13]:
public_pem_key_for_bob

b'-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c7ZUGw55R7h/uKxoE0b\nsbzC1kjv3ryNGrXfH06w86vQ20sbEwvGMJdDth7NT7uakjGfToJQ8GK1q1lx3UYG\nXrEm48XkAq6osfV1/2gHaHPx5VWPqzJzoEm4qQ27BUjRmlSN0zioKKeUVvNLCaMO\nAzV06nF0Kd0lQxfFXIBY7GjV1Qy1z9Ew5j+dcfeBNVlcwXN01FaF8K9udWJFDPNx\ny26dTzhXKl6tv8FLmd8Jblv5R/zOu+cIQcLcIsMNUrZDmGQ49xP1JC71wMDwg3QB\nfMzo+BsrNSDfpeKz/TLoy6dqnPeQMcoTaHPrnChMhSPAbakL1GJO1/7YvrSaBUOE\nSQIDAQAB\n-----END PUBLIC KEY-----\n'

In [14]:
# Alice needs Bob's public key as the encryption key
# Alice gets Bob's PEM key (as bytes) and converts it into a usable form
encryption_key = serialization.load_pem_public_key(public_pem_key_for_bob)
encryption_key

<cryptography.hazmat.bindings._rust.openssl.rsa.RSAPublicKey at 0x20a7f70e2b0>

In [15]:
# Alice encrypts the message with Bob's public key
cipher_text_from_alice = encryption_key.encrypt(
     plain_text,
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
cipher_text_from_alice

b'P\x0c\x12\xbc\x04(nx\xb6rO\xa7\xc5Z\x90\xfde\x0b\x1eT\x97\xebA\x8b\xb2!\x9b\xa82y\x9f\xc03>\xa2\xe3\xce,\x88?\x9aY*b\xf7`<\x0fp\xe6@\x02\xfb\xbb\xdaf\xa2\xa2K\x11\x83\x85\xc7\xc3\x00\x97m\xc1\\>\xd5\xb0\xed\x9e\xa8\x07s\xf9\x91\x9f1\xfc\xcdRN\xf1\xf8\xd3\xefj\xb2F_\x9ar\x00>\x86x\xe8D\xa6A\xa5n/k\xe0"\xf4\xf0+\t+\xdeu\x198I1\xcf\xbb\x86\x04-\xf4\rP\xc4\x81\xe2|\xe3{\xa3k\x062\xdf4\x89\xf2\xc2#\x88\x04S\xce3\xb8\xebB\x01\xd7k#\xba|\x9b\xdf\x89P\x8dct\xf9\x16\xbc\xca\xe9P\xe1\xaf\xa0\r\xd3\xd9\xbe\xef&\xf9\xd5\xe4+\x9b\x04\x920*\x98N:\x81r%$P\xf3_\xa0\x9c\tc,\x84E\xfd\xf8)\xde\x8c\x10\xf0\x10\xad(\x1a\xbd\xe1y_\x8c \x1b\x8b\x1fN\x1d\x19\xc0\xe5\x92K\xa8\x90\xc4\xf3\x8a\x1c\xbb\xbe\xfb\x1dO\xc5\x0c\x86\x06\x00\xb1P)\xe3I\xbc\xd5'

In [16]:
import base64

In [17]:
# To send this to Bob, we need to encode it in base64 and then transmit it 
# across the network.
message_from_alice = base64.b64encode(cipher_text_from_alice)
message_from_alice

b'UAwSvAQobni2ck+nxVqQ/WULHlSX60GLsiGbqDJ5n8AzPqLjziyIP5pZKmL3YDwPcOZAAvu72maioksRg4XHwwCXbcFcPtWw7Z6oB3P5kZ8x/M1STvH40+9qskZfmnIAPoZ46ESmQaVuL2vgIvTwKwkr3nUZOEkxz7uGBC30DVDEgeJ843ujawYy3zSJ8sIjiARTzjO460IB12sjunyb34lQjWN0+Ra8yulQ4a+gDdPZvu8m+dXkK5sEkjAqmE46gXIlJFDzX6CcCWMshEX9+CnejBDwEK0oGr3heV+MIBuLH04dGcDlkkuokMTzihy7vvsdT8UMhgYAsVAp40m81Q=='

In [19]:
# Only bob can decrypt the message. If Alice tries, it won't work
# The process will throw an exception
plaintext = private_key_for_alice.decrypt(
     base64.b64decode(message_from_alice),
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )

ValueError: Decryption failed

In [20]:
#Only Bob can decrypt the message with his private key, which was kept safe.
plaintext = private_key_for_bob.decrypt(
     base64.b64decode(message_from_alice),
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
plaintext

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard;'

## There's more to it
What happens if the message is actually longer? For example, we wanted to include more content.
Let's make the message longer and repeat the process.

In [21]:
plain_text = plaintext + b' because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'
plain_text

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'

In [22]:
# Alice encrypts the message with Bob's public key
# But, this fails because RSA encryption only works on small data.
cipher_text_from_alice = encryption_key.encrypt(
     plain_text,
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
cipher_text_from_alice

ValueError: Encryption failed

# Envelope Encryption
In the previous example, the size limitations of the message became apparent. Asymmetric encryption is not very good at encrypting long messages. Instead, the approach is to encrypt long messages with a symmetric cipher, then use asymmetric encryption to encipher the key. You can then send both the enciphered key and the ciphertext together.

Recall symmetric encryption using the Fernet recipe: https://cryptography.io/en/latest/fernet/

<img src="Asymmetric Encryption Primitives - Envelope Encryption.svg"/> 

Let's work out this scenario.

In [23]:
# Alice has a long message to send to Bob
plain_text

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'

In [24]:
# This message must be encrypted using a symmetric cipher.
from cryptography.fernet import Fernet
symmetric_key = Fernet.generate_key()
# This key should be unique for each operation.
symmetric_key

b'He84tHMDhkr-_n4tx8t0ViP5FHbRTUFxS2esZ0lqakg='

In [25]:
# Let's use the symmetric Fernet recipie from cryptography.io
f = Fernet(symmetric_key)
cipher_text = f.encrypt(plain_text)
cipher_text

b'gAAAAABnyKGeVHOQ45QV1bnwtKFpDTsvOje51qK7G7PjiXb3CVeGd1JxWUpyAs02JJ_mA7fyjhMC7yOcx51BYC-YwKEQmcHWb2AZx2j1a3ZPOumSdHlK4wcVqDeHyU6tTdmIMXVlCqPmf_1QErHprxoxyb_O9zl_9gkTrnf3FNk7x_U50l8ElqEsD50sZ6zY4s94Vobp0wNiK5STrmzklcH3UnJPzJvFYI_6aUsuPRIuSIfyRN61PmP4Daf95r-KCknlF8O5VF6z2_isyCyX3q0kvtGzvaQQwUrUUCjLqVILp2GxjdeHsUgR3CI5YBNTy0g6bAvXLmWa76DP6qX6aczhDc2fpmi3bNzdMIfPtt1FWUMOI9wDw9rIvbzkWVe-oBdIkXaUddomvespuYkJlg6XB3E7EQTBDx3sTlaR3yJ9paV3sU2JheIuMIPGVBIjhul9wIRlIXws0f4ap4Efq1NhJyTnlQcvIQXgt7YYUSTD-NZLFbhRHFxGkHh-AGfVEOTuzxeCsX0370jZUTF-EOg5HvFLmOHTsU6XFug7MhiT0Chz15J-JGY='

In [26]:
# If the key is sent along with the token, then extracting the message is trivial.
# Therefore, we must protect the key.
# Alice already has Bob's public key, so let's use that to encrypt the key.
protected_key_from_alice = encryption_key.encrypt(
     symmetric_key,
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
protected_key_from_alice

b'\xba\xb0l\xa3]\x83v\xeb"\xdd\x92\xbcp\x88\xde\xe2[\x15\xeaOJ\x06\x19lv\xb0&\xe4+\x81/\x02\x0e-8\xa3Gk-\xf7\xef.#z[\xae&\xbfI\xcb\xc0\xb1m\xa7\x06\x03V\xaaJ`Fg\xed\x8c2\xaa9\xa3\xc9\x0f\xba\xe5\xd5\x19C\xfb\xf6\xd3^\x1f\x97\x08\x89e\x83\xcet\xadgF=S\x0f\xf3U\x11\xf09\x10gX5A\x03\xbd\xd5E\xf4Ea\x06R\x8f\x9c\x914yi8W\x9f\xed\xb8\x02M\x07\xb3\xd2\xe3\xce\xb0\xf0\xd9r\xc5\xc5\x06\x99\xd4\xee\x10W\xb9X{\xb0|\x01\xb6uz\xc7\x88\xf7+\x02\t\x18]a\xfe\x9c\x934\x05\x12\xb7\x85\xa2]\x92q\x97i\x19\xcc\xae[f8\x9d\t\x17\x98\xad\x8bg\xa1\xd7\xec\x97\x93\x9aaoX\xe6\xde\x9a5s\xda\xaa\xc7\x98\xfde\xe5y@d\x86B\xd1/\xc5j;L\xf6=\x99\\TN\xb1pee\x87\xe9\xf8+\xf5\x13\x07\xf1\x93O\xfbm\x8a\x1a\xd7\xbeL\x904 c\xe57\r\xf4\xce\x8e'

In [27]:
# Let's create a message for transmission across the internet.
# Use the JSON format
import json

In [28]:
#Raw bytes need to be base64 encoded, then decoded into python strings
# The Fernet recipe already produces a base64 encoded output
message_for_bob = {
    'protected_key': base64.b64encode(protected_key_from_alice).decode('utf-8'),
    'cipher_text': cipher_text.decode('utf-8')
}
message_for_bob

{'protected_key': 'urBso12Ddusi3ZK8cIje4lsV6k9KBhlsdrAm5CuBLwIOLTijR2st9+8uI3pbria/ScvAsW2nBgNWqkpgRmftjDKqOaPJD7rl1RlD+/bTXh+XCIllg850rWdGPVMP81UR8DkQZ1g1QQO91UX0RWEGUo+ckTR5aThXn+24Ak0Hs9LjzrDw2XLFxQaZ1O4QV7lYe7B8AbZ1eseI9ysCCRhdYf6ckzQFEreFol2ScZdpGcyuW2Y4nQkXmK2LZ6HX7JeTmmFvWObemjVz2qrHmP1l5XlAZIZC0S/FajtM9j2ZXFROsXBlZYfp+Cv1Ewfxk0/7bYoa175MkDQgY+U3DfTOjg==',
 'cipher_text': 'gAAAAABnyKGeVHOQ45QV1bnwtKFpDTsvOje51qK7G7PjiXb3CVeGd1JxWUpyAs02JJ_mA7fyjhMC7yOcx51BYC-YwKEQmcHWb2AZx2j1a3ZPOumSdHlK4wcVqDeHyU6tTdmIMXVlCqPmf_1QErHprxoxyb_O9zl_9gkTrnf3FNk7x_U50l8ElqEsD50sZ6zY4s94Vobp0wNiK5STrmzklcH3UnJPzJvFYI_6aUsuPRIuSIfyRN61PmP4Daf95r-KCknlF8O5VF6z2_isyCyX3q0kvtGzvaQQwUrUUCjLqVILp2GxjdeHsUgR3CI5YBNTy0g6bAvXLmWa76DP6qX6aczhDc2fpmi3bNzdMIfPtt1FWUMOI9wDw9rIvbzkWVe-oBdIkXaUddomvespuYkJlg6XB3E7EQTBDx3sTlaR3yJ9paV3sU2JheIuMIPGVBIjhul9wIRlIXws0f4ap4Efq1NhJyTnlQcvIQXgt7YYUSTD-NZLFbhRHFxGkHh-AGfVEOTuzxeCsX0370jZUTF-EOg5HvFLmOHTsU6XFug7MhiT0Chz15J-JGY='}

In [29]:
# This is a dictionary
# It works within Python, but isn't able to be sent across the Internet.
type(message_for_bob)

dict

In [30]:
# We can serialize a dictionary 
json_for_bob = json.dumps(message_for_bob, indent=4)
print(json_for_bob)

{
    "protected_key": "urBso12Ddusi3ZK8cIje4lsV6k9KBhlsdrAm5CuBLwIOLTijR2st9+8uI3pbria/ScvAsW2nBgNWqkpgRmftjDKqOaPJD7rl1RlD+/bTXh+XCIllg850rWdGPVMP81UR8DkQZ1g1QQO91UX0RWEGUo+ckTR5aThXn+24Ak0Hs9LjzrDw2XLFxQaZ1O4QV7lYe7B8AbZ1eseI9ysCCRhdYf6ckzQFEreFol2ScZdpGcyuW2Y4nQkXmK2LZ6HX7JeTmmFvWObemjVz2qrHmP1l5XlAZIZC0S/FajtM9j2ZXFROsXBlZYfp+Cv1Ewfxk0/7bYoa175MkDQgY+U3DfTOjg==",
    "cipher_text": "gAAAAABnyKGeVHOQ45QV1bnwtKFpDTsvOje51qK7G7PjiXb3CVeGd1JxWUpyAs02JJ_mA7fyjhMC7yOcx51BYC-YwKEQmcHWb2AZx2j1a3ZPOumSdHlK4wcVqDeHyU6tTdmIMXVlCqPmf_1QErHprxoxyb_O9zl_9gkTrnf3FNk7x_U50l8ElqEsD50sZ6zY4s94Vobp0wNiK5STrmzklcH3UnJPzJvFYI_6aUsuPRIuSIfyRN61PmP4Daf95r-KCknlF8O5VF6z2_isyCyX3q0kvtGzvaQQwUrUUCjLqVILp2GxjdeHsUgR3CI5YBNTy0g6bAvXLmWa76DP6qX6aczhDc2fpmi3bNzdMIfPtt1FWUMOI9wDw9rIvbzkWVe-oBdIkXaUddomvespuYkJlg6XB3E7EQTBDx3sTlaR3yJ9paV3sU2JheIuMIPGVBIjhul9wIRlIXws0f4ap4Efq1NhJyTnlQcvIQXgt7YYUSTD-NZLFbhRHFxGkHh-AGfVEOTuzxeCsX0370jZUTF-EOg5HvFLmOHTsU6XFug7MhiT0Chz15J-JGY="
}


In [31]:
# This is simply formated and encoded text data and
# it can be sent safely through the Internet
type(json_for_bob)

str

### Pretend a message went across the internet....


In [32]:
# Once Bob recieves the message, he can decrypt the key, then decrypt the message. 
# (i.e. open the envelope, then read the letter)
message_from_alice = json.loads(json_for_bob)
message_from_alice

{'protected_key': 'urBso12Ddusi3ZK8cIje4lsV6k9KBhlsdrAm5CuBLwIOLTijR2st9+8uI3pbria/ScvAsW2nBgNWqkpgRmftjDKqOaPJD7rl1RlD+/bTXh+XCIllg850rWdGPVMP81UR8DkQZ1g1QQO91UX0RWEGUo+ckTR5aThXn+24Ak0Hs9LjzrDw2XLFxQaZ1O4QV7lYe7B8AbZ1eseI9ysCCRhdYf6ckzQFEreFol2ScZdpGcyuW2Y4nQkXmK2LZ6HX7JeTmmFvWObemjVz2qrHmP1l5XlAZIZC0S/FajtM9j2ZXFROsXBlZYfp+Cv1Ewfxk0/7bYoa175MkDQgY+U3DfTOjg==',
 'cipher_text': 'gAAAAABnyKGeVHOQ45QV1bnwtKFpDTsvOje51qK7G7PjiXb3CVeGd1JxWUpyAs02JJ_mA7fyjhMC7yOcx51BYC-YwKEQmcHWb2AZx2j1a3ZPOumSdHlK4wcVqDeHyU6tTdmIMXVlCqPmf_1QErHprxoxyb_O9zl_9gkTrnf3FNk7x_U50l8ElqEsD50sZ6zY4s94Vobp0wNiK5STrmzklcH3UnJPzJvFYI_6aUsuPRIuSIfyRN61PmP4Daf95r-KCknlF8O5VF6z2_isyCyX3q0kvtGzvaQQwUrUUCjLqVILp2GxjdeHsUgR3CI5YBNTy0g6bAvXLmWa76DP6qX6aczhDc2fpmi3bNzdMIfPtt1FWUMOI9wDw9rIvbzkWVe-oBdIkXaUddomvespuYkJlg6XB3E7EQTBDx3sTlaR3yJ9paV3sU2JheIuMIPGVBIjhul9wIRlIXws0f4ap4Efq1NhJyTnlQcvIQXgt7YYUSTD-NZLFbhRHFxGkHh-AGfVEOTuzxeCsX0370jZUTF-EOg5HvFLmOHTsU6XFug7MhiT0Chz15J-JGY='}

In [33]:
# The message from alice is loaded into a dictionary
type(message_from_alice)

dict

In [34]:
# Let's extract the key
key_bytes = base64.b64decode(message_from_alice['protected_key'])
print(key_bytes)

b'\xba\xb0l\xa3]\x83v\xeb"\xdd\x92\xbcp\x88\xde\xe2[\x15\xeaOJ\x06\x19lv\xb0&\xe4+\x81/\x02\x0e-8\xa3Gk-\xf7\xef.#z[\xae&\xbfI\xcb\xc0\xb1m\xa7\x06\x03V\xaaJ`Fg\xed\x8c2\xaa9\xa3\xc9\x0f\xba\xe5\xd5\x19C\xfb\xf6\xd3^\x1f\x97\x08\x89e\x83\xcet\xadgF=S\x0f\xf3U\x11\xf09\x10gX5A\x03\xbd\xd5E\xf4Ea\x06R\x8f\x9c\x914yi8W\x9f\xed\xb8\x02M\x07\xb3\xd2\xe3\xce\xb0\xf0\xd9r\xc5\xc5\x06\x99\xd4\xee\x10W\xb9X{\xb0|\x01\xb6uz\xc7\x88\xf7+\x02\t\x18]a\xfe\x9c\x934\x05\x12\xb7\x85\xa2]\x92q\x97i\x19\xcc\xae[f8\x9d\t\x17\x98\xad\x8bg\xa1\xd7\xec\x97\x93\x9aaoX\xe6\xde\x9a5s\xda\xaa\xc7\x98\xfde\xe5y@d\x86B\xd1/\xc5j;L\xf6=\x99\\TN\xb1pee\x87\xe9\xf8+\xf5\x13\x07\xf1\x93O\xfbm\x8a\x1a\xd7\xbeL\x904 c\xe57\r\xf4\xce\x8e'


In [35]:
# This should match the example above. Let's decrypt this ciphertext.
# Only Bob can decrypt using his private key
key_for_bob = private_key_for_bob.decrypt(
     key_bytes,
     padding.OAEP(
         mgf=padding.MGF1(algorithm=hashes.SHA256()),
         algorithm=hashes.SHA256(),
         label=None
     )
 )
key_for_bob

b'He84tHMDhkr-_n4tx8t0ViP5FHbRTUFxS2esZ0lqakg='

In [36]:
# We now have the Fernet symmetric key, so we can decrypt the message (as bytes)
f = Fernet(key_for_bob)
plaintext_for_bob = f.decrypt(message_from_alice['cipher_text'].encode('ascii'))
plaintext_for_bob

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'

In [37]:
f1 = Fernet(b'exNKLPQC18asE5mPBId7610ke6VzdoG-ScVAi4zOgfE=')
f1.decrypt(b'gAAAAABhWy14JJVVczjJJN5XiYksAcRUKO_iMfgNMhtAroORPFqtkDDckxiy5fXrJfrY1bBBqSf3TCy_Cvmg8Wv8AwPpwDfo_htZ6NCcF55Lr_VSD0D5EgOXLeg8fFzeVZ_AiQMoha6-TQyRu1WusP5zNAgDR0ToFQ==')

b'Hope to join the CyberTruck Challenge next year !'

This is great! We are no longer limited by the size constraints of RSA encryption. We just focus on encrypting the symmetric key to take advantage of the speed and size of symmetric (i.e. AES-CBC) encryption.

## Class Exercise

Please send me an encrypted form of the Star Spangled Banner (or some other meaningful text).

Use these specifications:
1. RSA with 2048 bit key
2. The message I receive should be in a JSON format with two fields:
    1. 'protected_key': a base64 encoded RSA public key encrypted output of the Fernet key used for enciphering the message.
    1. 'cipher_text': The output of the Fernet encryption

In [38]:
#Using triple quotes keeps the message format by inserting newline characters
text_to_send = b'''O say can you see, by the dawn's early light,
What so proudly we hailed at the twilight's last gleaming,
Whose broad stripes and bright stars through the perilous fight,
O'er the ramparts we watched, were so gallantly streaming?
And the rocket's red glare, the bombs bursting in air,
Gave proof through the night that our flag was still there;
O say does that star-spangled banner yet wave
O'er the land of the free and the home of the brave?'''
text_to_send

b"O say can you see, by the dawn's early light,\nWhat so proudly we hailed at the twilight's last gleaming,\nWhose broad stripes and bright stars through the perilous fight,\nO'er the ramparts we watched, were so gallantly streaming?\nAnd the rocket's red glare, the bombs bursting in air,\nGave proof through the night that our flag was still there;\nO say does that star-spangled banner yet wave\nO'er the land of the free and the home of the brave?"

In [39]:
# Open a locally stored PEM key and create a private key object
with open('Daily_Private_RSA2048_key.pem','rb') as pem:
    private_key_for_daily = serialization.load_pem_private_key(pem.read(),password=None)
private_key_for_daily

<cryptography.hazmat.bindings._rust.openssl.rsa.RSAPrivateKey at 0x20a7fcfd730>

In [40]:
# Generate the sharable public key
public_key_for_daily = private_key_for_daily.public_key()
public_key_for_daily

<cryptography.hazmat.bindings._rust.openssl.rsa.RSAPublicKey at 0x20a7fcfd6b0>

In [41]:
# Produce a format that we can share
public_pem_key_for_daily = public_key_for_daily.public_bytes(
       encoding=serialization.Encoding.PEM,
       format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem_key_for_daily.decode('ascii'))
with open('Daily_Public_RSA2048_key.pem','wb') as f:
    f.write(public_pem_key_for_daily)

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bHZs7RxSNTk+Z1MMkHE
v7F7WK5oxLmJ9HypDyagbF4csmwCqsnhMwqJ9vEi3zmlE3VtjfrjpNSJSSvr1RDV
mxh7yz7z+sKvH+JBccMxmFS7/IrKZpNLJPnSY4JlrrCVKYhGwcx0z+kr0Xd4fi97
NVH7xSZaVTXJ+SC19j4EN/gb8nWcYk6umBJmVF688RdOeHQ6ZE3hLbUhKW48oDu1
u8YyRWIHNYyxZXz7G7ojuosd69e7bkO2GR0gAmQpZhXurxD5EGJLYWKvNFYcWPux
YJvgjlmBJCcGz4lKSJcdNzZfSg2YLqopKLcKmNSR9NmywpXIMu0S3wUAWJ7SgGMm
XQIDAQAB
-----END PUBLIC KEY-----



Now, follow some of the steps and make a message for me that I can run through the following function to decode your message.

In [42]:
import json
import base64
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.backends import default_backend

def encrypt_class_message(plain_text,public_pem_key):
    public_key = serialization.load_pem_public_key(public_pem_key.encode('utf-8'))
    print(public_key)
    unique_key = Fernet.generate_key()
    print(unique_key)
    f = Fernet(unique_key)
    cipher_text = f.encrypt(plain_text.encode('ascii'))
    print(cipher_text)
    protected_key = public_key.encrypt(
         unique_key,
         padding.OAEP(
             mgf=padding.MGF1(algorithm=hashes.SHA256()),
             algorithm=hashes.SHA256(),
             label=None
         )
     )
    message_dict = {
        'protected_key': base64.b64encode(protected_key).decode('utf-8'),
        'cipher_text': cipher_text.decode('utf-8')
    }
    json_with_encrypted_message = json.dumps(message_dict)
    return json_with_encrypted_message

In [43]:
daily_pub_pem = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bHZs7RxSNTk+Z1MMkHE
v7F7WK5oxLmJ9HypDyagbF4csmwCqsnhMwqJ9vEi3zmlE3VtjfrjpNSJSSvr1RDV
mxh7yz7z+sKvH+JBccMxmFS7/IrKZpNLJPnSY4JlrrCVKYhGwcx0z+kr0Xd4fi97
NVH7xSZaVTXJ+SC19j4EN/gb8nWcYk6umBJmVF688RdOeHQ6ZE3hLbUhKW48oDu1
u8YyRWIHNYyxZXz7G7ojuosd69e7bkO2GR0gAmQpZhXurxD5EGJLYWKvNFYcWPux
YJvgjlmBJCcGz4lKSJcdNzZfSg2YLqopKLcKmNSR9NmywpXIMu0S3wUAWJ7SgGMm
XQIDAQAB
-----END PUBLIC KEY-----"""

encrypt_class_message("Hello!",daily_pub_pem)

<cryptography.hazmat.bindings._rust.openssl.rsa.RSAPublicKey object at 0x0000020A7FCFD5D0>
b'nh1HaDphO6Dd1KSNDdmkugeOn2lH_hGIetGdGdy2-5M='
b'gAAAAABnyKH3SR_5mtLPLsC0atrdE7Km7XtKVTjzArsPljtDIEuiJkdcPhz65w5Bag0BlQT4J-xiePsr40VRDLOgIFTioxK1mg=='


'{"protected_key": "BD4zZCCioHBhc2XxRrSVutdAHz5B+Yxnx8PrZVQ6tHWKLyMjRIi7oPeSj1Y+eTvuUmcdPdbxu90jwdqRD9uCieMiiS7T7IFQ2URIqZ9yR/3DXBw3i3fChjv38U5SzkuQrztQxtC9I8kvsICDo1AOdBYJG+qj4o9foDOFy7PoEeRAXW4GV7MX5raTBjhBZO+ChVxeNHOlJmncLWi8fNxqSzuCVsr93cAS5JV3sTtvtdBHyAkKDPrQJDDa+IPNJ5S9v88yINVoYY852EgM7BHWrxYAC7Tr3g2EV7kYQNTVtOuCRw7ssWNrEDNi27z02fIvrP1T8r1+I0NO6wvYshyNFQ==", "cipher_text": "gAAAAABnyKH3SR_5mtLPLsC0atrdE7Km7XtKVTjzArsPljtDIEuiJkdcPhz65w5Bag0BlQT4J-xiePsr40VRDLOgIFTioxK1mg=="}'

In [44]:
def decrypt_class_message(json_from_student,private_pem_key):
    message_from_student = json.loads(json_from_student)
    key_bytes = base64.b64decode(message_from_student['protected_key'])
    ##
    ## Fill in this part for the exercise
    ##
    plaintext_message = f.decrypt(message_bytes)
    return plaintext_message

In [45]:
# Example
# This cell won't run if the Private Key file is not available.
with open('Daily_Private_RSA2048_key.pem','rb') as pem:
    private_pem_key = pem.read()

In [46]:
# Who can send me a message through chat?
# Replace the student variable here with your message and try it out.
jeremy = '{"protected_key": "CkWAuKAXMi+BXF/cHRts4VDnp9437JGZCaga/PKFgCglA6q87KxLjS03Xxpa1rwAjP4dyx9lzFfSlyEOdhh45diGXBA2fN7tezJ2W/WTDbv2Sg7K9Bfs0BsXA3uEpuE+5Nj2fPIOC2RYWE1VMhg37OcsOO9xbOpuDzcRACGzWFtCT4R7l5+nLO9u3y9I4UdGYFM4njHriiUcXdFiJD8TbczVRAjt2bi2Pi5RX3tzmhrWlFVyQFELvcCKHv93tfvw7bTzA4QCMyVB4nmT8dsAnqE+SM5KWoDIODEMSRDlpNQz8MCvlkK7dyjDiT9O9a1Q6kaI/qrOHPo+BXXqSgULgw==", "cipher_text": "gAAAAABhQ-8Ecam7MIfrsTrg40qPQnBlgx4ceyMVDbunVMS5D0M8YOmbslEmR7aw_WAjMgYIoNbMV2xHeHCcNxd7Ukiuo8kUIA=="}'
bob = '{"protected_key": "KEo8SI4tLYafiLuqAAsPHE3Vz54ICWXC3UrU6RYpDQf68JPT7B5re10QysECFXausqZuoBcJXjKLqVwW1Ezxk8gKBZsoytJs0PcaMOeLNV9lf1eLAmdjfdiBG8F382rA2QYb5l7q9PfWwDqSL6K7rXaZmBt1i8hZdZ1xxXhcbuFYgF1cN5kNOR7lhrnqPvtqRFi6WmXD52yMwJmyc8Fd7v0UTg5aGJu/uW1WtT6rBao0L+nAA53aGAYiTGkN5JqA+sIytMA6cslFABeTnOXhUS7sPsSYOtpOBpyiM/lPYeEQpl/SSdpBgeD1yumrvNNmLhKLbbgIyfGBvDZBR5DnBg==", "cipher_text": "gAAAAABfbeFZiMpdzgj1ef_irV8Xq1H68PpbM9AYgDJaxjY6tYkAiMa8ZvVVJGisnzcqgb0vEVo6qqB-SZTh2numILEp6jReOoHw_8ElX9iWAysKg7rFrbr_0_eFsnnPVeZonoa7p9BR6Mo9iLmzn1vMh2Hs40XUcXXF5hn_9f1QDs-jA7XkbAieReLguEt6k4TyKQSkD2tgk1iTMhvShfhLQX-Ocv_gwvjtcJlQV4u9sdzIwL06VST-YGLVSqfxTVOpdIodxPz8V6l4vIBWNMNiwrzxFloYrj8M0RCMoXITV23HKIVacFnEJa4SPI_I2tKpGMyNiUEBpBpXlK7a9PDxI_y03Cnw8gIe4TzUDdgDRhsbhdfWEYxfTcUxr8A7db48WjJvdgVlphSgT4YsesN7vbJCKHAPw1m_CJI0SXdMVRhlxfEDOauPB_UHWEEh7suqVFZ5xkJ0dIbmdHYqxnxwv0Sx6L3Zu3bGnK1IU_pl7wI4vRh8lW7R0TwJsHZZfmqIKgzgy4VPCjmIWl1bLn7M9w8IveVdu5e_Jkvq7rdfoWaQmw_gQFA1-2E6yB3Q0VTcBALnEIGtTZ1vg8cv-D3GhBdMdCNsp8IuhtY5UcGqNJjbpqDYrxfyW50bsvMnvAVLcGr51Dy-Lrz2rWqep8Fk8831OSbF6Q=="}'

student = jeremy
decrypt_class_message(student,private_pem_key)

AttributeError: '_io.BufferedWriter' object has no attribute 'decrypt'

## Summary
We worked with RSA asymmetric encryption to send confidential traffic to a specific person. 

We used envelope encryption to send large messages with symmetric ciphers because asymmetric encryption is too slow and size limited. 

We used asymmetric encryption to digitally sign messages to determine if they have been altered.


A question still remains: How can we trust Alice is who she says? What if Eve is in the middle pretending to be Alice?
