# Public Key Cryptography

雖然解  discrete logarithm problem 的演算法不斷在進步，不過基於此問題的公鑰系統RSA目前還是被廣泛的使用，有討論的價值!

可以在很多場合看到=.=
![](https://i.imgur.com/OUUBsEu.png)
![](https://i.imgur.com/u3Unp4t.png)

Public key cryptography 基本上就是去簡化 key exchange 和 key management的問題， 使得我們不用透過 secure channel 來傳送金鑰。 每個使用者有自己的 private key 和對應的 public key. Public key 是可以公開的。 剩下的問題便是如何 distributing 和 verifying public keys 這將在後面提到。

## RSA school book

RSA 系統為產生兩個大質數:

例如Bob產生 ``p=12553, q=13007`` 接下來算出
```
N=pq=163276871
```

然後計算 ``φ(N)``
```
φ(N)=(p−1)(q−1)=163251312
```

最後選一個整數 k 和 φ(m)互質，例如:
```
e=79921
```
系統的public key就是
```
(N,e)=(163276871,79921).
```

當Alice要傳送訊息給Bob的時候 可以先將訊息轉為數字例如 A = 11, B = 12, C = 13, … 然後連接起來. (CAB-> 131112) 

In [1]:
conversion_dict = dict()
alpha = "abcdefghijklmnopqrstuvwxyz".upper()
curnum = 11
for l in alpha:
    conversion_dict[l] = curnum
    curnum += 1
print "Original Message:"
msg = "NUMBERTHEORYISTHEQUEENOFTHESCIENCES"
print msg

def letters_to_numbers(m):
    return "".join([str(conversion_dict[l]) for l in m.upper()])

print "Numerical Message:"
msg_num = letters_to_numbers(msg)
print msg_num

Original Message:
NUMBERTHEORYISTHEQUEENOFTHESCIENCES
Numerical Message:
2431231215283018152528351929301815273115152425163018152913191524131529


要傳的時候我們可以把它切成8個數字(block的概念)

$24312312, 15283018, 15252835, 19293018, 15273115, 15242516, 30181529, 13191524, 131529.$


加密就是對 block 做 e 次方 modulo m。 例如第一個block

$ 24312312^{79921} \equiv 13851252 \pmod{163276871}.$


In [2]:
# Secret information
p = 12553
q = 13007
m = p*q
phi = (p-1)*(q-1) # varphi(pq)
print m

# Public information
N = p*q # 163276871
e = 79921

print pow(24312312, e, m)

163276871
13851252


傳出第一個block 13851252，Bob接到後計算 
```
φ(N)=(p−1)(q−1)
```
然後找出d 滿足下列條件

$ de \equiv 1 \pmod{φ(N)}.$

In [4]:
def extended_euclidean(a,b):
    if b == 0:
        return (1,0,a)
    else :
        x, y, gcd = extended_euclidean(b, a % b) # Aside: Python has no tail recursion
        return y, x - y * (a // b),gcd           # But it does have meaningful stack traces
    
# This version comes from Exercise 6.3 in the book, but without recursion
def extended_euclidean2(a,b):
    x = 1
    g = a
    v = 0
    w = b
    while w != 0:
        q = g // w
        t = g - q*w
        s = x - q*v
        x,g = v,w
        v,w = s,t
    y = (g - a*x) / b
    return (x,y,g)
 
def modular_inverse(a,m) :
    x,y,gcd = extended_euclidean(a,m)
    if gcd == 1 :
        return x % m
    else :
        return None
print "e, p, q:", e, p, q
d = modular_inverse(e,(p-1)*(q-1))
print d

 e, p, q: 79921 12553 13007
145604785


接下來計算

$ 13851252^{d} \equiv 24312312 \pmod{pq},$

因為

$ 13851252^{d} \equiv (24312312^{e})^d \equiv 24312312^{1 + \varphi(pq)v} \equiv 24312312 \pmod{pq}.$

我們用到了 Euler's Theorem 如下

$ 24312312^{\varphi(pq)v} \equiv 1 \pmod{pq}.$


In [5]:
# Checking this power explicitly.
print pow(13851252, 145604785, N)

24312312


依此類推並做轉換

In [6]:
# Break into chunks of 8 digits in length.
def chunk8(message_number):
    cp = str(message_number)
    ret_list = []
    while len(cp) > 7:
        ret_list.append(cp[:8])
        cp = cp[8:]
    if cp:
        ret_list.append(cp)
    return ret_list

msg_list = chunk8(msg_num)
print msg_list

# Compute ciphertexts separately on each 8-digit chunk.
def encrypt_chunks(chunked_list):
    ret_list = []
    for chunk in chunked_list:
        #print chunk
        #print int(chunk)
        ret_list.append(pow(int(chunk), e, N))
    return ret_list

cipher_list = encrypt_chunks(msg_list)
print cipher_list

# Decipher the ciphertexts all in the same way
def decrypt_chunks(chunked_list):
    ret_list = []
    for chunk in chunked_list:
        ret_list.append(pow(int(chunk), d, N))
    return ret_list

decipher_list = decrypt_chunks(cipher_list)
print decipher_list

alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Collect deciphered texts into a single list, and translate back into letters.
def chunks_to_letters(chunked_list):
    s = "".join([str(chunk) for chunk in chunked_list])
    ret_str = ""
    while s:
        ret_str += alpha[int(s[:2])-11].upper()
        s = s[2:]
    return ret_str

print chunks_to_letters(decipher_list)

['24312312', '15283018', '15252835', '19293018', '15273115', '15242516', '30181529', '13191524', '131529']
[13851252, 14944940, 158577269, 117640431, 139757098, 25099917, 88562046, 6640362, 10543199]
[24312312, 15283018, 15252835, 19293018, 15273115, 15242516, 30181529, 13191524, 131529]
NUMBERTHEORYISTHEQUEENOFTHESCIENCES


### 安全性?

假設 Eve 拿到了第一個 chunk, $13851252$. 他如何攻擊呢?

他必須解出e使得

$ x^e \equiv 13851252 \pmod {pq}$

事實上算出``φ(N)`` 和分解N一樣困難


這就是不透過 **Security through Obscurity.**來確保安全性

> 近年來 open, public 程為主流. 最近 Volkswagen cheated in its car emissions-software. 他們的softwar是 proprietary and secret, 故讓這個 deliberate bug 沒人注意到.


### 如何產生大質數

下面我們說明一般如何產生大質數，然後以更符合實際的例子來呈現，注意這邊用到一個概念

> 大數的 **factorization** 在數學上是很難解的 (One-way trapdoor function) 因此加密方可以很容易算出 ciphertex，因為他知道 _p_ 和 _q_,但攻擊者只知道 _N_ 很難推回 _p_ 和 _q_. 
但試測是一個數可不可已被分解是可行的且快許多

> 本文一開始提到的discret logarithm problem(dlp)跟此有何關係呢? 實際上我們也可以繞過分解來直接解出exponent這樣的問題就是dlp，事實上dlp是許多公鑰系統的基礎，像Diffie-Helman。不過破解RSA必須解出modulus為composite的dlp還是跟DH和其他公鑰系統略有不同


In [7]:
import random
import math

random.seed(1)
# Function to test for composite. Return True for composite.
def _func_composite_test(a,d,n,s):
    if pow( a, d, n ) == 1:
        return False
    for i in range(s):
        if pow( a, 2**i * d, n ) == n-1:
            return False
    return True

# Function to test for primality using Miller Rabin.
def _func_millerRabin_probable_prime(n):
    assert n >= 2
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    # Write n-1 as 2**s * d
    # Repeatedly try to divide n-1 by 2
    s, d = 0, n-1
    while True:
        quotient, remainder = divmod(d, 2)
        if remainder == 1:
            break
        s += 1
        d = quotient
    assert ( 2**s * d == n-1 )
    # test the base a to see whether it is a witness for the compositeness of n
    for i in range(0,10): # range is arbitrary...
        a = random.randint( 2, n-1 )
        if _func_composite_test(a,d,n,s):
            return False
    # Return True because n is not found to be a composite.
    return True

# Function to find a prime between a lower and an upper limit.
def find_prime( limit_lower, limit_upper ):
    # Return a pseudo prime number roughly between a and b (can be larger than b).
    # Raise ValueError if cannot find a pseudo prime after 10 * ln(x) + 3 tries.
    x = random.randint(limit_lower, limit_upper)
    for i in range( 0, int(10 * math.log(x) + 3) ):
        if _func_millerRabin_probable_prime(x):
            return x
        else:
            x += 1
    raise ValueError

# Create a prime and show it.
print 'Prime p: ', find_prime( limit_lower=10**12, limit_upper=10**13 )
print 'Prime q: ', find_prime( limit_lower=10**12, limit_upper=10**13 )

Prime p:  2209278197029
Prime q:  1229012748941


In [8]:
p = 2209278197029 
q = 1229012748941
N = p * q
print 'N: ', N

phi_N = N - p - q + 1
print 'Phi of N:   ', phi_N
print 'Difference: ', N - phi_N

N:  2715231070106027509096289
Phi of N:    2715231070102589218150320
Difference:  3438290945969


如何選擇 _e_ 和 _d_ 呢?
通常 _e = 65537 when N - p - q + 1 > 65537_.而 d 則是透過運算算出來，private key為(e, p, q)，public key為(d,N) 

In [9]:
# Function to get d from e and phi(N) Euclediean 
def fn_rsa_get_d( e, phi ):
    N_phi = phi
    x = lasty = 0
    lastx = y = 1
    while phi != 0:
        q = e // phi
        e, phi = phi, e % phi
        x, lastx = lastx - q*x, x
        y, lasty = lasty - q*y, y
    if lastx < 0:
        lastx += N_phi
    return lastx

# Lets try this
e = 65537
d = fn_rsa_get_d( e=e, phi=phi_N )
print 'prime p:    ', p
print 'prime q:    ', q
print 'co-prime N: ', N
print 'Phi of N:   ', phi_N
print 'e:          ', e
print 'd:          ', d
mp = 2328
mc = pow( mp,e,N )
md = pow( mc,d,N )
print 'message: ', mp
print 'cipher:  ', mc
print 'decrypt: ', md

prime p:     2209278197029
prime q:     1229012748941
co-prime N:  2715231070106027509096289
Phi of N:    2715231070102589218150320
e:           65537
d:           1662689065800343477772993
message:  2328
cipher:   993844035141996221196954
decrypt:  2328


## Pycrypto
接下來我們來用 pycrypto, 實務上我們可以用他來產生 private/public key pair。 我們需要指定key的size和用的random number generator

In [10]:
from Crypto.PublicKey import RSA
from Crypto import Random
import base64
random_generator = Random.new().read
key = RSA.generate(2048, random_generator)
public_key = key.publickey()
a = public_key.exportKey()
print public_key.size(), a 
aa = a.strip("-----BEGIN PUBLIC KEY-----").strip("-----END PUBLIC KEY-----")
aa = "".join(aa.split())
print len(aa), base64.b64decode(aa)

2047 -----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+C1eBGnSwCPD4OFQsUtg
Y09E7to/uovqDYe83RQLZyexvX/FW7Pe+7LnxQYxp9Y9nG2/4KwbxjGYG6B/3oTX
Z7AEl2fxtkKD56ZgAbN8l+DrekwcdxlJdsfIcfCn+gF0Kme6o62i+qMcSegD1isb
pzP0EE3gOrt1HGagczyGtDyURtAy3g7Uyylb1lC+q3B44iOq6QuOnSRuMh9s0tnB
AOFlsOgOmxkBabJSs9RouinR4B5MFVQsyXogDR2nWOvmCjTNTgLIEBqW/iYUsUPX
U28uPQ1hdEoPAw3v9tdPDUJiqROuGhOc4uvqjAKbRNUdYYS9GnATd/LTyYkIbzJs
hQIDAQAB
-----END PUBLIC KEY-----
392 0�"0	*�H�� � 0�
� �-^i��#���P�K`cOD��?������g'���[������1��=�m���1��ބ�g��g�B��`�|���zLwIv��q��t*g������I��+�3�M�:�uf�s<��<�F�2���)[�P��px�#����$n2l��� �e���i�R��h�)��LT,�z �X��
4�N���&�C�So.=atJ���OBb�������D�a��pw��ɉo2l� 


接下來我們有key pair之後就可以進行加解密了~

In [11]:
public_key = key.publickey()
enc_data = public_key.encrypt(r'abcdefgh',32)
enc_data

('\xda\x0e\xd8?\x89>\xa2\xec\xc2\xc6\x1e\x18\xd8\x06e7j\x9e\x95\xa6\xe8\xcc\xec\xcf\xff\x9f\xf5d\x8b[\x9eP\x13l\x9ey\xca\x19\xd5\x13\xf3,9\xe7#4\x91\xf7 \xe6-\xf84\x00\xda\xee\x02r\xed\xe5s\xb8s\xb2\x13f<\x1f\x92\n\x8du\\N\xd1\xb4\xb62\x9ch|\xae\x12\x88\xb0\xbb\x15\x99\xacl`\x0460\x10\r\xa6\xa2\xaf\x11v\xce\x1a\xd4\xa4\x15w\xf4U\x85B\xdcz\x8a\xe3\xb4\x1c\xd9\xcf\xbaE0\x0b\xdc\xca<j\x80:\x06-\x08\x1aq\x15\x11\x9c*\x14\xf1\xd4\xd6=\x8fw\xde\xff\x18\x85\xf26\xd0{\x9f\x9f\x1dC\xe2\x1a\xe32\x10\xdc\xb2\x17\xd1\x9b\xb0\x83#\xa3\n4\xbaN\x8a\x93Z4\r}I\xca\x04\xcd\xcc\xe8\x80\xc5 d\x0b\xacl\x93\xf7\xf77\xd68\xe6\xdf\xab\x13Z\x15C\x89\x9b\x12\x1d\xd3\xdc"\xdce9+un\xaa\xb3$\xc6\xef\x9a2\xff\xf0\x8c(\xe5Rl\xb59\x8b1\x95\xc8\x08\xba\xa1\xf1\x12P\x7fV\x10q\xf1\xf9QW\xe9<',)

In [12]:
key.decrypt(enc_data)

'abcdefgh'

來看看用RSA做數位簽章

In [13]:
from Crypto.Hash import SHA256
from Crypto.PublicKey import RSA
from Crypto import Random
key = RSA.generate(1024, random_generator)
text = r'abcdefgh'
hash_value = SHA256.new(text).digest()
signature = key.sign(hash_value,'')

In [14]:
public_key = key.publickey()
text = r'abcdefgh'
hash_value = SHA256.new(text).digest()
public_key.verify(hash_value , signature)

True

## Cryptography

讓我們用cryptography來試看看

In [15]:
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
    backend=default_backend()
)

一種常見的格式是``-----BEGIN {format}-----`` 和 ``-----END {format}-----``的pem格式，也可以直接讀取(若該serial有密碼保護，可以提供password)
```
from cryptography.hazmat.primitives import serialization

>>> with open("path/to/key.pem", "rb") as key_file:
...     private_key = serialization.load_pem_private_key(
...         key_file.read(),
...         password=None,
...         backend=default_backend()
...     )

```

不管是產生或讀取的，我們可以透過serialized介面存取

In [16]:
from cryptography.hazmat.primitives import serialization
pem = private_key.private_bytes(
   encoding=serialization.Encoding.PEM,
   format=serialization.PrivateFormat.PKCS8,
   encryption_algorithm=serialization.BestAvailableEncryption(b'mypassword')
)
pem.splitlines()

['-----BEGIN ENCRYPTED PRIVATE KEY-----',
 'MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIbbQg7W7VrKkCAggA',
 'MB0GCWCGSAFlAwQBKgQQhS4ELepki0t2WZvt2PxFUwSCBNBNJZjBa/dZAPGBYoQL',
 'te7suFe7L038yj5WaZMmlWvr8/py6mzADormwBp+ojIV3ve5U7Dah4j/Nfisu7Er',
 'KHHa3g2foPxPElk4gQaiOVNUcQWeC349q4S2ID9elAoz+lP6z8wfFqggECz9NP53',
 'Z0XmWubCD0eVHVyh0/ciwicGRsPPswsXlDrgCcMl4OtdjGyYmSsfrVNEJO7zeiCV',
 'EK80ShTN3WwysyB27k7rdqIK1mVoGV01tb7FdhqBjzmztraQ0vj7A16+yuE42xLs',
 'UVkzzvC057CoBNj2jwNOAPzeWhwG67yEUcW9x+fyrohAO4Vazlzf3P9ii9XuWdhP',
 'y60rVIOmJvwEW3MSUdcKXW6/BHKfO/RDvYqHB5k46GKm76aA0IMEdvFS00WbT8iN',
 '6nAFpD9OmV5qRCxzbLBvvpf/ebgdRmytq8vz8aJtjKOJlDWj2AE0+Affil362UMn',
 '3D84eMYTFlvHXXPw0E8vAlHuLV1NLdfyuOHOD73do+dugweu5Bg4hAP9HJKVqbTX',
 'Ixkd2Jdin7l6BFX92cuTDXRJUzSRrSPNdjq/7o/VHnaLIPZhcKOErP2qFN4Pew8Y',
 'hBaKgG67gOmLA1vlOPSVxyl7xRdLRQGG+TiwmqaqKYls5n7ZbMCiQqc5P05GwCaq',
 'jJaCmSv8l8TOwBRAXr3YcjBWo764GMSHVEmyRRKxoaeLUM5pTm9C2Bu3QDR+EWGc',
 '9QMbxCgqJyOBgb1umAWOORtSALRqzd4xUjAkMQDj4RPIIog5iMohlCX0LGZ

或不做encryption

In [17]:
pem = private_key.private_bytes(
   encoding=serialization.Encoding.PEM,
   format=serialization.PrivateFormat.TraditionalOpenSSL,
   encryption_algorithm=serialization.NoEncryption()
)
pem.splitlines()

['-----BEGIN RSA PRIVATE KEY-----',
 'MIIEowIBAAKCAQEAvOgWmiO2UWeDT1PX3xUEyHEpgCDGe1wKFjphepz/OqN2URi7',
 '7MOVSTepVCm7M6gsECXAxfg7srgdJKVBVh0vfhF8y/Tr9rq1wC0qOsrMz8jY2LCv',
 'o1JVl4TAL0yijRbSFIXbYfHDUM229lBrHrHXxd3srtPm7c26GU6MSmIZ6yW139Fx',
 'z4a8hi152j2Jo9j2wp4BGt3cjGAu3lea/L7usspojPYu+Pbo3y4qIGx5zGCvE5LQ',
 'N5NSPBvvGnFyOxg5zjmOkbeFs76c7g8HFiviRyyDpvoBSRys/wkHW/8MgOP2joko',
 'pQ4q4K1rxQ9gc0oUE9tP3hFFxGBM5mR/0hDRLwIDAQABAoIBAFJFScKrlvVw/XEI',
 '9NUFFGYvUoGoxIhpF0OC/X0m7skc86Rx/zYoH9YZVbd/zTW8IiSOLJyLdYRqRtb0',
 '2bWlVE+1UgKJklKMEie2A9RDClvb/wSwPm4Ep54rhH+VAp4ruCaT/W10mzmPvgUc',
 'FOrzTSOxeSjSxJoApPHskZC7lMohjG3TiHjpA+MR05WjVh3iBzYTKsyEHm3eNlS9',
 'htdyjUxfUYu967B7a1Y0Q4ZVhiksm6X8N3fnxqu6oOBm2Ti8DNXpeQqfPcy1dJiF',
 '7fH0tnlG/D8B3lUCm76dUYqs7cEOSHMrTL5qVGTWes1BYSMoW+QZUneynSy3Lowz',
 'Fp+IFeECgYEA6NKgsr/MU3q9SkMaaJVd+egL1Lg/STUwDjukWgJaA10yde80PNtY',
 '/13B0disxrcb/n6ssQx0kaoVhVe9BeVvRhortrAZrDRBHnG2AmNE71ZqtAOT5qwK',
 'LHCnif+12TosgsQneOkSJJEqfnT8CQimKd1CbRu74krmlUcvN6bsDkcCgYEAz7ZH'

public key可以透過以下方式取得

In [18]:
from cryptography.hazmat.primitives import serialization
public_key = private_key.public_key()
pem = public_key.public_bytes(
   encoding=serialization.Encoding.PEM,
   format=serialization.PublicFormat.SubjectPublicKeyInfo
)
pem.splitlines()

['-----BEGIN PUBLIC KEY-----',
 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvOgWmiO2UWeDT1PX3xUE',
 'yHEpgCDGe1wKFjphepz/OqN2URi77MOVSTepVCm7M6gsECXAxfg7srgdJKVBVh0v',
 'fhF8y/Tr9rq1wC0qOsrMz8jY2LCvo1JVl4TAL0yijRbSFIXbYfHDUM229lBrHrHX',
 'xd3srtPm7c26GU6MSmIZ6yW139Fxz4a8hi152j2Jo9j2wp4BGt3cjGAu3lea/L7u',
 'sspojPYu+Pbo3y4qIGx5zGCvE5LQN5NSPBvvGnFyOxg5zjmOkbeFs76c7g8HFivi',
 'RyyDpvoBSRys/wkHW/8MgOP2jokopQ4q4K1rxQ9gc0oUE9tP3hFFxGBM5mR/0hDR',
 'LwIDAQAB',
 '-----END PUBLIC KEY-----']

試著用 private key 來簽署 message。RSA 數位簽章(或多數數位簽章)需要指定 hash function，padding 方法。如下:

> 常見的兩種padding 策略為 PSS (new protocols or applications建議使用),和 PKCS1v15 (過去的協定)

> PSS (Probabilistic Signature Scheme) 訂於 RFC 3447. 他比 PKCS1 複雜並有 security proof. 但他無法在Eencryption使用

In [19]:
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

signer = private_key.signer(
    padding.PSS(
        mgf=padding.MGF1(hashes.SHA256()),
        salt_length=padding.PSS.MAX_LENGTH
    ),
    hashes.SHA256()
)
message = b"A message I want to sign"
signer.update(message)
signature = signer.finalize()

Verify可以用很多種方法 `` load_pem_public_key()``, ``load_der_public_key()``, ``public_key()`` , 或 ``public_key()``取得public key

In [20]:
public_key = private_key.public_key()
verifier = public_key.verifier(
    signature,
    padding.PSS(
        mgf=padding.MGF1(hashes.SHA256()),
        salt_length=padding.PSS.MAX_LENGTH
    ),
    hashes.SHA256()
)
verifier.update(message)
verifier.verify()

同樣的加密也要提供適當的padding和hash方法

> 常見的兩種padding 策略為 OAEP (new protocols or applications建議使用),和 PKCS1v15 (過去的協定)

> OAEP (Optimal Asymmetric Encryption Padding) 訂於 RFC 3447. 他同樣是 probabilistic encryption且有安全證明. 但不能用於簽章

In [21]:
message = b"encrypted data"
ciphertext = public_key.encrypt(
    message,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA1()),
        algorithm=hashes.SHA1(),
        label=None
    )
)

In [22]:
plaintext = private_key.decrypt(
    ciphertext,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA1()),
        algorithm=hashes.SHA1(),
        label=None
    )
)
plaintext == message

True

## OpenSSL

提到RSA 或許不能不提 OpenSSL。這是一套提供了完整安全通信所需的編碼工具，諸如雜湊演算法（Hash algorithms）、加解密演算法（Encryption / Decryption algorithms）及 SSL / TLS 協議的實現等。加上其開放源碼的特性，使得許多開源專案或商業套件都有其踪跡(例如ssh-keygen, cpabe...)。OpenSSL 除了提供程式 API 擴充接口外，也有命令列模式的操作。

> 雖然一直以來一直有相關的漏洞 (像心淌血HeartBleed...)

開始前我們先補充一些相關背景

key (或Certificate)可以存成多種格式, 常見的有 DER , PEM , PFX

- DER - 將 certificate 或 key 用 DER ASN.1 編碼的原始格式, certificate 就是依照X.509的方式編碼, key 則是又能分為PKCS#1 和PKCS#8
- PEM - 把 DER 格式的 certificate 或 key 使用 base64-encoded 編碼後在頭尾補上資料標明檔案類型

例如:
```
Certificate
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
```

```
RSA private key (PKCS#1)
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY--
RSA private key (PKCS#8, key 沒加密 )
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
```

另外還有相關的編碼如PKCS#7這個格式用來傳遞簽署過或加密的資料(檔案裡可以包含整個用到的 certificate chain)，PKCS#12 (PFX)這個格式可以把 private key和整個 certificate chain 存成一個檔案

以下為產生key的方法

In [23]:
%%bash 
openssl genrsa -out private_key.pem 2048

Generating RSA private key, 2048 bit long modulus
.........................................................................................+++
..........+++
e is 65537 (0x10001)


In [24]:
%%bash 
cat private_key.pem

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA3uU60AToRWMkrTTwTUqWLwYvZhPStXkj6QjF4EcC3l/xbO+A
wFgTG1dTCaRokOMtN59IqKJcHq87s/JiK78Irv0BbegOuyY5g1sk7fNVWS6uGnuZ
ohNRGJ5PZkPB57mID8n7VCaGD5vGAMV/xp0MuSeKPNYDY2SUGvm4cHxpqsy7IRg3
dDMnVv29zMaXZi1VL/S1a0FPTv77fveqX0CE98lLV5PzumM0zkL8sjM8BG4iQwcV
Wnu9vsyZIsY6L7koOMF9mPjlABEwv5+/Ozfz9Cxdf4EmnDNUTVzofMR3SUjKOSou
9GJm1tVlsC2zmTSgIKvMhMBqJxCEq0z1A/PNGQIDAQABAoIBAGXeXgK0O3N63EhM
6YZpkDntmbwNUz+dHcxjNgxKaAU51Bz1WOKPXiwgvNKrUR7mtMO3CH4JthBQBfk3
zaYwqMdQ2lZguFrQHXjrLvWRQHCB5RA1bQGl0mpt79vNG9HL+WM97J+I+7wmdVfk
64DaRfZZG9Sx+tpyHT424xSFx8VG8YZmc2V4bJcGIwwxWXDY8iWsry5+xx/h419M
Yt6Z3AgMCUzeOueRkcXrCMpNnwNhiJTRXTYAZbNiLG2HTHedfe+4GA7k9hYczhvo
PjgQpbrXzIGbItdYjFRjRm3vAl07dUPKtHyqTp0tEjLtK8k7o69quj5kLjQ/2Jb3
A1rkAAECgYEA/UuEc+PVOAPqoKW1KsG13QXgYFnCyBeQnbyvZNQmPAfo6KRrN1r6
bH7VdRrIYigbRpOt8hbBOkJfH2YdbQjvLA/V2CwU2ysUbDNip3h41bvujozEbza8
zCljLaefwnIzUkXBo9tbv10uy1J9EgzIx9K9XaU14E74bEKJoJfglOECgYEA4Uaa
YYwp0I9b6qvRGkyDwGGcW/J4DYTBe9WRAVjOS+3knQRTVghUDZRg0p9uU7

同樣的我們可以從private key(或certificate) 匯出 public key

In [25]:
%%bash 
openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout
cat public_key.pem

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3uU60AToRWMkrTTwTUqW
LwYvZhPStXkj6QjF4EcC3l/xbO+AwFgTG1dTCaRokOMtN59IqKJcHq87s/JiK78I
rv0BbegOuyY5g1sk7fNVWS6uGnuZohNRGJ5PZkPB57mID8n7VCaGD5vGAMV/xp0M
uSeKPNYDY2SUGvm4cHxpqsy7IRg3dDMnVv29zMaXZi1VL/S1a0FPTv77fveqX0CE
98lLV5PzumM0zkL8sjM8BG4iQwcVWnu9vsyZIsY6L7koOMF9mPjlABEwv5+/Ozfz
9Cxdf4EmnDNUTVzofMR3SUjKOSou9GJm1tVlsC2zmTSgIKvMhMBqJxCEq0z1A/PN
GQIDAQAB
-----END PUBLIC KEY-----


writing RSA key


In [26]:
%%writefile test.txt
This is a text

Overwriting test.txt


In [27]:
%%bash
openssl rsautl -encrypt -inkey public_key.pem -pubin -in test.txt -out test.txt.rsa
cat test.txt.rsa

B%�TD�$2�P��8&���K��C���(���afZ�c�R.M��/�,��Y�U��4	M�Z�kG(1I�|�{�� �s�R?�f��k+M{��r�c^Y�r�-��3�up4�B�d^�$�uLS@�5��c�h��b�RJ�hvA��=s&� ���G�C΀=6���~���v�X�B,<��g�qS������x��ْ���U̕������X�M)�
?���=�:ùV��~Y��Ԇ�o"�,

In [28]:
%%bash
openssl rsautl -decrypt -inkey private_key.pem -in test.txt.rsa -out test_decrypt.txt
cat test_decrypt.txt

This is a text

相關可參考 http://jianiau.blogspot.tw/p/openssl.html

In [30]:
%reload_ext version_information
%version_information numpy, scipy, matplotlib, pycrypto, cryptography, pyopenssl, version_information

Software,Version
Python,2.7.10 64bit [GCC 5.2.1 20151010]
IPython,5.0.0
OS,Linux 4.2.0 30 generic x86_64 with Ubuntu 15.10 wily
numpy,1.8.2
scipy,0.14.1
matplotlib,1.4.2
pycrypto,2.6.1
cryptography,1.0.1
pyopenssl,0.15.1
version_information,1.0.3
