# Cryptography Tutorial

This notebook will guide you through real examples of each of the concepts that we just covered in the presentation. Each section will provide a description of what commands to type, but it's up to you to actually type them out and run them! 

Be sure that you are running commands in code cells that have `%%bash` at the top. If you're stuck, click the sections with the 3 dots to expand them and show exactly what commands to run. You can run commands by highlighting the code cell and clicking on "Run" at the top of the screen. You can also use CMD+Enter (Mac) or Ctrl+Enter (Windows/Linux) to run a single code block.

We'll be using the OpenSSL command in this tutorial. [OpenSSL](https://www.openssl.org/) is a project that provides free and open source implementations of modern cryptographic algorithms.

I'll walk you through both symmetric key and asymmetric key examples, and we'll start with symmetric since it's a bit easier.

## Keys

Before we can encrypt or decrypt anything, we need keys! I've already made all the keys necessary for this tutorial. Go back and check the window that originally opened when you clicked the link in the powerpoint, and you'll see the *Keys* folder that contains all of the key files. If you're interested in learning how to make your own, you can go to the bottom of this document to learn about key generation.

## Symmetric key walkthrough

Let's walk through the most basic symmetric key operations: encrypting and decrypting messages that we want to keep confidential. Remember that with symmetric key cryptography, we only one key to encrypt and decrypt messages. This key is the [symmetric.key](keys/symmetric.key) file in the keys folder. You can click on the link to that file to see what it looks like: it should just show up as a long, random string of letters and numbers.

### Encryption

Our goal is the encrypt the message in the [message.txt](message.txt) file:
> This is a confidential message.

We can use the `openssl enc` command for symmetric key encryption, but we have to be sure to provide all the information it needs. We pass this information as "options" to the command. I'll list them all out here before actually showing the full command.
- `-aes-256-cbc` : This option specifies the algorithm to use. There are many algorithms that implement the one-way function that transforms the short key into a much longer key, and we are going to use the [AES standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard). 
- `-in message.txt` : The `-in` option allows us to specify the file that we want to encrypt. In our case this file is [message.txt](message.txt).
- `-pass file:keys/symmetric.key` : The `-pass` option let's us specify which key we want to use for encryption. We let the command know that our key is in a file and that this file is called *symmetric.key* and it's in the *keys* folder.
- `-out message.enc` : Finally, we have to tell the command where to put the encrypted version of the message. We do this with the `-out` option followed by the file name of the encrypted message, which we can call *message.enc*.
- `-base64` : Don't worry too much about this option; it just ensures that the encrypted file can still be opened by a text editor so that we can look at it.

Putting it all together, here's the full command you should run:

`openssl enc -aes-256-cbc -base64 -in message.txt -out message.enc -pass file:keys/symmetric.key`

You can actually run it by running the code block below. Once you've run it, you'll see a new file appear called *message.enc*, which is the encrypted version of our message.

In [16]:
%%bash

openssl enc -aes-256-cbc -base64 -in message.txt -out message.enc -pass file:keys/symmetric.key

Using -iter or -pbkdf2 would be better.


Now that you've run that command, let's check out the output! Just open [message.enc](message.enc) by clicking on the link. If all went well, it'll just look like gibberish. Success!

### Decryption

Now assume that you've just received that encrypted message and you want to decrypt it. Decryption is almost identical to encryption, we just slightly change a few of the options:
- `-d` : We have to add this option to indicate to the `openssl enc` command that we want to decrypt instead of encrypt.
- `-in message.enc` : We obviously need to change the input to be the encrypted file.
- `-out message-decrypted.txt` : And we should also change the output to reflect that it's the decrypted message (although *message-decrypted.txt* should be identical to *message.txt*).

Again putting it together, here's the command you should run:

`openssl enc -d -aes-256-cbc -base64 -in message.enc -out message-decrypted.txt -pass file:keys/symmetric.key`

Again, I've already typed it out for you below, and you only need to run the code block as it is.

In [17]:
%%bash

openssl enc -d -aes-256-cbc -base64 -in message.enc -out message-decrypted.txt -pass file:keys/symmetric.key

Using -iter or -pbkdf2 would be better.


Now we can check out [message-decrypted.txt](message-decrypted.txt) to see if it worked! If all went well, it should read 
> This is a confidential message.

which is exactly what we encrypted at the beginning.

## Asymmetric key walkthrough 

## Key Generation

We can easily generate keys for symmetric and asymmetric cryptography using open source and free software. The keys in this tutorial were generated with [OpenSSL](https://www.openssl.org/), which can be installed easily on Linux and Mac. On Windows, I would recommend installing [Ubuntu](https://www.microsoft.com/en-us/p/ubuntu-1804-lts/9n9tngvndl3q?activetab=pivot:overviewtab), which will include OpenSSL. You can also mess around with the commands below to generate keys in this notebook.

### Symmetric keys

One way to generate a symmetric key with OpenSSL is to simply generate a random number, which the following code block does.

In [5]:
%%bash

openssl rand -hex 64 

cafb64e690c2dd21f2b6065e947a730b1a6b7d4b63e1b6d22b085ffe3a345ab77d03e1264cf7cf41d5b3ccaf625c6c5bcbba9d1b93bfa0cc9567333e75b8e402


This is how I generated the [symmetric.key](keys/symmetric.key) file. In general, however, it is possible to have the keys result from passwords, which is more secure. Read more about the `openssl enc` command to learn about symmetric encryption.

### Asymmetric keys

It is also possible to generate asymmetric keys with OpenSSL. This first command generates the a private key. 

In [8]:
%%bash

openssl genrsa

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA35SolHHOR31T0ldTcIQ8kB2yhlGBwlFexyZFMO166cDNMBpq
j6nwrm009lecn1NY/v8arqA074GaeHLlqUjthX94l933Mot0ivGWFZvd2ok6kQVB
Q6vwuiMHTAH1+UZlwOvjCJftRaNTU0dZ3sV3rVeAZwbUqBNtK6Au3B2pG2zJcbQO
pbC8bWpc+GCbYGJeJObNWHM7IfCFsknWZx8GXPQEN03WV58ECZLzgClMCHi1s1G4
n2DCm4EgFxnvlaxjGYo7u45fRzs4ssVgow0PSPFjmvAOXyaOKtIBayFVT3+eN2S3
vQLyqRdBqMtxsDIRpWpriyYuJCpCSfYrc7Fj+wIDAQABAoIBAAo17tEAtYv8RES5
6jycPWvTf2C0/jkSoEJ2E/jdD5z3SielPTKcbzp4EFAjxipckxbqLZzGAkTh5V0U
2jo182sCXE6LO4vaZJMn31PTT3l4hO00kTt28cJ+cQnemQ4uUd1SqIau8Y4ZnGeU
PZ135TRMZ7fMzw9x+61fXmR9EkkHQ/1pZXi8ButKt1/X2y/s2Fuq4W7jCJeYbDLw
E8CI4xW3eciiCAYzdd0dzT+kK1I+oYQwQ2D7vUyiNdSkCQgzR1uJY+oQb5YKmc+A
Ov8P+a1ZjFIw9wSPxRgXVriKXMlBG8GA1POziY8xSRCi3ATNfGauP/J0XdyrTHho
+DrIMrECgYEA8eXu5skSVG+ZJlnzZzuuHsxlHsX7HVmm6Y2LCJid0EW3+zkEVPXE
Hx9dAnGC4t0cBt+SyXi9ZvviMt2mHz5OtmipjLSs7YYbbYJOu1crKNxtCBAW4jWm
vMKT3Dmyen/K+A0Sma0YlfctxWmfeDBnduZ9KWevwajgU50TBZZs3bMCgYEA7J1b
XInzioT9jEZku7tTJLN+QILcv2LCOprtnfEBX0QXYl2sEZIjw0BJEd0tIN

Generating RSA private key, 2048 bit long modulus (2 primes)
..............................................................+++++
.................................+++++
e is 65537 (0x010001)


Next, we have to generate a public key corresponding to this private key:

In [11]:
%%bash

echo "-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA35SolHHOR31T0ldTcIQ8kB2yhlGBwlFexyZFMO166cDNMBpq
j6nwrm009lecn1NY/v8arqA074GaeHLlqUjthX94l933Mot0ivGWFZvd2ok6kQVB
Q6vwuiMHTAH1+UZlwOvjCJftRaNTU0dZ3sV3rVeAZwbUqBNtK6Au3B2pG2zJcbQO
pbC8bWpc+GCbYGJeJObNWHM7IfCFsknWZx8GXPQEN03WV58ECZLzgClMCHi1s1G4
n2DCm4EgFxnvlaxjGYo7u45fRzs4ssVgow0PSPFjmvAOXyaOKtIBayFVT3+eN2S3
vQLyqRdBqMtxsDIRpWpriyYuJCpCSfYrc7Fj+wIDAQABAoIBAAo17tEAtYv8RES5
6jycPWvTf2C0/jkSoEJ2E/jdD5z3SielPTKcbzp4EFAjxipckxbqLZzGAkTh5V0U
2jo182sCXE6LO4vaZJMn31PTT3l4hO00kTt28cJ+cQnemQ4uUd1SqIau8Y4ZnGeU
PZ135TRMZ7fMzw9x+61fXmR9EkkHQ/1pZXi8ButKt1/X2y/s2Fuq4W7jCJeYbDLw
E8CI4xW3eciiCAYzdd0dzT+kK1I+oYQwQ2D7vUyiNdSkCQgzR1uJY+oQb5YKmc+A
Ov8P+a1ZjFIw9wSPxRgXVriKXMlBG8GA1POziY8xSRCi3ATNfGauP/J0XdyrTHho
+DrIMrECgYEA8eXu5skSVG+ZJlnzZzuuHsxlHsX7HVmm6Y2LCJid0EW3+zkEVPXE
Hx9dAnGC4t0cBt+SyXi9ZvviMt2mHz5OtmipjLSs7YYbbYJOu1crKNxtCBAW4jWm
vMKT3Dmyen/K+A0Sma0YlfctxWmfeDBnduZ9KWevwajgU50TBZZs3bMCgYEA7J1b
XInzioT9jEZku7tTJLN+QILcv2LCOprtnfEBX0QXYl2sEZIjw0BJEd0tINvSDfSG
F4BaHhfsCaJTxFi1Nmop3H3TtBZMikLZeq0M3CHT2Ic7QsiF65eXSWJD46dtvc48
sf0Ob0dZ8Gg76co/Vudp6WFydlCYGPQZPEuRjJkCgYBMvHpa7/JGothcmDBk0UPd
NU3mwzt0BhqzAFnYskFt7o/8vAupwAUlMlfZDJVOzoGzlH0GOK0s3D7XkATA6I0j
xHP01OP+vYo55RqAx5hDcBmOczwvKoHoY3lwZUU/IwcKRWtfINAp0q3McENMZ16L
E3clCWVx89al77A3F48VjQKBgAjAaTirAY8GDDq7/83Rx+l7mhfYv0F07aotQMyu
tVZItnS08kBUH26BWjKG87xbZRGPEcacwLiMOfbBQkfo4Ar7MkEthj8K9BnJDzIy
ZF9gAO3pUo/NyuZD3RyhvdEVyEFU93m92mLTSMhTkqO7D0yvkoNHT2yA3p9NqAFK
6j9BAoGBAItkz3WaEDfQTTXzkTLA2rCF1TZKOYMEw/438RpFykOKqLEc2jY7elYb
Zg7B9mAZleubUvFnRYSAzLFH0VcE0dbEJpYW5HRuD/pmvc2Ui1MYhNB90c7E3wE2
acc5EwCJdbi9Z7x5h1OyOMsIumJeuP/342OBISLpoSKI8IGYJ0fj
-----END RSA PRIVATE KEY-----" | openssl rsa -pubout

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA35SolHHOR31T0ldTcIQ8
kB2yhlGBwlFexyZFMO166cDNMBpqj6nwrm009lecn1NY/v8arqA074GaeHLlqUjt
hX94l933Mot0ivGWFZvd2ok6kQVBQ6vwuiMHTAH1+UZlwOvjCJftRaNTU0dZ3sV3
rVeAZwbUqBNtK6Au3B2pG2zJcbQOpbC8bWpc+GCbYGJeJObNWHM7IfCFsknWZx8G
XPQEN03WV58ECZLzgClMCHi1s1G4n2DCm4EgFxnvlaxjGYo7u45fRzs4ssVgow0P
SPFjmvAOXyaOKtIBayFVT3+eN2S3vQLyqRdBqMtxsDIRpWpriyYuJCpCSfYrc7Fj
+wIDAQAB
-----END PUBLIC KEY-----


writing RSA key


Notice that we have to feed the private key directly into the command since the public key directly depends on the private key.