### Generate an RSA keypair

We start this lab by generating rsa keypairs. There are many tools available to help you generate key pairs. In this lab we will start with ssh-keygen. It is available on Linux, Mac and Windows.

------------


### Creating a public-private key pair

Run the openssl command to create a private RSA key. Then run the second command to extract the public key

In [172]:
!openssl genrsa -out key.pem 4096

In [173]:
!openssl rsa -in key.pem -pubout > key.pub

writing RSA key


### Using public-private key pair

The two basic uses of public-key cryptography are to encrypt something or to sign something. But we typically never use asymmetric encryption to encrypt files.

Why? Give 2 reasons.

Run the openssl command to encrypt a file. Use your password file as the data to encrypt.

In [174]:
!openssl pkeyutl -in /etc/passwd -out ./passwd.ctxt -inkey ./key.pub -pubin -encrypt

Public Key operation error
40775061927F0000:error:0200006E:rsa routines:ossl_rsa_padding_add_PKCS1_type_2_ex:data too large for key size:../crypto/rsa/rsa_pk1.c:129:


This generated a "Public Key operation error". Why was that?

Look at the size of the file. `!wc -m /etc/passwd`

Does that help?

Typcially we use public-key encryption to encrypt something small, like the digest (hash value) of the file.

Use the openssl command to generate the sha2-256 digest for your password file (/etc/passwd)<br>
`!openssl dgst -sha2-256` <br>


In [175]:
!cat /etc/passwd | openssl dgst -sha2-256 -out ./passwd.dgst

Now take a look at the digest.

In [176]:
%cat ./passwd.dgst

SHA2-256(stdin)= bbb5b41faf87dc348dfc4def35fde32a0bf5f6c3f788b46836d735b11496abd4


In [177]:
!openssl pkeyutl -in ./passwd.dgst -out ./passwd.cdgst -inkey ./key.pub -pubin -encrypt

Now take a look at the output.

In [178]:
!cat ./passwd.cdgst

�ߩ�A�8βE�D������i��ѷ@���0 ��R�z&�4�`yhg�D�F���5�NZ,0;�[�r���38ǁ�#�Mq��H�@�_�L�����_������������k>���P�L�ܱ�s��K�b`�FE 0�{�����McZ�8}?�	�<׈��W_���.A�W��Oy4�?"!�Y��b�.橰4�4��7�T�w����e�@�@q6e�0�3d
��[����f:�Ђ�Jު����tL��T��!Jj�(a�֢��uK�5�`�ס�j��F�hPӠ�q��h�����`���Fc�J.-��|���_��w��0��S0Z�y<���$4�tj"��H/{�y���)W��7�S��FE-j����7���ϛ�!���B�Q,�dx �����X���U�����A�S#�F�#��h��1܂N'�P�(����

Rerun the command to encrypt the digest and then review the output. What do you notice? Explain.

---
## Digital Signatures

Asymmetric cryptography can also be used to digitally sign data, but here you use the private key, and just like encrypting, the size of the data you can sign is limited.

In [179]:
!openssl dgst -sha2-256 -sign key.pem -out passwd.sign /etc/passwd

In [180]:
!cat ./passwd.sign

>-94_���;u0g��p��-�ISr:"c��L�?�� P���x#˯!�]\�hiV�� E���S��z��`�a�G
���yyg.�Ɣޏl�ڡ2*��L���o�(B�_Ia�M���!.�j�K�"�D=��sR&�dx�W����X4ن�`9�{&a��m؜��'>R���
S�e�s�X.�mԋ�����:�=F�{AQ��w1���r2D,���h�,��F��y%���/�����n�B-��B�C-c��M�8!v�N�r�5SF�W��5��?�M���D����3VH��W"�͝��9�K2��8���K�

Now verify the file:<br>
`!openssl dgst -verify ./key.pub -keyform pem -sha256 -signature passwd.sign -binary /etc/passwd`


In [188]:
!openssl dgst -verify ./key.pub -keyform pem -sha256 -signature passwd.sign -binary /etc/passwd


Verified OK


----------
### This concludes the lab.

Use File > Save and Export Notebook as... > PDF