• Openssl OpenSSL is an all-around cryptography library that offers an open-source application of the TLS protocol. It allows users to perform various SSL-related tasks, including CSR (Certificate Signing Request) generation, private keys generation and SSL certificate installation.

OpenSSL is an open-source command line tool that is commonly used to generate CSRs and private keys, install the SSL files on your server, merge files, convert your certificate into various SSL formats, verify certificate information and troubleshoot any potential issues.

• Symmetric-key

Symmetric-key encryption the message is encrypted by using a key and the same key is used to decrypt the message which makes it easy to use but less secure. It also requires a safe method to transfer the key from one party to another.

• Asymmetric encryption,

Asymmetric encryption, also known as public-key cryptography, is a type of encryption that uses a pair of keys to encrypt and decrypt data. The pair of keys includes a public key, which can be shared with anyone, and a private key, which is kept secret by the owner.

• What is the essence of asymmetric data encryption?

The essence of asymmetric encryption is that it uses two keys — one public (for encryption) and one private (for decryption or signing) — allowing secure communication, authentication, and non-repudiation without needing to share a secret key beforehand.

• What is the essence of symmetric data encryption?

The essence of symmetric encryption is that it uses the same secret key for both encryption and decryption, ensuring confidentiality and efficiency in data transmission. The main challenge lies in the secure sharing and management of the key, as anyone with access to the key can both encrypt and decrypt the data. Symmetric encryption is faster and less resource-intensive than asymmetric encryption, making it ideal for encrypting large amounts of data but requiring secure key management.

• What is the difference between symmetric encryption and asymmetric encryption?

**

• Symmetric Encryption:

**

1. Uses a single shared key for both encryption and decryption. 2.If you encrypt a message with a key, the same key must be used to decrypt it
2. The security relies on keeping the shared secret key confidential

• Asymmetric Encryption:

4. Uses two related keys: a public key and a private key.
5. One key (the public key) is used for encryption, and the other key (the private key) is used for decryption. 6.Provides higher security in terms of key management and eliminates the need to share secret keys over insecure channels..

• How is asymmetric data encryption done?

Asymmetric data encryption involves using a key pair: a public key for encryption and a private key for decryption. The sender uses the recipient's public key to encrypt the message, and only the recipient, with the corresponding private key, can decrypt and read the message. This ensures that even if the encrypted message is intercepted, it cannot be decrypted without the private key

• How is the digital signature of a message generated?

To generate a digital signature, the sender first hashes the message (e.g., "Hello, Alice!") using a cryptographic hash function like SHA-256. The sender then encrypts this hash with their private key, creating the digital signature. The recipient decrypts the signature using the sender's public key, compares the decrypted hash with their own computed hash of the message, and if they match, the message is verified as authentic and unaltered

• What is the verification of the digital signature of a message?

The verification of a digital signature involves the recipient decrypting the signature with the sender's public key to obtain the original hash, then hashing the received message and comparing the two hashes. If they match, the message is verified as authentic (Verified OK) .

• What can the error indicate when verifying the digital signature of a message?

An error when verifying a digital signature can indicate that the message has been tampered with, the wrong public key was used, or the signature is invalid or corrupted (BAD DECRYPT)

SCENERIO: Secure Message Exchange Using RSA and Symmetric Encryption With A Friend

Create a secure message exchange with a friend: generate an RSA key pair, share your public key, and receive your friend's public key. Encrypt a message using a symmetric encryption key, encrypt the key with your friend's public key, and send both the encrypted message and key to your friend. Sign the message with your private key, and let your friend verify the signature and decrypt the message. Then swap roles and repeat the process.

LAB: To generate the RSA private key, I used the command openssl genrsa -out pri-key.pem -des3 1024. The openssl genrsa part instructs OpenSSL to generate an RSA key pair, while -out pri-key.pem specifies that the private key should be saved in the file named pri-key.pem. The -des3 flag encrypts the private key using the Triple DES algorithm, and 1024 sets the key size to 1024 bits, which is a commonly used standard for RSA keys.

Bob used the command openssl rsa -in pri-key.pem -pubout -out pub-key.pem to extract the RSA public key from the private key. openssl rsa invokes RSA-related functions in OpenSSL, -in pri-key.pem specifies the input file (the encrypted private key), -pubout tells OpenSSL to output the corresponding public key, and -out pub-key.pem saves the public key in the pub-key.pem file

In this step, I created a file named Secret.txt that contains sensitive information.

Bob used the openssl rand command to generate a random 32-byte password in hexadecimal format. The command ran successfully and created a file named password.txt, which contains the generated random password.

The command openssl pkeyutl -encrypt -inkey alice-pub-key.pem -pubin -in password.txt -out password.crypt works as follows: openssl pkeyutl invokes OpenSSL's public key utility for cryptographic operations, -encrypt specifies encryption as the operation, -inkey friend-pub.pem uses the public key from the friend-pub.pem file for encryption, -pubin indicates the provided key is a public key, -in password.txt specifies the input file to be encrypted, and -out password.crypt saves the encrypted result to password.crypt. This encrypts the password from password.txt and stores the encrypted version in password.crypt.

This command creates a new text file named confidential.txt and writes the string "This is another confidential file" into

Bob used the command openssl aes-256-cbc -in confidential.txt -out confidential.crypt -e -kfile password.txt -pbkdf2 -iter 10000 to encrypt the confidential.txt file using the AES-256-CBC algorithm. This command specifies the input file (confidential.txt), saves the encrypted output to confidential.crypt, and uses the password from password.txt to derive the encryption key with the PBKDF2 algorithm, applying 10,000 iterations for stronger key derivation.

Bob used the command openssl dgst -sha1 -sign bob-pri-key.pem -out digital-signature.sig confidential.crypt to create a digital signature for the encrypted file confidential.crypt. This command works as follows: openssl dgst -sha1 invokes OpenSSL's dgst command and specifies the SHA-1 hash algorithm to compute the hash of the file, -sign pri-key.pem signs the file's hash using the private RSA key from pri-key.pem, -out digital-signature.sig saves the generated signature in the file digitalsignature.sig, and confidential.crypt is the file being signed.

Alice needs:

1. Bob Public key (bob-pub-key.pem)
2. Digital signature (dig-signature.sig)
3. Encrypted password (password.crypt) that was used to encrypt the file confidentail.txt
4. Encrypted file (confidential.crypt)

Alice used the command openssl dgst -sha1 -verify friend-bob-pub-key.pem -signature digital-signature.sig confidential.crypt to verify the digital signature for the file confidential.crypt. In this case, bob public key, stored as bob-pub-key.pem, was used to verify the signature.

This process ensures that the file was signed by bob, confirming the integrity and authenticity of the transmitted data between Bob and Alice. The output Verified OK indicates that the verification was successful, meaning the digital signature is valid, and Bob can trust that the message came from me before proceeding to decrypt it.

Alice executed the command openssl pkeyutl -decrypt -inkey alice-priv-key.pem -in password.crypt -out password.txt to decrypt the password.crypt file using his private key (key.pri). After entering the passphrase for his private key, the decryption was successful, and the decrypted data was saved into password.txt. Bob confirmed the successful decryption by listing the directory, where password.txt now appeared.

Alice successfully decrypted the password.crypt file using her private key, creating the password.txt file. Then,

Alice used the password.txt file to decrypt the confidential.crypt file with the AES-256-CBC algorithm. The decrypted file, confidential.txt, revealed its contents, which was "confidential file for admin only, the code pin is 1098@!-$%" This demonstrates the decryption process, where Bob utilized both asymmetric and symmetric encryption methods to securely decrypt and access the data

• CONCLUSION: OpenSSL enables secure communication by combining symmetric and asymmetric encryption techniques. Symmetric encryption ensures efficient data protection, while asymmetric encryption securely exchanges keys without prior sharing. Digital signatures authenticate the sender and ensure message integrity, making OpenSSL a powerful tool for secure data exchange.

In my lab, I achieved secure message exchange by using OpenSSL to generate RSA key pairs for asymmetric encryption, encrypt a message using AES-256-CBC for symmetric encryption, and sign the encrypted message with my private key. I successfully demonstrated how my friend could verify the digital signature using my public key, decrypt the password using his private key, and then decrypt the message using the symmetric key. This lab effectively combined both encryption methods to ensure data confidentiality, authenticity, and integrity in a real-world secure communication scenario.

---