Notes on OpenSSL (for Herbrip)
==============================

file: NOTES_OPENSSL
last altered:  20 -Nov-2001


To read man pages:
   cd /usr/local/ssl/man/man1
   man -l dsa.1
   (etc)


Public Key Algorithms:
~~~~~~~~~~~~~~~~~~~~~~

 * RSA encryption/decryption/generation.  
   (no limit on the number of bits)
 * DSA encryption/decryption/generation.   
   (no limit on the number of bits)
 * Diffie-Hellman key-exchange/key generation. 

Are any of these patented?


Commands
~~~~~~~~

openssl <command> <parameters>

 * ciphers = outputs list of ciphers it understands


DSA:
 * dsa = DSA data management
 * dsaparam = DSA parameter generation 
 * gendsa = DSA parameter generation

RSA:
 * rsa = RSA data management
 * rsautl = RSA utility for signing, verification,
   encryption, and decryption
 * genrsa = RSA parameter generation

Diffie-Hellman:
 * dhparam = generation of Diffie-Hillman parameters


Examples, using RSA
~~~~~~~~~~~~~~~~~~~

openssl genrsa -out rsa.key -rand NOTES 1024
   generates 1024-bit keypair into rsa.key.
   uses file NOTES for randomness.

openssl rsa -inform PEM -outform DER -in rsa.key -out rsa2.key 
   converts rsa.key (an ascii file) to rsa2.key (same data 
   but binary)
   
openssl rsa -in rsa.key -out rsapub.key -pubout
   reads the keypair rsa.key; outputs the public 
   key into rsapub.key; both files ascii.
   
openssl rsa -in rsa.key -out rsasec.key 
   as above but outputs secret key (?? Does it -- it actually
   returns the same as <rsa.key> which is the keypair ??)
 
openssl rsautl -in NOTES -out NOTES.ctf -inkey rsapub.key -pubin -encrypt
  Doesn't work, because RSA can only directly encrypt a small file.
  I need to create a random blowfish session key, and encrypt
  that with RSA. Then encode the data in the blowfish key
  
openssl bf -in NOTES -out NOTES.ctf -e -a -K 01234567890123456789012345678922
  Using the blowfish algorithm, encrypt (-e) input file NOTES
  into output file NOTES.ctf using the key specified after -K
     
openssl bf -in NOTES.ctf -out NOTES2 -d -a -K 01234567890123456789012345678922
  The corresponding decryption

How do we randomly generate a 128-bit BF session key?
Use:

openssl rand -rand NOTES -base64 32
   Writes to stdout 32 bytes, base64 encoded
 
   
openssl base64 -in f1 -out f2
   base 64 encode f1 -> f2   
   
openssl base64 -in f2 -out f1_new -d
   base 64 decode f2 -> f1_new

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
 
Sequence of commands to encrypt a file <plainText> using 
publickey and private session key encryption:

(1) get public/secret keypair into <rsa.key>:

openssl genrsa -out rsa.key -rand NOTES 1024

(2) get 32 byte (128 bit) random session key into <sesskey>:

openssl rand -rand NOTES 32 >sesskey

(3) translate sesskey to hex (od -x will do this), result
is:
   3d304a3121b57fb773c467bc6181f359
   
(4) encrypt this session key into <sesskey.enc>:

openssl rsautl -in sesskey -out sesskey.enc -inkey rsa.key -encrypt

(5) check that we can decrypt the session key into <sesskey.pt>

openssl rsautl -in sesskey.enc -out sesskey.pt -inkey rsa.key -decrypt
 
{This works <sesskey.pt> == <sesskey>; check it still works 
if we extract the public key from rsa.key and encrypt with that:}

openssl rsa -in rsa.key -out rsapub.key -pubout
openssl rsautl -in sesskey -out sesskey.enc2 -inkey rsapub.key -pubin -encrypt
openssl rsautl -in sesskey.enc2 -out sesskey.pt2 -inkey rsa.key -decrypt
 
{This works: <sesskey> == <sesskey.pt2>; GOOD.} 
{Note that <sesskey.enc2> is binary (and must therefore be base64 
encoded before putting into the email-to-be-output)}
 
(6) use the session key to encrypt <plainText> using blowfish 
CBC mode:
 
openssl bf -in plainText -out cipherText -e -a -K 3d304a3121b57fb773c467bc6181f359
 
(output file <cipherText> is base64 encoded
 
(7) use the session key to decrypt <cipherText>:

openssl bf -in cipherText -out plainText_d -d -a -K 3d304a3121b57fb773c467bc6181f359
 
 
;end
