NOURA ALSHAREEF

Oct 24, 20235 min read

Mastering Encryption, Decryption and Signing: A Practical Guide

Updated: Nov 25, 2023

Embarking on a journey through the realms of encryption, digital signatures, and digital certificates? Great! This guide is here to navigate you smoothly, ensuring you not only grasp the fundamental concepts of cryptography but also gain the necessary skills to shield your digital treasures effectively. Let's dive in!

Encryption

Imagine you have a top-secret message that you need to transmit safely. This is where encryption comes into play! Encryption transforms your message into a series of cryptic symbols, unreadable to anyone without the corresponding decryption key. Intriguing. Diving deeper, you'll find two main categories of encryption: symmetric and asymmetric.

Symmetric Encryption

Let's picture this - Ahmed and Eman aspire to make their discussions completely private, a secret language nobody else can decipher. How? They agree on an exclusive key, along with an encryption algorithm. Think of this key as their secret handshake, transforming their chats into an unsolvable mystery then back to a readable language. But hold on, there's a kink in the chain. Symmetric encryption, while effective, has a downside. If Eman quiets to whisper secrets with another friend, perhaps Sara, she needs to cook up a fresh secret handshake - spawning another unique key. This leaves Eman playing a game of whodunit with an increasing number of keys to her circle of confidential chats. A bit of a bother, wouldn't you agree?

This image will illustrate how, once a message is encrypted by Ahmed using their shared key, it can be sent to Eman and decrypted by her, making it readable once more.

ahmed send plain text -> plaintext encrypted with a shared key -> ciphertext->Decrypt by shared key be Eman — Symmetric encryption and decryption process

Now, let's bring theory to life by using OpenSSL as a practical example.

Picture this exciting digital story: Ahmed wants to securely send a message to Eman that reads, "Hi Eman, our home's passcode is: 123@2023". They've decided to use the robust AES encryption algorithm along with a 256-bit key and Cipher Block Chaining (CBC) mode. Sounds complicated? Not to worry, we will walk through it step-by-step!

Our first step involves setting up the environment:

First off, install OpenSSL. Hold tight until the installation finishes.

Next, let's create a directory named "cryptography_test".

mkdir /path/to/cryptography_test

Then, navigate inside the directory:

cd /path/to/cryptography_test

There, all set!

Moving forward, let's give Ahmed a handy cheatsheet of commands to generate a shared key and use the AES encryption algorithm with a 256-bit key and Cipher Block Chaining for his message.

Follow these commands:

1. Generate a shared key:

openssl rand 32 > shared.key

2. Encrypt the message:

echo "Hi Eman, our home passcode is: 123@2023" | openssl enc -e -aes-256-cbc -kfile  shared.key -out encrypted.txt

See what happens here? The message is piped (|) to OpenSSL's 'enc' command, which carries out the encryption. Here are the remaining options:

-e for encryption

-aes-256-cbc for specifying the AES algorithm with a 256-bit key and Cipher Block Chaining (CBC) mode

-kfile shared.key to specify the shared key file

-out encrypted.txt to save the encrypted message in the file encrypted.txt.

The encrypted content will be something like this:

πö¬wUπK‘√hk^7_g]V–M¿ö4...

Now we come to Eman's part: she can decrypt the message by using the following command:

openssl enc -d -aes-256-cbc -kfile shared.key -in encrypted.txt

In this command, Eman dictates the decryption operation using the '-d' option.

-kfile option is used to specify the shared key file (shared.key) for decryption

-in option is used to specify the input file (encrypted.txt) containing the encrypted message.

Completion of this command triggers OpenSSL to decrypt the message using the shared key. Voilà! The original plaintext message is displayed on the terminal for Eman to read.

Asymmetric Encryption

Let's explore asymmetric or public-key encryption. This method uses a mathematically linked pair of keys known as the public and private keys.

Ahmed and Eman groups of asymmetric keys

Consider this: Eman and Ahmed each hold their unique set of keys. In a situation where Ahmed feels the need to send a secret message to Eman, what does he do? He employs Eman's public key to encrypt his message.

Eman, being the designated recipient, possesses the matching private key. She uses this key to decipher the message and get hold of the original content. The beauty of asymmetric encryption lies in its convenience - Eman can openly share her public key with anybody wishing to send her an encrypted message. There's no requirement for a prearranged shared key, which conveniently nullifies the hassle of juggling multiple keys for varying communication partners.

Let's dive into this diagram that illuminates the fascinating process of asymmetric encryption.

plaintext -> encrypt with Eman's public key ->ciphertext - >decrypt with Eman's private key — Asymmetric encryption and decryption process

Now, let's consider another typical scenario. Suppose Ahmed wants to share their home passcode "123@2023" with Eman. They've decided on using the AES algorithm empowered with a 256-bit key and Cipher Block Chaining (CBC) mode.

Ready to unfold the process? Let's walk through the steps together:

1- Eman generates a key pair consisting of a private key and a corresponding public key.

openssl genpkey -algorithm RSA -out eman_private.key
openssl rsa -in eman_private.key -pubout -out eman_public.key

2-Eman shares her public key with Ahmed.

3-Ahmed encrypts the message "Hi Eman, our home passcode is: 123@2023" using Eman's public key.

echo "Hi Eman, our home passcode is: 123@2023" | openssl pkeyutl -encrypt -pubin -inkey eman_public.key -out encrypted.txt

-encrypt option specifies the encryption operation.

-pubin option indicates that the input key (eman_public.key) is a public key.

-inkey option is used to specify Eman's public key file.

-out option is used to specify the output file (encrypted.txt) where the encrypted message will be saved.

To decrypt the message encrypted by Ahmed using Eman's private key, Eman can use the following command:

openssl pkeyutl -decrypt -inkey eman_private.key -in encrypted.txt -out decrypted.txt

-decrypt option specifies the decryption operation.

-inkey option is used to specify Eman's private key file (eman_private.key)

-in option is used to specify the input file (encrypted.txt) containing the encrypted message.

-out option is used to specify the output file (decrypted.txt) where the decrypted message will be saved.

Hey there! Just so you know, the original plaintext message is safely stashed away in decrypted.txt. It's ready and waiting for Eman to read.

Signing

Signing is a crucial aspect of asymmetric encryption and is often used in combination with encryption to provide data integrity, authenticity, and non-repudiation.

To generate a digital signature for a message, a two-step process is followed. Initially, the message undergoes a hash function to produce its corresponding hash value. Subsequently, the hash value is encrypted using the private key of the sender. The resulting output is the digital signature of the message, which should be sent alongside the original message, allowing the recipient to verify the authenticity and integrity of the message using the sender's public key.

This diagram simplifies the interesting signing process.

plaintext->hash function-> hash -> encrypt hash with sender's private key — Signing Process

Verifying the Signature

The recipient of the signed message can use the sender's public key to decrypt the digital signature and obtain the hash of the original message. By generating the hash again from the received message, the recipient can compare it with the decrypted hash. If the two hashes match, it indicates that the message has not been altered during transit and that the sender is the legitimate entity that possesses the corresponding private key.

Assume that Ahmed would like to generate his own key pair and use it to sign the following message: "This is Ahmed, and my email address is ahmed@xxx.com”, first he needs to generate his own keypair, then sign the message.

1.Generate ahmed’ keys:

openssl genpkey -algorithm RSA -out ahmed_private.key 
openssl rsa -in ahmed_private.key -pubout -out ahmed_public.key

2.Sign the message using Ahmed's private key:

echo "This is Ahmed and here is my email: ahmed@xxx.com" | openssl dgst -sha256 -sign ahmed_private.key -out signature.txt

Ahmed plans to distribute the plaintext message and its accompanying signature to multiple recipients. Salem, being one of Ahmed's friends, intends to verify the message's authenticity. To accomplish this, Salem will utilize a command to verify the signature associated with the message.

echo "This is Ahmed and here is my email: ahmed@xxx.com" | openssl dgst -sha256 -verify ahmed_public.key -signature signature.txt

The output of the verification process can result in one of two possibilities:

ture signature.txt 
Verified OK

Verification failure

Conclusion,

We explored the world of encryption and digital signatures, including symmetric and asymmetric encryption, with OpenSSL examples.

We examined signing messages with private keys and verifying signatures with public keys for improved security. These concepts are vital for digital asset protection, authenticity, and proof of origin.

Remember, knowledge is the first step in data protection. Understanding these core concepts is critical to protect your digital world.

I hope you enjoyed this article ♡