Lab3 Openssl

This document provides a comprehensive guide on using OpenSSL for encryption and decryption, covering both symmetric (AES) and asymmetric (RSA) methods. It includes step-by-step instructions for encrypting and decrypting files, generating RSA keys, and verifying decrypted content. The tutorial is aimed at users with a basic understanding of command line operations on Linux or Windows systems with OpenSSL installed.

Lab3: Encryption and Decryption using OpenSSL

1. Introduction
In this lab, we will explore encryption and decryption techniques using OpenSSL, a widely used
open-source toolkit for implementing SSL/TLS protocols and other cryptographic operations.
OpenSSL provides powerful encryption and decryption functions, allowing us to work with
symmetric key algorithms such as AES (Advanced Encryption Standard) and asymmetric key
algorithms such as RSA.

OpenSSL is an open-source software library useful for encryption and secure network
communication. SSL stands for Secure Sockets Layer, a cryptographic communications
protocol. This tutorial will demonstrate one way to use OpenSSL to exchange a file between two
parties.

Objectives:

1. Understand how to perform symmetric and asymmetric encryption and decryption using
OpenSSL.

2. Gain practical knowledge of OpenSSL commands for cryptographic operations.

Tools Required:
1. Linux-based system or Windows with OpenSSL installed.

2. Terminal or command line.

Part 1: Symmetric Encryption with AES

Step 1: Encrypting a File with AES-256-CBC

• Create a Sample File


Start by creating a file named plaintext.txt which contains the text that we will encrypt.

echo "This is a secret message." > plaintext.txt

• Encrypt the File using AES-256-CBC

AES is a symmetric encryption algorithm. We'll use the AES-256-CBC cipher to encrypt the file.
OpenSSL will prompt for a password to generate a key for the encryption.
openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.txt

Explanation of each part of the command:

1. openssl enc

• The enc ("encode") command in OpenSSL is used for encryption and decryption.
• It supports various symmetric encryption algorithms, such as AES, DES, and Blowfish.
• In this command, it is being used for file encryption.

2. -aes-256-cbc

• Specifies the encryption algorithm:

o AES: Advanced Encryption Standard (a widely used symmetric encryption algorithm).

o 256: Refers to the key size, which is 256 bits (32 bytes). This is the largest key size
for AES and provides strong encryption.

o CBC: Cipher Block Chaining mode. In this mode, the input plaintext is divided into
fixed-size blocks (e.g., 128 bits for AES). Each plaintext block is XORed with the previous
ciphertext block (the first block is XORed with an initialization vector) before being
encrypted with the cipher. This chaining mechanism ensures that the encryption of each block
depends on the blocks before it, so identical plaintext blocks do not produce identical
ciphertext blocks.

3. -salt
• Adds a cryptographic salt to the encryption process.

• What is a salt?

o A random value added to the key derivation process.

o It ensures that even if the same password is used, the output ciphertext will differ
each time encryption is performed.

4. -in plaintext.txt

• Specifies the input file to be encrypted.

• In this case, the file plaintext.txt contains the data you want to protect.

5. -out encrypted.txt
• Specifies the output file where the encrypted data will be written.
• In this case, the ciphertext is saved in encrypted.txt.

• Check the Encrypted File


After encryption, the file encrypted.txt will contain the encrypted message. You can
display its contents with the type command (cat on Linux), but the content will be unreadable.

type encrypted.txt

Step 2: Decrypting the File

• Decrypt the File


Now, let’s decrypt the file back to its original content. You'll need to use the same password you
used for encryption.

openssl enc -aes-256-cbc -d -in encrypted.txt -out decrypted.txt

Explanation of each part of the command:

`-d`: Indicates decryption mode.

`-in encrypted.txt`: The encrypted file.

`-out decrypted.txt`: The output file that will contain the decrypted content.

• Verify the Decrypted Content

Check the contents of decrypted.txt to ensure the message has been decrypted correctly.

type decrypted.txt
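
The following script is an added example, not part of the original lab. It repeats the Part 1 round trip non-interactively and shows what -salt does: the same file encrypted twice with the same password gives different output, and each output starts with the "Salted__" marker followed by the 8-byte salt. It assumes OpenSSL 1.1.1 or later (for -pbkdf2, which the lab's commands do not use); the password, the helper function names and the .bin file names are constructed for the example.

```shell
# Added example: AES-256-CBC round trip showing the effect of -salt.
# Assumes OpenSSL 1.1.1+ (-pbkdf2). Password and file names are constructed.
WORK=$(mktemp -d)
PASS='lab-only-password'   # constructed; pass: values are visible in the process list

aes_encrypt() {   # $1 = input file, $2 = output file
    openssl enc -aes-256-cbc -salt -pbkdf2 -pass "pass:$PASS" -in "$1" -out "$2"
}

aes_decrypt() {   # $1 = input file, $2 = output file
    openssl enc -aes-256-cbc -d -pbkdf2 -pass "pass:$PASS" -in "$1" -out "$2"
}

# A salted file starts with the 8 ASCII bytes "Salted__", then the 8-byte salt.
salt_magic() { head -c 8 "$1"; }
salt_hex()   { head -c 16 "$1" | tail -c 8 | od -An -tx1 | tr -d ' \n'; }

echo "This is a secret message." > "$WORK/plaintext.txt"

# Same plaintext, same password, two separate encryptions.
aes_encrypt "$WORK/plaintext.txt" "$WORK/enc1.bin"
aes_encrypt "$WORK/plaintext.txt" "$WORK/enc2.bin"
aes_decrypt "$WORK/enc1.bin" "$WORK/decrypted.txt"

echo "magic : $(salt_magic "$WORK/enc1.bin")"
echo "salt 1: $(salt_hex "$WORK/enc1.bin")"
echo "salt 2: $(salt_hex "$WORK/enc2.bin")"
cmp -s "$WORK/enc1.bin" "$WORK/enc2.bin" \
    && echo "ciphertexts identical" || echo "ciphertexts differ"
cmp -s "$WORK/plaintext.txt" "$WORK/decrypted.txt" && echo "round trip OK"
```

The decryption command does not need the salt as an argument because it reads it back from the file header.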

Part 2: Asymmetric Encryption with RSA

Step 1: Generating RSA Keys

• Generate a Private Key: Use OpenSSL to generate a 2048-bit RSA private key.
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
Explanation of each part of the command:

genpkey: Generates private keys.

-algorithm RSA: Specifies the RSA algorithm.

-out private_key.pem: Saves the private key to a file named private_key.pem.


-pkeyopt rsa_keygen_bits:2048: Specifies the key size (2048 bits in this example).

• Generate a Public Key: Extract the public key from the private key.
openssl rsa -pubout -in private_key.pem -out public_key.pem

Explanation of each part of the command:

rsa: Used to process RSA keys.

-pubout: Extracts the public key from the private key.

-in private_key.pem: Specifies the input private key file.

-out public_key.pem: Saves the extracted public key to public_key.pem.

Encrypting and Decrypting with RSA

• Encrypt a Message with the Public Key


o Create a new file, mes.txt, containing the message you want to encrypt.
echo "This is a confidential message." > mes.txt

• Encrypt Data with the Public Key


openssl pkeyutl -encrypt -inkey public_key.pem -pubin -in mes.txt -out encrypted_mes.bin

Explanation of each part of the command:

1. openssl pkeyutl:

o A utility for public key cryptographic operations like encryption, decryption,
signing, and verification.

2. -encrypt:
o Specifies the operation to encrypt the input file.

3. -inkey public_key.pem:
o Points to the RSA public key file to be used for encryption.

4. -pubin:

o Indicates the input key (public_key.pem) is a public key (not a private key).

5. -in mes.txt:
o Specifies the plaintext input file (mes.txt) that will be encrypted.

6. -out encrypted_mes.bin:

o Specifies the output file to save the encrypted data (encrypted_mes.bin).

This command encrypts the contents of mes.txt using the public key provided in public_key.pem.

• Decrypt Data with the Private Key


openssl pkeyutl -decrypt -inkey private_key.pem -in encrypted_mes.bin -out decrypted_mes.txt

• Verify the Decrypted Message


Check the content of decrypted_mes.txt to ensure that it matches the original message.

type decrypted_mes.txt
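
The following script is an added example, not part of the original lab, and it goes one step beyond Part 2. It runs the RSA round trip above, then shows that a 2048-bit key with pkeyutl's default padding cannot encrypt a 300-byte file directly, and finally combines Part 1 and Part 2: the file is encrypted with AES under a random password and only that password is encrypted with RSA. It assumes OpenSSL 1.1.1 or later; big.txt, session.key and the helper function names are constructed for the example.

```shell
# Added example: RSA round trip, the RSA size limit, and RSA + AES combined.
# Assumes OpenSSL 1.1.1+. File names other than the lab's own are constructed.
WORK=$(mktemp -d)
cd "$WORK" || exit 1

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048 2>/dev/null
openssl rsa -pubout -in private_key.pem -out public_key.pem 2>/dev/null

rsa_encrypt() {   # $1 = input file, $2 = output file
    openssl pkeyutl -encrypt -inkey public_key.pem -pubin -in "$1" -out "$2" 2>/dev/null
}
rsa_decrypt() {   # $1 = input file, $2 = output file
    openssl pkeyutl -decrypt -inkey private_key.pem -in "$1" -out "$2" 2>/dev/null
}

# 1. Short message: fits in a single RSA operation.
echo "This is a confidential message." > mes.txt
rsa_encrypt mes.txt encrypted_mes.bin
rsa_decrypt encrypted_mes.bin decrypted_mes.txt

# 2. A 300-byte file exceeds the 245 bytes a 2048-bit key accepts with the
#    default PKCS#1 v1.5 padding, so pkeyutl exits with an error.
head -c 300 /dev/zero | tr '\0' 'A' > big.txt
if rsa_encrypt big.txt big.bin; then BIG_RESULT=encrypted; else BIG_RESULT=rejected; fi

# 3. Sender: AES-encrypt the file under a random password, RSA-encrypt the password.
openssl rand -hex 32 > session.key
openssl enc -aes-256-cbc -salt -pbkdf2 -pass file:session.key -in big.txt -out big.enc
rsa_encrypt session.key session.key.enc

# Receiver: recover the password with the private key, then decrypt the file.
rsa_decrypt session.key.enc session.key.out
openssl enc -aes-256-cbc -d -pbkdf2 -pass file:session.key.out -in big.enc -out big.dec

echo "short message round trip: $(cmp -s mes.txt decrypted_mes.txt && echo ok || echo FAILED)"
echo "300-byte direct RSA     : $BIG_RESULT"
echo "RSA + AES round trip    : $(cmp -s big.txt big.dec && echo ok || echo FAILED)"
```

Only big.enc and session.key.enc would be sent to the other party; session.key and private_key.pem stay with their owners.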
