OpenSSL reports error writing key. The AES 128/256 GCM both failed, however AES 128 CBC worked. What am I doing wrong? Do I need extra parameters when using GCM? Here is the command: $ openssl genpkey -out ca.key.pem -aes-128-gcm -algorithm rsa -pkeyopt rsakeygenbits:4096 The output is this. Generate Aes Key Openssl Mar 12, 2020 Generating AES keys and password Use the OpenSSL command-line tool, which is included with InfoSphere® MDM, to generate AES 128-, 192-, or 256-bit keys. The madpwd3 utility is used to create the password. Demo of AES encryption in both ECB and CBC mode using OpenSSL toolkit. Openssl genrsa -aes256 -out clientprivate.key 2048 openssl req -new -key clientprivate.key -out client.csr. Require 'openssl' require 'pry' datatoencrypt = 'now you can read me!' Cipher = OpenSSL::Cipher.new('aes256') cipher.encrypt key = cipher.randomkey.
- Openssl Generate Aes Key
- C Openssl Generate Aes 256 Key Generator
- C Openssl Generate Aes 256 Keyboard
- C Openssl Generate Aes 256 Key Size
- C Openssl Generate Aes 256 Key Detection
- Aes 256 Java
This post briefly describes how to utilise AES to encrypt and decrypt files with OpenSSL.
AES - Advanced Encryption Standard (also known as Rijndael).
OpenSSL - Cryptography and SSL/TLS Toolkit
We’ll walk through the following steps:
- Generate an AES key plus Initialization vector (iv) with
openssl
and - how to encode/decode a file with the generated key/iv pair
Note: AES is a symmetric-key algorithm which means it uses the same key during encryption/decryption.
Generating key/iv pair
We want to generate a 256
-bit key and use Cipher Block Chaining (CBC).
The basic command to use is openssl enc
plus some options:
-P
— Print out the salt, key and IV used, then exit-k <secret>
or-pass pass:<secret>
— to specify the password to use-aes-256-cbc
— the cipher name
Note: We decided to use no salt to keep the example simple.
Issue openssl enc --help
for more details and options (e.g. other ciphernames, how to specify a salt, …).
Encoding
Let's start with encoding Hello, AES!
contained in the text file message.txt
:
Decoding
Decoding is almost the same command line - just an additional -d
for decrypting:
Note: Beware of the line breaks
While working with AES encryption I encountered the situation where the encoder sometimes produces base 64 encoded data with or without line breaks...
Short answer: Yes, use the OpenSSL -A
option.
BASICS
Checking versionopenssl version -aHow fast it runs on the system using four CPU cores and testing RSA algorithm
openssl speed -multi 4 rsaGet basic help
openssl helpGenerate 20 random bytes and show them on screen
openssl rand -hex 20
ENCODING / DECODING
Encoding a file using Base64openssl base64 -in file.dataEncoding some text using Base64
echo -n 'some text' | openssl base64Base64 decode a file with output to another file
openssl base64 -d -in encoded.data -out decoded.data
WORKING WITH HASHES
List digest algorithms availableopenssl list -digest-algorithmsHash a file using SHA256
openssl dgst -sha256 file.dataHash a file using SHA256 with its output in binary form (no output hex encoding)
No ASCII or encoded characters will be printed out to the console, just pure bytes. You can append ' | xxd'
openssl dgst -binary -sha256 file.dataHash text using SHA3-512
echo -n 'some text' | openssl dgst -sha3-512Create HMAC - SHA384 of a file using a specific key in bytes
openssl dgst -SHA384 -mac HMAC -macopt hexkey:369bd7d655 file.dataCreate HMAC - SHA512 of some text
echo -n 'some text' | openssl dgst -mac HMAC -macopt hexkey:369bd7d655 -sha512
ASYMMETRIC ENCRYPTION
List elliptic curves availableopenssl ecparam -list_curvesCreate 4096 bits RSA public-private key pair
openssl genrsa -out pub_priv.key 4096Display detailed private key information
openssl rsa -text -in pub_priv.key -nooutEncrypt public-private key pair using AES-256 algorithm
openssl rsa -in pub_priv.key -out encrypted.key -aes256Remove keys file encryption and save them to another file
openssl rsa -in encrypted.key -out cleartext.keyCopy the public key of the public-private key pair file to another file
openssl rsa -in pub_priv.key -pubout -out pubkey.keyEncrypt a file using RSA public key
openssl rsautl -encrypt -inkey pubkey.key -pubin -in cleartext.file -out ciphertext.fileDecrypt a file using RSA private key
openssl rsautl -decrypt -inkey pub_priv.key -in ciphertext.file -out decrypted.fileCreate private key using the P-224 elliptic curve
openssl ecparam -name secp224k1 -genkey -out ecpriv.keyEncrypt private key using 3DES algorithm
openssl ec -in ecP384priv.key -des3 -out ecP384priv_enc.key
SYMMETRIC ENCRYPTION
List all supported symmetric encryption ciphersopenssl enc -listEncrypt a file using an ASCII encoded password provided and AES-128-ECB algorithm
openssl enc -aes-128-ecb -in cleartext.file -out ciphertext.file -pass pass:thisisthepasswordDecrypt a file using AES-256-CBC and a keyfile
openssl enc -d -aes-256-cbc -in ciphertext.file -out cleartext.file -pass file:./key.fileEncrypt a file using a specific encryption key (K) provided as hex digits
openssl enc -aes-128-ecb -in cleartext.file -out ciphertext.file -K 1881807b2d1b3d22f14e9ec52563d981 -nosaltEncrypt a file using ARIA 256 in CBC block cipher mode using a specified encryption key (K:256 bits) and initialization vector (iv:128 bits)
openssl enc -aria-256-cbc -in cleartext.file -out ciphertext.file -K f92d2e986b7a2a01683b4c40d0cbcf6feaa669ef2bb5ec3a25ce85d9548291c1 -iv 470bc29762496046882b61ecee68e07c -nosaltEncrypt a file using Camellia 192 algorithm in COUNTER block cipher mode with key and iv provided
openssl enc -camellia-192-ctr -in cleartext.file -out ciphertext.file -K 6c7a1b3487d28d3bf444186d7c529b48d67dd6206c7a1b34 -iv 470bc29762496046882b61ecee68e07c
DIGITAL SIGNATURES
Generate DSA parameters for the private key. 2048 bits lengthopenssl dsaparam -out dsaparam.pem 2048Generate DSA public-private key for signing documents and protect it using AES128 algorithm
openssl gendsa -out dsaprivatekey.pem -aes-128-cbc dsaparam.pemCopy the public key of the DSA public-private key file to another file
openssl dsa -in dsaprivatekey.pem -pubout -out dsapublickey.pemTo print out the contents of a DSA key pair file
openssl dsa -in dsaprivatekey.pem -text -nooutSigning the sha-256 hash of a file using RSA private key
openssl dgst -sha256 -sign rsakey.key -out signature.data document.pdfVerify a SHA-256 file signature using a public key
openssl dgst -sha256 -verify publickey.pem -signature signature.data original.fileSigning the sha3-512 hash of a file using DSA private key
openssl pkeyutl -sign -pkeyopt digest:sha3-512 -in document.docx -inkey dsaprivatekey.pem -out signature.dataVerify DSA signature
openssl pkeyutl -verify -sigfile dsasignature.data -inkey dsakey.pem -in document.docxCreate a private key using P-384 Elliptic Curve
openssl ecparam -name secp384r1 -genkey -out ecP384priv.keyEncrypt private key using 3DES algorithm
openssl ec -in ecP384priv.key -des3 -out ecP384priv_enc.keySign a PDF file using Elliptic Curves with the generated key
openssl pkeyutl -sign -inkey ecP384priv_enc.key -pkeyopt digest:sha3-512 -in document.pdf -out signature.dataVerify the file's signature. If it's ok you must receive 'Signature Verified Successfully'
openssl pkeyutl -verify -in document.pdf -sigfile signature.data -inkey ecP384priv_enc.key
DIGITAL CERTIFICATES
Generating a CSR file and a 4096 bits RSA key pairopenssl req -newkey rsa:4096 -keyout private.key -out request.csrDisplay Certificate Signing Request ( CSR ) content
openssl req -text -noout -in request.csrDisplay the public key contained in the CSR file
openssl req -pubkey -noout -in request.csrCreating a Certificate Signing Request ( CSR ) using an existing private key. This can be useful when you need to renew the public digital certificate without changing the private key.
openssl req -new -key private.key -out request.csrCreate EC P384 curve parameters file to generate a CSR using Elliptic Curves in the next step.
openssl genpkey -genparam -algorithm EC -out EC_params.pem -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curveCreate a CSR file using Elliptic Curve P384 parameters file created in the previous step. Instead of using RSA keys.
openssl req -newkey ec:EC_params.pem -keyout EC_P384_priv.key -out EC_request.csrCreate a self-signed certificate, a new 2048 bits RSA key pair with one year of validity
openssl req -newkey rsa:2048 -nodes -keyout priv.key -x509 -days 365 -out cert.crtCreate and sign a new certificate using the CSR file and the private key for signing ( you must have a openssl.cnf file prepared )
openssl ca -in request.csr -out certificate.crt -config ./CA/config/openssl.cnfDisplay PEM format certificate information
openssl x509 -text -noout -in cert.crtDisplay certificate information in Abstract Sintax Notation One (ASN.1)
openssl asn1parse -in cert.crtExtract the certificate's public key
openssl x509 -pubkey -noout -in cert.crtExtract the public key's modulus in the certificate
openssl x509 -modulus -noout -in cert.crtExtract the domain certificate from an HTTPS/TLS connection
openssl s_client -connect domain.com:443 | openssl x509 -out certificate.crtConvert a certificate from PEM to DER format
openssl x509 -inform PEM -outform DER -in cert.crt -out cert.derChecking whether the certificate pubic key matches a private key and request file. One step per file. Must match in the output hashes.
openssl x509 -modulus -in certificate.crt -noout | openssl dgst -sha256
openssl rsa -modulus -in private.key -noout | openssl dgst -sha256
openssl req -modulus -in request.csr -noout | openssl dgst -sha256
WORKING WITH TLS PROTOCOL
List all cipher suites supportedopenssl ciphers -V 'ALL'List all cipher suites supported with AES
openssl ciphers -V 'AES'List all cipher suites supporting CAMELLIA & SHA256 algorithms.
openssl ciphers -V 'CAMELLIA+SHA256'TLS connection to a server using port 443 (HTTPS)
openssl s_client -connect domain.com:443TLS connection to a server using v1.2
Openssl Generate Aes Key
C Openssl Generate Aes 256 Key Generator
openssl s_client -tls1_2 -connect domain.com:443TLS connection & disable v1.0openssl s_client -no_tls1 domain.com:443TLS connection using a specific cipher suite
openssl s_client -cipher DHE-RSA-AES256-GCM-SHA384 domain.com:443TLS connection displaying all certificates provided by server
openssl s_client -showcerts domain.com:443Setting up a listening port to receive TLS connections using a certificate, the private key & supporting only TLS 1.2
openssl s_server -port 443 -cert cert.crt -key priv.key -tls1_2Extract the domain certificate from an HTTPS/TLS connection
openssl s_client -connect domain.com:443 | openssl x509 -out certificate.crtnmap command: Display enabled cipher-suites over an HTTPS/TLS Connection
nmap --script ssl-enum-ciphers -p 443 domain.comnmap command: Display enabled cipher-suites over a TLS (HTTPS) Connection using SNI. (change it to desired IP & domain name)
nmap --script ssl-enum-ciphers --script-args=tls.servername=domain.com 172.67.129.11
PERSONAL SECURITY ENVIRONMENTS ( PSE )
Convert a certificate from PEM (base64) to DER (binary) formatopenssl x509 -in certificate.pem -outform DER -out certificate.derInsert certificate & private key into PKCS #12 format file. These files can be imported in windows certificate manager or to a Java Key Store (jks) file
openssl pkcs12 -export -out cert_key.p12 -inkey private.key -in certificate.crtTo show the contents of a PKCS #12 file
openssl pkcs12 -in cert_key.p12Convert the .p12 file into a Java Key Store.
C Openssl Generate Aes 256 Keyboard
This commnad uses java keytool instead of openssl.keytool -importkeystore -destkeystore javakeystore.jks -srckeystore cert_key.p12 -srcstoretype pkcs12Convert PEM certificate to PKCS #7 format
openssl crl2pkcs7 -nocrl -certfile certificate.crt -out cert.p7bConvert a PKCS #7 file from PEM to DER
openssl pkcs7 -in cert.p7b -outform DER -out p7.der
SIMPLE CA CONFIGURATION FILE ( openssl.cnf )
[ ca ]default_ca = CA_default
[ CA_default ]
dir = ./personalCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
rand_serial = yes
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
default_days = 365
default_crl_days= 30
default_md = SHA256
policy = policy_any
email_in_dn = no
name_opt = ca_default
cert_opt = ca_default
copy_extensions = none
[ policy_any ]
countryName = supplied
stateOrProvinceName = optional
C Openssl Generate Aes 256 Key Size
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
FINAL NOTES
- All openssl commands were tested using OpenSSL version 1.1.1fC Openssl Generate Aes 256 Key Detection
- All nmap commands were tested using nmap version 7.80. nmap is compiled using openssl libraries.
Aes 256 Java
- The default format for almost all operations in openssl is PEM, however you can always specify a DER format using arguments or export to other formats with appropriate commands indicated on the document.