Using Asymmetric Cryptography in Ruby

wrzasa
January 19, 2017

Presentation from my talk during RRUG (Rzeszów Ruby User Group, http://rrug.pl) meetup on 19 Jan 2017.


Transcript

  1. Using Asymmetric Cryptography in Ruby

    Encryption Signatures Bulk data Identity Summary
    Rzeszów Ruby User Group #4
    Wojciech Rząsa, wrzasa@prz-rzeszow.pl, @wrzasa
    Katedra Informatyki i Automatyki, Politechnika Rzeszowska, http://www.kia.prz.edu.pl/
    19.01.2017
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#4, Asymmetric Cryptography in Ruby 1/35
  3. Plan

    1. Asymmetric encryption
       - Concepts
       - Key management
       - Encryption/decryption
    2. Digital signatures
    3. Bulk data
    4. Identity of private key owner
    5. Summary
  4. Why use cryptography?

    - Confidentiality (data privacy)
    - Authenticity (who wrote it?)
    - Integrity (was it changed along the way?)
    - Non-repudiation
    - ...
  5. Symmetric cryptography
  6. Asymmetric cryptography
  8. Asymmetric keys
  9. Asymmetric vs. symmetric

    - Key distribution problem
    - Extensive applications
    - More CPU intensive → slow (complex math. operations)
    - Longer keys
      - symmetric: 128, 192, 256 bit (AES)
      - asymmetric: 1024, 2048, 4096 bit (RSA)
  10. Generating keys

    ```ruby
    require 'openssl'

    # Generate a 2048-bit RSA key pair.
    key = OpenSSL::PKey::RSA.new 2048

    # The keys/ directory must already exist.
    # private.pem holds the private key unencrypted.
    File.write('keys/private.pem', key.to_pem)
    File.write('keys/public.pem', key.public_key.to_pem)
    ```
  11. Private key (PEM block delimited by -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----)
  12. Public key (PEM block delimited by -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----)
  13. Separating keys

    ```ruby
    require 'openssl'

    key = OpenSSL::PKey::RSA.new 2048

    # public_key returns a key object that holds only the public part.
    pub_key = key.public_key

    puts key.private?     # => true
    puts pub_key.private? # => false
    ```
  14. Exporting private key

    ```ruby
    require 'openssl'

    key = OpenSSL::PKey::RSA.new 2048

    # Cipher and password used to encrypt the private key inside the PEM file.
    cipher = OpenSSL::Cipher.new 'AES-256-CTR'
    password = "A secret password"

    secure_key = key.export cipher, password

    File.write('keys/private2-secure.pem', secure_key)
    File.write('keys/public2.pem', key.public_key.to_pem)
    ```
  15. Encrypted private key

    PEM block delimited by -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----, starting with the headers:

    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-256-CTR,AAEDBF418F7B10D6A7B711E9064C8DA3
  17. Importing keys

    Importing public key:

    ```ruby
    require 'openssl'

    key = OpenSSL::PKey::RSA.new(
      File.read('keys/public2.pem')
    )

    puts key.private? # => false
    ```

    Importing encrypted private key:

    ```ruby
    require 'openssl'

    # The password decrypts the PEM file written by key.export.
    password = "A secret password"
    key = OpenSSL::PKey::RSA.new(
      File.read('keys/private2-secure.pem'),
      password
    )

    puts key.private? # => true
    puts key.public?  # => true
    ```
  19. Public key encryption

    ```ruby
    require 'openssl'

    # With the default PKCS#1 v1.5 padding a 2048-bit key encrypts at most 245 bytes.
    message = <<~MESSAGE
      W Tyńcu, w gospodzie ,,Pod Lutym Turem'',
      należącej do opactwa, siedziało kilku ludzi, słuchając
      opowiadania wojaka bywalca, który z dalekich stron
      przybywszy, prawił im o przygodach, jakich na wojnie
      i w czasie podróży doznał.
    MESSAGE

    # Public key encryption
    key = OpenSSL::PKey::RSA.new File.read('keys/public2.pem')

    encrypted = key.public_encrypt message

    # Private key decryption
    password = "A secret password"
    key = OpenSSL::PKey::RSA.new(
      File.read('keys/private2-secure.pem'),
      password
    )

    decrypted = key.private_decrypt encrypted
    ```
  21. Private key encryption

    ```ruby
    require 'openssl'

    message = <<~MESSAGE
      W Tyńcu, w gospodzie ,,Pod Lutym Turem'',
      należącej do opactwa, siedziało kilku ludzi, słuchając
      opowiadania wojaka bywalca, który z dalekich stron
      przybywszy, prawił im o przygodach, jakich na wojnie
      i w czasie podróży doznał.
    MESSAGE

    password = "A secret password"
    key = OpenSSL::PKey::RSA.new(
      File.read('keys/private2-secure.pem'),
      password
    )

    # Private key encryption
    encrypted = key.private_encrypt message

    # Public key decryption: anyone who holds the public key can do this,
    # so the ciphertext identifies the sender but hides nothing.
    key = OpenSSL::PKey::RSA.new File.read('keys/public2.pem')

    decrypted = key.public_decrypt encrypted
    ```
  22. Asymmetric encryption/decryption

    - Easy (?) key distribution
    - Slow encryption/decryption
    - Vulnerable when used for bulk data
    - Private-key cipher-text is a large "signature"
  24. Digital signatures

    Signing
    1. Compute message digest (e.g. SHA)
    2. Encrypt digest with private key

    Verifying
    1. Decrypt signature with public key
    2. Compute message digest (e.g. SHA)
    3. Compare decrypted signature with computed digest
  25. Digital signatures in Ruby

    ```ruby
    require 'openssl'

    message = <<~MESSAGE
      W Tyńcu, w gospodzie ,,Pod Lutym Turem'',
      należącej do opactwa, siedziało kilku ludzi, słuchając
      opowiadania wojaka bywalca, który z dalekich stron
      przybywszy, prawił im o przygodach, jakich na wojnie
      i w czasie podróży doznał.
    MESSAGE

    password = "A secret password"
    key = OpenSSL::PKey::RSA.new(
      File.read('keys/private2-secure.pem'),
      password
    )
    digest = OpenSSL::Digest::SHA256.new

    # sign hashes the message with the digest and signs the hash with the private key.
    signature = key.sign digest, message
    # send:
    # - message
    # - signature
    # - digest name
    ```
  27. Digital signatures in Ruby

    Verifying signature:

    ```ruby
    # Continues the signing listing: message and signature are the values sent by the signer.
    # receive:
    # - message
    # - signature
    # - digest name
    digest = OpenSSL::Digest::SHA256.new
    key = OpenSSL::PKey::RSA.new File.read('keys/public2.pem')

    puts key.verify(digest, signature, message) # => true

    # Any change to the message invalidates the signature.
    message2 = message.sub('bywalca', 'Szwejka')
    puts message2
    puts key.verify(digest, signature, message2) # => false
    ```

    Output of `puts message2`:

    W Tyńcu, w gospodzie ,,Pod Lutym Turem’’, należącej do opactwa, siedziało kilku ludzi, słuchając opowiadania wojaka Szwejka, który z dalekich stron przybywszy, prawił im o przygodach, jakich na wojnie i w czasie podróży doznał.
  30. Bulk data

    1. Share public keys
    2. Generate arbitrary secure symmetric key
    3. Encrypt message with the symmetric key
    4. Encrypt symmetric key with public key of recipient
    5. Send/save ciphertext and encrypted key

    Advantages of both cryptography types
    - Key distribution with asymmetric cryptography
    - Efficient data exchange with symmetric cryptography

    How to use it? Get one of existing solutions
    - TLS or SSH protocol for communication
    - GPG/PGP for file encryption
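
The five bulk-data steps above, written out with Ruby's OpenSSL bindings. This is an added example, not code from the talk; the function names, the choice of AES-256-GCM with RSA-OAEP key wrapping, and the sample data are assumptions made here for illustration.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Sender, steps 2-5: returns everything that is sent or saved.
def hybrid_encrypt(recipient_public_key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  session_key = cipher.random_key # step 2: fresh key for this message only
  iv = cipher.random_iv           # never reuse an IV with the same key
  cipher.auth_data = ''           # no associated data, but GCM needs it set
  ciphertext = cipher.update(plaintext) + cipher.final # step 3
  {
    wrapped_key: recipient_public_key.public_encrypt(session_key, OAEP), # step 4
    iv: iv,
    tag: cipher.auth_tag, # integrity check value for the ciphertext
    ciphertext: ciphertext
  }
end

# Recipient: unwrap the session key with the private key, then decrypt.
# Returns a binary string. Raises OpenSSL::Cipher::CipherError when the
# ciphertext, IV or tag was modified after encryption.
def hybrid_decrypt(recipient_private_key, envelope)
  session_key = recipient_private_key.private_decrypt(envelope[:wrapped_key], OAEP)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = session_key
  cipher.iv = envelope[:iv]
  cipher.auth_tag = envelope[:tag]
  cipher.auth_data = ''
  cipher.update(envelope[:ciphertext]) + cipher.final
end

# True when RSA alone can encrypt `data` under `public_key`.
# Data longer than the padding allows makes public_encrypt raise.
def rsa_alone_can_encrypt?(public_key, data)
  public_key.public_encrypt(data, OAEP)
  true
rescue OpenSSL::PKey::PKeyError
  false
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)  # recipient key pair (step 1 shares its public half)
  bulk = 'constructed bulk data ' * 500 # constructed sample, 11000 bytes
  puts "RSA alone: #{rsa_alone_can_encrypt?(key.public_key, bulk)}"
  envelope = hybrid_encrypt(key.public_key, bulk)
  puts "wrapped key: #{envelope[:wrapped_key].bytesize} bytes"
  puts "round trip ok: #{hybrid_decrypt(key, envelope) == bulk}"
end
```

Only the 32-byte session key goes through RSA, so message size is no longer bounded by the key size, and the GCM tag gives the recipient an integrity check that raw RSA encryption does not.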
  32. Identity of private key owner

    Key owner problem: I have a public key. How do I know who owns the corresponding private key?

    Key with identity
    - Public key
    - Identity data
    - ...
    - Digital signature(s)
  33. X.509 Certificate

    - Public key
    - Identity data
    - Validity period
    - Certificate issuer
    - Extensions
    - ...
    - Digital signature
  34. Who signs the certificate?

    - Certificate owner (self-signed certificate)
    - A Certificate Authority (CA) → PKI
  35. X.509 Certificates in Ruby

    Generating X.509 certificate:

    ```ruby
    require 'openssl'

    key = OpenSSL::PKey::RSA.new 2048

    # OpenSSL-style distinguished name; the leading slash selects the /A=B/C=D syntax.
    name = OpenSSL::X509::Name.parse(
      '/CN=Henryk Sienkiewicz/UID=heniek/DC=sienkiewicz.name'
    )

    cert = OpenSSL::X509::Certificate.new
    cert.version = 2 # X.509 v3 (the field is zero-based)
    cert.serial = 0
    cert.not_before = Time.now
    cert.not_after = Time.now + 3600 # valid for one hour

    cert.public_key = key.public_key
    cert.subject = name

    # No issuer and no signature have been set at this point.
    puts cert.to_pem
    puts cert.to_text
    ```
  36. X.509 Certificate (PEM block delimited by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)
  37. X.509 Certificate

    ```
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
        Signature Algorithm: NULL
            Issuer:
            Validity
                Not Before: Jan 19 09:56:08 2017 GMT
                Not After : Jan 19 10:56:08 2017 GMT
            Subject: CN=Henryk Sienkiewicz/UID=heniek, DC=sienkiewicz.name
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus: (hex dump omitted)
                    Exponent: 65537 (0x10001)
        Signature Algorithm: NULL
    ```
  38. Signed X.509 Certificates in Ruby

    Signing X.509 certificate:

    ```ruby
    # Continues the previous listing: issuer = subject makes the certificate self-signed.
    cert.issuer = name
    # SHA-1 matches the output on the next slide but is deprecated for certificate
    # signatures; OpenSSL::Digest::SHA256.new is the current choice.
    cert.sign key, OpenSSL::Digest::SHA1.new

    puts cert.to_text
    ```
  39. X.509 Certificate

    ```
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=Henryk Sienkiewicz/UID=heniek, DC=sienkiewicz.name
            Validity
                Not Before: Jan 19 10:05:39 2017 GMT
                Not After : Jan 19 11:05:39 2017 GMT
            Subject: CN=Henryk Sienkiewicz/UID=heniek, DC=sienkiewicz.name
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
    ------------8<-----CUT WHOLE MODULUS HERE ------8<-----------------
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha1WithRSAEncryption
             (signature hex dump omitted)
    ```
  40. Verifying certificate signature

    Verifying self-signed certificate:

    ```ruby
    require 'openssl'

    cert = OpenSSL::X509::Certificate.new(
      File.read('keys/cert.pem')
    )

    # A self-signed certificate is checked against its own public key.
    puts cert.verify(cert.public_key) # => true
    ```
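
Checking a self-signed certificate against its own key, as on the slide above, shows only that the certificate is internally consistent; it does not answer the key owner problem. The added example below (not code from the talk) goes one step beyond the self-signed case and compares that check with verification against a trusted CA certificate; `issue_cert`, `trusted?`, `build_scenario` and the CA name are assumptions of this example.

```ruby
require 'openssl'

CA_NAME    = '/CN=Example Root CA'                                   # constructed
OWNER_NAME = '/CN=Henryk Sienkiewicz/UID=heniek/DC=sienkiewicz.name' # name from the slides

# Build an X.509 v3 certificate for `subject` and sign it with `signing_key`.
def issue_cert(subject:, public_key:, issuer:, signing_key:, serial:, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = OpenSSL::X509::Name.parse(issuer)
  cert.public_key = public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  factory = OpenSSL::X509::ExtensionFactory.new
  constraint = ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(factory.create_extension('basicConstraints', constraint, true))
  cert.sign(signing_key, OpenSSL::Digest::SHA256.new)
end

# True only when `cert` chains to one of the certificates we chose to trust.
def trusted?(cert, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  store.verify(cert)
end

# Constructed scenario: one CA, one certificate it issued, and one
# self-signed certificate carrying the same subject name under another key.
def build_scenario
  ca_key = OpenSSL::PKey::RSA.new(2048)
  owner_key = OpenSSL::PKey::RSA.new(2048)
  other_key = OpenSSL::PKey::RSA.new(2048)
  {
    root: issue_cert(subject: CA_NAME, public_key: ca_key.public_key,
                     issuer: CA_NAME, signing_key: ca_key, serial: 1, ca: true),
    issued: issue_cert(subject: OWNER_NAME, public_key: owner_key.public_key,
                       issuer: CA_NAME, signing_key: ca_key, serial: 2, ca: false),
    self_signed: issue_cert(subject: OWNER_NAME, public_key: other_key.public_key,
                            issuer: OWNER_NAME, signing_key: other_key, serial: 0, ca: false)
  }
end

if __FILE__ == $PROGRAM_NAME
  s = build_scenario
  # Passes for any self-signed certificate, whoever created it.
  puts "self-signature valid:      #{s[:self_signed].verify(s[:self_signed].public_key)}"
  # Fails: nothing we trust has vouched for this key.
  puts "self-signed trusted by CA: #{trusted?(s[:self_signed], [s[:root]])}"
  # Passes: the CA's signature binds the name to the owner's key.
  puts "CA-issued trusted by CA:   #{trusted?(s[:issued], [s[:root]])}"
end
```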
  42. Not covered yet

    - Public Key Infrastructure (PKI)
    - PGP/GPG
    - SSL/TLS network communication
    - ...
  43. References

    - Ruby OpenSSL RDoc
    - RFC5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
    - RFC4514 Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names
    - Samolej, Rząsa, Rzońca, Sadolewski: Wprowadzenie do informatyki II – bezpieczeństwo systemów informatycznych, sieci komputerowe, systemy operacyjne i bazy danych, Oficyna Wyd. PRz., 2014.
  44. Questions?