Using Asymmetric Cryptography in Ruby

Encryption Signatures Bulk data Identity Summary
Using Asymmetric Cryptography in Ruby
Rzeszów Ruby User Group #4
Wojciech Rząsa
[email protected]
@wrzasa
Katedra Informatyki i Automatyki, Politechnika Rzeszowska
http://www.kia.prz.edu.pl/
19.01.2017
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#4, Asymmetric Cryptography in Ruby 1/35

View Slide


View Slide

Plan
1 Asymmetric encryption
Concepts
Key management
Encryption/decryption
2 Digital signatures
3 Bulk data
4 Identity of private key owner
5 Summary

View Slide

Why use cryptography?
Conﬁdentiality (data privacy)
Authenticity (who wrote it?)
Integrity (was it changed along the way?)
Non-repudiation
. . .

View Slide

Encryption Signatures Bulk data Identity Summary Concepts Key management Encryption/decryption
Symmetric cryptography

View Slide

Asymmetric cryptography

View Slide

Asymmetric keys

View Slide

Asymmetric vs. symmetric
Key distribution problem
Extensive applications
More CPU intensive → slow (complex math. operations)
Longer keys
symmetric 128, 129, 256 bit (AES)
asymmetric 1024, 2048, 4096 bit (RSA)

View Slide

Generating keys
§
1 require ’openssl ’
2
3 key = OpenSSL :: PKey :: RSA.new 2048
4
5 File.write(’keys/private.pem ’, key)
6 File.write(’keys/public.pem ’, key.public_key .to_pem)

¦ ¥
Generating keys

View Slide

Private key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqjxB4SgdG5+bOZcHhJh9BPcmyCW+HeFtzByQLMGf8Li0Apq4
FH18BexAxu3KmTftG4/eS/+3ny0wDqI+KecJflCJVOJFCFlooFnlW6C7p/cAx+WO
hi5HkS0vwwRuHnmBL9KemmxNyG+rG2tUwCuSa8ToMQrw9QzDeCC8drqGWDmirFAE
M+k2gr4clPfkttKrxfOnQJb0uKBeI4c4yNEfHV8bGyQhIQbDqmBXr6hcsOyFUQ5r
K49heteWD3c0d1lOHnpGURYId7zu8wZPhEMvjOhCbpHkXusYna310kxT1tmNH8jx
/gzEBkgUF68GErJWRFFgQA0atvY+7LRWuCZvjQIDAQABAoIBAQCe+EZNDDiiYxmB
XhgXKo8U4/fDT/uJy8nMoZ/BK88/7Dutcu4TtFrs7QJQwh4/lopFAsSEE/hVHM2T
3M5QMwAahPq52dK9SUD6/PfB6QdUgsSn5yaBBxat65R+eNScgLqy/ew+KIU6d41B
vakXC5lgKjDqG12IeLLQq0FTXju2hhXbTFhgLs7bnx6db8wwb9mtaka9tuOYMPVQ
LHgDmh7lmAzJOqeLtF/PXRsn+rzMf2IaKzpgrEksWqGsynwclFi+9YyNtoF0xda2
n0GhbyqycXn0/Cuw93+LhEN3S8milC2y6Z/HVI6eIQ0eeXGeHFm818iDwh5Qa+1S
mrJxmmABAoGBANeHOqR6DUaAxxjrh8P0oSEssAjNr+OC2fbQlCR0S5YR8Np+dZlI
BNr2SIB+mI8WSzfReRgvUnZfrFkQRr7iV43J31NvkGGV3BHzDo2IYbQ+OEmhueE/
g/IDP0ecv74e+vkgSp3Mg5+h8Mk73cUVxLMFUaAc4+AOT4L9kWNL8oyBAoGBAMoz
u0X5JKAeavU4ROtIMz09wcLTBXJ134MYLd/9+YLjcg6tpn78kDeHdwkIJN2Rz8G2
aJjgGaxKmuHxjVF6bzkwVl3AYT8Yuplq07dFxB3NVNSy6r/OEmrsmqgSA3H8R3QL
LN26DQhWfP4pOcuQg2PTo9X5fL8qcvDyhC0hUs0NAoGBALD43CE0CvSKR3Fh7L/t
feUUoZMI+dURm9H7YLkyOOKH5sIyNnPfXAVDVzMTQEe1oZu6x/kg2lBSrN0Q7VZN
2mCVk2gaYm6Os/6VGq0CgF+U+3kSb+PR2JD/M5Wk0xjUrXWkm0BJLwcD3QgPvUDY
aAQraOPU9RQEDCvd8+SZ9xaBAoGAfnhS1xZY+SltXsl+GeeD3PcmnRPd4VSmo1lZ
QDObf2mBanrkm6KfFYxOQMDuRgOwfYn47D2m8SOMsmuiJ2c77/oy2tq8OHngJJsz
pvslCjrmp07tE2DyFhy9MwhpTT8s9gETY++9vQxTi6j/dDqEY8j5PZmZk/wZ/mjB
kXS5VHUCgYAA6ZbNR6VGDL2TroPh7UUEslTUPYnl1CE4fSw72q35wgSGQtiO+rgs
diNLA8iPeGVvJvxHG2I34DRn+AZXB9SnwOfc9KX0UdV/XcJzZHgI/O99SgTYueZF
J8rhmMMdvpW0XZmi75wAEIEmArO6MpVUPkeJLCfcDlsbzIrgYEB0Yg==
-----END RSA PRIVATE KEY-----

View Slide

Public key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqjxB4SgdG5+bOZcHhJh9
BPcmyCW+HeFtzByQLMGf8Li0Apq4FH18BexAxu3KmTftG4/eS/+3ny0wDqI+KecJ
flCJVOJFCFlooFnlW6C7p/cAx+WOhi5HkS0vwwRuHnmBL9KemmxNyG+rG2tUwCuS
a8ToMQrw9QzDeCC8drqGWDmirFAEM+k2gr4clPfkttKrxfOnQJb0uKBeI4c4yNEf
HV8bGyQhIQbDqmBXr6hcsOyFUQ5rK49heteWD3c0d1lOHnpGURYId7zu8wZPhEMv
jOhCbpHkXusYna310kxT1tmNH8jx/gzEBkgUF68GErJWRFFgQA0atvY+7LRWuCZv
jQIDAQAB
-----END PUBLIC KEY-----

View Slide

Separating keys
§
2
4
5 pub_key = key.public_key
6
7 puts key.private? # => true
8 puts pub_key.private? # => false

¦ ¥
Separating keys

View Slide

Exporting private key
§
2
4
5 cipher = OpenSSL :: Cipher.new ’AES -256 - CTR ’
6 password = "A secret password"
7
8 secure_key = key.export cipher , password
9
10 File.write(’keys/private2 -secure.pem ’, secure_key )
11 File.write(’keys/public2.pem ’, key.public_key .to_pem)

¦ ¥
Exporting private key

View Slide

Encrypted private key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CTR,AAEDBF418F7B10D6A7B711E9064C8DA3
maYOnxpD2vVXbbyUXLVM/Mn0x36PDFLV8YIhj264Zfoe4ceLCqWY5iZ7304Jkni2
X8Enkd456/8Hwim4ydgvLIxP/VTGR+wOWTM8eswckPzKIqWuJXNzG5QR2D+jZvGg
0OBz8qgW7vSKj9NunGOFuxlJNiv5VSATvi5VN6sAPQYMm68pjj69UsKoe53sI9r4
JGOYFATlEk4fgnByGf35t3SGHFf4GhcUtNywH/VIR3ZimKs9325JoErsb+aUCWHf
lA3TXJEuew1QGTa9pO5qDsiYkAAKeqvHeINvUONrthgsLuWIx08ZMhv/FYP/necV
aDzstvQFve1nndwaoXuLu7uOzPw0MiXO4MQavzCLpFZYZUbsZPJNVTXc954CorpZ
TaOmLMLTM9rDP/SZt2r2tYIv7rvTKYGuJ77ehCHwfNGRiJfC7kN3JlbW+pmCTiKx
PwxcKwubIVxeRghficYQvEymPv8aSxC/nN7YRcLSaNFchlaNMlWqx9RsiTmEJOwr
zTwj3Vs4IvhmdWfcWVPedXvloNBSftOEu9qX1luOUORnR83T5WDD3Z2+P7mo8dQt
Z+adSgdADvY2C9HKrzn7/MOJnzZNs9HydwfO5lhKWwA3SUHTTsVI68yYM/kLH94E
rlAPoweKnQrmwRgrAKFLZeZ1U3y17aML5AoDMT/YzRcRmgVXu9+UUKIIqzIGE3St
CC8yvT/mc9x8pRHsFBqGPbthNEGsEMrFQgMTppmb8aJawj7qHZ8k+0AMDwJwco5a
wDnwUvXujj7dnUmPVkbfO+/tQAiJ+8gwrXZuEUWNr2lkX5MQs6lE4sV1JJVqlDoo
htx9G3dD9zQUt6S4CSRhK117Cw9VEX89DU2n30+eExQVPAkLEG3vXyHXC7DWjuFF
npWGu/aeGZ7a908zL/SKdnpQU0q2N5lRvC+7qqEuE75xTQrITEy5rFnBSHKFvPhz
V9py503o0a0VfptDzKF7bflpWsy1dlVHv8Fd+oM3t0otThQ2Hxu02sFpAj7A/iv3
2jxC5zgQR3fPPVaSSrta/Jw7hRVo3sVrC/QlHLDSTSaI4yD+Ag9qIYq2stKpLP8Z
8DoeCPi03iHh9RiCuWXRlaL9Pt7aja1eFWYHIGPNzWOaOeRtajaBl8wY5aOf1VJR
D86IvVeEUIxbWwD3XkZwz15IaKwjCJa1a7RhNLCuMwW0rfFBk1Hh5hGSTaxbXxU4
flxvmxxB4Bv0Q+wehOjrZOx56+uGP/HymJo6PQTJCk7bll2XsjeEv7qG7nXZz/+t
/mrLw3KhHHED4FbpZ2G+Q4i0xPVtPJGf3Przz1lZUvN2KqOpQ4zZ8fQqGZcmaAZu
bIIJ25ETi7ryuYlH7ACPr9RvhcxoJs40zgQFzd/cz712U8oEQGallUzB427iNmNX
PoD94PzzfjRBiMOrPGbBHM0uis/z6jZ3eNJqRFCWy/X0P+y6XNwJP8R92eK/Dx94
Kl5zQaHL5potmn4UsXx7hZwybCTaqbO8O88Jox4uYcKW99nW/oQn+6wG1SKtRgxl
nOQ6gpjMOswD5EmJVbKMi/fkHwWefB79p+VqPcttDap3Ux/aNCQN
-----END RSA PRIVATE KEY-----

View Slide

Importing keys
§
2
3 key = OpenSSL :: PKey :: RSA.new(
4 File.read(’keys/public2.pem ’)
5 )
6
7 puts key.private? # => false

¦ ¥
Importing public key

View Slide

Importing keys
§
2
4 File.read(’keys/public2.pem ’)
5 )
6
7 puts key.private? # => false

¦ ¥
Importing public key
§
2
5 File.read(’keys/private2 -secure.pem ’),
6 password
7 )
8
9 puts key.private? # => true
10 puts key.public? # => true

¦ ¥
Importing encrypted private key

View Slide

Public key encryption
§
2
3 message = "W Tyńcu , w gospodzie ,,Pod Lutym Turem ’’,
4 należącej do opactwa , siedziało kilku ludzi , słuchając
5 opowiadania wojaka bywalca , który z dalekich stron
6 przybywszy , prawił im o przygodach , jakich na wojnie
7 i w czasie podróży doznał."
8
9 key = OpenSSL :: PKey :: RSA.new File.read(’keys/public2.pem ’)
10
11 encrypted = key. public_encrypt message

¦ ¥

View Slide

§
2
8
10
11 encrypted = key. public_encrypt message
12
16 password
17 )
18
19 decrypted = key. private_decrypt encrypted

¦ ¥
Private key decryption

View Slide

Private key encryption
§
2
8
12 password
13 )
14
15 encrypted = key. private_encrypt message

¦ ¥

View Slide

§
2
8
12 password
13 )
14
15 encrypted = key. private_encrypt message
16
18
19 decrypted = key. public_decrypt encrypted

¦ ¥
Public key decryption

View Slide

Asymmetric encryption/decryption
Easy (?) key distribution
Slow encryption/decryption
Vulnerable when used for bulk data
Private-key cipher-text is a large ”signature”

View Slide

Digital signatures
Signing
1 Compute message digest (e.g. SHA)
2 Encrypt digest with private key

View Slide

Digital signatures
Signing
2 Encrypt digest with private key
Verifying
1 Decrypt signature with public key
3 Compare decrypted signature with computed digest

View Slide

Digital signatures in Ruby
§
2
8
12 password
13 )
14 digest = OpenSSL :: Digest :: SHA256.new
15
16 signature = key.sign digest , message
17 # send:
18 # - message
19 # - signature
20 # - digest name

¦ ¥

View Slide

§
22 # receive:
23 # - message
24 # - signature
25 # - digest name
28
29 puts key.verify digest , signature , message # => true

¦ ¥
Verifying signature

View Slide

§
22 # receive:
23 # - message
24 # - signature
25 # - digest name
28
29 puts key.verify digest , signature , message # => true
30
31 message2 = message.sub(’bywalca ’, ’Szwejka ’)
32 puts message2
33 puts key.verify digest , signature , message2 # => false

¦ ¥
Verifying signature
W Tyńcu, w gospodzie ,,Pod Lutym Turem’’,
należącej do opactwa, siedziało kilku ludzi, słuchając
opowiadania wojaka Szwejka, który z dalekich stron
przybywszy, prawił im o przygodach, jakich na wojnie
i w czasie podróży doznał.

View Slide

Bulk data
1 Share public keys
2 Generate arbitrary secure symmetric key
3 Encrypt message with the symmetric key
4 Encrypt symmetric key with public key of recipient
5 Send/save ciphertext and encrypted key

View Slide

Bulk data
1 Share public keys
Advantages of both cryptography types
Key distribution with asymmetric cryptography
Eﬃcient data exchange with symmetric cryptography

View Slide

Bulk data
1 Share public keys
Advantages of both cryptography types
Key distribution with asymmetric cryptography
Eﬃcient data exchange with symmetric cryptography
How to use it? Get one of existing solutions
TLS or SSH protocol for communication
GPG/PGP for ﬁle encryption

View Slide

Identity of private key owner
Key owner problem
I have a public key. How do I know who owns corresponding
private key?

View Slide

Identity of private key owner
Key owner problem
I have a public key. How do I know who owns corresponding
private key?
Key with identity
Public key
Identity data
. . .
Digital signature(s)

View Slide

X.509 Certiﬁcate
Public key
Identity data
Validity period
Certiﬁcate issuer
Extensions
. . .
Digital signature

View Slide

Who signs the certificate?
Certificate owner (self-signed certificate)
A Certificate Authority (CA) → PKI

View Slide

X.509 Certiﬁcates in Ruby
§
2
4
5 name = OpenSSL :: X509 :: Name.parse(
6 ’CN=Henryk Sienkiewicz /UID=heniek/DC= sienkiewicz .name ’
7 )
8
9 cert = OpenSSL :: X509 :: Certificate .new
10 cert.version = 2
11 cert.serial = 0
12 cert. not_before = Time.now
13 cert.not_after = Time.now + 3600
14
15 cert. public_key = key. public_key
16 cert.subject = name
17
18 puts cert.to_pem
19 puts cert.to_text

¦ ¥
Generating X.509 certiﬁcate

View Slide

X.509 Certiﬁcate
-----BEGIN CERTIFICATE-----
MIIDJzCCAg+gAwIBAgIBADANBgkqhkiG9w0BAQUFADBXMRswGQYDVQQDDBJIZW5y
eWsgU2llbmtpZXdpY3oxFjAUBgoJkiaJk/IsZAEBDAZoZW5pZWsxIDAeBgoJkiaJ
k/IsZAEZFhBzaWVua2lld2ljei5uYW1lMB4XDTE3MDExOTEwMTIwMFoXDTE3MDEx
OTExMTIwMFowVzEbMBkGA1UEAwwSSGVucnlrIFNpZW5raWV3aWN6MRYwFAYKCZIm
iZPyLGQBAQwGaGVuaWVrMSAwHgYKCZImiZPyLGQBGRYQc2llbmtpZXdpY3oubmFt
ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOCfhIgGicHAlV4sOxay
Sg+DoikSMqlrmNT1SS8YriQIIhMVJijf2P3uRKVXEP965E8DO4j1vjwvxex260BZ
tJUgMVL0one/PoKHTOtcRuFFPYBOx1GTa8MwFxfQuZkHyiNxqivxLKKNHgBmK2aj
JkWFTzxLXeOInxqvKyk5a1Py/VeScl4XKaBm8Nfb5V/aryYily/ih40aBsw225Gt
bj/iL+8VkJEO32w5gA5Bhf4b8VE7Rly9OnRaJisJbJ/yPina54gPXkwIvFkMpUuV
VfIxAP8FYxINH9fXpf42sc2EY/9f/BoaPy/BRGn2yP/4g47iP6LfLm9ec+Z06Laz
GXMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAx1NzDlvKXv25MjODsxtiL54Z7yao
ma3lHIUDnhD0XmDXGhfHaMcCjFPNFvKNldhcPH0BSmJWOJHgZaORWiO0kk/DzRB1
l3kC4m5yH9TIqrRWfWdoGjZePL7DsAiHJ4VawA2jnar6QZiaH1XRbCnlRW0qUPWS
qJrZvYyGUsZf/3g/KKr3qBqWHHERGoeyDESBL7WUlYnI08HWSkDILvDpt4J/tG4m
TcdU4nddXCedtlcDWbwr3LSz60HqpaigFvyS5rzXw9cUMXs2qvtvSWjjm7bs/Yjk
WIU/PFHC6iEpEprJbuYTyRi2+7em6T7/cVt1v0cr41ji8CbNWSAnES5E3A==
-----END CERTIFICATE-----

View Slide

X.509 Certiﬁcate
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: NULL
Issuer:
Validity
Not Before: Jan 19 09:56:08 2017 GMT
Not After : Jan 19 10:56:08 2017 GMT
Subject: CN=Henryk Sienkiewicz/UID=heniek, DC=sienkiewicz.name
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d6:a3:cd:1e:e6:8c:60:81:de:49:eb:92:c1:86:
b4:77:00:b2:7a:c1:b2:c3:9b:fa:45:ed:93:02:c4:
09:db:63:d6:12:05:38:a2:fe:bb:07:50:45:61:5b:
29:9e:d1:c9:8b:b9:ab:28:2b:07:3d:c6:52:57:73:
82:54:c8:4f:a3:5d:cf:41:e4:dc:55:5a:bb:5a:89:
82:70:c9:11:54:fe:12:8a:93:31:00:ef:f2:d1:ee:
73:d3:84:f2:84:26:cf:ad:7c:4c:e4:b4:a4:8e:ab:
54:9d:ca:4c:93:ce:e0:72:55:11:88:7e:69:5b:6f:
-----------8<---- CUT THREE LINES HERE --------8<-------------------------
9f:f2:fb:6f:bb:22:b5:59:50:79:c4:0f:15:ce:65:
81:6c:59:63:c0:d3:6b:ce:df:f9:e2:7f:a8:08:98:
b5:2e:a6:ea:4c:94:fc:e0:e1:2a:a1:c3:11:c7:57:
64:d5:54:32:41:06:0a:36:e8:22:85:70:6d:76:6b:
5d:15:8c:c0:41:a4:06:ad:7d:69:25:95:4d:72:75:
ab:be:a5:af:8a:f7:ba:1f:b8:5d:bb:13:d1:34:44:
4d:29
Exponent: 65537 (0x10001)
Signature Algorithm: NULL

View Slide

Signed X.509 Certiﬁcates in Ruby
§
20
21 cert.issuer = name
22 cert.sign key , OpenSSL :: Digest :: SHA1.new
23
24 puts cert.to_text

¦ ¥
Signing X.509 certiﬁcate

View Slide

X.509 Certiﬁcate
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Henryk Sienkiewicz/UID=heniek, DC=sienkiewicz.name
Validity
Not Before: Jan 19 10:05:39 2017 GMT
Not After : Jan 19 11:05:39 2017 GMT
Subject: CN=Henryk Sienkiewicz/UID=heniek, DC=sienkiewicz.name
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
------------8<-----CUT WHOLE MODULUS HERE ------8<-----------------
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
88:38:8a:23:0b:ed:41:b4:20:1b:d1:12:77:c3:a2:29:65:ff:
f5:97:97:d9:06:66:8a:77:dd:b0:7f:c9:54:04:0d:8f:85:b5:
bd:d2:65:2b:3a:ce:7e:48:ae:50:c9:58:88:f9:0f:88:b8:30:
a1:e6:31:68:de:03:ac:56:f7:b1:35:a9:91:e1:8a:c2:fb:b5:
52:98:4a:c7:7a:50:51:70:5c:c9:be:ba:91:d9:ca:99:09:1e:
a1:99:82:13:55:a8:3b:80:ff:84:ca:31:6f:43:eb:57:cd:60:
d5:d4:46:27:d0:09:58:51:3c:a6:6b:80:b4:49:35:5f:82:4f:
a6:a8:45:8c:b3:a0:56:e0:30:ca:d1:e7:f2:7a:1f:2f:f3:5b:
b4:89:03:8f:12:79:69:73:92:ba:8f:a5:d0:30:d3:7c:13:8c:
19:a2:c6:82:ef:bf:19:3b:54:49:f8:91:af:6d:13:e4:be:82:
d6:46:fc:10:32:d1:5f:d2:8f:b0:9c:0d:c6:8b:8c:64:0d:9d:
89:a2:ac:89:0e:4f:56:ae:3e:a5:60:56:ad:9c:08:54:26:d1:
43:d2:b5:ef:90:5f:99:e6:84:52:9a:85:bf:e1:84:aa:3a:27:
ce:9a:94:f3:19:d0:9d:7a:f9:8f:44:12:d9:ce:35:6a:a3:85:
fa:bf:e9:49

View Slide

Verifying certiﬁcate signature
§
2
3 cert = OpenSSL :: X509 :: Certificate .new(
4 File.read ’keys/cert.pem ’
5 )
6
7 puts cert.verify cert. public_key # => true

¦ ¥
Verifying self-signed certiﬁcate

View Slide

Plan
1 Asymmetric encryption
Concepts
Key management
Encryption/decryption
2 Digital signatures
3 Bulk data
4 Identity of private key owner
5 Summary

View Slide

Not covered yet
Public Key Infrastructure (PKI)
PGP/GPG
SSL/TLS network communication
. . .

View Slide

References
Ruby OpenSSL RDoc
RFC5280 Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile
RFC4514 Lightweight Directory Access Protocol (LDAP):
String Representation of Distinguished Names
Samolej, Rząsa, Rzońca, Sadolewski: Wprowadzenie do
informatyki II – bezpieczeństwo systemów informatycznych,
sieci komputerowe, systemy operacyjne i bazy danych, Oficyna
Wyd. PRz., 2014.

View Slide

Questions?
Wojciech Rząsa
[email protected]
@wrzasa
Katedra Informatyki i Automatyki, Politechnika Rzeszowska
http://www.kia.prz.edu.pl/
Wojciech Rząsa, @wrzasa, KIiA PRz Questions? 35/35

View Slide

Using Asymmetric Cryptography in Ruby

Using Asymmetric Cryptography in Ruby

wrzasa

More Decks by wrzasa

Other Decks in Programming

Featured

Transcript