I’ve been playing around with Public-key cryptography or asymmetric cryptography. With revaltions from Eric Snowden on programs like PRISM, I feel that encryption is more important than ever.
Public-key cryptography is a class of cryptographic algorithms which requires two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked. The public key is used to encrypt plaintext or to verify a digital signature; whereas the private key is used to decrypt ciphertext or to create a digital signature.
There are two main uses for public key crypto.
Public key encryption. A message is encrypted with a recipient’s public key. The message can only be unencrypted by the holder of the private key.
Digital Signature. A message is signed with a the senders private key to generate a cryptographic hash. Using the public key, one can verify the message was indeed sent with the coresponding private key and can ensure the message has not been altered.
First, let’s generate some keys. From the private key we will also generate the public key. Remember the private and public key are mathematically linked. This is important.
 pry(main)> require "openssl" => true  pry(main)> private_key = OpenSSL::PKey::RSA.new(2048) => #<OpenSSL::PKey::RSA:0x007ff03b379c30>  pry(main)> public_key = private_key.public_key => #<OpenSSL::PKey::RSA:0x007ff03c3330b8>
Great. Now we have a key pair. We can write these keys to disk if we like.
## write the private key to disk. File.open("~/.ssh/private_key", "w+") do |f| f.write private_key.to_pem end # write the public key to disk. File.open("~/.ssh/public_key.pem", "w+") do |f| f.write public_key.to_pem end
We can read the key in from key like so.
key = OpenSSL::PKey::RSA.new(File.read("~/.ssh/private_key"))
Public key enctryption
We’ll be encrypting a message with the public key. So it can only be unenctrypted by the owner of the private key.
## Use the public key to encrypt a message  pry(main)> encrypted_data = public_key.public_encrypt("Some private data is here.") => "Ò"lûú¢Ì;Ârú\ÛZY4ãiÛµ´<ì¸«"aáàbì®À!È©ÞBe^ÌeÜÜXÖ"bUJ°Bí}÷IýôQ§HÅaá¤kxô6A% ëë: Ñ¢ÿ¤$½PRéÓ\r>5ÙèYde`à½å\öÔmÍJ*¦õS9ÒMÕ 7Îð¹<¯e®`W;HZëØÿÞmò*\tL2â`KÈ)OÚ¯k4Ð\rNó%}êMheßÆåª$V¾~LvÇ´o¡3âÞât!]-È¯ãÕý`TÙÍsÿ®(<½¹"
This will result in some unreadable binary data. Next we’ll decrypt this data with the private key.
## Use the private key to decrypt  pry(main)> private_key.private_decrypt(enc) => "Some private data is here."
The public key can encrypt but cannot decrypt the message. This enctryption only works in one direction. Only the private key can decrypt that message. You can also encrypt messages with a private key. Those messages can be unenctrypted with the public key and the private key.
Asymmetric public/private key encryption is slow and victim to attack in cases where it is used without padding or directly to encrypt larger chunks of data. Typical use cases for RSA encryption involve “wrapping” a symmetric key with the public key of the recipient who would “unwrap” that symmetric key again using their private key.
NOTE - The enctrypted messages are in binary format. If we want to encode the data for transmission accoss the net, we’ll want to use something like base64.
 pry(main)> require "base64" => true  pry(main)> enc_string = Base64.encode64(encrypted) => "iRBt6WHFYP2sn2Qv+qs16js/EJqBGaTWyxUH7iI/aj3UEw1oUHHbrFs/705W\nP+8dJ77p5gAaBpS/spCYLu/strU3uN06DTOh3neTcyDQrpIL5Zqs0Gl6/76m\nOQFGi18khnwWPAyW4+uVcZiQmZU9M0tlWywwNlkVoKAwkFlwkYF07YZazfCY\nMrAoQ6nusfjqjfU7HQeQKSCnMrBkzInsqan0PUm+UuGCMbxpQMdPA1de2nHB\neMs7OR7Pd5q5T93z240Iacjtwo/CV3Tcr1EyrfCcx05Jp4FKi9DPJf33asPx\noJ7J2XNa3QXqEbisMGT/b+6QZDm/LbfZXKuCIDYOjA==\n"
This works for small messages but if you try and encrpt a string larget than your key… you’ll hit an errors. You could break up the string into smaller chunks and encrypt each chunk individually. But this is not secure. This is what cypher block chaining is for. Below is an example.
cipher = OpenSSL::Cipher.new 'AES-128-CBC' cipher.encrypt iv = cipher.random_iv pwd = 'tRiSsmiTp' salt = OpenSSL::Random.random_bytes 16 iter = 20000 key_len = cipher.key_len digest = OpenSSL::Digest::SHA256.new key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest) cipher.key = key File.open("enc-text.txt",'w') do |enc| File.open("./plain.txt") do |f| loop do r = f.read(4096) break unless r enc << cipher.update(r) end enc << cipher.final end end
Asymmetric digital signatures is a great way to verify integrity and authenticity of data. Create a keypair, send the public key to your receivers, and use this method to create a digital signature. By combining the data and the public key, you can verify that the signature was created by the owner of the private key.
require "openssl" data = "A small brown fox." digest = OpenSSL::Digest::SHA256.new # To list available digests: #OpenSSL::Digest.constants signature = private_key.sign(digest, data) public_key.verify(digest, signature, data) # => true public_key.verify(digest, signature, data + "altered") # => false public_key.verify(digest, "altered" + signature, data) # => false
Using openssl library directly we can encrypt a file.
openssl aes-256-cbc -a -e -in source-file.txt -out enc-file.txt -k private_key
And to decrypt the file.
openssl aes-256-cbc -d -a -in enc-file.txt -out unenc-file.txt -k private_key