As studied in class, symmetric ciphers provide two functions to encrypt and decrypt data. In this lab we use openssl command-line tools to perform encryption and decryption using the Advanced Encryption Standard (AES) cipher.
The first argument of openssl is a command that specifies what cryptographic action we are going to perform. For example, rand manages random numbers and enc performs cryptographic operations, as we will see below.
The first step is to generate a random AES (symmetric) key:
$ openssl rand -hex 16
090f93176b110bcc72e8c7461bb09de1
We are asking openssl to generate a random number (command rand) of 16 bytes (parameter 16), written in hexadecimal format (option -hex). The result is 090f93176b110bcc72e8c7461bb09de1. Of course, running this command again will generate a different, random output. In the following, we will use this key, but feel free to replace it with your own freshly generated one!
Exercise: try running the command multiple times to observe that it generates different random numbers.
It is easy to encrypt a message from the Linux shell using openssl:
$ echo 'Security course is great!!' | openssl enc -e -aes-128-ecb -K 090f93176b110bcc72e8c7461bb09de1
U<?w?g??%?h?-??? ?t??^? ?4T?
Explanation:
- echo 'Security course is great!!' prints Security course is great!!;
- | openssl enc -e -aes-128-ecb -K 090f93176b110bcc72e8c7461bb09de1 takes the output of the previous command and computes the aes-128-ecb encryption on it. ecb stands for Electronic Code Book. It is a mode of operation that splits the plaintext into blocks (of 128 bits) and encrypts them independently;
- option -e stands for encrypt; in order to decrypt it is enough to use option -d instead of -e.
Notice that the output is unreadable as it is pure bytes, with no hex formatting. Add | hexdump at the end of the command to see the output as hexadecimal numbers. Do not use hexdump for solving the following exercise.
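The following is an added example, not part of the original lab sheet. It illustrates the statement above that ECB encrypts blocks independently: two identical 16-byte plaintext blocks produce two identical ciphertext blocks, so the ciphertext reveals where the plaintext repeats. The sample plaintext and the helper names ecb_hex, block and repeated_blocks are constructed for this illustration; the key is the lab's example key.

```shell
#!/bin/sh
# Added illustration: AES-128-ECB encrypts every 16-byte block independently,
# so equal plaintext blocks give equal ciphertext blocks.
KEY=090f93176b110bcc72e8c7461bb09de1   # the lab's example key from above

# ecb_hex PLAINTEXT -> ciphertext as one continuous lowercase hex string.
# od -v is required: without it od replaces repeated 16-byte lines by "*".
ecb_hex() {
    printf '%s' "$1" | openssl enc -e -aes-128-ecb -K "$KEY" |
        od -An -v -tx1 | tr -d ' \n'
}

# block N HEX -> the N-th (1-based) ciphertext block as 32 hex digits.
block() {
    start=$(( ($1 - 1) * 32 + 1 ))
    printf '%s' "$2" | cut -c "${start}-$(( start + 31 ))"
}

# repeated_blocks HEX -> how many distinct block values occur more than once.
repeated_blocks() {
    printf '%s\n' "$1" | fold -w 32 | sort | uniq -d | wc -l | tr -d ' '
}

# Constructed sample: the same 16-byte block twice, then a different block.
PT='YELLOW SUBMARINEYELLOW SUBMARINEyellow submarine'
CT=$(ecb_hex "$PT")

# 48 bytes of plaintext plus one full block of padding = 4 ciphertext blocks.
for i in 1 2 3 4; do
    echo "block $i: $(block "$i" "$CT")"
done
echo "repeated ciphertext blocks: $(repeated_blocks "$CT")"
```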
Exercise
Add another | openssl enc... command on the same line that decrypts the ciphertext using the same symmetric key. You should re-obtain the plaintext sentence:
$ echo 'Security course is great!!' | openssl enc -e -aes-128-ecb -K 090f93176b110bcc72e8c7461bb09de1 | openssl ... (complete this part ...)
Security course is great!!
The full | openssl enc... -K command up to -K (i.e., without the actual key value) is the password for task 2!