Task 1: Create and use RSA public/private key pair

First you will create a RSA key pair.

1.    Create a python file

2. Import

a. from cryptography.hazmat.backends import default_backend

b. from cryptography.hazmat.primitives.asymmetric import rsa

c. from cryptography.hazmat.primitives import serialization

3.    Set the backend

a. backend = default_backend()

4.    Generate a private key/public key pair for RSA

a. private_key = rsa.generate_private_key(

b. public_exponent=65537,

c. key_size=2048,

d. backend=backend)

i. The exponent is the public key value

ii. The key size is the number of bits of the key

iii. Use the openSSL backend

5.    Get the public key part

a. public_key = private_key.public_key()

6.    Encode the keys for serialization and saving, first the private key (which should be kept encrypted for security)

a. password = ‘hello’

b. pem_kr = private_key.private_bytes(

c.            encoding=serialization.Encoding.PEM,

d. format=serialization.PrivateFormat.PKCS8,

e.            encryption_algorithm=serialization.BestAvailableEncryption(password.encode())

i.    Encoding is PEM (Privacy Enhanced Mail), base64 encoded DER (Distinguished Encoding Rules) data

ii.    Format is PKCS#8  - private key serialization format (see RFC5208) iii.    Encryption is provided by a built-in algorithm

7.    Now the public key (is not encrypted)

a. pem_ku = public_key.public_bytes(

encoding=serialization.Encoding.PEM,

format=serialization.PublicFormat.SubjectPublicKeyInfo)

8.    Save the results to two separate files (these will act as your keyring)

a.    Save pem_kr to _kr.pem

b. Save pem_ku to _ku.pem

9.    Make sure that you can reload these keys

a.    with open(kr_fname,'rb') as file:

b. private_key = serialization.load_pem_private_key(

data=file.read(),

password=password.encode(),

backend=backend)

c. with open(ku_fname,'rb') as file:

d. public_key = serialization.load_pem_public_key(

e.                data=file.read(),

f. backend=backend)

Task 2: Encrypt and Decrypt with the Public and Private keys

Now you will test encrypting and decrypting using the public and private keys.

1.    Create a python file

2. Import

a. from cryptography.hazmat.backends import default_backend

b. from cryptography.hazmat.primitives.asymmetric import rsa

c. from cryptography.hazmat.primitives import serialization

3.    Set the backend

a. backend = default_backend()

4.    Load the keys

a.    with open(kr_fname,'rb') as file:

b. private_key = serialization.load_pem_private_key(

data=file.read(),

password=password.encode(),

backend=backend)

c. with open(ku_fname,'rb') as file:

d. public_key = serialization.load_pem_public_key(

data=file.read(),

backend=backend)

5. Encrypt some data with the public key

a. message = b’some test data’

b. ciphertext = public_key.encrypt(

message,

padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None))

6. Decrypt the data with the private key

a. plaintext = private_key.decrypt(

ciphertext,

padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None))

7.    Compare the resulting plaintext and the original message

Try reversing the operation, i.e. encrypt with the private key and decrypt with the public key, comment on the results.

Task 3: Create a Keystore

Now that you can encrypt and decrypt, you can try to encrypt using another person’s public key so that they can decrypt. Download the nigel_ku.pem public key from Blackboard as indicated.

Create a directory structure to store:

1.    Your encrypted private key

2.    Your public key

3.    Public key of any recipients of your messages

4.    Create a directory structure to store:

When you encrypt with another person’s public key, you cannot decrypt it yourself, you need to get them to decrypt it for you. You can add more public keys to your keystore as needed.

Task 4: Create and encrypt the symmetric key and IV

For this task, you want to encrypt the symmetric key and IV used to encrypt a file using the public key of the intended recipient of the file.

First you want to create a format to store the symmetric key and IV in their unencrypted form. You will use the PEM (Privacy Enhanced Mail) format for this. The data is formatted as follows:

-----BEGIN -----

-----END -----

Each Object you want to encode has its own section in the file with a BEGIN and END line. The objects are base64 encoded between those lines. The specific sections you will use are:

-----BEGIN SKEY-----

-----END SKEY-----

-----BEGIN IV-----

-----END IV-----

1. Adjust your encrypting program from CryptoLab1 to write out the symmetric key and IV into the PEM encoded format

a. Filename encrypted file: encrypted_file_name.enc

b. Filename SKIV: .skiv

2. Use your public_key to encrypt this file

3. Save this encrypted data to a file <encrypted_file_name>_skiv.enc using the following format:

a. -----BEGIN SKIVENC-----

b.

c.    -----END SKIVENC-----

4. Modify your decrypting program from CryptoLab1 to:

a. Read the private key file that corresponds to the public key used in 2

b. Read the _skiv.enc file and decrypt it to the .skiv file

c. Read the .skiv file and extract the key and IV

d. Decrypt the encrypted file using the extracted key and IV