Posted in Access restrictions, Digital Certificate, OpenSSL use cases

Protecting sensitive information using OpenSSL

   Published Date: May 31, 2017

Description

You want to send some sensitive information to somebody who is not part of your network, so the information should no go unprotected through the environment. This post describes the case where you add sensitive data encrypted on a CD, DVD or even on a hard disk, send that information to the destination by assuring the confidentiality of the data. At destination only designated person will be able to decrypt the information.

Explanation

- If you are using a Unix like environment, you have the necessary tools to accomplish the proposed task.

- OpenSSL is a tool that is able to generate keys, encrypt data, generate random data, use public key cryptography and much more (https://www.openssl.org/).

- In this post I'll describe one of the procedures that can be used to protect data in transit (or at rest ) using public/private key cryptography.

Implementation

It is assumed that you are running a Unix like distribution so the OpenSSL tool is already installed.

The whole process is split into 3 steps: at receiver, sender and again at the receiver.

On receiver end

First you have to generate a pair of keys - public and private using OpenSSL. Please keep the private key safe and protected since this is the key that is used to decrypt traffic. This key can be used also for digital signature.

Second, you have to send the public key using any communication environment to the sender. This key, as its name says, it's public, so no special protection is needed.

1. Generate rsa key (public/private)
     openssl genrsa -aes256 -out user 2048
2. Extract the public key from the file
     openssl rsa -in user -pubout > user.pub

Generation process is asking for a pass phrase. This pass phrase is actually protecting your private key, so it's important that pass phrase to be a strong one. It's also important to store it on a protected manner since access to your private key depends on it.

On sender end

Get the public key of the receiver - user.pub public key and store it on your system. Using OpenSSL generate a secret, which will act a secret key, and will be use to encrypt symmetric sensitive data.
Store the secret in a file and encrypt asymmetric the secret file using user.pub public key.

1.Generate a random secret key
     openssl rand 48 -base64 -out password_file
2. Encrypt the password file using user.pub public key
       openssl rsautl -in password_file -out password_encrypted -pubin -inkey user.pub -encrypt
3. Encrypt the traffic using a symmetric algorithm (aes256) with secret key 
       openssl enc -e -in client.tgz -out client.tgz.enc -aes256 -kfile password_file

client.tgz is the content which should be protected.

Send the protected information (client.tgz.enc) and password_encrypted file to the receiver, so all information are protected during transport.

On receiver end

At the reception the process is quite in reverse order: first you have to decrypt the secret key file using your private key and after that you can decrypt the sensitive data using the secret key from the file.

1.Decrypt secret key file 
    openssl rsautl -decrypt -inkey user -in password_encrypted -out password_file_decrypted
2. Decrypt sensitive information
    openssl enc -d -in client.tgz.enc -out client.tgz -aes256 -kfile password_file_decrypted

 

Author: techwritter