Looking for public/private key encryption port/program/app

Well, it's been a while since I have logged in and chatted with you folks. All is well with me, just full time busy with raising a family, my career, and sport fishing for de-stress. That just said I still make heavy use of my FreeBSD home server, and I continue to promote it every chance I get.

So, my son is proving to be really interested in computers, not just mouse clicking, but coding, and so on. Anyway I got to thinking me and him could have a bit of fun with some PKI stuff. So my ask to you folks is quite simple. I'm looking for some ports/programs/apps that me and him can use to:

  • Generate strong encryption public and private key pairs.
  • Exchange those public keys (using the program itself, or usb stick, ftp, email, etc, don't really care.)
  • Use the private key with strong encryption to encrypt/decrypt our fun text messages.
Ideally we would use the same program on all our devices (FreeBSD, Linux, Windows (yes it kills me he is using Windows in my house), Android, iOS, etc.) but I know that is not the case. So as long as we can do the above using a common strong encryption algorithm, I am fine using different programs for different devices. I'm not looking to encrypt disks, VoIP calls, etc. ....just text based messages. Then we can copy/paste the messages (clear or encrypted) into whatever communications 'channel' we so desire....email, ftp a file containing the text, etc, etc.

I was scanning Freshports, but so many ports seem to be broken, and many are not really what I require anyway. So thought you fine folks could help me out.


Thanks,
Packet Man
 
It may seem rather odd, but go with OpenSSL. It is cross-platform, free, easy to install and you will find it everywhere. It encrypts/decrypts text messages, files and directories (openssl enc ...), generates private keys (genrsa), makes certificate requests (req -new) and lets you play with signing (x509). It covers asymmetric cryptography, hashes and different ciphers.
You can set up a simple localhost website, set up an SSL version of it (https), with different hosts (with/without www), sign and request certificates, import them into Firefox (*.crt), register them in Windows (pkcs12).... You'll have some fun, without wasting any time. There are lots of tutorials on the internet covering these topics. Start with text/file encryption with OpenSSL.
 
Gee now I feel like a ding dong. :p I used OpenSSL the other day, but only to generate a set of keys for something else. I did not know that it actually could be used to encrypt text messages, files and folders.
 
Thanks everyone, I have been using OpenSSL the past few days, and all seems to be working well, but will check in on this thread for the additional feedback and see where that takes me. Neat stuff to say the least.
 
So I have been playing with PGP and OpenSSL and some neat stuff there to say the least. But I am stuck on something. When doing public key encryption with OpenSSL the result is a binary file. I'm trying to get the output to be an ASCII text file, but I have to do that as a 2nd step.

Since it seems "pkeyutl" is the new way to do it, I encrypt my text with:
openssl pkeyutl -encrypt.......

Then I convert the binary file to ascii:
openssl enc -base64 -in binaryfile.txt -out textfile.txt

I have tried to include the "enc -base64" as an option in the openssl pkeyutl -encrypt....... so that it does it in one 'step' but it aborts on error. Various tries result in various errors. Anyone know off the top of their head how to have openssl pkeyutl -encrypt....... write out the encrypted file as an ASCII text file?

I'm thinking OpenSSL does not support that and maybe I need to write a config script that can suck in the various configuration parameters, etc.
 
Use unix pipes.

openssl pkeyutl -encrypt .... | openssl enc -base64 -out textfile.txt

(DO NOT use -out on pkeyutl and DO NOT use -in on enc)

Also, use GPG instead of this craziness.

Thanks, I tried the pipe stuff but it didn't work; I will have to see where my typo is.
And why should I not use the -out and -in options with pkeyutl?
GPG is neat indeed but only does key sizes up to 4096. Suppose I wanted to go bigger.....I know I know, just amuse me please.

...and how would you use unix pipe to do the reverse.....decode the -base64 file? I thought pipes were for outputs only.

openssl enc -d base64 -in textfile.txt | openssl pkeyutl -decrypt -inkey my_private_key.pem ????
 
So, you are referring to RSA key size - probably no need to increase beyond 4096 right now. Cryptography is always a chase against hardware capability and pretty sure 2048 is still quite safe as far as RSA keys go but I am not a cryptanalyst so can't say for sure.
 
Yes I am....but I am tinkering with something and want to try larger keys. 16192 just as an example.

I was farting around trying to reverse the order of using "|" but still getting errors. I'll keep at it, but using the two-step process is not 'broken' for me.
 
If you go to an RSA key size that is obnoxious, you're just wasting CPU cycles. If somebody wanted to read your message, they would simply take your device and extract the key from it via various methods instead of trying to break the encryption. GPG is designed to be more ergonomic for your use case.

Please post the full command lines instead of snippets with ... if you want them debugged.
 
I'm learning....which is not obnoxious. And you don't know my device / use case scenario / tinkering. But I do see what you are saying. :)

openssl enc -d base64 -in textfile.txt -out | openssl pkeyutl -decrypt -inkey privatekey.pem -out decryptedtext.txt


Code:
Enter pass phrase for privatekey.pem:
Public Key operation error
139741386933912:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error:rsa_pk1.c:273:
139741386933912:error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:602:
 
You tell me what's different from your setup here

openssl -out justfinekeysize.key 3072
echo "HELLO ENCRYPTION" | openssl pkeyutl -encrypt -inkey justfinekeysize.key | openssl enc -base64 | openssl enc -base64 -d | openssl pkeyutl -decrypt -inkey justfinekeysize.key
 
For starters, openssl -out justfinekeysize.key 3072 does not work on my machine.
Code:
openssl:Error: '-out' is an invalid command.

Secondly I am using a public and private key, but your example doesn't seem to be doing that.
It's not a big deal, I just thought there was a built in -flag option that I was just getting wrong.
 
Sorry, I cut & pasted my typo

openssl genrsa -out justfinekeysize.key 3072

Generating RSA private key, 3072 bit long modulus (2 primes)
Yes, my example is doing that
 
I just thought there was a built in -flag option that I was just getting wrong.

That is the case.


"openssl enc -d base64"

should be

"openssl enc -base64 -d"
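To tie the thread together, here is a complete round trip written as an added example (it is not from any of the posts above): generate a private key, export a separate public key file as the original poster wants, encrypt with the public key and base64-armor the result in one pipeline, then reverse it. It assumes the openssl command-line tool is on the PATH and writes its key files to a temporary directory. Two details answer the questions left open above: pkeyutl must not be given -out and enc must not be given -in, because a pipe connects the first command's stdout to the second command's stdin, and either option would redirect that data elsewhere; and the decode side has to be spelled -base64 -d, since -d base64 is parsed as a bogus "base64" file argument. The example also selects OAEP padding via -pkeyopt rsa_padding_mode:oaep, which is the recommended RSA encryption padding; the default PKCS#1 v1.5 padding in the thread works too.

```shell
#!/bin/sh
# Added example, not code from the thread: RSA public-key encryption of a
# short message with openssl pkeyutl, armored as base64 by pipes only.
# Assumes the openssl CLI is installed. Key files are constructed here.
set -e

WORK="${TMPDIR:-/tmp}/pkeyutl-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# 1. Private key, then a separate public key file to hand to the other party.
make_keys() {
    openssl genrsa -out "$WORK/private.pem" 3072 2>/dev/null
    openssl rsa -in "$WORK/private.pem" -pubout -out "$WORK/public.pem" 2>/dev/null
}

# 2. Encrypt with the recipient's PUBLIC key, then base64 the ciphertext.
#    No -out on pkeyutl and no -in on enc: each reads stdin and writes
#    stdout, so the pipe carries the binary ciphertext between them.
#    RSA can only encrypt one short block (well under the key size), which
#    is fine for a chat line but not for a file.
encrypt_b64() {
    printf '%s' "$1" \
        | openssl pkeyutl -encrypt -pubin -inkey "$WORK/public.pem" \
              -pkeyopt rsa_padding_mode:oaep \
        | openssl enc -base64
}

# 3. Reverse: base64-decode (option order matters: -base64 -d), then
#    decrypt with the PRIVATE key using the same padding mode.
decrypt_b64() {
    printf '%s\n' "$1" \
        | openssl enc -base64 -d \
        | openssl pkeyutl -decrypt -inkey "$WORK/private.pem" \
              -pkeyopt rsa_padding_mode:oaep
}

make_keys
CT=$(encrypt_b64 "HELLO ENCRYPTION")
PT=$(decrypt_b64 "$CT")
echo "armored ciphertext (paste this into any channel):"
echo "$CT"
echo "recovered plaintext: $PT"
```

The armored text is what gets pasted into email or a file; the recipient runs only the decrypt_b64 half with their own private key. Note that both sides must agree on the padding mode, which is exactly the "padding check failed" error shown earlier in the thread when ciphertext and key (or padding) do not match.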
 