# Looking for public/private key encryption port/program/app



## PacketMan (Jul 17, 2020)

Well, it's been a while since I have logged in and chatted with you folks.  All is well with me, just full time busy with raising a family, my career, and sport fishing for de-stress. That just said I still make heavy use of my FreeBSD home server, and I continue to promote it every chance I get.

So, my son is proving to be really interested in computers, not just mouse clicking, but coding, and so on.  Anyway I got to thinking me and him could have a bit of fun with some PKI stuff.  So my ask to you folks is quite simple.  I'm looking for some ports/programs/apps that me and him can use to:


Generate strong encryption public and private key pairs.
Exchange those public keys (using the program itself, or usb stick, ftp, email, etc, don't really care.)
Use the private key with strong encryption to encrypt/decrypt our fun text messages.
Ideally we would use the same program on all our devices (FreeBSD, linux, windows (yes it kills me he is using Windows in my house), Android, ios, etc.) but I know that is not the case.  So as long as we can do the above using a common strong encryption algorithm I am fine using different programs for different devices.  I'm not looking to encrypt disks, voip calls, etc, ....just text based messages.  Then we can copy/paste the messages (clear or encrypted) into whatever communications 'channel' we so desire....email, ftp a file containing the text, etc, etc.

I was scanning Freshports, but so many ports seem to be broken, and many are not really what I require anyway. So thought you fine folks could help me out.


Thanks,
Packet Man


----------



## Lamia (Jul 17, 2020)

You reminded me of RetroShare - https://www.freshports.org/net-p2p/retroshare.


----------



## a6h (Jul 17, 2020)

It may seem rather odd, but go with OpenSSL. It is cross-platform, free, easy to install and you will find it everywhere. It encrypts/decrypts text messages, files and directories (_openssl enc_ ... ), generates private keys (_genrsa_), makes certificate requests (_req -new_) and plays with signing (_x509_). It covers asymmetric cryptography, hashes and different ciphers.
You can set up a simple localhost website, set up an SSL version of it (https), with different hosts (with/without www), sign and request certificates, import them to Firefox (_*.crt_), register them to Windows (_pkcs12_).... You'll have some fun, without wasting any time. There are lots of tutorials on the internet covering these topics. Start with text/file encryption with OpenSSL.


----------



## PacketMan (Jul 17, 2020)

Gee, now I feel like a ding dong.  I used OpenSSL the other day, but only to generate a set of keys for something else. I did not know that it actually could be used to encrypt text messages, files and folders.


----------



## jomonger (Jul 17, 2020)

Check also LibreSSL, some say it is a better choice.


----------



## Lamia (Jul 18, 2020)

PGP (Pretty Good People). It's actually Privacy not People.



https://www.gnupg.org/gph/en/manual/x135.html


----------



## Lamia (Jul 18, 2020)

Lamia said:


> PGP (Pretty Good People). It's actually Privacy not People.
> 
> 
> 
> https://www.gnupg.org/gph/en/manual/x135.html


How To Use GPG to Encrypt and Sign Messages | DigitalOcean (www.digitalocean.com): GPG, or GNU Privacy Guard, is a public key cryptography implementation. This allows for the secure transmission of information between parties and can be use…


----------



## PacketMan (Jul 24, 2020)

Thanks everyone, I have been using OpenSSL the past few days, and all seems to be working well, but will check in on this thread for the additional feedback and see where that takes me. Neat stuff to say the least.


----------



## PacketMan (Jul 31, 2020)

So I have been playing with PGP and OpenSSL and there is some neat stuff there to say the least.  But I am stuck on something.  When doing public key encryption with OpenSSL the result is a binary file.  I'm trying to get the output to be an ASCII text file, but I have to do that as a 2nd step.

Since it seems "pkeyutl" is the new way to do it, I encrypt my text with:
`openssl pkeyutl -encrypt.......`

Then I convert the binary file to ascii:
`openssl enc -base64 -in binaryfile.txt -out textfile.txt`

I have tried to include the "enc -base64" as an option in the `openssl pkeyutl -encrypt.......` so that it does it in one 'step' but it aborts on error. Various tries result in various errors. Anyone know off the top of their head how to have `openssl pkeyutl -encrypt.......` write out the encrypted file into an ASCII text file?

I'm thinking OpenSSL does not support that and maybe I need to write a config script that can suck in the various configuration parameters, etc.


----------



## msplsh (Jul 31, 2020)

Use unix pipes.

`openssl pkeyutl -encrypt .... | openssl enc -base64 -out textfile.txt`

(DO NOT use -out on pkeyutl and DO NOT use -in on enc)

Also, use GPG instead of this craziness.


----------



## PacketMan (Jul 31, 2020)

msplsh said:


> Use unix pipes.
> 
> openssl pkeyutl -encrypt .... | openssl enc -base64 -out textfile.txt
> 
> ...



Thanks, I tried the pipe stuff but it didn't work. I will have to see where my typo is.
And why should I not use the -out and -in options with pkeyutl ?
GPG is neat indeed but only does key size up to 4096.  Suppose I wanted to go bigger.....I know I know, and just amuse me please.

...and how would you use unix pipe to do the reverse.....decode the -base64 file? I thought pipes were for outputs only.

openssl enc -d base64 -in textfile.txt | openssl pkeyutl -decrypt -inkey my_private_key.pem   ????


----------



## Sevendogsbsd (Jul 31, 2020)

So, you are referring to RSA key size - probably no need to increase beyond 4096 right now. Cryptography is always a chase against hardware capability and pretty sure 2048 is still quite safe as far as RSA keys go but I am not a cryptanalyst so can't say for sure.


----------



## PacketMan (Jul 31, 2020)

Yes I am....but I am tinkering with something and want to try larger keys. 16192 just as an example.

I was farting around trying to reverse the order of using "|" but still getting errors.  I'll keep at it, but using the two-step process is not 'broken' for me.


----------



## Sevendogsbsd (Jul 31, 2020)

That should keep your RSA keys safe until the year 4100.


----------



## PacketMan (Jul 31, 2020)

All depends on how you use it....most security errors are actually human errors.


----------



## msplsh (Jul 31, 2020)

If you go to an RSA key size that is obnoxious, you're just wasting CPU cycles.  If somebody wanted to read your message, they would simply take your device and extract the key from it via various methods instead of trying to break the encryption.  GPG is designed to be more ergonomic for your use case.

Please post the full command lines instead of snippets with ... if you want them debugged.


----------



## PacketMan (Jul 31, 2020)

I'm learning....which is not obnoxious.  And you don't know my device / use case scenario / tinkering. But I do see what you are saying.

`openssl enc -d base64 -in textfile.txt -out | openssl pkeyutl -decrypt -inkey privatekey.pem -out decryptedtext.txt`


```
Enter pass phrase for privatekey.pem:
Public Key operation error
139741386933912:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error:rsa_pk1.c:273:
139741386933912:error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:602:
```


----------



## msplsh (Jul 31, 2020)

Do not use -out on "enc" in that specific example.


----------



## PacketMan (Jul 31, 2020)

Yeah I did that too already. Same result.


----------



## msplsh (Jul 31, 2020)

Before I recreate your setup for my own entertainment, use "-keyform PEM" on pkeyutl


----------



## PacketMan (Jul 31, 2020)

Still get the same padding check error.  I tried -nopad in the enc part but no difference.


----------



## msplsh (Jul 31, 2020)

You tell me what's different from your setup here

`openssl -out justfinekeysize.key 3072`
`echo "HELLO ENCRYPTION" | openssl pkeyutl -encrypt -inkey justfinekeysize.key | openssl enc -base64 | openssl enc -base64 -d | openssl pkeyutl -decrypt -inkey justfinekeysize.key`


----------



## PacketMan (Jul 31, 2020)

For starters `openssl -out justfinekeysize.key 3072` does not work on my machine.

```
openssl:Error: '-out' is an invalid command.
```

Secondly I am using a public and private key, but your example doesn't seem to be doing that.
It's not a big deal, I just thought there was a built in -flag option that I was just getting wrong.


----------



## msplsh (Jul 31, 2020)

Sorry, I cut & pasted my typo

`openssl genrsa -out justfinekeysize.key 3072`

_Generating RSA private key, 3072 bit long modulus (2 primes)_
Yes, my example is doing that.


----------



## msplsh (Jul 31, 2020)

PacketMan said:


> I just thought there was a built in -flag option that I was just getting wrong.



That is the case.


"openssl enc -d base64"

should be

"openssl enc -base64 -d"


----------



## PacketMan (Jul 31, 2020)

I want to use pkeyutl because I was sure I read that genrsa has been superseded by pkeyutl.
When I use your above command exactly the way you did it, by swapping in the public and private keys I get a few errors.

```
unable to load Private Key
padding check failed
```

I appreciate you trying, but don't blow some brains over it.


----------



## PacketMan (Jul 31, 2020)

msplsh said:


> That is the case.
> 
> 
> 
> ...




I meant -flag option on the pkeyutl command.  I'll try that just the same with the "|".


----------



## PacketMan (Jul 31, 2020)

msplsh said:


> "openssl enc -d base64"
> should be
> "openssl enc -base64 -d"



Thanks for catching that, that was it.

So the 'solution' to getting it all on one line is:

Encrypt:
`openssl pkeyutl -encrypt -pubin -inkey publickey.pem -in cleartext.txt | openssl enc -base64 -out encryptedtext.txt`
Decrypt:
`openssl enc -base64 -d -in encryptedtext.txt | openssl pkeyutl -decrypt -inkey privatekey.pem -out decryptedtext.txt`

Thanks a ton.


----------



## msplsh (Jul 31, 2020)

genrsa is just a primitive the pkeyutl works with.

You should _still_ *not* do this and use GPG, because this method limits your message size to your key size / 8 minus some other junk and does not control for padding oracle attacks.


----------



## PMc (Jul 31, 2020)

I found openssl a rather tough beast - not really user-friendly and comfortable in everyday use, and expecting an experienced user to already precisely know what they are doing. So I had a very slow approach to these matters, and only when being forced to.
Probably it is rather meant to be used as a library, under some other program - so that the coder would know what they are doing, and the gory details are then hidden from the user.

Concerning RSA: yesterday I ran into another error, RSA encryption suddenly spitting failure, and a close look then showing this one: `data greater than mod len`. From what it seems, that whole encryption method seems to be limited to payloads of about twitter size (with keylen 2560 bits). Still investigating what that means (it's a low-importance side-project), but as there is a discussion here already, I thought to just share this.


----------

