TL;DR
This guide shows how to securely send a message using asymmetric encryption (for confidentiality) and digital signatures (for authenticity). We’ll cover key generation, encryption, decryption, signing, and verification.
Key Generation
- Generate Key Pair: Each participant needs a public/private key pair. Use OpenSSL or similar tools.

    openssl genrsa -out private.pem 2048
    openssl rsa -in private.pem -pubout -out public.pem

- Share Public Key: The sender shares their *public* key with the receiver. Keep your *private* key secret!
Encryption Workflow
- Sender Encrypts Message: The sender uses the receiver’s public key to encrypt the message.

    # rsautl is deprecated in OpenSSL 3.x; `openssl pkeyutl` accepts the same options.
    # Direct RSA encryption only handles small inputs: at most 245 bytes for a
    # 2048-bit key with the default PKCS#1 v1.5 padding.
    openssl rsautl -encrypt -inkey receiver_public.pem -pubin -in message.txt -out encrypted.enc

- Sender Sends Encrypted Message: The sender sends the encrypted.enc file to the receiver.
- Receiver Decrypts Message: The receiver uses their *private* key to decrypt the message.

    openssl rsautl -decrypt -inkey private.pem -in encrypted.enc -out decrypted.txt
Digital Signature Workflow
- Sender Signs Message: The sender uses their *private* key to create a digital signature of the message.
    openssl dgst -sha256 -sign private.pem -out signature.sig message.txt

- Sender Sends Message & Signature: The sender sends both the original message (message.txt) and the signature file (signature.sig) to the receiver.
- Receiver Verifies Signature: The receiver uses the sender’s public key to verify the signature.

    openssl dgst -sha256 -verify sender_public.pem -signature signature.sig message.txt

- If verification is successful, it confirms that:
  - The message hasn’t been tampered with.
  - The message was indeed sent by the owner of the corresponding private key (authenticity).
Combined Encryption & Signature
For maximum security, combine both techniques:
- Sign then Encrypt: First sign the message with your private key. Then encrypt the signed message (and signature) using the receiver’s public key.
- Encrypt then Sign: First encrypt the message with the receiver’s public key, then sign the encrypted message with your private key. This is generally preferred as it protects the integrity of the ciphertext itself.
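The following script is an added example, not part of the original guide: it runs the encrypt-then-sign variant end to end between two constructed parties, alice (sender) and bob (receiver), in a throwaway directory, then appends a byte to the ciphertext to show that verification rejects a tampered blob. It uses `openssl pkeyutl`, the non-deprecated equivalent of the guide's `rsautl` command, and requires only the OpenSSL CLI, `mktemp` and `cmp`.

```shell
#!/bin/sh
# Added example: one "encrypt then sign" round trip between two constructed
# parties (alice = sender, bob = receiver), followed by a tamper check.
# pkeyutl replaces the deprecated rsautl; options are the same.
set -eu

# Generate an RSA-2048 key pair for party $2 inside directory $1.
gen_keypair() {
    dir=$1; name=$2
    openssl genrsa -out "$dir/${name}_private.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/${name}_private.pem" -pubout \
        -out "$dir/${name}_public.pem" 2>/dev/null
}

# Runs the whole workflow; echoes "roundtrip=ok tamper=detected" on success.
roundtrip() {
    work=$(mktemp -d)
    gen_keypair "$work" alice
    gen_keypair "$work" bob

    # Constructed sample message. Direct RSA encryption with PKCS#1 v1.5
    # padding caps the plaintext at 245 bytes for a 2048-bit key.
    printf 'transfer 100 to account 42\n' > "$work/message.txt"

    # Sender: encrypt with the receiver's public key ...
    openssl pkeyutl -encrypt -pubin -inkey "$work/bob_public.pem" \
        -in "$work/message.txt" -out "$work/encrypted.enc"
    # ... then sign the ciphertext with the sender's private key.
    openssl dgst -sha256 -sign "$work/alice_private.pem" \
        -out "$work/signature.sig" "$work/encrypted.enc"

    # Receiver: verify the signature on the ciphertext BEFORE decrypting,
    # so an unauthenticated blob is never fed to the private key.
    openssl dgst -sha256 -verify "$work/alice_public.pem" \
        -signature "$work/signature.sig" "$work/encrypted.enc" >/dev/null
    openssl pkeyutl -decrypt -inkey "$work/bob_private.pem" \
        -in "$work/encrypted.enc" -out "$work/decrypted.txt"
    cmp -s "$work/message.txt" "$work/decrypted.txt"
    result="roundtrip=ok"

    # Tamper check: a ciphertext modified in transit must fail verification.
    cat "$work/encrypted.enc" > "$work/tampered.enc"
    printf 'X' >> "$work/tampered.enc"
    if openssl dgst -sha256 -verify "$work/alice_public.pem" \
        -signature "$work/signature.sig" "$work/tampered.enc" >/dev/null 2>&1; then
        result="$result tamper=MISSED"
    else
        result="$result tamper=detected"
    fi

    rm -rf "$work"
    echo "$result"
}

roundtrip
```

Because the signature covers the ciphertext, the receiver can check authenticity first and only decrypt data that verified, which is the ordering the script enforces.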
Important Considerations
- Key Length: Use at least 2048-bit RSA keys for strong security.
- Hashing Algorithm: SHA-256 or stronger is recommended for digital signatures.
- Secure Key Storage: Protect your private key! Store it securely (e.g., using a hardware security module).
- Public Key Infrastructure (PKI): For real-world applications, consider using PKI to manage and distribute public keys reliably.

