Lab: Encryption


Congrats! You verified that these are the actual lab instructions.

In this part of the lab, you're going to use a CLI tool called openssl. You used ssh-keygen and other utilities to create key pairs before, but those are formatted just for SSH. We need openssl for other formats. There are better tools out there, but this one is already installed.


Part I: Symmetric Encryption

You'll start by replicating what I just did: sending password protected files. First, you'll need a partner. Find someone from across the room.

  1. Write your message in a file called [from-name]_to_[to-name].txt with your name first and the name of the recipient second. Alice would write her message to Bob in alice_to_bob.txt.
  2. Use the following command to encrypt your message and store the result in another file:
    $ openssl aes-256-cbc -e -in alice_to_bob.txt -out alice_to_bob.enc.txt
    enter aes-256-cbc encryption password:
    Verifying - enter aes-256-cbc encryption password:
  3. The command will ask for a password and then verify it. Pick a good one and don't forget it! The password is not the key: openssl derives the AES key and IV from your password plus a random salt, and stores the salt at the start of the output file. If your openssl is 1.1.1 or newer, add -pbkdf2 to both the encrypt and the decrypt command so that derivation uses PBKDF2 rather than the legacy one-pass function (newer versions print a "deprecated key derivation used" warning without it). Whatever options you pick, the recipient has to use the same ones.
  4. Now you can upload the encrypted file to Slack. Send it in #CSET-170. Everyone will be able to see it, but only people with the password can read it.
  5. Here's the hard part: figure out a way to get your password to your partner.
  6. Once you receive an encrypted message, you can run this command to decrypt the file and store the original message in a third file:
    $ openssl aes-256-cbc -d -in alice_to_bob.enc.txt -out alice_to_bob.dec.txt
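The six steps above as one script, added here as an example and not part of the lab hand-out. It assumes OpenSSL 1.1.1 or newer (for -pbkdf2) and feeds the password through an environment variable so it runs without a prompt; the message text and the "wrong" password are constructed for the demo.

```shell
#!/bin/sh
# Added example: Part I round trip with openssl enc. Assumes OpenSSL 1.1.1+.
# The password is handed to openssl via an environment variable so the
# script is non-interactive; at the lab prompt you simply type it.

# sym_roundtrip  alice_to_bob.txt  PASSWORD  WRONG_PASSWORD
# Writes alice_to_bob.enc.txt and alice_to_bob.dec.txt next to the input.
# Returns 0 if PASSWORD reproduces the plaintext and WRONG_PASSWORD does not.
sym_roundtrip() {
    in="$1"; pw="$2"; bad="$3"
    base="${in%.txt}"
    enc="$base.enc.txt"; dec="$base.dec.txt"; baddec="$base.baddec.txt"

    # -salt (the default) prepends "Salted__" plus 8 random bytes, so the
    # same password gives a different key/IV and ciphertext on every run.
    # -pbkdf2 derives key and IV with PBKDF2 (10000 iterations) instead of
    # the legacy one-pass EVP_BytesToKey that newer openssl warns about.
    OPENSSL_PW="$pw" openssl enc -aes-256-cbc -e -salt -pbkdf2 \
        -in "$in" -out "$enc" -pass env:OPENSSL_PW || return 1

    # The receiver must use the same cipher and the same KDF flags.
    OPENSSL_PW="$pw" openssl enc -aes-256-cbc -d -pbkdf2 \
        -in "$enc" -out "$dec" -pass env:OPENSSL_PW || return 1
    cmp -s "$in" "$dec" || return 1

    # A wrong password derives the wrong key. CBC has no integrity check,
    # so the only thing that normally catches it is the PKCS#7 padding on
    # the last block ("bad decrypt", exit status 1). Roughly 1 time in 256
    # the padding is valid by chance and you silently get garbage instead.
    if OPENSSL_PW="$bad" openssl enc -aes-256-cbc -d -pbkdf2 \
          -in "$enc" -out "$baddec" -pass env:OPENSSL_PW 2>/dev/null \
       && cmp -s "$in" "$baddec"; then
        return 2   # would mean the wrong password recovered the plaintext
    fi
    return 0
}

# salted_header FILE -> 0 if FILE starts with the "Salted__" magic
salted_header() {
    [ "$(head -c 8 "$1")" = "Salted__" ]
}

# Constructed sample run in a scratch directory.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 0; }
    tmp=$(mktemp -d)
    printf 'Hi Bob, the spare key is under the mat.\n' > "$tmp/alice_to_bob.txt"
    sym_roundtrip "$tmp/alice_to_bob.txt" 'correct horse battery staple' 'password123' \
        && salted_header "$tmp/alice_to_bob.enc.txt" \
        && echo "round trip ok; file starts with $(head -c 8 "$tmp/alice_to_bob.enc.txt")"
    rm -rf "$tmp"
}
demo
```

Run it twice and compare the two .enc.txt files: the salt makes them differ even though the password and message are identical, which is what you want from a password-based scheme.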

Things To Think About


Part II: Asymmetric Encryption

The hardest part was getting the password to the other person, right? Symmetric encryption is perfect when you can keep the password or keyfile all to yourself, but not when you're trying to communicate with someone. So try that again but using a public/private keypair this time.

Generate Keys

You'll use openssl to generate keys. Do NOT use the public/private keys you've already created for SSH. You'll create new temporary keys just for the purpose of this exercise, then you'll delete them. Replace name in the file names below with your own so we know whose key it is.

$ openssl genpkey -algorithm RSA -out name_private.pem -pkeyopt rsa_keygen_bits:2048
.........................................+++
...............................+++
$ openssl rsa -pubout -in name_private.pem -out name_public.pem
writing RSA key
  1. Open both key files in your editor to verify they're in the right format. The first line of name_private.pem should be -----BEGIN PRIVATE KEY----- (genpkey writes the key in PKCS#8 form) and the first line of name_public.pem should be -----BEGIN PUBLIC KEY-----. The private file never leaves your machine; only the public one gets shared.
  2. Now upload your public key to Slack so your partner can use it to send you a message.

Send Message

Go find your partner's public key on Slack and download it. You'll use it to encrypt your message. Keep the message short: RSA encrypts a single block, and with a 2048-bit key and the default PKCS#1 v1.5 padding that is at most 245 bytes of input (anything longer fails with "data too large for key size"). rsautl still works but has been deprecated since OpenSSL 3.0 in favor of openssl pkeyutl, which takes the same -encrypt/-decrypt, -inkey and -pubin flags. In this command, Alice is using Bob's public key to encrypt her message (-pubin tells openssl that -inkey names a public key):

$ openssl rsautl -encrypt -inkey bob_public.pem -pubin -in alice_to_bob.txt -out alice_to_bob.asym_enc.txt

Send the encrypted file over Slack for your partner to decrypt. Here, Bob is using his private key to decrypt Alice's message and store the result in a file:

$ openssl rsautl -decrypt -inkey bob_private.pem -in alice_to_bob.asym_enc.txt -out alice_to_bob.asym_dec.txt
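The key generation, the format check and the Alice-to-Bob exchange as one script, added here as an example and not part of the lab hand-out. It goes one step past the lab: because direct RSA only fits a short message, it also shows the hybrid scheme real tools use (encrypt the message with a fresh random symmetric key, RSA-encrypt only that key). It uses openssl pkeyutl, the current replacement for rsautl, assumes OpenSSL 1.1.1 or newer for -pbkdf2, reuses the lab's bob_*.pem and alice_to_bob.* names, and constructs its own message text.

```shell
#!/bin/sh
# Added example: Part II as a script, plus hybrid encryption for messages
# that are too long for RSA alone. Uses pkeyutl (replacement for the
# deprecated rsautl); needs OpenSSL 1.1.1+ for -pbkdf2. File names follow
# the lab; message contents are constructed here.

# make_keypair NAME  -> NAME_private.pem (PKCS#8) and NAME_public.pem
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1_private.pem" 2>/dev/null &&
    openssl rsa -pubout -in "$1_private.pem" -out "$1_public.pem" 2>/dev/null
}

# pem_header FILE -> prints the first line, e.g. -----BEGIN PUBLIC KEY-----
pem_header() {
    head -n 1 "$1"
}

# rsa_encrypt PUBKEY IN OUT  /  rsa_decrypt PRIVKEY IN OUT
# Same operation as the lab's rsautl commands. The default PKCS#1 v1.5
# padding uses 11 of the 256 bytes in a 2048-bit block, so IN may be at
# most 245 bytes; longer input fails with "data too large for key size".
rsa_encrypt() {
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" 2>/dev/null
}
rsa_decrypt() {
    openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" 2>/dev/null
}

# hybrid_encrypt PUBKEY IN OUT_KEY OUT_MSG
# 1. draw a random 256-bit secret, 2. RSA-encrypt it (64 hex chars fit
# easily under the 245-byte limit), 3. AES-256-CBC-encrypt the message
# using that secret as the password. Send both OUT_KEY and OUT_MSG.
hybrid_encrypt() {
    secret=$(openssl rand -hex 32) || return 1
    printf '%s' "$secret" | openssl pkeyutl -encrypt -pubin -inkey "$1" -out "$3" || return 1
    HYB_SECRET="$secret" openssl enc -aes-256-cbc -e -salt -pbkdf2 \
        -in "$2" -out "$4" -pass env:HYB_SECRET
}

# hybrid_decrypt PRIVKEY IN_KEY IN_MSG OUT: the receiver's mirror image.
hybrid_decrypt() {
    secret=$(openssl pkeyutl -decrypt -inkey "$1" -in "$2") || return 1
    HYB_SECRET="$secret" openssl enc -aes-256-cbc -d -pbkdf2 \
        -in "$3" -out "$4" -pass env:HYB_SECRET
}

# Constructed end-to-end run in a scratch directory.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 0; }
    work=$(mktemp -d)
    ( cd "$work" || exit 1
      make_keypair bob
      echo "private: $(pem_header bob_private.pem)"
      echo "public:  $(pem_header bob_public.pem)"
      # 300-byte message: too long for rsa_encrypt, fine for the hybrid path.
      printf '%300s' '' | tr ' ' 'A' > alice_to_bob.txt
      if rsa_encrypt bob_public.pem alice_to_bob.txt alice_to_bob.asym_enc.txt; then
          echo "unexpected: direct RSA accepted 300 bytes"
      else
          echo "direct RSA refused 300 bytes, as expected"
      fi
      hybrid_encrypt bob_public.pem alice_to_bob.txt key.enc alice_to_bob.hyb_enc.txt
      hybrid_decrypt bob_private.pem key.enc alice_to_bob.hyb_enc.txt alice_to_bob.hyb_dec.txt
      cmp -s alice_to_bob.txt alice_to_bob.hyb_dec.txt && echo "hybrid round trip ok"
    )
    rm -rf "$work"
}
demo
```

Note what the hybrid version does not give you: Bob learns nothing about who sent the message, since anyone with his public key could have produced both files. Authenticating the sender is what signatures are for.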

Things To Think About


What's Next?

Crypto has come a long way in the last few years; it's not just for developers anymore. Many apps come with end-to-end encryption out of the box, like Signal for secure text messaging. You can also use a key server like Keybase to store your keys, publicly verify them, and allow all sorts of encrypted communications. The HackBlossom cybersecurity guide has a whole list of other tools and practices you can look into.

Organizations like the Electronic Frontier Foundation have put together a ton of guides to help keep you secure. They also have a deep dive on how public key encryption works to help you understand this lab better.