OpenSSL: Generate Strong Keys Using ECDH

Apr 03, 2020. Use the following methods to generate a strong 32-character shared secret.

Using OpenSSL to generate a shared secret: run the following OpenSSL command on a Linux or macOS system (24 random bytes encode to 32 base64 characters):

openssl rand -base64 24

Using /dev/urandom to generate a shared secret: on Linux or macOS, you can also use /dev/urandom as a pseudorandom.

How to generate keys in PEM format using the OpenSSL command line tools? The JOSE standard recommends a minimum RSA key size of 2048 bits. To generate a 2048-bit RSA private + public key pair for use in RSxxx and PSxxx signatures (the key size must come after the options, or genrsa rejects the extra argument):

openssl genrsa -out rsa-2048bit-key-pair.pem 2048

Elliptic Curve keys: to generate an EC key pair, the curve designation must be specified.

Last commit: mattcaswell, "Update some documentation for X448/Ed448", a2eecb5, Mar 2, 2018
<DRAFT!>
HOWTO keys
1. Introduction
Keys are the basis of public key algorithms and PKI. Keys usually
come in pairs, with one half being the public key and the other half
being the private key. With OpenSSL, the private key contains the
public key information as well, so a public key doesn't need to be
generated separately.
Public keys come in several flavors, using different cryptographic
algorithms. The most popular ones associated with certificates are
RSA and DSA, and this HOWTO will show how to generate each of them.
2. To generate an RSA key
An RSA key can be used both for encryption and for signing.
Generating a key for the RSA algorithm is quite easy; all you have to
do is the following:
openssl genrsa -des3 -out privkey.pem 2048
With this variant, you will be prompted for a protecting password. If
you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.
The number 2048 is the size of the key, in bits. Today, 2048 or
higher is recommended for RSA keys, as smaller sizes are considered
insecure, or are expected to become insecure soon.
3. To generate a DSA key
A DSA key can be used for signing only. It is important to
know what a certificate request with a DSA key can really be used for.
Generating a key for the DSA algorithm is a two-step process. First,
you have to generate parameters from which to generate the key:
openssl dsaparam -out dsaparam.pem 2048
The number 2048 is the size of the key, in bits. Today, 2048 or
higher is recommended for DSA keys, as smaller sizes are considered
insecure, or are expected to become insecure soon.
When that is done, you can generate a key using the parameters in
question (actually, several keys can be generated from the same
parameters):
openssl gendsa -des3 -out privkey.pem dsaparam.pem
With this variant, you will be prompted for a protecting password. If
you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.
4. To generate an EC key
An EC key can be used both for key agreement (ECDH) and signing (ECDSA).
Generating a key for ECC is similar to generating a DSA key. These are
two-step processes. First, you have to get the EC parameters from which
the key will be generated:
openssl ecparam -name prime256v1 -out prime256v1.pem
prime256v1, also known as NIST P-256 and described by OpenSSL as
'X9.62/SECG curve over a 256-bit prime field', is the name of the elliptic
curve from which the parameters are generated. You can use the following
command to list all supported curves:
openssl ecparam -list_curves
When that is done, you can generate a key using the created parameters (several
keys can be produced from the same parameters):
openssl genpkey -des3 -paramfile prime256v1.pem -out private.key
With this variant, you will be prompted for a password to protect your key.
If you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.
You can also directly generate the key in one step:
openssl ecparam -genkey -name prime256v1 -out private.key
or
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256
5. NOTE
If you intend to use the key together with a server certificate,
it may be reasonable to avoid protecting it with a password, since
otherwise someone would have to type in the password every time the
server needs to access the key.
X25519 and X448 are each treated as a distinct algorithm, not as one of
the curves listed by the 'ecparam -list_curves' option. You can use
the following command to generate an X25519 key:
openssl genpkey -algorithm X25519 -out xkey.pem

The code in this repo relies on OpenSSL's C code library and command line tool. The commands in this README.md mirror the same function as the C code but use OpenSSL's command line tool. The C code represents my User 1 and the command line pieces represent User 2. This is useful as it helps demo how ECDH works and validates that both sides are deriving the same key. NOTE - the HMAC operation, after the ECDH piece has completed, has been verified against https://tools.ietf.org/html/rfc4231

Background - Diffie-Hellman

Diffie-Hellman is a Key Agreement protocol. It is used when two parties want to derive the same shared secret over an insecure channel. The secret key cannot be observed by intercepting the communication between the two parties.

  • Each party MUST share their own EC Public Key with the other party.
  • Each party MUST agree on the Named Curved being used before generating the EC Key Pair.
  • The two parties NEVER exchange the derived key.

Background - Diffie-Hellman alone is not enough

Diffie-Hellman provides no mechanism for ensuring that the entity on the other end of the connection is who you think it is. For mobile apps, this is where the value of other Data in Transit controls such as Certificate Pinning, HTTP Basic Auth, Access Token schemes come into play.

Background - Why use ECDH?

Elliptic Curve Diffie-Hellman (ECDH) is an Elliptic Curve variant of the standard Diffie Hellman algorithm. I like it over traditional DH which uses RSA for two reasons:

  • Key generation is quicker. This is important for mobile apps when you might rotate your keys or even generate new EC Key Pairs for each session.
  • A slightly simpler Key Derivation process. You only need the other side's Public Key as you both have already agreed on a Named Curve [and the parameters to use in Key Generation].

Setup OpenSSL's Command Line Tool

Print the version (and all information) regarding the OpenSSL install:

openssl version -a

This will print your version, which is likely to look like:

OpenSSL 1.0.2h 3 May 2016

Find out where it is located on your machine:

which openssl

Smoke test that it works by starting the interactive prompt:

openssl

and then type:

speed

Select a well known, well tested Curve

To generate an ECDH key pair (not a DH key pair) with the OpenSSL command-line tool, you must first select one of the available curves. A named curve is simply a well-defined and well-known set of parameters that define an elliptic curve.

Print them here:

openssl ecparam -list_curves

User 1: Setup is all done in C code

Generate an ECDH key pair in C code based on the selected curve. Just build and run the C code. It will create the required PEM files.

Checkpoints

Ok, the OpenSSL list is very misleading. Better read this [article] for the actual truth. Now generate a curve PEM file:

openssl ecparam -out ec_param.pem -name prime256v1

Check that the curve parameters are valid:

openssl ecparam -in ec_param.pem -text -check


This will print something like:

ASN1 OID: prime256v1
NIST CURVE: P-256

Note - you cannot put a key file into this command.

Checkpoint: Print out the C code

Print out the C code that was used to generate the EC Parameters.

openssl ecparam -in ec_param.pem -text -C

User 2: Setup

Generate an ECDH key pair, encoding the curve as explicit parameters rather than a named curve.

openssl ecparam -in ec_param.pem -genkey -noout -out appKey.pem -param_enc explicit

Now you can read the public key, private key and curve by typing:

openssl pkey -in appKey.pem -text -noout

Now extract the public key in preparation for sharing:

openssl pkey -in appKey.pem -pubout -out appPubKey.pem

Checkpoint: Check your Key Pair, Public Key

Print the newly extracted public key:

openssl ec -in appPubKey.pem -pubin -text -noout

Note - it will tell you the private key length (256 bit).

A slightly abbreviated version (due to point compression) is:

openssl ec -in appPubKey.pem -pubin -text -noout -conv_form compressed

Checkpoint: Check your Key Pair, Private Key

Check your EC private key details by typing the following command:

openssl pkey -in appKey.pem -text -noout

Notice the Private Key elements that are excluded from the public key file.

User 2: get Server’s Public Key

This is the trickier piece, as it requires a login and callback. Stubbed for now.

User 2: attempt to generate the Secret Key

The magic step:

openssl pkeyutl -derive -inkey appKey.pem -peerkey serPubKey.pem -out appBinaryKey.bin

Print the binary secret key as hex:

xxd appBinaryKey.bin

Checkpoint - almost there - Keys must be equal

If your keys match, you can perform the last step. The Hmac.


Now add Authenticity to your Derived Secret

This step assumes both parties shared - out of band - a key that is used to create a keyed hash (MAC):

$ openssl dgst -sha256 -mac HMAC -macopt hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b appSecret.bin

Final test to ensure keys match

$ cmp secret1.bin secret2.bin


Checkpoint : make keys readable

Convert the binary key to a base64 key:

openssl base64 -in serBinaryKey.bin -out serB64Key.txt


You don't need the following step, but it shows that the conversion is reversible:

$ openssl base64 -d -in secret1.b64 -out secret3.bin
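The whole procedure, from the one-step EC key generation in section 4 of the HOWTO through the "keys must be equal" checkpoint and the HMAC step of this README, as an added shell script that is not the README's own code. It assumes openssl is on PATH; the file names under a temp directory and the demo HMAC key are constructed for this script.

```shell
#!/bin/sh
# Added example, not the README's own code: the full ECDH round trip with the
# OpenSSL CLI on prime256v1, the "keys must be equal" checkpoint, and the HMAC
# step. File names and the demo HMAC key below are constructed for this script.
set -eu

WORK=${WORK:-$(mktemp -d)}
CURVE=prime256v1                                   # NIST P-256
DEMO_KEY=0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b   # RFC 4231 case 1 key, demo only

# One-step key generation (section 4 of the HOWTO), then export the public
# half: that file is the only thing a party ever hands to its peer.
ecdh_keygen() {                                   # $1 = party name
  openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$CURVE" -out "$WORK/$1.pem"
  openssl pkey -in "$WORK/$1.pem" -pubout -out "$WORK/$1.pub.pem"
}

# Derive the shared secret from own private key + peer public key and print it
# as hex (the raw x-coordinate pkeyutl writes, 32 bytes for P-256).
ecdh_derive() {                                   # $1 = self, $2 = peer
  openssl pkeyutl -derive -inkey "$WORK/$1.pem" -peerkey "$WORK/$2.pub.pem" \
    -out "$WORK/$1.secret.bin"
  od -An -tx1 -v "$WORK/$1.secret.bin" | tr -d ' \n'
}

# Keyed hash over a file with a key shared out of band; prints the hex tag.
hmac_sha256() {                                   # $1 = hex key, $2 = file
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" "$2" | awk '{print $NF}'
}

# Both sides derive; the derived secret itself is never exchanged.
run_exchange() {
  ecdh_keygen app
  ecdh_keygen ser
  APP_SECRET=$(ecdh_derive app ser)
  SER_SECRET=$(ecdh_derive ser app)
  [ "$APP_SECRET" = "$SER_SECRET" ]               # checkpoint: keys must be equal
}

# Known-answer check of the HMAC step against RFC 4231 test case 1
# (key 0x0b x 20, data "Hi There"), which the README says it verified against.
rfc4231_case1() {
  printf 'Hi There' > "$WORK/hi.bin"
  hmac_sha256 "$DEMO_KEY" "$WORK/hi.bin"
}

run_exchange
echo "shared secret (both sides): $APP_SECRET"
echo "HMAC-SHA256 over it:        $(hmac_sha256 "$DEMO_KEY" "$WORK/app.secret.bin")"
```

Under set -e the equality test in run_exchange aborts the script if the two derivations ever differ, which is the same check the README performs with cmp.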