September 30, 2020

The Crypto Magic Behind OpenSSL

We talked about introductory OpenSSL in a previous blog Dipping Our Toes into OpenSSL, that covered how it supports rich cryptographic-centric operations, which are needed for all sorts of things in the security domain and even outside of it. Today, let’s take the next step and understand some of the crypto arithmetic behind it, without making the topic too complicated.

SSL Basics

The most common operations we use day in day out are the SSL (Secure Socket Layer) enabled websites that use certificate verification and public key decryption all the time. To use SSL in your browser, be it for Internet banking, youtube, or any ordinary web traffic, the HTTP protocol needs to use encrypted payloads. (They use some fast encryption algorithm like AES, which uses a 256-bit symmetric key often.) An encryption algorithm works by using confusion and diffusion, and it uses many rounds of encryption and several round keys. Overall the symmetric operations are what makes fast encryption and decryption in HTTPS traffic possible.

But for the fast symmetric encryption and decryption operation to work, we first have to figure out a way to exchange the even secret AES key. That’s the reason why we need to use prime numbers, random numbers, and public-key cryptography. That is a slow and expensive operation, but that’s fine. It is used only to verify the website/certificate’s authenticity and then mostly only for signing and key exchange.

Public Key Infrastructure (PKI)

The utility of prime numbers is limited to PKI alone, and in this article, we will explore popular algorithms like RSA, DSA, DH, and Elliptic curve (EC) crypto. The way PKI uses public-key operations is fundamentally different from how traffic is encrypted. One uses symmetric encryption, while the other uses asymmetric encryption, which means it uses a public and a private key to encrypt and decrypt.

Both public and private key components use the same modulus, and thereby, they are related. So data encrypted with the public key is decrypted with the private key and vice versa. But since it involves prime number arithmetic involving many bits (4096 bits are standard), the exponentiation operations are used sparingly, and the encryption speeds are also slow.

Using OpenSSL to run the math

OpenSSL is the open-source toolkit widely available on all Linux, Mac, and Windows platforms, examining and performing above crypto arithmetic. Since public key cryptography employs a public and a private component, its keys are often called keypairs. There can be many possible combinations for these keypairs, and you can use different approaches like one public key with three private keys (or another mix), but the everyday use is one public and one private key. The public key is signed and used as a certificate, and the private key is encrypted with a passphrase and kept secret.

Generating and inspecting RSA private key

The way you use OpenSSL is like this:

$ openssl genpkey -out priv.pem 4096

Generating RSA private key, 4096 bit long modulus (2 primes) ................................++++ ....................................................................................................................++++ e is 65537 (0x010001)

Then you could inspect the key using these commands:

$ openssl pkey -in priv.pem -text

-----BEGIN PRIVATE KEY-----

MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCaeWaxg0LTNQviEzbGZQQbQ3QMT6ZfyjBOLX2zMOv1Ww519ICuyedNXzCa/pF6yM9RTiFM2rKh8CZMFzASFUraAIBFrndZmQnrOTCqvuJf0KRcb5cILIgkGK2EB27HvE8TdmeTAHOk9NDVgiHNkbAvm3zh3e8qpqvbhLfOVIi1lixdx7Tz+ApmeGVAMjEwLXtAo8ZQI/wCF9Zn2LmLQ50ggBbVCEM1L2BLa6FcSVBK1wqVF7+LB2qlqt1Qt8QBIshlzVab/pSJhTHxn6s220ehWcsHPTPFcLTCYFxcOm4sKtGVKVFNrqe0LgPPwJkgy1axZI6O8JQjfxC2i++JxkIEIVYSoxnBR3oIhaoxZDaTvTdXsKRY/zIBaWA1fCU3tbUEYfzygl76gFhynixXyH+hT28J7Jp8JF6NRCD83di0f33SWajT61XfIG9K0Usi2qcwlAB89l6i5Yd0PXbzjv/UCMxGKkMnOYIHrTZJikQ3R8JWBfeCQsJgDVkS29SNWd9OKwoZCQyvHdojjP4+lg8I0N4I1+RA4y/erkYQpLw0iL2fLBas2h+PzdKyukFsIF420LSKjZwq5E94qIslk7kYTBwBRyiYv0hOFBrYcv6L6oAVxepGTvhHsb+pDJY2dBhkH6z2oR51gtId2bmeXqE2SM+mjHFpQ3HWLQ4edL6t5QIDAQABAoICAGDpoT/k9dvD//yJyWeWoIjqPLgskFiwZLXnXGE7ZA2+Xsgp6UG/cdncyoWzCFpb+ZUsyz+IRWHLZHuAYKw3p4o1nkQZPM99b/efHaVBtIwgPb2wVLTQG2lqAhI/B4VP4tx3AGv9cJAg95O73LE3oa18g1DBB/deMZu7HAXaixpBaPw8+o3FI+E9z2gDFVEAd78KALTunoBBrEXidiWk+cMWGTz1vhRz8JngoI9hf3o0h3MaPxVeRc5B8C9f2xxLUiZsONYNVeshIUBRx/zWfY4A45tbDkvkdcMs6UUDc3NKOcq27UcrOBOWetWwI2GrsGwChl2vGYFbioS8Lj/lniw3pzv1Rma8HAwgtkt1BbtgD1onFqQXEdTGHuKwKdkyzp7DXHEw1TC08dXnGN8a4RmdyNThNXccuojD66uqE97XQQtWf0yWFZxCdHnikM3o9lIHr18LUi8nuQ4OKe5NIJ7vxvgX+l9Iu3bavmhmOR1LS3F5Pugb242SytOAFWVKkWaC/gYswrk7JJARawbCnRFPYr7nTjv1tUOuTRPrMR4pgmuxyXdeuEH4yjPLgkZyUta9fkkPNzKyhg5mqVA2zY06KNUbyo4uBLgYiP9HVg9yEyGXcDMrQLp5jISOEsW5XzaeLamxAQVv2tyUiboNAexH5ScWCDL9SO0AIJ4viEWBAoIBAQDH/BhgtCDATKQrc7hb+wnO+l16zUtm5D4BThgF/LGU3gEabaTGNRGFLibPmzlqDTrI3ALxwvGjstF5sxlGYbjcWKgqrZ71R55uhLrJa0mEywfeVBZfW0Wi32u+PXZrq/kskJgfY/5dL99ItEkdyRcwy3shrrQ/2EcURflFC8NVFT58EKOf+zauyFrmu9nHsfwk9B5TiTmm51vV7mklaaxuH7a3+wtso9VLCn4RHY6fvcfNQlODn6ySyV9Df2IcdKxYhZHj4e87BPEp54VKms4j36JAKH7I7b66ATawXtY5e+SwB0H1d5l5hdz3mRfyIShhhmJ7lV1G7N257uAx5CJ5AoIBAQDFvflib2orXBARkwTtueFPxlDD8aHLeMzlS8P1WHU2rs5eYLpDgiOxtEC+Qvo7rZJwvf84vdZAGz/fUmvWOohOl8l6zRA3qsRX2suo3pNqZ8I2ZkA4Hew0PChuI8TFZF3b32HW2rsotnpw+jlgvb/nSo50G/ePlLBbUqskNw+BGVo/PyLOwBfKT42vx1x6QoandJLc76RQBoD62zB/tuQWVFsKc/yhEG7RTpC5cKkZKaeFa3Mmk2geA+oLqcTPXuVKiyhavFOj3+dOEDWxYm3N+45tz9wGIQN8pOGFSgGWp6fGF1+nE8eIr5KND8XQt/u2HVCMZL6r7UiwAUr2OuvNAoIBAQCtiNcKiyPkWl0XC4qN3m/reBvH5P8qIKKhdUepYlYibOaeLUiPahty6tJo0jRnD2XUR/4SFeyi9ReKuFwVU9Ua95+tsQ0/oE8dbfW7tGqOXbPNPEBRrJznsWIIKcNpuUg2YJ5wls9xw4nIyBCuVQHXqKqHVtc4k49SS0n7nTJ50T5wX+vsdgxEbL1cfOOEwrCezGrIaEprx1VMdV4uRd2HjeN7ENAgDKaYQFmWtoQ9n2wSdByOGe+hTDZrFs1nDeNDyVwIV9TE7QvsJefnDiAUxwk/DSS/bHZVZ5oyP4k7RoPyL8oPnCHEbuGIxQMfa6BjyD4LKVhQpFfe8ScAhAtZAoIBAHvvFEV4lO82FTAemAEy9h8cqXQVlpVDUhAIS3oTBevO5bLLJxK2lw6Cbe2RZupOYDDfM/3pJUYqjf621rV/G/0+Lt4Tdi2djs+NZwWg8n3HKDcWIPvK7UbTyXc2XdZlkFoFCHozvwfGTrlOavXSF1usI9pryN4pj9q81lytUb9VF3X6aSNxy7dV4vSfm7tYxLJhYsasP6yUVvRiumPhSdUg66qChXyhIwN2HUjMbn9B1yfM72/nBWOCiobi0WIzFLyCuTkdPcLAy2TmzfAuQ6nNFziGBV2mBVxyrpHuj05QJ9wEvEOoJu/pMo3Mq+uj1FQQzXIglkyFPIBrXwMybKUCggEAMt+tsxuq+DnZBdS+WvDnGdJ4S2XStL4lCvGH4NPb6l7aghvSC+nMli1NUAGeVRMNIAeimZoTF2rf2Eix35FpC9fpsDEPxEMZDaNowgf/GYJrYGnYS71RSeNn0bT07e1SEWjm4f+7XD5A3it40WTeUpQlE7hLTcTKcWOyjCpPI7g45osBqPw0qvmbY9qxmvgouBmiutmDLET/D8pkarPGaWVJSpjNqaY1+KAiM2upc7ZRU9eF/VKhPsLmOIn/Jv6y6GVNbH075mEYObhGQXvZQPA/ILazcsX25CPn02zfveKCI2b7D1P1TJaS0dJRk5c6aCtWH29gXQYKs5qSykumoQ==

-----END PRIVATE KEY-----

RSA Private-Key: (4096 bit, 2 primes)

modulus:

00:9a:79:66:b1:83:42:d3:35:0b:e2:13:36:c6:65: 04:1b:43:74:0c:4f:a6:5f:ca:30:4e:2d:7d:b3:30: eb:f5:5b:0e:75:f4:80:ae:c9:e7:4d:5f:30:9a:fe: 91:7a:c8:cf:51:4e:21:4c:da:b2:a1:f0:26:4c:17: 30:12:15:4a:da:00:80:45:ae:77:59:99:09:eb:39: 30:aa:be:e2:5f:d0:a4:5c:6f:97:08:2c:88:24:18: ad:84:07:6e:c7:bc:4f:13:76:67:93:00:73:a4:f4: d0:d5:82:21:cd:91:b0:2f:9b:7c:e1:dd:ef:2a:a6: ab:db:84:b7:ce:54:88:b5:96:2c:5d:c7:b4:f3:f8: 0a:66:78:65:40:32:31:30:2d:7b:40:a3:c6:50:23: fc:02:17:d6:67:d8:b9:8b:43:9d:20:80:16:d5:08: 43:35:2f:60:4b:6b:a1:5c:49:50:4a:d7:0a:95:17: bf:8b:07:6a:a5:aa:dd:50:b7:c4:01:22:c8:65:cd: 56:9b:fe:94:89:85:31:f1:9f:ab:36:db:47:a1:59: cb:07:3d:33:c5:70:b4:c2:60:5c:5c:3a:6e:2c:2a: d1:95:29:51:4d:ae:a7:b4:2e:03:cf:c0:99:20:cb: 56:b1:64:8e:8e:f0:94:23:7f:10:b6:8b:ef:89:c6: 42:04:21:56:12:a3:19:c1:47:7a:08:85:aa:31:64: 36:93:bd:37:57:b0:a4:58:ff:32:01:69:60:35:7c: 25:37:b5:b5:04:61:fc:f2:82:5e:fa:80:58:72:9e: 2c:57:c8:7f:a1:4f:6f:09:ec:9a:7c:24:5e:8d:44: 20:fc:dd:d8:b4:7f:7d:d2:59:a8:d3:eb:55:df:20: 6f:4a:d1:4b:22:da:a7:30:94:00:7c:f6:5e:a2:e5: 87:74:3d:76:f3:8e:ff:d4:08:cc:46:2a:43:27:39: 82:07:ad:36:49:8a:44:37:47:c2:56:05:f7:82:42: c2:60:0d:59:12:db:d4:8d:59:df:4e:2b:0a:19:09: 0c:af:1d:da:23:8c:fe:3e:96:0f:08:d0:de:08:d7: e4:40:e3:2f:de:ae:46:10:a4:bc:34:88:bd:9f:2c: 16:ac:da:1f:8f:cd:d2:b2:ba:41:6c:20:5e:36:d0: b4:8a:8d:9c:2a:e4:4f:78:a8:8b:25:93:b9:18:4c: 1c:01:47:28:98:bf:48:4e:14:1a:d8:72:fe:8b:ea: 80:15:c5:ea:46:4e:f8:47:b1:bf:a9:0c:96:36:74: 18:64:1f:ac:f6:a1:1e:75:82:d2:1d:d9:b9:9e:5e: a1:36:48:cf:a6:8c:71:69:43:71:d6:2d:0e:1e:74: be:ad:e5

publicExponent: 65537 (0x10001)

privateExponent:

60:e9:a1:3f:e4:f5:db:c3:ff:fc:89:c9:67:96:a0: 88:ea:3c:b8:2c:90:58:b0:64:b5:e7:5c:61:3b:64: 0d:be:5e:c8:29:e9:41:bf:71:d9:dc:ca:85:b3:08: 5a:5b:f9:95:2c:cb:3f:88:45:61:cb:64:7b:80:60: ac:37:a7:8a:35:9e:44:19:3c:cf:7d:6f:f7:9f:1d: a5:41:b4:8c:20:3d:bd:b0:54:b4:d0:1b:69:6a:02: 12:3f:07:85:4f:e2:dc:77:00:6b:fd:70:90:20:f7: 93:bb:dc:b1:37:a1:ad:7c:83:50:c1:07:f7:5e:31: 9b:bb:1c:05:da:8b:1a:41:68:fc:3c:fa:8d:c5:23: e1:3d:cf:68:03:15:51:00:77:bf:0a:00:b4:ee:9e: 80:41:ac:45:e2:76:25:a4:f9:c3:16:19:3c:f5:be: 14:73:f0:99:e0:a0:8f:61:7f:7a:34:87:73:1a:3f: 15:5e:45:ce:41:f0:2f:5f:db:1c:4b:52:26:6c:38: d6:0d:55:eb:21:21:40:51:c7:fc:d6:7d:8e:00:e3: 9b:5b:0e:4b:e4:75:c3:2c:e9:45:03:73:73:4a:39: ca:b6:ed:47:2b:38:13:96:7a:d5:b0:23:61:ab:b0: 6c:02:86:5d:af:19:81:5b:8a:84:bc:2e:3f:e5:9e: 2c:37:a7:3b:f5:46:66:bc:1c:0c:20:b6:4b:75:05: bb:60:0f:5a:27:16:a4:17:11:d4:c6:1e:e2:b0:29: d9:32:ce:9e:c3:5c:71:30:d5:30:b4:f1:d5:e7:18: df:1a:e1:19:9d:c8:d4:e1:35:77:1c:ba:88:c3:eb: ab:aa:13:de:d7:41:0b:56:7f:4c:96:15:9c:42:74: 79:e2:90:cd:e8:f6:52:07:af:5f:0b:52:2f:27:b9: 0e:0e:29:ee:4d:20:9e:ef:c6:f8:17:fa:5f:48:bb: 76:da:be:68:66:39:1d:4b:4b:71:79:3e:e8:1b:db: 8d:92:ca:d3:80:15:65:4a:91:66:82:fe:06:2c:c2: b9:3b:24:90:11:6b:06:c2:9d:11:4f:62:be:e7:4e: 3b:f5:b5:43:ae:4d:13:eb:31:1e:29:82:6b:b1:c9: 77:5e:b8:41:f8:ca:33:cb:82:46:72:52:d6:bd:7e: 49:0f:37:32:b2:86:0e:66:a9:50:36:cd:8d:3a:28: d5:1b:ca:8e:2e:04:b8:18:88:ff:47:56:0f:72:13: 21:97:70:33:2b:40:ba:79:8c:84:8e:12:c5:b9:5f: 36:9e:2d:a9:b1:01:05:6f:da:dc:94:89:ba:0d:01: ec:47:e5:27:16:08:32:fd:48:ed:00:20:9e:2f:88: 45:81

prime1:

00:c7:fc:18:60:b4:20:c0:4c:a4:2b:73:b8:5b:fb: 09:ce:fa:5d:7a:cd:4b:66:e4:3e:01:4e:18:05:fc: b1:94:de:01:1a:6d:a4:c6:35:11:85:2e:26:cf:9b: 39:6a:0d:3a:c8:dc:02:f1:c2:f1:a3:b2:d1:79:b3: 19:46:61:b8:dc:58:a8:2a:ad:9e:f5:47:9e:6e:84: ba:c9:6b:49:84:cb:07:de:54:16:5f:5b:45:a2:df: 6b:be:3d:76:6b:ab:f9:2c:90:98:1f:63:fe:5d:2f: df:48:b4:49:1d:c9:17:30:cb:7b:21:ae:b4:3f:d8: 47:14:45:f9:45:0b:c3:55:15:3e:7c:10:a3:9f:fb: 36:ae:c8:5a:e6:bb:d9:c7:b1:fc:24:f4:1e:53:89: 39:a6:e7:5b:d5:ee:69:25:69:ac:6e:1f:b6:b7:fb: 0b:6c:a3:d5:4b:0a:7e:11:1d:8e:9f:bd:c7:cd:42: 53:83:9f:ac:92:c9:5f:43:7f:62:1c:74:ac:58:85: 91:e3:e1:ef:3b:04:f1:29:e7:85:4a:9a:ce:23:df: a2:40:28:7e:c8:ed:be:ba:01:36:b0:5e:d6:39:7b: e4:b0:07:41:f5:77:99:79:85:dc:f7:99:17:f2:21: 28:61:86:62:7b:95:5d:46:ec:dd:b9:ee:e0:31:e4: 22:79

prime2:

00:c5:bd:f9:62:6f:6a:2b:5c:10:11:93:04:ed:b9: e1:4f:c6:50:c3:f1:a1:cb:78:cc:e5:4b:c3:f5:58: 75:36:ae:ce:5e:60:ba:43:82:23:b1:b4:40:be:42: fa:3b:ad:92:70:bd:ff:38:bd:d6:40:1b:3f:df:52: 6b:d6:3a:88:4e:97:c9:7a:cd:10:37:aa:c4:57:da: cb:a8:de:93:6a:67:c2:36:66:40:38:1d:ec:34:3c: 28:6e:23:c4:c5:64:5d:db:df:61:d6:da:bb:28:b6: 7a:70:fa:39:60:bd:bf:e7:4a:8e:74:1b:f7:8f:94: b0:5b:52:ab:24:37:0f:81:19:5a:3f:3f:22:ce:c0: 17:ca:4f:8d:af:c7:5c:7a:42:86:a7:74:92:dc:ef: a4:50:06:80:fa:db:30:7f:b6:e4:16:54:5b:0a:73: fc:a1:10:6e:d1:4e:90:b9:70:a9:19:29:a7:85:6b: 73:26:93:68:1e:03:ea:0b:a9:c4:cf:5e:e5:4a:8b: 28:5a:bc:53:a3:df:e7:4e:10:35:b1:62:6d:cd:fb: 8e:6d:cf:dc:06:21:03:7c:a4:e1:85:4a:01:96:a7: a7:c6:17:5f:a7:13:c7:88:af:92:8d:0f:c5:d0:b7: fb:b6:1d:50:8c:64:be:ab:ed:48:b0:01:4a:f6:3a: eb:cd

exponent1:

00:ad:88:d7:0a:8b:23:e4:5a:5d:17:0b:8a:8d:de: 6f:eb:78:1b:c7:e4:ff:2a:20:a2:a1:75:47:a9:62: 56:22:6c:e6:9e:2d:48:8f:6a:1b:72:ea:d2:68:d2: 34:67:0f:65:d4:47:fe:12:15:ec:a2:f5:17:8a:b8: 5c:15:53:d5:1a:f7:9f:ad:b1:0d:3f:a0:4f:1d:6d: f5:bb:b4:6a:8e:5d:b3:cd:3c:40:51:ac:9c:e7:b1: 62:08:29:c3:69:b9:48:36:60:9e:70:96:cf:71:c3: 89:c8:c8:10:ae:55:01:d7:a8:aa:87:56:d7:38:93: 8f:52:4b:49:fb:9d:32:79:d1:3e:70:5f:eb:ec:76: 0c:44:6c:bd:5c:7c:e3:84:c2:b0:9e:cc:6a:c8:68: 4a:6b:c7:55:4c:75:5e:2e:45:dd:87:8d:e3:7b:10: d0:20:0c:a6:98:40:59:96:b6:84:3d:9f:6c:12:74: 1c:8e:19:ef:a1:4c:36:6b:16:cd:67:0d:e3:43:c9: 5c:08:57:d4:c4:ed:0b:ec:25:e7:e7:0e:20:14:c7: 09:3f:0d:24:bf:6c:76:55:67:9a:32:3f:89:3b:46: 83:f2:2f:ca:0f:9c:21:c4:6e:e1:88:c5:03:1f:6b: a0:63:c8:3e:0b:29:58:50:a4:57:de:f1:27:00:84: 0b:59

exponent2:

7b:ef:14:45:78:94:ef:36:15:30:1e:98:01:32:f6: 1f:1c:a9:74:15:96:95:43:52:10:08:4b:7a:13:05: eb:ce:e5:b2:cb:27:12:b6:97:0e:82:6d:ed:91:66: ea:4e:60:30:df:33:fd:e9:25:46:2a:8d:fe:b6:d6: b5:7f:1b:fd:3e:2e:de:13:76:2d:9d:8e:cf:8d:67: 05:a0:f2:7d:c7:28:37:16:20:fb:ca:ed:46:d3:c9: 77:36:5d:d6:65:90:5a:05:08:7a:33:bf:07:c6:4e: b9:4e:6a:f5:d2:17:5b:ac:23:da:6b:c8:de:29:8f: da:bc:d6:5c:ad:51:bf:55:17:75:fa:69:23:71:cb: b7:55:e2:f4:9f:9b:bb:58:c4:b2:61:62:c6:ac:3f: ac:94:56:f4:62:ba:63:e1:49:d5:20:eb:aa:82:85: 7c:a1:23:03:76:1d:48:cc:6e:7f:41:d7:27:cc:ef: 6f:e7:05:63:82:8a:86:e2:d1:62:33:14:bc:82:b9: 39:1d:3d:c2:c0:cb:64:e6:cd:f0:2e:43:a9:cd:17: 38:86:05:5d:a6:05:5c:72:ae:91:ee:8f:4e:50:27: dc:04:bc:43:a8:26:ef:e9:32:8d:cc:ab:eb:a3:d4: 54:10:cd:72:20:96:4c:85:3c:80:6b:5f:03:32:6c: a5

coefficient:

32:df:ad:b3:1b:aa:f8:39:d9:05:d4:be:5a:f0:e7: 19:d2:78:4b:65:d2:b4:be:25:0a:f1:87:e0:d3:db: ea:5e:da:82:1b:d2:0b:e9:cc:96:2d:4d:50:01:9e: 55:13:0d:20:07:a2:99:9a:13:17:6a:df:d8:48:b1: df:91:69:0b:d7:e9:b0:31:0f:c4:43:19:0d:a3:68: c2:07:ff:19:82:6b:60:69:d8:4b:bd:51:49:e3:67: d1:b4:f4:ed:ed:52:11:68:e6:e1:ff:bb:5c:3e:40: de:2b:78:d1:64:de:52:94:25:13:b8:4b:4d:c4:ca: 71:63:b2:8c:2a:4f:23:b8:38:e6:8b:01:a8:fc:34: aa:f9:9b:63:da:b1:9a:f8:28:b8:19:a2:ba:d9:83: 2c:44:ff:0f:ca:64:6a:b3:c6:69:65:49:4a:98:cd: a9:a6:35:f8:a0:22:33:6b:a9:73:b6:51:53:d7:85: fd:52:a1:3e:c2:e6:38:89:ff:26:fe:b2:e8:65:4d: 6c:7d:3b:e6:61:18:39:b8:46:41:7b:d9:40:f0:3f: 20:b6:b3:72:c5:f6:e4:23:e7:d3:6c:df:bd:e2:82: 23:66:fb:0f:53:f5:4c:96:92:d1:d2:51:93:97:3a: 68:2b:56:1f:6f:60:5d:06:0a:b3:9a:92:ca:4b:a6: a1

As you can see from above, the private key is quite big and has many mathematical components/properties.

Deriving and inspecting the RSA public key

The public key derived from the private key looks like this:

$ openssl pkey -in priv.pem -out pub.pem -pubout

The above command puts the public key into the file pub.pem file. The pem extension stands for enhanced privacy mail from the old PGP days, and there are several other formats for a key like PKCS8 or PKCS12 and DER, and so on.

For now, let us focus on crypto mathematics.

To inspect the public key do this:

$ openssl pkey -in pub.pem -pubin -text

-----BEGIN PUBLIC KEY-----

MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmnlmsYNC0zUL4hM2xmUEG0N0DE+mX8owTi19szDr9VsOdfSArsnnTV8wmv6ResjPUU4hTNqyofAmTBcwEhVK2gCARa53WZkJ6zkwqr7iX9CkXG+XCCyIJBithAdux7xPE3ZnkwBzpPTQ1YIhzZGwL5t84d3vKqar24S3zlSItZYsXce08/gKZnhlQDIxMC17QKPGUCP8AhfWZ9i5i0OdIIAW1QhDNS9gS2uhXElQStcKlRe/iwdqpardULfEASLIZc1Wm/6UiYUx8Z+rNttHoVnLBz0zxXC0wmBcXDpuLCrRlSlRTa6ntC4Dz8CZIMtWsWSOjvCUI38QtovvicZCBCFWEqMZwUd6CIWqMWQ2k703V7CkWP8yAWlgNXwlN7W1BGH88oJe+oBYcp4sV8h/oU9vCeyafCRejUQg/N3YtH990lmo0+tV3yBvStFLItqnMJQAfPZeouWHdD12847/1AjMRipDJzmCB602SYpEN0fCVgX3gkLCYA1ZEtvUjVnfTisKGQkMrx3aI4z+PpYPCNDeCNfkQOMv3q5GEKS8NIi9nywWrNofj83SsrpBbCBeNtC0io2cKuRPeKiLJZO5GEwcAUcomL9IThQa2HL+i+qAFcXqRk74R7G/qQyWNnQYZB+s9qEedYLSHdm5nl6hNkjPpoxxaUNx1i0OHnS+reUCAwEAAQ==

-----END PUBLIC KEY-----

RSA Public-Key: (4096 bit) Modulus: 00:9a:79:66:b1:83:42:d3:35:0b:e2:13:36:c6:65: 04:1b:43:74:0c:4f:a6:5f:ca:30:4e:2d:7d:b3:30: eb:f5:5b:0e:75:f4:80:ae:c9:e7:4d:5f:30:9a:fe: 91:7a:c8:cf:51:4e:21:4c:da:b2:a1:f0:26:4c:17: 30:12:15:4a:da:00:80:45:ae:77:59:99:09:eb:39: 30:aa:be:e2:5f:d0:a4:5c:6f:97:08:2c:88:24:18: ad:84:07:6e:c7:bc:4f:13:76:67:93:00:73:a4:f4: d0:d5:82:21:cd:91:b0:2f:9b:7c:e1:dd:ef:2a:a6: ab:db:84:b7:ce:54:88:b5:96:2c:5d:c7:b4:f3:f8: 0a:66:78:65:40:32:31:30:2d:7b:40:a3:c6:50:23: fc:02:17:d6:67:d8:b9:8b:43:9d:20:80:16:d5:08: 43:35:2f:60:4b:6b:a1:5c:49:50:4a:d7:0a:95:17: bf:8b:07:6a:a5:aa:dd:50:b7:c4:01:22:c8:65:cd: 56:9b:fe:94:89:85:31:f1:9f:ab:36:db:47:a1:59: cb:07:3d:33:c5:70:b4:c2:60:5c:5c:3a:6e:2c:2a: d1:95:29:51:4d:ae:a7:b4:2e:03:cf:c0:99:20:cb: 56:b1:64:8e:8e:f0:94:23:7f:10:b6:8b:ef:89:c6: 42:04:21:56:12:a3:19:c1:47:7a:08:85:aa:31:64: 36:93:bd:37:57:b0:a4:58:ff:32:01:69:60:35:7c: 25:37:b5:b5:04:61:fc:f2:82:5e:fa:80:58:72:9e: 2c:57:c8:7f:a1:4f:6f:09:ec:9a:7c:24:5e:8d:44: 20:fc:dd:d8:b4:7f:7d:d2:59:a8:d3:eb:55:df:20: 6f:4a:d1:4b:22:da:a7:30:94:00:7c:f6:5e:a2:e5: 87:74:3d:76:f3:8e:ff:d4:08:cc:46:2a:43:27:39: 82:07:ad:36:49:8a:44:37:47:c2:56:05:f7:82:42: c2:60:0d:59:12:db:d4:8d:59:df:4e:2b:0a:19:09: 0c:af:1d:da:23:8c:fe:3e:96:0f:08:d0:de:08:d7: e4:40:e3:2f:de:ae:46:10:a4:bc:34:88:bd:9f:2c: 16:ac:da:1f:8f:cd:d2:b2:ba:41:6c:20:5e:36:d0: b4:8a:8d:9c:2a:e4:4f:78:a8:8b:25:93:b9:18:4c: 1c:01:47:28:98:bf:48:4e:14:1a:d8:72:fe:8b:ea: 80:15:c5:ea:46:4e:f8:47:b1:bf:a9:0c:96:36:74: 18:64:1f:ac:f6:a1:1e:75:82:d2:1d:d9:b9:9e:5e: a1:36:48:cf:a6:8c:71:69:43:71:d6:2d:0e:1e:74: be:ad:e5 Exponent: 65537 (0x10001)

What you can observe above is that the modulus is the same in both cases. If the modulus changes, then the keypair is not correct. This is a convenient rule of thumb to identify keypairs. But in OpenSSL, there is no such problem since the private key alone is enough.

This is quite similar to the physical door lock and key we have at home in which for locking, no key is required, but to open, you need the key. This physical world analogy works in the case of RSA private keys in OpenSSL.

Same operations using Elliptic Curve (EC) keys

Nowadays, the EC keys are more common as they have much smaller key lengths and also lend to easier computation. To explore that, we can use these commands:

$ openssl ecparam -list_curves

secp112r1 : SECG/WTLS curve over a 112 bit prime field secp112r2 : SECG curve over a 112 bit prime field secp128r1 : SECG curve over a 128 bit prime field secp128r2 : SECG curve over a 128 bit prime field secp160k1 : SECG curve over a 160 bit prime field secp160r1 : SECG curve over a 160 bit prime field secp160r2 : SECG/WTLS curve over a 160 bit prime field secp192k1 : SECG curve over a 192 bit prime field secp224k1 : SECG curve over a 224 bit prime field secp224r1 : NIST/SECG curve over a 224 bit prime field secp256k1 : SECG curve over a 256 bit prime field secp384r1 : NIST/SECG curve over a 384 bit prime field secp521r1 : NIST/SECG curve over a 521 bit prime field prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field prime192v2: X9.62 curve over a 192 bit prime field prime192v3: X9.62 curve over a 192 bit prime field prime239v1: X9.62 curve over a 239 bit prime field prime239v2: X9.62 curve over a 239 bit prime field prime239v3: X9.62 curve over a 239 bit prime field prime256v1: X9.62/SECG curve over a 256 bit prime field sect113r1 : SECG curve over a 113 bit binary field sect113r2 : SECG curve over a 113 bit binary field sect131r1 : SECG/WTLS curve over a 131 bit binary field sect131r2 : SECG curve over a 131 bit binary field sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field sect163r1 : SECG curve over a 163 bit binary field sect163r2 : NIST/SECG curve over a 163 bit binary field sect193r1 : SECG curve over a 193 bit binary field sect193r2 : SECG curve over a 193 bit binary field sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field sect239k1 : SECG curve over a 239 bit binary field sect283k1 : NIST/SECG curve over a 283 bit binary field sect283r1 : NIST/SECG curve over a 283 bit binary field sect409k1 : NIST/SECG curve over a 409 bit binary field sect409r1 : NIST/SECG curve over a 409 bit binary field sect571k1 : NIST/SECG curve over a 571 bit binary field sect571r1 : NIST/SECG curve over a 571 bit binary field c2pnb163v1: X9.62 curve over a 163 bit binary field c2pnb163v2: X9.62 curve over a 163 bit binary field c2pnb163v3: X9.62 curve over a 163 bit binary field c2pnb176v1: X9.62 curve over a 176 bit binary field c2tnb191v1: X9.62 curve over a 191 bit binary field c2tnb191v2: X9.62 curve over a 191 bit binary field c2tnb191v3: X9.62 curve over a 191 bit binary field c2pnb208w1: X9.62 curve over a 208 bit binary field c2tnb239v1: X9.62 curve over a 239 bit binary field c2tnb239v2: X9.62 curve over a 239 bit binary field c2tnb239v3: X9.62 curve over a 239 bit binary field c2pnb272w1: X9.62 curve over a 272 bit binary field c2pnb304w1: X9.62 curve over a 304 bit binary field c2tnb359v1: X9.62 curve over a 359 bit binary field c2pnb368w1: X9.62 curve over a 368 bit binary field c2tnb431r1: X9.62 curve over a 431 bit binary field wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field Oakley-EC2N-3: IPSec/IKE/Oakley curve #3 over a 155 bit binary field. Not suitable for ECDSA. Questionable extension field! Oakley-EC2N-4: IPSec/IKE/Oakley curve #4 over a 185 bit binary field. Not suitable for ECDSA. Questionable extension field! brainpoolP160r1: RFC 5639 curve over a 160 bit prime field brainpoolP160t1: RFC 5639 curve over a 160 bit prime field brainpoolP192r1: RFC 5639 curve over a 192 bit prime field brainpoolP192t1: RFC 5639 curve over a 192 bit prime field brainpoolP224r1: RFC 5639 curve over a 224 bit prime field brainpoolP224t1: RFC 5639 curve over a 224 bit prime field brainpoolP256r1: RFC 5639 curve over a 256 bit prime field brainpoolP256t1: RFC 5639 curve over a 256 bit prime field brainpoolP320r1: RFC 5639 curve over a 320 bit prime field brainpoolP320t1: RFC 5639 curve over a 320 bit prime field brainpoolP384r1: RFC 5639 curve over a 384 bit prime field brainpoolP384t1: RFC 5639 curve over a 384 bit prime field brainpoolP512r1: RFC 5639 curve over a 512 bit prime field brainpoolP512t1: RFC 5639 curve over a 512 bit prime field SM2 : SM2 curve over a 256 bit prime field

Then you do this to generate the private key:

$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:brainpoolP512r1 -out ecpriv.pem

-----BEGIN PRIVATE KEY-----

MIHsAgEAMBQGByqGSM49AgEGCSskAwMCCAEBDQSB0DCBzQIBAQRApTqxhEQqnAW7xzplpCPngxEn3qjpndipIiX2F97KLKn9geWco8raFI1ItwXmdYI0l/4uoIH32p1sDQElfatnM6GBhQOBggAEjTbTbsVoabgdioho9mS1sVl6lhnGICHCN/T3ejHb5XNlvaTW1Jj22dyHnAZQK0UInePJE8OtZg2buaHL1rfH7khb9sn1G4UXHMquiwtF76TPfI946ziPbywvQ4TcqnFWrutvMtXeWc2rgguOHQ2EA7UrIYeyb7R3iXP6lKKt6dc=

-----END PRIVATE KEY-----

This generates an unencrypted private key which is not very useful right?

So we do this:

$ openssl genpkey -aes256 -algorithm EC -pkeyopt ec_paramgen_curve:brainpoolP512r1

Enter PEM pass phrase:

Verifying – Enter PEM pass phrase:

-----BEGIN ENCRYPTED PRIVATE KEY-----

MIIBTDBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIR0bcxHjoqVQCAggAMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAChA9iAyDu0WTrwT9hZ7WIBIHw8XI6iZWDX8JDrXLefOtO+wsIFSX78ajt5kp/+R8dJAF7lf5h9iLqPx8FFwQRey5m/os6nAAN07045tSn0vlZGkILBi/MqU4kcenyGrAZZ/vxfGKwBhkyU+RnHeHoaJ9jHD3FCnSeNffAnPu4Wy18QobFUAlhznk23CexiTtFCqiM4VXlC3pZjAL+/PBBAeQDxadOcOjjgj6/5/R4gG+hc2JOA79dyesGL8SsUlV2Dxogdup7FyMDYmJDNMWLVkvpxbacT6i9JIXYPPAUeZZ7wzsK4w3LMQEGDYYdebwE48WjKPA5JOfQ7/ohcdo0FfzA

-----END ENCRYPTED PRIVATE KEY-----

To inspect the private key, we do this:

$ openssl pkey -in ecpriv.pem -text

-----BEGIN PRIVATE KEY-----

MIHsAgEAMBQGByqGSM49AgEGCSskAwMCCAEBDQSB0DCBzQIBAQRADR40pjESmjKliO6km/585r2Jh0+3UtZkC+MU/Y1NiXsfJb08TfZ7fo8EB+67NGZwSypA7Aj7aprmRPjhKRGTlKGBhQOBggAEFHD0OoOhUBAErv5x3q+suec7O9qT+4wtb6S7QhwpsFsPnnF/oaHoZUHpJ4N3elgJCslblS/YLlvxNHla1MT4X5Lz+tGBCq6wP/gKImgpWs/tUWLDLOsfTkIgk0iGsBjtJpK4x72m4iiFCZ9X7kjR+RNvORcyVAAriZ1xdG9r/jQ=

-----END PRIVATE KEY-----

Private-Key: (512 bit)

priv:

0d:1e:34:a6:31:12:9a:32:a5:88:ee:a4:9b:fe:7c: e6:bd:89:87:4f:b7:52:d6:64:0b:e3:14:fd:8d:4d: 89:7b:1f:25:bd:3c:4d:f6:7b:7e:8f:04:07:ee:bb: 34:66:70:4b:2a:40:ec:08:fb:6a:9a:e6:44:f8:e1: 29:11:93:94 pub: 04:14:70:f4:3a:83:a1:50:10:04:ae:fe:71:de:af: ac:b9:e7:3b:3b:da:93:fb:8c:2d:6f:a4:bb:42:1c: 29:b0:5b:0f:9e:71:7f:a1:a1:e8:65:41:e9:27:83: 77:7a:58:09:0a:c9:5b:95:2f:d8:2e:5b:f1:34:79: 5a:d4:c4:f8:5f:92:f3:fa:d1:81:0a:ae:b0:3f:f8: 0a:22:68:29:5a:cf:ed:51:62:c3:2c:eb:1f:4e:42: 20:93:48:86:b0:18:ed:26:92:b8:c7:bd:a6:e2:28: 85:09:9f:57:ee:48:d1:f9:13:6f:39:17:32:54:00: 2b:89:9d:71:74:6f:6b:fe:34 ASN1 OID: brainpoolP512r1

As you can see, the above private key has fewer components than the RSA counterpart.

Conclusion

Hopefully, this article gives you an idea about the serious math that goes behind the OpenSSL toolkit, which is used worldwide for almost all crypto operations like certificate generation, verification, etc. and is used day in day out for SSL websites. We ran the operations manually for both RSA and EC keys.

We shall close the article with a simple prime number generation using OpenSSL, which is, after all, at the base of all these advanced real-life uses:

$ openssl prime -generate -bits 30

817978963

Did you enjoy this content? Follow our LinkedIn page!

Contributed by:

Dhiraj Sharan

Chief Scientist & Founder, Query