I have generated an EC public/private key pair using openssl with the following commands:
openssl ecparam -name brainpoolP512t1 -param_enc explicit -genkey -out mykey.pem
openssl ec -in mykey.pem -pubout -out mykey.pub
How can I encrypt / decrypt a file using the new keys that I've just generated using the (Linux) terminal?
Best Answer
The high level strategy for this is as follows:
openssl ec
openssl pkeyutl
openssl enc using the derived secret key
openssl ecparam
openssl dgst
The manual flow for this should roughly look as follows:
The script doing the encryption should roughly look like the following:
The above code should work, but may not be optimal. The final message is composed from temppubkey.pem, ciphertext.enc and MAC.bin, you may combine this in whatever way you prefer. Note that my choice for AES-256-OFB is no accident but intentional as CTR, CCM and GCM mode aren't available via the command line. Note further that I preferred AES-256 over the standard choice of AES-128 here because we can simply plug the output of SHA-256 in there. Note even further that using an all-zero IV is secure here as OFB "only" requires unique IVs per key and each key is fully random.

As for the security considerations: This method will generate a temporary private key for each file, ensuring all encryptions are unique and leakage of one shared secret won't leak all shared secrets for the same pair of communication partners. You could use digital signatures to ensure the message actually came from the same source.
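
An added example (not the answer author's script) of the flow the answer outlines, together with the matching receiving side that checks the MAC before decrypting. The function names, the CURVE variable and the "enc"/"mac" labels used to derive separate cipher and MAC keys from the shared secret are assumptions of this example.

```shell
#!/bin/sh
# Added example: ephemeral ECDH + SHA-256 + AES-256-OFB + HMAC-SHA256 via openssl.
# Assumptions: function names, the "enc"/"mac" key labels, the CURVE variable.
CURVE=${CURVE:-brainpoolP512t1}          # must be the curve of the recipient key
ZERO_IV=00000000000000000000000000000000 # all-zero IV; each key is used once

# derive_key LABEL SECRET_FILE: print hex SHA-256(LABEL || shared secret)
derive_key() {
    { printf '%s' "$1"; cat "$2"; } | openssl dgst -sha256 -r | cut -d' ' -f1
}

# ec_encrypt RECIPIENT_PUB PLAINTEXT OUTDIR
# writes OUTDIR/temppubkey.pem, OUTDIR/ciphertext.enc, OUTDIR/MAC.bin
ec_encrypt() {
    tmp=$(mktemp -d) || return 1
    openssl ecparam -name "$CURVE" -param_enc explicit -genkey -noout \
        -out "$tmp/temppriv.pem" &&
    openssl pkeyutl -derive -inkey "$tmp/temppriv.pem" -peerkey "$1" \
        -out "$tmp/secret.bin" &&
    openssl enc -aes-256-ofb -iv "$ZERO_IV" \
        -K "$(derive_key enc "$tmp/secret.bin")" \
        -in "$2" -out "$3/ciphertext.enc" &&
    openssl ec -in "$tmp/temppriv.pem" -pubout \
        -out "$3/temppubkey.pem" 2>/dev/null &&
    openssl dgst -sha256 -mac HMAC \
        -macopt "hexkey:$(derive_key mac "$tmp/secret.bin")" \
        -binary -out "$3/MAC.bin" "$3/ciphertext.enc"
    rc=$?
    rm -rf "$tmp"    # discard the temporary private key and the shared secret
    return "$rc"
}

# ec_decrypt RECIPIENT_PRIV INDIR PLAINTEXT_OUT
# verifies the MAC first; nothing is decrypted if it does not match
ec_decrypt() {
    tmp=$(mktemp -d) || return 1
    openssl pkeyutl -derive -inkey "$1" -peerkey "$2/temppubkey.pem" \
        -out "$tmp/secret.bin" &&
    openssl dgst -sha256 -mac HMAC \
        -macopt "hexkey:$(derive_key mac "$tmp/secret.bin")" \
        -binary -out "$tmp/mac.bin" "$2/ciphertext.enc" &&
    cmp -s "$tmp/mac.bin" "$2/MAC.bin" &&
    openssl enc -d -aes-256-ofb -iv "$ZERO_IV" \
        -K "$(derive_key enc "$tmp/secret.bin")" \
        -in "$2/ciphertext.enc" -out "$3"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

The derived keys are passed on the openssl command line, so they are visible in the process list while each command runs; use this only on a host where other users cannot read it.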