The Crypto Magic Behind OpenSSL

Posted by Dhiraj Sharan
Dhiraj Sharan

We talked about introductory OpenSSL in a previous blog Dipping Our Toes into OpenSSL, that covered how it supports rich cryptographic-centric operations, which are needed for all sorts of things in the security domain and even outside of it. Today, let's take the next step and understand some of the crypto arithmetic behind it, without making the topic too complicated.
The crypto magic behind OpenSSL- Featured
Photo by Vanna Phon on Unsplash

SSL Basics

The most common operations we use day in day out are the SSL (Secure Socket Layer) enabled websites that use certificate verification and public key decryption all the time. To use SSL in your browser, be it for Internet banking, youtube, or any ordinary web traffic, the HTTP protocol needs to use encrypted payloads. (They use some fast encryption algorithm like AES, which uses a 256-bit symmetric key often.) An encryption algorithm works by using confusion and diffusion, and it uses many rounds of encryption and several round keys. Overall the symmetric operations are what makes fast encryption and decryption in HTTPS traffic possible.

But for the fast symmetric encryption and decryption operation to work, we first have to figure out a way to exchange the even secret AES key. That's the reason why we need to use prime numbers, random numbers, and public-key cryptography. That is a slow and expensive operation, but that's fine. It is used only to verify the website/certificate's authenticity and then mostly only for signing and key exchange.


Public Key Infrastructure (PKI)

The utility of prime numbers is limited to PKI alone, and in this article, we will explore popular algorithms like RSA, DSA, DH, and Elliptic curve (EC) crypto. The way PKI uses public-key operations is fundamentally different from how traffic is encrypted. One uses symmetric encryption, while the other uses asymmetric encryption, which means it uses a public and a private key to encrypt and decrypt.

Both public and private key components use the same modulus, and thereby, they are related. So data encrypted with the public key is decrypted with the private key and vice versa. But since it involves prime number arithmetic involving many bits (4096 bits are standard), the exponentiation operations are used sparingly, and the encryption speeds are also slow.


Using OpenSSL to run the math

OpenSSL is the open-source toolkit widely available on all Linux, Mac, and Windows platforms, examining and performing above crypto arithmetic. Since public key cryptography employs a public and a private component, its keys are often called keypairs. There can be many possible combinations for these keypairs, and you can use different approaches like one public key with three private keys (or another mix), but the everyday use is one public and one private key. The public key is signed and used as a certificate, and the private key is encrypted with a passphrase and kept secret.


Generating and inspecting RSA private key

The way you use OpenSSL is like this:

$ openssl genpkey -out priv.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
................................++++
....................................................................................................................++++
e is 65537 (0x010001)

Then you could inspect the key using these commands:

$ openssl pkey -in priv.pem -text

-----BEGIN PRIVATE KEY-----

MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCaeWaxg0LTNQviEzbGZQQbQ3QMT6ZfyjBOLX2zMOv1Ww519ICuyedNXzCa/pF6yM9RTiFM2rKh8CZMFzASFUraAIBFrndZmQnrOTCqvuJf0KRcb5cILIgkGK2EB27HvE8TdmeTAHOk9NDVgiHNkbAvm3zh3e8qpqvbhLfOVIi1lixdx7Tz+ApmeGVAMjEwLXtAo8ZQI/wCF9Zn2LmLQ50ggBbVCEM1L2BLa6FcSVBK1wqVF7+LB2qlqt1Qt8QBIshlzVab/pSJhTHxn6s220ehWcsHPTPFcLTCYFxcOm4sKtGVKVFNrqe0LgPPwJkgy1axZI6O8JQjfxC2i++JxkIEIVYSoxnBR3oIhaoxZDaTvTdXsKRY/zIBaWA1fCU3tbUEYfzygl76gFhynixXyH+hT28J7Jp8JF6NRCD83di0f33SWajT61XfIG9K0Usi2qcwlAB89l6i5Yd0PXbzjv/UCMxGKkMnOYIHrTZJikQ3R8JWBfeCQsJgDVkS29SNWd9OKwoZCQyvHdojjP4+lg8I0N4I1+RA4y/erkYQpLw0iL2fLBas2h+PzdKyukFsIF420LSKjZwq5E94qIslk7kYTBwBRyiYv0hOFBrYcv6L6oAVxepGTvhHsb+pDJY2dBhkH6z2oR51gtId2bmeXqE2SM+mjHFpQ3HWLQ4edL6t5QIDAQABAoICAGDpoT/k9dvD//yJyWeWoIjqPLgskFiwZLXnXGE7ZA2+Xsgp6UG/cdncyoWzCFpb+ZUsyz+IRWHLZHuAYKw3p4o1nkQZPM99b/efHaVBtIwgPb2wVLTQG2lqAhI/B4VP4tx3AGv9cJAg95O73LE3oa18g1DBB/deMZu7HAXaixpBaPw8+o3FI+E9z2gDFVEAd78KALTunoBBrEXidiWk+cMWGTz1vhRz8JngoI9hf3o0h3MaPxVeRc5B8C9f2xxLUiZsONYNVeshIUBRx/zWfY4A45tbDkvkdcMs6UUDc3NKOcq27UcrOBOWetWwI2GrsGwChl2vGYFbioS8Lj/lniw3pzv1Rma8HAwgtkt1BbtgD1onFqQXEdTGHuKwKdkyzp7DXHEw1TC08dXnGN8a4RmdyNThNXccuojD66uqE97XQQtWf0yWFZxCdHnikM3o9lIHr18LUi8nuQ4OKe5NIJ7vxvgX+l9Iu3bavmhmOR1LS3F5Pugb242SytOAFWVKkWaC/gYswrk7JJARawbCnRFPYr7nTjv1tUOuTRPrMR4pgmuxyXdeuEH4yjPLgkZyUta9fkkPNzKyhg5mqVA2zY06KNUbyo4uBLgYiP9HVg9yEyGXcDMrQLp5jISOEsW5XzaeLamxAQVv2tyUiboNAexH5ScWCDL9SO0AIJ4viEWBAoIBAQDH/BhgtCDATKQrc7hb+wnO+l16zUtm5D4BThgF/LGU3gEabaTGNRGFLibPmzlqDTrI3ALxwvGjstF5sxlGYbjcWKgqrZ71R55uhLrJa0mEywfeVBZfW0Wi32u+PXZrq/kskJgfY/5dL99ItEkdyRcwy3shrrQ/2EcURflFC8NVFT58EKOf+zauyFrmu9nHsfwk9B5TiTmm51vV7mklaaxuH7a3+wtso9VLCn4RHY6fvcfNQlODn6ySyV9Df2IcdKxYhZHj4e87BPEp54VKms4j36JAKH7I7b66ATawXtY5e+SwB0H1d5l5hdz3mRfyIShhhmJ7lV1G7N257uAx5CJ5AoIBAQDFvflib2orXBARkwTtueFPxlDD8aHLeMzlS8P1WHU2rs5eYLpDgiOxtEC+Qvo7rZJwvf84vdZAGz/fUmvWOohOl8l6zRA3qsRX2suo3pNqZ8I2ZkA4Hew0PChuI8TFZF3b32HW2rsotnpw+jlgvb/nSo50G/ePlLBbUqskNw+BGVo/PyLOwBfKT42vx1x6QoandJLc76RQBoD62zB/tuQWVFsKc/yhEG7RTpC5cKkZKaeFa3Mmk2geA+oLqcTPXuVKiyhavFOj3+dOEDWxYm3N+45tz9wGIQN8pOGFSgGWp6fGF1+nE8eIr5KND8XQt/u2HVCMZL6r7UiwAUr2OuvNAoIBAQCtiNcKiyPkWl0XC4qN3m/reBvH5P8qIKKhdUepYlYibOaeLUiPahty6tJo0jRnD2XUR/4SFeyi9ReKuFwVU9Ua95+tsQ0/oE8dbfW7tGqOXbPNPEBRrJznsWIIKcNpuUg2YJ5wls9xw4nIyBCuVQHXqKqHVtc4k49SS0n7nTJ50T5wX+vsdgxEbL1cfOOEwrCezGrIaEprx1VMdV4uRd2HjeN7ENAgDKaYQFmWtoQ9n2wSdByOGe+hTDZrFs1nDeNDyVwIV9TE7QvsJefnDiAUxwk/DSS/bHZVZ5oyP4k7RoPyL8oPnCHEbuGIxQMfa6BjyD4LKVhQpFfe8ScAhAtZAoIBAHvvFEV4lO82FTAemAEy9h8cqXQVlpVDUhAIS3oTBevO5bLLJxK2lw6Cbe2RZupOYDDfM/3pJUYqjf621rV/G/0+Lt4Tdi2djs+NZwWg8n3HKDcWIPvK7UbTyXc2XdZlkFoFCHozvwfGTrlOavXSF1usI9pryN4pj9q81lytUb9VF3X6aSNxy7dV4vSfm7tYxLJhYsasP6yUVvRiumPhSdUg66qChXyhIwN2HUjMbn9B1yfM72/nBWOCiobi0WIzFLyCuTkdPcLAy2TmzfAuQ6nNFziGBV2mBVxyrpHuj05QJ9wEvEOoJu/pMo3Mq+uj1FQQzXIglkyFPIBrXwMybKUCggEAMt+tsxuq+DnZBdS+WvDnGdJ4S2XStL4lCvGH4NPb6l7aghvSC+nMli1NUAGeVRMNIAeimZoTF2rf2Eix35FpC9fpsDEPxEMZDaNowgf/GYJrYGnYS71RSeNn0bT07e1SEWjm4f+7XD5A3it40WTeUpQlE7hLTcTKcWOyjCpPI7g45osBqPw0qvmbY9qxmvgouBmiutmDLET/D8pkarPGaWVJSpjNqaY1+KAiM2upc7ZRU9eF/VKhPsLmOIn/Jv6y6GVNbH075mEYObhGQXvZQPA/ILazcsX25CPn02zfveKCI2b7D1P1TJaS0dJRk5c6aCtWH29gXQYKs5qSykumoQ==

-----END PRIVATE KEY-----

RSA Private-Key: (4096 bit, 2 primes)

modulus:

    00:9a:79:66:b1:83:42:d3:35:0b:e2:13:36:c6:65:

    04:1b:43:74:0c:4f:a6:5f:ca:30:4e:2d:7d:b3:30:

    eb:f5:5b:0e:75:f4:80:ae:c9:e7:4d:5f:30:9a:fe:

    91:7a:c8:cf:51:4e:21:4c:da:b2:a1:f0:26:4c:17:

    30:12:15:4a:da:00:80:45:ae:77:59:99:09:eb:39:

    30:aa:be:e2:5f:d0:a4:5c:6f:97:08:2c:88:24:18:

    ad:84:07:6e:c7:bc:4f:13:76:67:93:00:73:a4:f4:

    d0:d5:82:21:cd:91:b0:2f:9b:7c:e1:dd:ef:2a:a6:

    ab:db:84:b7:ce:54:88:b5:96:2c:5d:c7:b4:f3:f8:

    0a:66:78:65:40:32:31:30:2d:7b:40:a3:c6:50:23:

    fc:02:17:d6:67:d8:b9:8b:43:9d:20:80:16:d5:08:

    43:35:2f:60:4b:6b:a1:5c:49:50:4a:d7:0a:95:17:

    bf:8b:07:6a:a5:aa:dd:50:b7:c4:01:22:c8:65:cd:

    56:9b:fe:94:89:85:31:f1:9f:ab:36:db:47:a1:59:

    cb:07:3d:33:c5:70:b4:c2:60:5c:5c:3a:6e:2c:2a:

    d1:95:29:51:4d:ae:a7:b4:2e:03:cf:c0:99:20:cb:

    56:b1:64:8e:8e:f0:94:23:7f:10:b6:8b:ef:89:c6:

    42:04:21:56:12:a3:19:c1:47:7a:08:85:aa:31:64:

    36:93:bd:37:57:b0:a4:58:ff:32:01:69:60:35:7c:

    25:37:b5:b5:04:61:fc:f2:82:5e:fa:80:58:72:9e:

    2c:57:c8:7f:a1:4f:6f:09:ec:9a:7c:24:5e:8d:44:

    20:fc:dd:d8:b4:7f:7d:d2:59:a8:d3:eb:55:df:20:

    6f:4a:d1:4b:22:da:a7:30:94:00:7c:f6:5e:a2:e5:

    87:74:3d:76:f3:8e:ff:d4:08:cc:46:2a:43:27:39:

    82:07:ad:36:49:8a:44:37:47:c2:56:05:f7:82:42:

    c2:60:0d:59:12:db:d4:8d:59:df:4e:2b:0a:19:09:

    0c:af:1d:da:23:8c:fe:3e:96:0f:08:d0:de:08:d7:

    e4:40:e3:2f:de:ae:46:10:a4:bc:34:88:bd:9f:2c:

    16:ac:da:1f:8f:cd:d2:b2:ba:41:6c:20:5e:36:d0:

    b4:8a:8d:9c:2a:e4:4f:78:a8:8b:25:93:b9:18:4c:

    1c:01:47:28:98:bf:48:4e:14:1a:d8:72:fe:8b:ea:

    80:15:c5:ea:46:4e:f8:47:b1:bf:a9:0c:96:36:74:

    18:64:1f:ac:f6:a1:1e:75:82:d2:1d:d9:b9:9e:5e:

    a1:36:48:cf:a6:8c:71:69:43:71:d6:2d:0e:1e:74:

    be:ad:e5

publicExponent: 65537 (0x10001)

privateExponent:

    60:e9:a1:3f:e4:f5:db:c3:ff:fc:89:c9:67:96:a0:

    88:ea:3c:b8:2c:90:58:b0:64:b5:e7:5c:61:3b:64:

    0d:be:5e:c8:29:e9:41:bf:71:d9:dc:ca:85:b3:08:

    5a:5b:f9:95:2c:cb:3f:88:45:61:cb:64:7b:80:60:

    ac:37:a7:8a:35:9e:44:19:3c:cf:7d:6f:f7:9f:1d:

    a5:41:b4:8c:20:3d:bd:b0:54:b4:d0:1b:69:6a:02:

    12:3f:07:85:4f:e2:dc:77:00:6b:fd:70:90:20:f7:

    93:bb:dc:b1:37:a1:ad:7c:83:50:c1:07:f7:5e:31:

    9b:bb:1c:05:da:8b:1a:41:68:fc:3c:fa:8d:c5:23:

    e1:3d:cf:68:03:15:51:00:77:bf:0a:00:b4:ee:9e:

    80:41:ac:45:e2:76:25:a4:f9:c3:16:19:3c:f5:be:

    14:73:f0:99:e0:a0:8f:61:7f:7a:34:87:73:1a:3f:

    15:5e:45:ce:41:f0:2f:5f:db:1c:4b:52:26:6c:38:

    d6:0d:55:eb:21:21:40:51:c7:fc:d6:7d:8e:00:e3:

    9b:5b:0e:4b:e4:75:c3:2c:e9:45:03:73:73:4a:39:

    ca:b6:ed:47:2b:38:13:96:7a:d5:b0:23:61:ab:b0:

    6c:02:86:5d:af:19:81:5b:8a:84:bc:2e:3f:e5:9e:

    2c:37:a7:3b:f5:46:66:bc:1c:0c:20:b6:4b:75:05:

    bb:60:0f:5a:27:16:a4:17:11:d4:c6:1e:e2:b0:29:

    d9:32:ce:9e:c3:5c:71:30:d5:30:b4:f1:d5:e7:18:

    df:1a:e1:19:9d:c8:d4:e1:35:77:1c:ba:88:c3:eb:

    ab:aa:13:de:d7:41:0b:56:7f:4c:96:15:9c:42:74:

    79:e2:90:cd:e8:f6:52:07:af:5f:0b:52:2f:27:b9:

    0e:0e:29:ee:4d:20:9e:ef:c6:f8:17:fa:5f:48:bb:

    76:da:be:68:66:39:1d:4b:4b:71:79:3e:e8:1b:db:

    8d:92:ca:d3:80:15:65:4a:91:66:82:fe:06:2c:c2:

    b9:3b:24:90:11:6b:06:c2:9d:11:4f:62:be:e7:4e:

    3b:f5:b5:43:ae:4d:13:eb:31:1e:29:82:6b:b1:c9:

    77:5e:b8:41:f8:ca:33:cb:82:46:72:52:d6:bd:7e:

    49:0f:37:32:b2:86:0e:66:a9:50:36:cd:8d:3a:28:

    d5:1b:ca:8e:2e:04:b8:18:88:ff:47:56:0f:72:13:

    21:97:70:33:2b:40:ba:79:8c:84:8e:12:c5:b9:5f:

    36:9e:2d:a9:b1:01:05:6f:da:dc:94:89:ba:0d:01:

    ec:47:e5:27:16:08:32:fd:48:ed:00:20:9e:2f:88:

    45:81

prime1:

    00:c7:fc:18:60:b4:20:c0:4c:a4:2b:73:b8:5b:fb:

    09:ce:fa:5d:7a:cd:4b:66:e4:3e:01:4e:18:05:fc:

    b1:94:de:01:1a:6d:a4:c6:35:11:85:2e:26:cf:9b:

    39:6a:0d:3a:c8:dc:02:f1:c2:f1:a3:b2:d1:79:b3:

    19:46:61:b8:dc:58:a8:2a:ad:9e:f5:47:9e:6e:84:

    ba:c9:6b:49:84:cb:07:de:54:16:5f:5b:45:a2:df:

    6b:be:3d:76:6b:ab:f9:2c:90:98:1f:63:fe:5d:2f:

    df:48:b4:49:1d:c9:17:30:cb:7b:21:ae:b4:3f:d8:

    47:14:45:f9:45:0b:c3:55:15:3e:7c:10:a3:9f:fb:

    36:ae:c8:5a:e6:bb:d9:c7:b1:fc:24:f4:1e:53:89:

    39:a6:e7:5b:d5:ee:69:25:69:ac:6e:1f:b6:b7:fb:

    0b:6c:a3:d5:4b:0a:7e:11:1d:8e:9f:bd:c7:cd:42:

    53:83:9f:ac:92:c9:5f:43:7f:62:1c:74:ac:58:85:

    91:e3:e1:ef:3b:04:f1:29:e7:85:4a:9a:ce:23:df:

    a2:40:28:7e:c8:ed:be:ba:01:36:b0:5e:d6:39:7b:

    e4:b0:07:41:f5:77:99:79:85:dc:f7:99:17:f2:21:

    28:61:86:62:7b:95:5d:46:ec:dd:b9:ee:e0:31:e4:

    22:79

prime2:

    00:c5:bd:f9:62:6f:6a:2b:5c:10:11:93:04:ed:b9:

    e1:4f:c6:50:c3:f1:a1:cb:78:cc:e5:4b:c3:f5:58:

    75:36:ae:ce:5e:60:ba:43:82:23:b1:b4:40:be:42:

    fa:3b:ad:92:70:bd:ff:38:bd:d6:40:1b:3f:df:52:

    6b:d6:3a:88:4e:97:c9:7a:cd:10:37:aa:c4:57:da:

    cb:a8:de:93:6a:67:c2:36:66:40:38:1d:ec:34:3c:

    28:6e:23:c4:c5:64:5d:db:df:61:d6:da:bb:28:b6:

    7a:70:fa:39:60:bd:bf:e7:4a:8e:74:1b:f7:8f:94:

    b0:5b:52:ab:24:37:0f:81:19:5a:3f:3f:22:ce:c0:

    17:ca:4f:8d:af:c7:5c:7a:42:86:a7:74:92:dc:ef:

    a4:50:06:80:fa:db:30:7f:b6:e4:16:54:5b:0a:73:

    fc:a1:10:6e:d1:4e:90:b9:70:a9:19:29:a7:85:6b:

    73:26:93:68:1e:03:ea:0b:a9:c4:cf:5e:e5:4a:8b:

    28:5a:bc:53:a3:df:e7:4e:10:35:b1:62:6d:cd:fb:

    8e:6d:cf:dc:06:21:03:7c:a4:e1:85:4a:01:96:a7:

    a7:c6:17:5f:a7:13:c7:88:af:92:8d:0f:c5:d0:b7:

    fb:b6:1d:50:8c:64:be:ab:ed:48:b0:01:4a:f6:3a:

    eb:cd

exponent1:

    00:ad:88:d7:0a:8b:23:e4:5a:5d:17:0b:8a:8d:de:

    6f:eb:78:1b:c7:e4:ff:2a:20:a2:a1:75:47:a9:62:

    56:22:6c:e6:9e:2d:48:8f:6a:1b:72:ea:d2:68:d2:

    34:67:0f:65:d4:47:fe:12:15:ec:a2:f5:17:8a:b8:

    5c:15:53:d5:1a:f7:9f:ad:b1:0d:3f:a0:4f:1d:6d:

    f5:bb:b4:6a:8e:5d:b3:cd:3c:40:51:ac:9c:e7:b1:

    62:08:29:c3:69:b9:48:36:60:9e:70:96:cf:71:c3:

    89:c8:c8:10:ae:55:01:d7:a8:aa:87:56:d7:38:93:

    8f:52:4b:49:fb:9d:32:79:d1:3e:70:5f:eb:ec:76:

    0c:44:6c:bd:5c:7c:e3:84:c2:b0:9e:cc:6a:c8:68:

    4a:6b:c7:55:4c:75:5e:2e:45:dd:87:8d:e3:7b:10:

    d0:20:0c:a6:98:40:59:96:b6:84:3d:9f:6c:12:74:

    1c:8e:19:ef:a1:4c:36:6b:16:cd:67:0d:e3:43:c9:

    5c:08:57:d4:c4:ed:0b:ec:25:e7:e7:0e:20:14:c7:

    09:3f:0d:24:bf:6c:76:55:67:9a:32:3f:89:3b:46:

    83:f2:2f:ca:0f:9c:21:c4:6e:e1:88:c5:03:1f:6b:

    a0:63:c8:3e:0b:29:58:50:a4:57:de:f1:27:00:84:

    0b:59

exponent2:

    7b:ef:14:45:78:94:ef:36:15:30:1e:98:01:32:f6:

    1f:1c:a9:74:15:96:95:43:52:10:08:4b:7a:13:05:

    eb:ce:e5:b2:cb:27:12:b6:97:0e:82:6d:ed:91:66:

    ea:4e:60:30:df:33:fd:e9:25:46:2a:8d:fe:b6:d6:

    b5:7f:1b:fd:3e:2e:de:13:76:2d:9d:8e:cf:8d:67:

    05:a0:f2:7d:c7:28:37:16:20:fb:ca:ed:46:d3:c9:

    77:36:5d:d6:65:90:5a:05:08:7a:33:bf:07:c6:4e:

    b9:4e:6a:f5:d2:17:5b:ac:23:da:6b:c8:de:29:8f:

    da:bc:d6:5c:ad:51:bf:55:17:75:fa:69:23:71:cb:

    b7:55:e2:f4:9f:9b:bb:58:c4:b2:61:62:c6:ac:3f:

    ac:94:56:f4:62:ba:63:e1:49:d5:20:eb:aa:82:85:

    7c:a1:23:03:76:1d:48:cc:6e:7f:41:d7:27:cc:ef:

    6f:e7:05:63:82:8a:86:e2:d1:62:33:14:bc:82:b9:

    39:1d:3d:c2:c0:cb:64:e6:cd:f0:2e:43:a9:cd:17:

    38:86:05:5d:a6:05:5c:72:ae:91:ee:8f:4e:50:27:

    dc:04:bc:43:a8:26:ef:e9:32:8d:cc:ab:eb:a3:d4:

    54:10:cd:72:20:96:4c:85:3c:80:6b:5f:03:32:6c:

    a5

coefficient:

    32:df:ad:b3:1b:aa:f8:39:d9:05:d4:be:5a:f0:e7:

    19:d2:78:4b:65:d2:b4:be:25:0a:f1:87:e0:d3:db:

    ea:5e:da:82:1b:d2:0b:e9:cc:96:2d:4d:50:01:9e:

    55:13:0d:20:07:a2:99:9a:13:17:6a:df:d8:48:b1:

    df:91:69:0b:d7:e9:b0:31:0f:c4:43:19:0d:a3:68:

    c2:07:ff:19:82:6b:60:69:d8:4b:bd:51:49:e3:67:

    d1:b4:f4:ed:ed:52:11:68:e6:e1:ff:bb:5c:3e:40:

    de:2b:78:d1:64:de:52:94:25:13:b8:4b:4d:c4:ca:

    71:63:b2:8c:2a:4f:23:b8:38:e6:8b:01:a8:fc:34:

    aa:f9:9b:63:da:b1:9a:f8:28:b8:19:a2:ba:d9:83:

    2c:44:ff:0f:ca:64:6a:b3:c6:69:65:49:4a:98:cd:

    a9:a6:35:f8:a0:22:33:6b:a9:73:b6:51:53:d7:85:

    fd:52:a1:3e:c2:e6:38:89:ff:26:fe:b2:e8:65:4d:

    6c:7d:3b:e6:61:18:39:b8:46:41:7b:d9:40:f0:3f:

    20:b6:b3:72:c5:f6:e4:23:e7:d3:6c:df:bd:e2:82:

    23:66:fb:0f:53:f5:4c:96:92:d1:d2:51:93:97:3a:

    68:2b:56:1f:6f:60:5d:06:0a:b3:9a:92:ca:4b:a6:

    a1



As you can see from above, the private key is quite big and has many mathematical components/properties.


Deriving and inspecting the RSA public key

The public key derived from the private key looks like this:

$ openssl pkey -in priv.pem -out pub.pem -pubout

The above command puts the public key into the file pub.pem file. The pem extension stands for enhanced privacy mail from the old PGP days, and there are several other formats for a key like PKCS8 or PKCS12 and DER, and so on.

For now, let us focus on crypto mathematics.

To inspect the public key do this:

$ openssl pkey -in pub.pem -pubin -text

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmnlmsYNC0zUL4hM2xmUEG0N0DE+mX8owTi19szDr9VsOdfSArsnnTV8wmv6ResjPUU4hTNqyofAmTBcwEhVK2gCARa53WZkJ6zkwqr7iX9CkXG+XCCyIJBithAdux7xPE3ZnkwBzpPTQ1YIhzZGwL5t84d3vKqar24S3zlSItZYsXce08/gKZnhlQDIxMC17QKPGUCP8AhfWZ9i5i0OdIIAW1QhDNS9gS2uhXElQStcKlRe/iwdqpardULfEASLIZc1Wm/6UiYUx8Z+rNttHoVnLBz0zxXC0wmBcXDpuLCrRlSlRTa6ntC4Dz8CZIMtWsWSOjvCUI38QtovvicZCBCFWEqMZwUd6CIWqMWQ2k703V7CkWP8yAWlgNXwlN7W1BGH88oJe+oBYcp4sV8h/oU9vCeyafCRejUQg/N3YtH990lmo0+tV3yBvStFLItqnMJQAfPZeouWHdD12847/1AjMRipDJzmCB602SYpEN0fCVgX3gkLCYA1ZEtvUjVnfTisKGQkMrx3aI4z+PpYPCNDeCNfkQOMv3q5GEKS8NIi9nywWrNofj83SsrpBbCBeNtC0io2cKuRPeKiLJZO5GEwcAUcomL9IThQa2HL+i+qAFcXqRk74R7G/qQyWNnQYZB+s9qEedYLSHdm5nl6hNkjPpoxxaUNx1i0OHnS+reUCAwEAAQ==
-----END PUBLIC KEY-----


RSA Public-Key: (4096 bit)
Modulus:
00:9a:79:66:b1:83:42:d3:35:0b:e2:13:36:c6:65:
04:1b:43:74:0c:4f:a6:5f:ca:30:4e:2d:7d:b3:30:
eb:f5:5b:0e:75:f4:80:ae:c9:e7:4d:5f:30:9a:fe:
91:7a:c8:cf:51:4e:21:4c:da:b2:a1:f0:26:4c:17:
30:12:15:4a:da:00:80:45:ae:77:59:99:09:eb:39:
30:aa:be:e2:5f:d0:a4:5c:6f:97:08:2c:88:24:18:
ad:84:07:6e:c7:bc:4f:13:76:67:93:00:73:a4:f4:
d0:d5:82:21:cd:91:b0:2f:9b:7c:e1:dd:ef:2a:a6:
ab:db:84:b7:ce:54:88:b5:96:2c:5d:c7:b4:f3:f8:
0a:66:78:65:40:32:31:30:2d:7b:40:a3:c6:50:23:
fc:02:17:d6:67:d8:b9:8b:43:9d:20:80:16:d5:08:
43:35:2f:60:4b:6b:a1:5c:49:50:4a:d7:0a:95:17:
bf:8b:07:6a:a5:aa:dd:50:b7:c4:01:22:c8:65:cd:
56:9b:fe:94:89:85:31:f1:9f:ab:36:db:47:a1:59:
cb:07:3d:33:c5:70:b4:c2:60:5c:5c:3a:6e:2c:2a:
d1:95:29:51:4d:ae:a7:b4:2e:03:cf:c0:99:20:cb:
56:b1:64:8e:8e:f0:94:23:7f:10:b6:8b:ef:89:c6:
42:04:21:56:12:a3:19:c1:47:7a:08:85:aa:31:64:
36:93:bd:37:57:b0:a4:58:ff:32:01:69:60:35:7c:
25:37:b5:b5:04:61:fc:f2:82:5e:fa:80:58:72:9e:
2c:57:c8:7f:a1:4f:6f:09:ec:9a:7c:24:5e:8d:44:
20:fc:dd:d8:b4:7f:7d:d2:59:a8:d3:eb:55:df:20:
6f:4a:d1:4b:22:da:a7:30:94:00:7c:f6:5e:a2:e5:
87:74:3d:76:f3:8e:ff:d4:08:cc:46:2a:43:27:39:
82:07:ad:36:49:8a:44:37:47:c2:56:05:f7:82:42:
c2:60:0d:59:12:db:d4:8d:59:df:4e:2b:0a:19:09:
0c:af:1d:da:23:8c:fe:3e:96:0f:08:d0:de:08:d7:
e4:40:e3:2f:de:ae:46:10:a4:bc:34:88:bd:9f:2c:
16:ac:da:1f:8f:cd:d2:b2:ba:41:6c:20:5e:36:d0:
b4:8a:8d:9c:2a:e4:4f:78:a8:8b:25:93:b9:18:4c:
1c:01:47:28:98:bf:48:4e:14:1a:d8:72:fe:8b:ea:
80:15:c5:ea:46:4e:f8:47:b1:bf:a9:0c:96:36:74:
18:64:1f:ac:f6:a1:1e:75:82:d2:1d:d9:b9:9e:5e:
a1:36:48:cf:a6:8c:71:69:43:71:d6:2d:0e:1e:74:
be:ad:e5
Exponent: 65537 (0x10001)

What you can observe above is that the modulus is the same in both cases. If the modulus changes, then the keypair is not correct. This is a convenient rule of thumb to identify keypairs. But in OpenSSL, there is no such problem since the private key alone is enough.

This is quite similar to the physical door lock and key we have at home in which for locking, no key is required, but to open, you need the key. This physical world analogy works in the case of RSA private keys in OpenSSL.


Same operations using Elliptic Curve (EC) keys

Nowadays, the EC keys are more common as they have much smaller key lengths and also lend to easier computation. To explore that, we can use these commands:

$ openssl ecparam -list_curves
secp112r1 : SECG/WTLS curve over a 112 bit prime field
secp112r2 : SECG curve over a 112 bit prime field
secp128r1 : SECG curve over a 128 bit prime field
secp128r2 : SECG curve over a 128 bit prime field
secp160k1 : SECG curve over a 160 bit prime field
secp160r1 : SECG curve over a 160 bit prime field
secp160r2 : SECG/WTLS curve over a 160 bit prime field
secp192k1 : SECG curve over a 192 bit prime field
secp224k1 : SECG curve over a 224 bit prime field
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
prime192v2: X9.62 curve over a 192 bit prime field
prime192v3: X9.62 curve over a 192 bit prime field
prime239v1: X9.62 curve over a 239 bit prime field
prime239v2: X9.62 curve over a 239 bit prime field
prime239v3: X9.62 curve over a 239 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
sect113r1 : SECG curve over a 113 bit binary field
sect113r2 : SECG curve over a 113 bit binary field
sect131r1 : SECG/WTLS curve over a 131 bit binary field
sect131r2 : SECG curve over a 131 bit binary field
sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
sect163r1 : SECG curve over a 163 bit binary field
sect163r2 : NIST/SECG curve over a 163 bit binary field
sect193r1 : SECG curve over a 193 bit binary field
sect193r2 : SECG curve over a 193 bit binary field
sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect239k1 : SECG curve over a 239 bit binary field
sect283k1 : NIST/SECG curve over a 283 bit binary field
sect283r1 : NIST/SECG curve over a 283 bit binary field
sect409k1 : NIST/SECG curve over a 409 bit binary field
sect409r1 : NIST/SECG curve over a 409 bit binary field
sect571k1 : NIST/SECG curve over a 571 bit binary field
sect571r1 : NIST/SECG curve over a 571 bit binary field
c2pnb163v1: X9.62 curve over a 163 bit binary field
c2pnb163v2: X9.62 curve over a 163 bit binary field
c2pnb163v3: X9.62 curve over a 163 bit binary field
c2pnb176v1: X9.62 curve over a 176 bit binary field
c2tnb191v1: X9.62 curve over a 191 bit binary field
c2tnb191v2: X9.62 curve over a 191 bit binary field
c2tnb191v3: X9.62 curve over a 191 bit binary field
c2pnb208w1: X9.62 curve over a 208 bit binary field
c2tnb239v1: X9.62 curve over a 239 bit binary field
c2tnb239v2: X9.62 curve over a 239 bit binary field
c2tnb239v3: X9.62 curve over a 239 bit binary field
c2pnb272w1: X9.62 curve over a 272 bit binary field
c2pnb304w1: X9.62 curve over a 304 bit binary field
c2tnb359v1: X9.62 curve over a 359 bit binary field
c2pnb368w1: X9.62 curve over a 368 bit binary field
c2tnb431r1: X9.62 curve over a 431 bit binary field
wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
Oakley-EC2N-3:
IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
Not suitable for ECDSA.
Questionable extension field!
Oakley-EC2N-4:
IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
Not suitable for ECDSA.
Questionable extension field!
brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
SM2 : SM2 curve over a 256 bit prime field

Then you do this to generate the private key:

$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:brainpoolP512r1 -out ecpriv.pem
-----BEGIN PRIVATE KEY-----
MIHsAgEAMBQGByqGSM49AgEGCSskAwMCCAEBDQSB0DCBzQIBAQRApTqxhEQqnAW7xzplpCPngxEn3qjpndipIiX2F97KLKn9geWco8raFI1ItwXmdYI0l/4uoIH32p1sDQElfatnM6GBhQOBggAEjTbTbsVoabgdioho9mS1sVl6lhnGICHCN/T3ejHb5XNlvaTW1Jj22dyHnAZQK0UInePJE8OtZg2buaHL1rfH7khb9sn1G4UXHMquiwtF76TPfI946ziPbywvQ4TcqnFWrutvMtXeWc2rgguOHQ2EA7UrIYeyb7R3iXP6lKKt6dc=
-----END PRIVATE KEY-----

This generates an unencrypted private key which is not very useful right?
So we do this:

$ openssl genpkey -aes256 -algorithm EC -pkeyopt ec_paramgen_curve:brainpoolP512r1

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBTDBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIR0bcxHjoqVQCAggAMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAChA9iAyDu0WTrwT9hZ7WIBIHw8XI6iZWDX8JDrXLefOtO+wsIFSX78ajt5kp/+R8dJAF7lf5h9iLqPx8FFwQRey5m/os6nAAN07045tSn0vlZGkILBi/MqU4kcenyGrAZZ/vxfGKwBhkyU+RnHeHoaJ9jHD3FCnSeNffAnPu4Wy18QobFUAlhznk23CexiTtFCqiM4VXlC3pZjAL+/PBBAeQDxadOcOjjgj6/5/R4gG+hc2JOA79dyesGL8SsUlV2Dxogdup7FyMDYmJDNMWLVkvpxbacT6i9JIXYPPAUeZZ7wzsK4w3LMQEGDYYdebwE48WjKPA5JOfQ7/ohcdo0FfzA
-----END ENCRYPTED PRIVATE KEY-----

To inspect the private key, we do this:

$ openssl pkey -in ecpriv.pem -text
-----BEGIN PRIVATE KEY-----
MIHsAgEAMBQGByqGSM49AgEGCSskAwMCCAEBDQSB0DCBzQIBAQRADR40pjESmjKliO6km/585r2Jh0+3UtZkC+MU/Y1NiXsfJb08TfZ7fo8EB+67NGZwSypA7Aj7aprmRPjhKRGTlKGBhQOBggAEFHD0OoOhUBAErv5x3q+suec7O9qT+4wtb6S7QhwpsFsPnnF/oaHoZUHpJ4N3elgJCslblS/YLlvxNHla1MT4X5Lz+tGBCq6wP/gKImgpWs/tUWLDLOsfTkIgk0iGsBjtJpK4x72m4iiFCZ9X7kjR+RNvORcyVAAriZ1xdG9r/jQ=
-----END PRIVATE KEY-----
Private-Key: (512 bit)
priv:
0d:1e:34:a6:31:12:9a:32:a5:88:ee:a4:9b:fe:7c:
e6:bd:89:87:4f:b7:52:d6:64:0b:e3:14:fd:8d:4d:
89:7b:1f:25:bd:3c:4d:f6:7b:7e:8f:04:07:ee:bb:
34:66:70:4b:2a:40:ec:08:fb:6a:9a:e6:44:f8:e1:
29:11:93:94
pub:
04:14:70:f4:3a:83:a1:50:10:04:ae:fe:71:de:af:
ac:b9:e7:3b:3b:da:93:fb:8c:2d:6f:a4:bb:42:1c:
29:b0:5b:0f:9e:71:7f:a1:a1:e8:65:41:e9:27:83:
77:7a:58:09:0a:c9:5b:95:2f:d8:2e:5b:f1:34:79:
5a:d4:c4:f8:5f:92:f3:fa:d1:81:0a:ae:b0:3f:f8:
0a:22:68:29:5a:cf:ed:51:62:c3:2c:eb:1f:4e:42:
20:93:48:86:b0:18:ed:26:92:b8:c7:bd:a6:e2:28:
85:09:9f:57:ee:48:d1:f9:13:6f:39:17:32:54:00:
2b:89:9d:71:74:6f:6b:fe:34
ASN1 OID: brainpoolP512r1

As you can see, the above private key has fewer components than the RSA counterpart.


Conclusion

Hopefully, this article gives you an idea about the serious math that goes behind the OpenSSL toolkit, which is used worldwide for almost all crypto operations like certificate generation, verification, etc. and is used day in day out for SSL websites. We ran the operations manually for both RSA and EC keys.

We shall close the article with a simple prime number generation using OpenSSL, which is, after all, at the base of all these advanced real-life uses:

$ openssl prime -generate -bits 30
817978963

 

Did you enjoy this content? Follow our linkedin page!

Looking for similar content?

Dhiraj Sharan

Written by Dhiraj Sharan

Dhiraj is the founder and CEO of Query.AI. He is an innovator and expert developer with 18 years of problem solving and solutions development in cybersecurity including over 10 patents. He has lead engineering for companies like ArcSight, HPE, Niara and Aruba.