• ## Cryptography Engineering

These are my notes on the book Cryptography Engineering by
Niels Ferguson, Bruce Schneier, Tadayoshi Kohno
Paperback: 384 pages
Publisher: John Wiley & Sons; March 2010
ISBN: 978-0470474242

“The world is full of bad security systems designed by people who have read Applied Cryptography.” Cryptography Engineering could have the same effect.

## Randomness

Generate 33 random bytes (wrapped in 44 characters)

openssl rand -base64 33 -out pass.txt


Output random bytes in hex format

openssl rand -hex 33


## Certificate Authority

Create a CA certificate (refer to openssl-ca.cnf file)

openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -days 3000 -out cacert.pem -keyout cakey.pem -passout file:pass.txt


## RFC8017 (PKCS #1 v.2.2)

Defines the traditional format for RSA keys. Two structures:

and

Commands

Generate RSA private key

openssl genrsa -out private.pem 2048


Extract public key from RSA private key

openssl rsa -in private.pem -out public.pem -RSAPublicKey_out

• ## RSA Private Key

“What I cannot create, I do not understand” — Richard Feynman

As a fun exercise I wanted to know how to build an RSA private key file from scratch. It turned out that it was not complicated. In fact it was very educational to learn about the PKCS #1 and X.609 standards. By the end of this post you should be able to read DER files without the openssl command, too.

From a mathematical perspective an RSA private key is just a pair of numbers satisfying a few conditions. The first step is to choose two prime numbers. If we want our key to be $k$-bit long then each prime should be $k/2$-bit long. Here are two primes 1024-bit long:

p = 188658351657909995564241240465674883756750911978965594406091265432265641964092435440867010496656290185915042088848864982944624560228571535282140345941898374783486396513112284924130530433476612244870421527834092351771495657957917171265855063528745445693207773620468819387929613829761428627329588653924255089451
q = 314178598271171309643469864042809599136290738797354680579453738873053976803051841787567944451717551290169456210178094252448060684978774667964812128639960504040754248179131205124174037497556941333232996617690501240860884613659741212508891734662698093999296965839284246675187499601986034176733136066305345935229

• ## Spring OAuth 2

This post is a quick analysis of the Spring implementation of OAuth 2.0 code flow (RFC6749 Section 4.1) with the minumum application code. The setup consists of the authorization server, the resource server, and the client.

The flow starts when a user hits localhost:9999/client/resource