• Cryptography Engineering

    These are my notes on the book Cryptography Engineering by
    Niels Ferguson, Bruce Schneier, Tadayoshi Kohno
    Paperback: 384 pages
    Publisher: John Wiley & Sons; March 2010
    ISBN: 978-0470474242

    “The world is full of bad security systems designed by people who have read Applied Cryptography.” Cryptography Engineering could have the same effect.

  • Cryptography Tools

    Randomness

    Generate 33 random bytes (wrapped in 44 characters)

    openssl rand -base64 33 -out pass.txt
    

    Output random bytes in hex format

    openssl rand -hex 33
    

    Certificate Authority

    Create a CA certificate (refer to openssl-ca.cnf file)

    openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -days 3000 -out cacert.pem -keyout cakey.pem -passout file:pass.txt
    
  • PKCS #1, PKCS #8, X.509

    RFC8017 (PKCS #1 v.2.2)

    Defines the traditional format for RSA keys. Two structures:

    -----BEGIN RSA PRIVATE KEY-----
    RSAPrivateKey
    -----END RSA PRIVATE KEY-----

    and

    -----BEGIN RSA PUBLIC KEY-----
    RSAPublicKey
    -----END RSA PUBLIC KEY-----

    Commands

    Generate RSA private key

    openssl genrsa -out private.pem 2048
    

    Extract public key from RSA private key

    openssl rsa -in private.pem -out public.pem -RSAPublicKey_out
    
  • RSA Private Key

    “What I cannot create, I do not understand” — Richard Feynman

    As a fun exercise I wanted to know how to build an RSA private key file from scratch. It turned out that it was not complicated. In fact it was very educational to learn about the PKCS #1 and X.609 standards. By the end of this post you should be able to read DER files without the openssl command, too.

    From a mathematical perspective an RSA private key is just a pair of numbers satisfying a few conditions. The first step is to choose two prime numbers. If we want our key to be $k$-bit long then each prime should be $k/2$-bit long. Here are two primes 1024-bit long:

    p = 188658351657909995564241240465674883756750911978965594406091265432265641964092435440867010496656290185915042088848864982944624560228571535282140345941898374783486396513112284924130530433476612244870421527834092351771495657957917171265855063528745445693207773620468819387929613829761428627329588653924255089451
    q = 314178598271171309643469864042809599136290738797354680579453738873053976803051841787567944451717551290169456210178094252448060684978774667964812128639960504040754248179131205124174037497556941333232996617690501240860884613659741212508891734662698093999296965839284246675187499601986034176733136066305345935229
    
  • Spring OAuth 2

    This post is a quick analysis of the Spring implementation of OAuth 2.0 code flow (RFC6749 Section 4.1) with the minumum application code. The setup consists of the authorization server, the resource server, and the client.

    The flow starts when a user hits localhost:9999/client/resource