Lab - Asymmetric Cryptography
In this guide we will develop programs that use cryptographic methods,
relying in the Python3 Cryptography module.
The module can be installed using the typical package management methods
python3-cryptography), or using the
pip3 install cryptography).
It will be useful to visualize and edit files in binary format. For that
purpose, if you are using Linux, you may install
from the repositories.
We will be exploring the low level interface of the
python cryptography library, for educational purposes.
If you plan to use this library in real world application, stay with the Fernet interface.
As the documentation clearly states:
This is a “Hazardous Materials” module. You should ONLY use it if you’re 100% absolutely sure that you know what you’re doing because this module is full of land mines, dragons, and dinosaurs with laser guns.
Key pair generation
Create a small program to generate an
RSA key pair, with a key length specified by
the user, that could be one of the following values: 1024, 2048, 3072
and 4096. The program must save the key pair in two files, one for the
private key and the other for the public key, whose names should also be
specified by the user. The keys can be saved as binary blobs, but
PEM format will be more appropriate.
Run the program, several times, varying the key length.
- What do you think of using 4096 bit keys by default in relation to speed?
- How the actual key size varies with the number of bits?
Create a small program to encrypt a file using
The user must indicate the following data: (i) the name of the original file to encrypt, (ii) the name of the file with the public key, (iii) the name for the encrypted file.
Note: Pay attention to the size of the original file, i.e., the file
to encrypt. Using the PKCS#1, the block size is equal to
the key size minus eleven bytes (eleven bytes for padding). So, using
RSA key (128 bytes) the block size is 117 bytes (128 - 11).
Other methods may be able to encrypt a different number of bytes at once.
Create a small program to decrypt the contents of a file, whose name is
provided by the user, using the
RSA algorithm. The user must also indicate
(i) the name of the file containing the private key to use, and (ii) the
name for the file to save the decrypted content.
RSA encryption program you developed, to encrypt a file. Run again the
program to encrypt the same file, using the same key, and save the
encrypted content in another file. Using a binary file editor, open the
two encrypted files you just generated and compare them. Are they
similar or exactly the same?
Now use the
RSA decryption program you developed, and decrypt the two encrypted files
you generated. What is the result? Are the decrypted files equal to the
- Can you explain the reason for what you observed in this exercise?
How to encrypt a very large file?
Has you know, by now,
RSA encryption is not efficient and is not
used to encrypt data bigger than its block size. If you wish to see how
inefficient it is, just take some data and measure the time it takes to
encrypt and decrypt that data with
Imagine you have a large file (500 MBytes, for example) that you want to
send to some person, with the guarantee that only that person can
decrypt the file. More, you have the public key of that person, and you
are not able to contact the person before sending the file. So, you have
a big file to transmit to a person, from which you know the public key,
but the process will be very slow if you encrypt the file using
RSA . However, you
can use any other encryption algorithm to encrypt the file, but remember
you want that only the receiver must be able to decrypt the file.
Can you imagine some combination of encryption technologies that allows you to efficiently send the file to the other person, with the guarantee that only that person can decrypt the file?
A typical solution is called Hybrid Encryption, which combines two ciphers, a symmetric to encrypt the file with a random key, and a asymmetric to encrypt the key used in the previous step. Implement a function that applies this method.
- With this method, what is sent to the destination?
- Should we always send the pubic key?