So, I will give some notes and quotes.
Key Generation
Key algorithm
For SSL keys everyone uses RSA; ECDSA keys are yet to be widely supported by CAs.
Key size
When generating a key, use a longer length than the default. Bit for bit, Elliptic Curve keys are stronger. Today, 2048-bit RSA keys are considered secure, and that's what you should use. Aim also to use 2048 bits for DSA keys and at least 224 bits for ECDSA.
Passphrase
Using a passphrase with a key is optional, but strongly recommended ... passphrases should be viewed only as a mechanism for protecting private keys when they are not installed on production systems. In other words, it’s all right to keep passphrases on production systems, next to the keys.
Command Line Key Generation
RSA Keys
To generate a private key, use the following command; the new file is fd.key. Don't forget your passphrase!
c:\OpenSSL-Win64\bin\openssl genrsa -aes128 -out fd.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
..........................................................................+++
e is 65537 (0x10001)
Enter pass phrase for fd.key:
Verifying - Enter pass phrase for fd.key:
To generate the corresponding public key, use the following command; the new file is fd-public.key. Don't forget your passphrase!
c:\OpenSSL-Win64\bin\openssl rsa -in fd.key -pubout -out fd-public.key
Enter pass phrase for fd.key:
writing RSA key
I skipped showing the output because RSA keys are long, hence the attraction of elliptic curve keys.
Elliptic Curve Keys
Here is how to generate an elliptic curve key.
> openssl ecparam -genkey -name secp256r1 | openssl ec -out ec.key -aes128
using curve name prime256v1 instead of secp256r1
read EC key
writing EC key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
And to display the key in text form:
C:\OpenSSL-Win64\bin> openssl ec -in ec.key -text -noout
read EC key
Enter PEM pass phrase:
Private-Key: (256 bit)
priv:
00:a8:bc:2b:6e:9a:15:98:b5:5b:66:56:4e:8c:54:
ab:1a:df:85:25:60:d4:39:6e:b0:88:4f:ee:ea:fd:
e9:f5:93
pub:
04:8e:8b:a6:6f:97:8b:a7:30:59:72:7d:e1:f2:2e:
bd:7e:7e:ee:61:29:3e:a9:3d:41:2f:da:d0:71:67:
30:63:f8:86:dd:42:bd:0a:7b:67:7b:a1:93:12:61:
d0:aa:14:4e:c4:5e:97:64:7d:ae:75:97:c4:66:42:
87:14:08:d6:01
ASN1 OID: prime256v1
NIST CURVE: P-256
Referencing David DeRosa for extracting the public key only:
C:\OpenSSL-Win64\bin> openssl ec -in ec.key -pubout -out ec-pub.key
read EC key
Enter PEM pass phrase:
writing EC key
And to display the contents of this reduced file, use this:
C:\OpenSSL-Win64\bin>openssl ec -in ec-pub.key -pubin -text -noout
read EC key
Private-Key: (256 bit)
pub:
04:8e:8b:a6:6f:97:8b:a7:30:59:72:7d:e1:f2:2e:
bd:7e:7e:ee:61:29:3e:a9:3d:41:2f:da:d0:71:67:
30:63:f8:86:dd:42:bd:0a:7b:67:7b:a1:93:12:61:
d0:aa:14:4e:c4:5e:97:64:7d:ae:75:97:c4:66:42:
87:14:08:d6:01
ASN1 OID: prime256v1
NIST CURVE: P-256
Obviously keep the file with the private key secret [and not on a blog :) ]. You distribute the public key because that is what your client-side digital signature validation code will use.
DSA Keys
I skipped the DSA section as I'm not interested in it.
Signing a licence file
So here is an example licence file which describes the hardware fingerprint (unique to each machine), the customer, and the software components sold (or being evaluated). We have chosen JSON as our file format.
{
    "hardwareFingerprint": {
        "volC": "4715-932C"
    },
    "customer": {
        "name": "W Churchill"
    },
    "softwareLicences": [
        {
            "name": "spellChecker",
            "licenceType": "90 day evaluation",
            "expiryDate": "2017-Nov-05"
        },
        {
            "name": "Chess",
            "licenceType": "paid",
            "expiryDate": "Never"
        }
    ]
}
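The signing and client-side validation this licence file is heading for, as an added example that is not the blog's own code: Go's standard library, a P-256 (prime256v1) key as produced by the openssl commands above, SHA-256 over the exact file bytes and an ASN.1 DER ECDSA signature. The licence constant is a constructed sample in the same shape as the JSON above, and the function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
)

// Constructed sample with the same shape as the licence file above; the signature
// covers these exact bytes, so even a whitespace change invalidates it.
const licence = `{"hardwareFingerprint":{"volC":"4715-932C"},"customer":{"name":"W Churchill"},` +
	`"softwareLicences":[{"name":"Chess","licenceType":"paid","expiryDate":"Never"}]}`

// NewP256KeyPair generates a prime256v1 (P-256) key and returns the private key plus
// its public half as a PEM "PUBLIC KEY" block, the format `openssl ec -pubout` writes.
func NewP256KeyPair() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), err
}

// SignLicence is the vendor-side step: SHA-256 over the file bytes, then an ASN.1 DER
// ECDSA signature, the same encoding `openssl dgst -sha256 -sign ec.key` produces.
func SignLicence(priv *ecdsa.PrivateKey, file []byte) ([]byte, error) {
	digest := sha256.Sum256(file)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyLicence is the client-side check. It needs only the public key PEM and
// rejects anything that is not a P-256 ECDSA key before looking at the signature.
func VerifyLicence(pubPEM, file, sig []byte) bool {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return false
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := key.(*ecdsa.PublicKey)
	if err != nil || !ok || pub.Curve != elliptic.P256() {
		return false // wrong key type or curve: do not fall through to verification
	}
	digest := sha256.Sum256(file)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

The client ships only the PUBLIC KEY PEM; the signing key stays with the vendor, exactly as the note above about keeping ec.key secret says.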