Lab 10 Exercise 1

Learn how to use ASN.1 viewers.

For this exercise, you will need the dumpasn1 tool. It is available in most Linux distributions. Windows and Mac users can search for 'ASN.1 Dump'.

We will practice by exploring different key formats. As you remember from Lab 6, there are several ways to store a private key. PKCS#1 and PKCS#8 are two well-known examples.

The PKCS#1 private key format is defined in RFC 3447.

The PKCS#8 private key format is defined in RFC 5208.

Read more about PKCS on Wikipedia.

Key generation

First, we will need to generate the keypair (refer to Lab 6 for details):

  openssl genrsa -out priv.pem 2048

The generated key is PEM-encoded (Base64), which some ASN.1 tools do not understand, so we need to re-encode the key as DER:

  openssl rsa -in priv.pem -inform PEM -out priv.der -outform DER

dumpasn1 tool

Now we can inspect the key contents:

  dumpasn1 priv.der

Refer to man dumpasn1 to tweak the output format according to your needs. You may want to use the -p and -h options.

Q:

  • What do those INTEGERs mean?

Don't have dumpasn1 installed? You can write a similar tool in Java; it takes only a few lines of code:

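  import java.io.FileInputStream;
  import org.bouncycastle.asn1.*;
  import org.bouncycastle.asn1.util.ASN1Dump;
  FileInputStream in = new FileInputStream(args[0]);  // body of main(String[] args) throws Exception
  ASN1Encodable der = new ASN1InputStream(in).readObject();
  System.out.println(ASN1Dump.dumpAsString(der));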

You will need the BouncyCastle provider library, though.
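A viewer of this kind can also be written without any library. The following minimal DER walker in Python is an added example, not part of the original lab; the names read_tlv, decode_oid, dump and SAMPLE are made up for it, and SAMPLE is a hand-built toy structure with tiny integers rather than a real key.

```python
NAMES = {2: "INTEGER", 4: "OCTET STRING", 5: "NULL", 6: "OBJECT IDENTIFIER", 0x30: "SEQUENCE"}
# Added example. SAMPLE is constructed toy input with tiny integers, not a real key.
SAMPLE = bytes.fromhex("3020020100300d06092a864886f70d0101010500040c300a02010002020ca1020111")

def read_tlv(buf, pos, end):
    """Parse one TLV header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > end:
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("value runs past end of input")
    return tag, pos, pos + length

def decode_oid(val):
    """Content bytes -> dotted OID (base-128 values; the first packs two arcs)."""
    arcs, acc = [], 0
    for b in val:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends this value
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def dump(buf, pos=0, end=None, depth=0):
    """Return one indented line per element, recursing into nested structures."""
    end, lines = (len(buf) if end is None else end), []
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos, end)
        val, kids = buf[vs:ve], None
        if tag & 0x20:                 # constructed: the value is a run of TLVs
            kids = dump(buf, vs, ve, depth + 1)
        elif tag == 0x04 and val[:1] == b"\x30":
            try:                       # heuristic: OCTET STRING wrapping more DER
                kids = dump(buf, vs, ve, depth + 1)
            except ValueError:
                pass
        text = (f" {int.from_bytes(val, 'big', signed=True)}" if tag == 0x02 else
                f" {decode_oid(val)}" if tag == 0x06 and val else
                "" if kids is not None or not val else f" {val.hex()}")
        lines += [f"{'  ' * depth}{NAMES.get(tag, hex(tag))} ({ve - vs} bytes){text}"] + (kids or [])
        pos = ve
    return lines

print("\n".join(dump(SAMPLE)))
```

To inspect the files from this lab, read priv.der or priv.pk8 in binary mode and pass the bytes to dump().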

Next, we will need a key in PKCS#8 format. You can convert the initial key with this command:

  openssl pkcs8 -topk8 -nocrypt -in priv.pem -out priv.pk8 -outform DER

Note the -nocrypt option. By default, OpenSSL creates a PKCS#8 structure in which the private key is protected by a password. To access the key contents, we need an unencrypted key.

Note that storing a private key unencrypted is usually a bad idea.

Use dumpasn1 (or any other tool) to inspect the key file contents.

Q:

  • How can you describe the difference between PKCS#1 and PKCS#8?

Try inspecting the encrypted key too. For that, use the previous conversion command without the -nocrypt option.

Q:

  • What structure is created? Hint: RFC 5208 has answers.
  • What encryption algorithm is used? What exactly is it doing?