
OpenSSL – Diffie Hellman and Elliptic Curve Cryptography with Digital Certificates
OpenSSL is a leading open-source SSL/TLS toolkit that offers many features, from client and server communication to certificate generation and self-signing. OpenSSL allows a user to issue CA certificates and use them to sign other certificates for both testing and production scenarios. Visit the OpenSSL website: https://www.openssl.org/
Diffie Hellman is one of the most common and best-known key exchange algorithms. When two parties with no prior knowledge of each other want to communicate securely using public-key (asymmetric) cryptography, they first need to perform a cryptographic key exchange. The process involves information that passes in clear text through an insecure channel (such as the internet), produces a shared secret, and only then is the secure communication established.
For more information: http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
Elliptic curve cryptography is based on the algebraic structure of elliptic curves over finite fields. For more information:
http://en.wikipedia.org/wiki/Elliptic_curve_cryptography
The two algorithms can work together: The elliptic curve Diffie–Hellman (ECDH) key agreement scheme is based on the Diffie–Hellman scheme.
OpenSSL and Diffie Hellman
Some of the OpenSSL processes require Diffie Hellman for key exchange.
Generating the prime (‘p’) and the generator (‘g’) for each exchange takes time, so in some cases OpenSSL allows the DH parameters and public key to be carried in, and extracted from, a certificate.
However, a Diffie Hellman key cannot sign anything, so the certificate must be signed by a separate CA key (RSA in this example), which makes the process less obvious than it looks.
Here is a clean way to produce the certificates and the parameters:
Optional – Create Root authority
Create root Key
openssl genrsa -out AppSecTestCA.key 4098
Create root key encrypted with AES (alternative to the previous command; OpenSSL will prompt for a passphrase)
openssl genrsa -out AppSecTestCA.key -aes256 4098
Create a self-signed root CA
openssl req -x509 -new -nodes -key AppSecTestCA.key -days 4098 -out AppSecTestCA.pem
- OpenSSL will prompt for information about the certificate
Generating DH certificates
Generating DH params
openssl dhparam -out AppSecTestdhParam.pem 4098
- Note that this takes some time
openssl genpkey -paramfile AppSecTestdhParam.pem -out AppSecTestdhkey.pem
Create the public key
openssl pkey -in AppSecTestdhkey.pem -pubout -out AppSecTestpubkey.pem
Create CSR file (the RSA key is only used to sign the request; its public key is replaced in the next step)
openssl genrsa -out AppSecTestrsakey.pem 4098
openssl req -new -key AppSecTestrsakey.pem -out AppSecTestrsa.csr
Generating the DH cert from the RSA CSR and the DH public key
openssl x509 -req -in AppSecTestrsa.csr -CAkey AppSecTestCA.key -CA AppSecTestCA.pem -force_pubkey AppSecTestpubkey.pem -out AppSecTestdhcert.pem -CAcreateserial
- -force_pubkey is only available in OpenSSL version 1.0.2 and above; it replaces the CSR's RSA public key with the DH public key created above (AppSecTestpubkey.pem)
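The whole DH-certificate procedure above, as an added example that is not part of the original post, wrapped in one function that also checks the result: the chain verifies against the CA, and the public key inside the certificate is the DH key, not the throwaway RSA key from the CSR. File names follow the post; the function name make_dh_cert, the -subj values and the size argument are assumptions (the post uses 4098 bits everywhere). It also assumes -dsaparam for DH parameter generation so that small test runs finish quickly; drop that flag to get the safe-prime parameters the post's dhparam command produces.

```shell
#!/bin/sh
# Added example (not from the original post): build a DH certificate signed by
# an RSA CA, as described in the post, then verify what was produced.
set -eu

# make_dh_cert WORKDIR BITS
#   Creates the RSA CA, DH parameters, DH key pair, RSA CSR and the DH
#   certificate in WORKDIR. Returns non-zero if any step or check fails.
make_dh_cert() {
  dir=$1; bits=$2
  mkdir -p "$dir"

  # 1. RSA root CA. A DH key cannot sign, so the DH certificate needs a
  #    signing CA of another key type.
  openssl genrsa -out "$dir/AppSecTestCA.key" "$bits" 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/AppSecTestCA.key" -days 365 \
      -subj "/CN=AppSec Test CA" -out "$dir/AppSecTestCA.pem"

  # 2. DH parameters and key pair. -dsaparam is an assumption for speed
  #    (DSA-style parameter generation); the post's command omits it.
  openssl dhparam -dsaparam -out "$dir/AppSecTestdhParam.pem" "$bits" 2>/dev/null
  openssl genpkey -paramfile "$dir/AppSecTestdhParam.pem" -out "$dir/AppSecTestdhkey.pem"
  openssl pkey -in "$dir/AppSecTestdhkey.pem" -pubout -out "$dir/AppSecTestpubkey.pem"

  # 3. CSR signed with a throwaway RSA key. Only the subject survives;
  #    -force_pubkey swaps the RSA public key for the DH one.
  openssl genrsa -out "$dir/AppSecTestrsakey.pem" "$bits" 2>/dev/null
  openssl req -new -key "$dir/AppSecTestrsakey.pem" \
      -subj "/CN=appsec.example" -out "$dir/AppSecTestrsa.csr"
  openssl x509 -req -in "$dir/AppSecTestrsa.csr" \
      -CA "$dir/AppSecTestCA.pem" -CAkey "$dir/AppSecTestCA.key" -CAcreateserial \
      -days 365 -force_pubkey "$dir/AppSecTestpubkey.pem" \
      -out "$dir/AppSecTestdhcert.pem" 2>/dev/null

  # 4. Checks: the certificate chains to the CA ...
  openssl verify -CAfile "$dir/AppSecTestCA.pem" "$dir/AppSecTestdhcert.pem" >/dev/null
  # ... and the key embedded in it is byte-for-byte the DH public key
  #     (both sides normalised to DER so the comparison is encoding-independent).
  openssl x509 -in "$dir/AppSecTestdhcert.pem" -noout -pubkey \
      | openssl pkey -pubin -outform DER -out "$dir/cert_pub.der"
  openssl pkey -pubin -in "$dir/AppSecTestpubkey.pem" -outform DER -out "$dir/dh_pub.der"
  cmp -s "$dir/cert_pub.der" "$dir/dh_pub.der"
}

# Usage: sh dh_cert.sh run /path/to/workdir [bits]
if [ "${1:-}" = run ]; then
  make_dh_cert "${2:?workdir}" "${3:-2048}"
fi
```

The final cmp is the check worth keeping: if the -force_pubkey path were skipped by mistake, OpenSSL would happily issue a valid-looking RSA certificate and openssl verify alone would not notice.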
Generating Elliptic Curve CA
Listing the supported elliptic curves
openssl ecparam -list_curves
Create a Self-Signed CA certificate
This example uses sect283k1, a NIST/SECG standard curve over a 283-bit binary field
openssl ecparam -out AppSecECCAKey.key -name sect283k1 -genkey
openssl req -x509 -new -key AppSecECCAKey.key -out AppSecECCA.pem -outform PEM -days 3650
Create a private key and a request for the EC certificate
openssl ecparam -out AppSecECKey.key -name sect283k1 -genkey
openssl req -new -nodes -key AppSecECKey.key -outform pem -out AppSecECRequest.req
Generating the EC signed certificate from the AppSecECRequest request in the local directory. The signing key must be the CA key (AppSecECCAKey.key), not the end-entity key. Note that openssl ca, unlike openssl x509 -req, needs a CA database (the index.txt and serial files named in the [ ca ] section of openssl.cnf) before it will issue anything.
openssl ca -keyfile AppSecECCAKey.key -cert AppSecECCA.pem -in AppSecECRequest.req -out AppSecECCert.pem -outdir .
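The EC CA procedure above, as an added example that is not part of the original post, including the part the post leaves implicit: the minimal CA database and configuration that openssl ca requires, and a check that the issued certificate chains to the CA and carries the end-entity EC key. File names follow the post; the function name make_ec_ca_and_cert, the config section names, the -subj values and the curve argument are assumptions. The usage line defaults to prime256v1 rather than the post's sect283k1 because binary-field curves are absent from TLS 1.3 and are disabled in some OpenSSL builds; pass sect283k1 as the second argument to reproduce the post exactly on a build that supports it.

```shell
#!/bin/sh
# Added example (not from the original post): EC CA, EC end-entity request,
# and issuance with `openssl ca` using a throwaway CA database.
set -eu

# make_ec_ca_and_cert WORKDIR CURVE
#   Builds everything in WORKDIR. Returns non-zero if any step or check fails.
make_ec_ca_and_cert() {
  dir=$1; curve=$2
  mkdir -p "$dir"

  # 1. CA key and self-signed CA certificate
  openssl ecparam -out "$dir/AppSecECCAKey.key" -name "$curve" -genkey
  openssl req -x509 -new -key "$dir/AppSecECCAKey.key" -days 3650 \
      -subj "/CN=AppSec EC Test CA" -out "$dir/AppSecECCA.pem"

  # 2. End-entity key and certificate request
  openssl ecparam -out "$dir/AppSecECKey.key" -name "$curve" -genkey
  openssl req -new -nodes -key "$dir/AppSecECKey.key" \
      -subj "/CN=appsec.example" -out "$dir/AppSecECRequest.req"

  # 3. CA database and config. `openssl ca` refuses to run without the
  #    index (database) and serial files; an empty index and serial 01 suffice.
  #    "$dir" is expanded by this shell; "\$dir" is left for openssl's config parser.
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = appsec_ca

[ appsec_ca ]
dir             = $dir
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir
default_md      = sha256
default_days    = 365
policy          = appsec_policy
x509_extensions = appsec_ee

[ appsec_policy ]
commonName = supplied

[ appsec_ee ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
EOF

  # 4. Issue the certificate with the CA key (not the end-entity key), no prompts
  openssl ca -config "$dir/ca.cnf" -batch -notext \
      -keyfile "$dir/AppSecECCAKey.key" -cert "$dir/AppSecECCA.pem" \
      -in "$dir/AppSecECRequest.req" -out "$dir/AppSecECCert.pem" \
      -outdir "$dir" 2>/dev/null

  # 5. Checks: chain verifies, and the certificate holds the end-entity public key
  openssl verify -CAfile "$dir/AppSecECCA.pem" "$dir/AppSecECCert.pem" >/dev/null
  openssl x509 -in "$dir/AppSecECCert.pem" -noout -pubkey > "$dir/cert_pub.pem"
  openssl pkey -in "$dir/AppSecECKey.key" -pubout > "$dir/key_pub.pem"
  cmp -s "$dir/cert_pub.pem" "$dir/key_pub.pem"
}

# Usage: sh ec_ca.sh run /path/to/workdir [curve]
if [ "${1:-}" = run ]; then
  make_ec_ca_and_cert "${2:?workdir}" "${3:-prime256v1}"
fi
```

After a run, index.txt holds one "V" (valid) line for the issued certificate and serial has advanced to 02; that database is what lets openssl ca refuse duplicate subjects and later produce a CRL, which is the reason to prefer it over openssl x509 -req for anything beyond a one-off test.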
I hope this was helpful!
References:
Creating CA Certificates: http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
DH Certificates: http://security.stackexchange.com/questions/44251/openssl-generate-different-type-of-self-signed-certificate
EC Certificates: http://this.is.thoughtcrime.org.nz/elliptic-curve-ca-guide