Listen to this Post
Introduction:
Asymmetric encryption revolutionizes data protection by using a pair of mathematically linked keys—public and private—to secure communications over untrusted networks like the internet. Unlike symmetric encryption, which shares a single key between parties, this model ensures that only the holder of the private key can decrypt what the public key encrypts, forming the backbone of HTTPS, digital signatures, and PKI.
Learning Objectives:
- Understand the fundamental difference between symmetric and asymmetric encryption and when to use each.
- Generate and manage RSA key pairs using command-line tools on Linux and Windows.
- Apply asymmetric encryption to real-world scenarios including file protection, TLS handshakes, and API authentication.
You Should Know:
- Generating RSA Key Pairs with OpenSSL (Linux & Windows)
Asymmetric encryption begins with key generation. OpenSSL is the industry standard for creating RSA key pairs. Below are verified commands for both Linux and Windows environments.
Linux / macOS (and Windows with OpenSSL installed):
Generate a 2048-bit private key (store securely) openssl genrsa -out private_key.pem 2048 Extract the corresponding public key openssl rsa -in private_key.pem -pubout -out public_key.pem Verify key contents openssl rsa -in private_key.pem -text -1oout openssl rsa -pubin -in public_key.pem -text -1oout
Windows (using OpenSSL for Windows or WSL):
If OpenSSL is in PATH, same commands work openssl genrsa -out C:\keys\private_key.pem 2048 openssl rsa -in C:\keys\private_key.pem -pubout -out C:\keys\public_key.pem
Step‑by‑step guide:
- Install OpenSSL (Linux:
sudo apt install openssl, Windows: download from Shining Light Productions). - Run the `genrsa` command to create a private key. Never share this file.
- Extract the public key using the `rsa -pubout` command. The public key can be distributed freely.
- Use `-text -1oout` to inspect the modulus and exponent values, confirming correct generation.
2. Encrypting and Decrypting Messages Using Public/Private Keys
Once keys exist, you can encrypt a file with the recipient’s public key and decrypt only with their private key. OpenSSL handles this via RSA encryption (though note: RSA is typically used for small data; for large files, hybrid encryption is recommended).
Encrypt (sender uses recipient’s public key):
Create a plaintext message echo "Confidential: Project X launch date is 2026-07-01" > message.txt Encrypt using public key (RSA) openssl rsautl -encrypt -inkey public_key.pem -pubin -in message.txt -out encrypted.bin
Decrypt (recipient uses their private key):
openssl rsautl -decrypt -inkey private_key.pem -in encrypted.bin -out decrypted.txt cat decrypted.txt
Step‑by‑step guide:
- The sender obtains the recipient’s public key file (
public_key.pem). - Run the `rsautl -encrypt` command, specifying `-pubin` to indicate a public key. Output is binary ciphertext.
- Transfer `encrypted.bin` over any channel (e.g., email, cloud).
- The recipient uses `rsautl -decrypt` with their private key to recover the original text.
- Important: RSA encryption is limited by key size (e.g., 2048-bit key encrypts ~245 bytes of data). For larger files, use hybrid encryption (e.g., generate a random symmetric key, encrypt the file with AES, then encrypt only that symmetric key with RSA).
3. Understanding Digital Signatures for Authentication
Asymmetric encryption also enables digital signatures—proving that a message originated from the holder of a private key without revealing the key. This ensures integrity and non-repudiation.
Sign a file (using sender’s private key):
openssl dgst -sha256 -sign private_key.pem -out signature.bin message.txt
Verify the signature (using sender’s public key):
openssl dgst -sha256 -verify public_key.pem -signature signature.bin message.txt
Expected output: `Verified OK`
Step‑by‑step guide:
- The sender computes a SHA-256 hash of `message.txt` and signs it with their private key, creating
signature.bin. - The recipient (or anyone) uses the sender’s public key to verify that the signature matches the message.
- If the message is altered even by one byte, verification fails. This is the foundation of code signing, Git commit signatures, and JWT authentication.
-
Implementing Asymmetric Encryption in Secure Web Browsing (TLS/SSL)
HTTPS/TLS uses asymmetric encryption only during the handshake to exchange a symmetric session key (hybrid approach). The server’s certificate contains its public key. Clients verify the certificate chain using built-in root CAs.
View a website’s certificate and extract its public key (Linux/Windows):
Using openssl s_client echo | openssl s_client -connect google.com:443 -servername google.com 2>/dev/null | openssl x509 -pubkey -1oout Save the server's public key to a file echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -pubkey -1oout > google_pubkey.pem
Windows PowerShell alternative:
Using .NET to retrieve certificate
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$req = [System.Net.WebRequest]::Create("https://google.com")
$req.GetResponse() | Out-1ull
$cert = $req.ServicePoint.Certificate
$cert.GetPublicKeyString()
Step‑by‑step guide:
- Run the `s_client` command to connect to a TLS‑enabled server and dump its certificate.
- Pipe to `x509 -pubkey` to extract the server’s RSA/ECC public key.
- In a real TLS handshake, the client encrypts a random session key with this public key; only the server’s private key can decrypt it.
- This demonstrates why stealing a server’s private key breaks HTTPS—attackers can decrypt past sessions if forward secrecy isn’t used.
-
Common Pitfalls and Mitigation Strategies (Key Length, Padding Attacks)
Weak implementations destroy the security of asymmetric encryption. Attackers exploit short key lengths, obsolete padding, and side-channel leaks.
| Pitfall | Mitigation |
||-|
| 1024-bit RSA keys | Use at least 2048 bits (or 3072 for long-term). Generate with `openssl genrsa -out key.pem 3072` |
| PKCS1 v1.5 padding (vulnerable to Bleichenbacher attack) | Use OAEP padding: `openssl rsautl -encrypt -oaep -inkey pub.pem -pubin -in data.txt -out enc.bin` |
| Private key world‑readable | Restrict permissions: `chmod 600 private_key.pem` (Linux) or `icacls private_key.pem /inheritance:r /grant:r %USERNAME%:F` (Windows) |
| No key rotation | Replace keys every 1–2 years using automated scripts |
Check your key security:
Check key length and modulus openssl rsa -in private_key.pem -text -1oout | grep "Private-Key" Test for weak primes (using external tool like rsa-bleichenbacher-test) For demonstration, check if key uses proper padding when encrypting: openssl rsautl -encrypt -oaep -inkey pub.pem -pubin -in test.txt -out test_oaep.bin
Step‑by‑step guide:
- Always use the `-oaep` flag with `rsautl` (or `-pkeyopt rsa_padding_mode:oaep` in newer OpenSSL).
- Audit existing keys: `ssh-keygen -l -f ~/.ssh/id_rsa.pub` shows bit length for SSH keys.
- Implement key expiration in your PKI. For self‑signed certificates, use `openssl ca` to manage validity periods.
-
Integrating Asymmetric Encryption in Cloud Security and API Authentication
Cloud providers and APIs rely on asymmetric keys for identity and access control. Examples: AWS uses key pairs for EC2 instance logins; Google Cloud IAM uses service account keys; JWT tokens can be signed with RSA.
Generate an RSA key pair for AWS EC2 (Linux/Windows):
ssh-keygen -t rsa -b 2048 -f my-ec2-key -C "[email protected]" my-ec2-key (private) and my-ec2-key.pub (public) Upload the public key to AWS EC2 -> Key Pairs
Use RSA to sign and verify a JWT token (Python example):
import jwt
import json
Load private key
with open("private_key.pem", "rb") as f:
private_key = f.read()
payload = {"user": "admin", "exp": 1620000000}
token = jwt.encode(payload, private_key, algorithm="RS256")
print(f"JWT: {token}")
Verification using public key
with open("public_key.pem", "rb") as f:
public_key = f.read()
decoded = jwt.decode(token, public_key, algorithms=["RS256"])
print(json.dumps(decoded, indent=2))
Step‑by‑step guide:
- Create RSA keys via `ssh-keygen` (for SSH authentication) or OpenSSL (for JWTs).
- For API authentication, the client signs a request (e.g., OAuth 1.0a) or a JWT assertion.
- The server validates the signature using the client’s public key, ensuring the request comes from the legitimate private key holder without transmitting secrets.
- In cloud hardening, store private keys in hardware security modules (HSMs) or secrets managers (AWS Secrets Manager, HashiCorp Vault). Never embed private keys in source code.
7. Future of Asymmetric Cryptography: Post-Quantum Threats
Shor’s algorithm, run on a sufficiently powerful quantum computer, could break RSA and ECC. Post‑quantum cryptography (PQC) is developing new asymmetric algorithms (e.g., CRYSTALS‑Kyber, Falcon). NIST has standardized several for 2024‑2030 transition.
Current mitigation:
- Use hybrid key exchange in TLS 1.3 (classical + PQC) when available.
- Inventory all asymmetric keys: `find / -1ame “.pem” -o -1ame “.key” -o -1ame “id_rsa” 2>/dev/null`
- Plan for crypto‑agility: design systems where algorithms can be swapped without major rewrites.
Check if your OpenSSL supports PQC (experimental):
openssl list -public-key-algorithms | grep -i "kyber|dilithium"
(Currently, use liboqs or BoringSSL forks for testing.)
Step‑by‑step guide:
- Identify long‑lived RSA keys (e.g., code signing, root CAs, VPN certificates).
- Monitor NIST PQC standardization progress and vendor announcements.
- For new projects, consider implementing a crypto‑agile abstraction layer (e.g., use Google Tink).
- Run quantum risk assessment: data that needs confidentiality for 10+ years (e.g., health records, state secrets) is most vulnerable to “harvest now, decrypt later” attacks.
What Undercode Say:
- Asymmetric encryption is not a magic bullet — it’s computationally expensive and limited in payload size. Real systems always pair it with symmetric encryption (hybrid cryptosystem). Misunderstanding this leads to broken implementations.
- Key management is the weakest link — generating keys is easy; storing, rotating, and revoking them securely is where most breaches occur (exposed private keys on GitHub, no HSM, hardcoded credentials). Automate key lifecycle with tools like HashiCorp Vault or AWS KMS.
- Education must include practical commands — theory alone fails. Cybersecurity professionals must be able to generate keys, encrypt a file, sign a document, and extract a certificate from a live website. The OpenSSL and `ssh-keygen` tutorials above are non‑negotiable skills for SOC analysts, cloud engineers, and penetration testers.
Prediction:
- +1 Demand for post‑quantum cryptography skills will surge by 2028, creating new training courses and certifications (e.g., PQCA, NIST PQC workshops).
- -1 Legacy RSA‑1024 and outdated padding (PKCS1 v1.5) will continue to be exploited in high‑profile breaches, especially in IoT and embedded systems where key rotation is ignored.
- +1 Cloud providers will bake asymmetric encryption into serverless APIs (e.g., AWS Nitro Enclaves, Azure Confidential Computing) making it easier for developers to adopt without deep crypto expertise.
- -1 Attackers will increasingly target the key generation entropy (RNG flaws) and side‑channel leaks (Spectre‑type, power analysis) rather than brute‑forcing RSA, rendering many textbook deployments vulnerable.
▶️ Related Video (70% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: How Asymmetric – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
