Recently needed to swap keys with a colleague on the other side of the country.
This script encrypts a file using the other person's public key that is stored on GitHub. It outputs a script that will re-generate the original message (if you have the private key).
```bash
#!/bin/bash
#
# Usage:
#   ./crypt <GitHub User> <File To Encrypt>
#
# 1) Github User
# 2) File to be encrypted
#
# Requires:
#   On the creators end:
#       curl
#       python
#       python pyasn1 (sudo easy_install pyasn1)
#       base64
#       openssl
#
#   On the receivers end
#       base64
#       openssl
#
# Get the users public Key
curl -s -o /tmp/ssh.pub https://github.com/${1}.keys

#
# ssh-keygen -f /tmp/ssh.pub -e -m PKCS8
# > /tmp/pem.pub
#
# The following is required because ssh-keygen -m PKCS8 has
# been removed from the Mac. The following python script
# performs the same operation.
#
python - <<CREATEPEM > /tmp/pem.pub
import sys, base64, struct
from pyasn1.type import univ
from pyasn1.codec.der import encoder as der_encoder

keydata = base64.b64decode(
    open("/tmp/ssh.pub").readlines()[0].split()[1])

parts = []
while keydata:
    dlen = struct.unpack('>I', keydata[:4])[0]
    data, keydata = keydata[4:dlen+4], keydata[4+dlen:]
    parts.append(data)

e_val = long(parts[1].encode('hex'), 16)
n_val = long(parts[2].encode('hex'), 16)

pkcs1_seq = univ.Sequence()
pkcs1_seq.setComponentByPosition(0, univ.Integer(n_val))
pkcs1_seq.setComponentByPosition(1, univ.Integer(e_val))
pkcs1_val = der_encoder.encode(pkcs1_seq)

head_seq = univ.Sequence()
head_seq.setComponentByPosition(0, univ.ObjectIdentifier('1.2.840.113549.1.1.1'))
head_seq.setComponentByPosition(1, univ.Null(''))

out_seq = univ.Sequence()
out_seq.setComponentByPosition(0, head_seq)
out_seq.setComponentByPosition(1, univ.BitString("'%s'H" % pkcs1_val.encode('hex')))

print '-----BEGIN PUBLIC KEY-----'
print base64.encodestring(der_encoder.encode(out_seq)).strip()
print '-----END PUBLIC KEY-----'
CREATEPEM

#
# Echo out the script
# That can be used to get the original message
echo
echo
echo "# Execute the following command to decrypt the file"
echo "# It assumes the private version of you key is in ~/.ssh/id_rsa"
echo "# If this is not true the alter to point at the correct file"
echo "#"
echo "# The file has been encrypted using the public key for github user: ${1}"
echo "#"
echo
echo "cat - <<CRYPT | base64 -D | openssl rsautl -decrypt -inkey ~/.ssh/id_rsa "
openssl rsautl -encrypt -pubin -inkey /tmp/pem.pub -ssl -in ${2} | base64
echo "CRYPT"
```
Usage Example:
> ./bin/crypt retailcoder T
This encrypts the file "T" using the public key of the GitHub user "retailcoder". You know who you are; come and see if it works. The output of the above command is:
```
# Execute the following command to decrypt the file
# It assumes the private version of you key is in ~/.ssh/id_rsa
# If this is not true the alter to point at the correct file
#
# The file has been encrypted using the public key for github user: retailcoder
#

cat - <<CRYPT | base64 -D | openssl rsautl -decrypt -inkey ~/.ssh/id_rsa
TyMCN1xl3GIrpYnCdxjYgV/9y5AVyK/G57y952SA6W8/Q9lTxPOIWcsBLO2gvEHM5Df7CFcN/p4n+SxPct2O4AWV0to9+Ch219Bh1+1dy+iYJ8GytrQQx3qC31rpueIt3EIZVwOR0199jGxHViGIJ18tO0A2YHlRIw3DoG7AiJR8zPiTvomvdB2i6EZa+89I/KgK7IL+ADwci50fnnLmGCQ0JR9WbjdkOfeRmYgtO4qFlgBWNdEJFjRhoW6vLjsD7VUE0xcTyK8O01/EPkvhfTroSxRcM5gnIDCOgaRWX7waLwDMkraqeWQjcWIn2n4R6v0Vtk071cAfgfPm7qdvOA==
CRYPT
```
This can be pasted into an e-mail or a Slack channel, and if you have a terminal, cut and pasted there to decode.
One more test:
> ./bin/crypt Zomis T
Please stand up Zomis and tell me it worked :-)
```
# Execute the following command to decrypt the file
# It assumes the private version of you key is in ~/.ssh/id_rsa
# If this is not true the alter to point at the correct file
#
# The file has been encrypted using the public key for github user: Zomis
#

cat - <<CRYPT | base64 -D | openssl rsautl -decrypt -inkey ~/.ssh/id_rsa
ZXSmyNYaj+t6PO5bQUPSqw+UuvVWKRgUFLMoO015/RspysEaMTz32BlzuMf3DqMXXGdTufrUOGjPjDy07dL4UW2yZ0rVkwEqDJC6Ws1MfwGVwS8XP4n53VgCL/E26GfLRGwaEQGWkcb7/HndwAadzTasu4ZIXEFKWMy4TUb+2/sQDVKArdbv6TrQUgBw6tgPYKZw6jqIpbF+PIrYFYoxS8TXBQkjZw5V2f8/TdQk+qA+xb6aTfaD52ZdDK+UmfkTvZcTTxmGpaHHpAqm40mRTQOcFZvPm1aUoQwq7+zj7LhMXRc2aANVDZxPAR34X56bFcvr/dfSsSNuQ+4pbFshfg==
CRYPT
```
@Mast
A message constructed with your public key ShipsWithCannons
```
# Execute the following command to decrypt the file
# It assumes the private version of you key is in ~/.ssh/id_rsa
# If this is not true the alter to point at the correct file
#
# The file has been encrypted using the public key for github user: ShipsWithCannons
#

cat - <<CRYPT | base64 -D | openssl rsautl -decrypt -inkey ~/.ssh/id_rsa
jzBVfg+4QDmfPsSJ4YupIMc5vmY/9Xvo2GH6QIkfrOGQZFZzoKDh7y/4Wl99+P19yf8RGwuhNJPiKRZvtvfPrO1XpXCuYKL9/4guUtYaSea1Bc5itv6Q6n22xLAp+T/d+bOniEO/RjHu6mf1EqoO51vt8YtLHn3PN6xVkzIcsIyOjWlxOu2h+j6HQ+JeIq5yD04hZ7qiiZgNZG3lc7da5cUjOrMdufaG83CApYAt8hYAdU2qWTD+dboVhcIR+JtX5YCO+BayjTwz1a3RLjM8qdiEQu46LLqwfsm6xZU9SGV73KJyON2ju8MBkz0jiXTnzNdTfTfm9V0q6CpoYcWNPg==
CRYPT
```
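The key-conversion step of the script above (the embedded Python that stands in for `ssh-keygen -m PKCS8`), as an added example that is not part of the original post: a Python 3, standard-library-only version that validates the SSH blob and goes beyond the original by picking the first `ssh-rsa` line rather than the first line, since a key listing can also hold non-RSA keys. All function names and the toy sample key are constructed for illustration.

```python
import base64

# DER AlgorithmIdentifier: OID 1.2.840.113549.1.1.1 (rsaEncryption) + NULL
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def read_ssh_fields(blob):
    """Split an SSH wire blob into its 4-byte-length-prefixed fields."""
    fields = []
    while blob:
        dlen = int.from_bytes(blob[:4], "big")
        if len(blob) < 4 + dlen:
            raise ValueError("truncated SSH key blob")
        fields.append(blob[4:4 + dlen])
        blob = blob[4 + dlen:]
    return fields

def der_tlv(tag, content):
    """DER tag-length-value; long-form length from 128 bytes up."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_uint(value):
    """Non-negative DER INTEGER; gains a leading 0x00 if the top bit is set."""
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def ssh_rsa_to_spki_der(keys_text):
    """DER SubjectPublicKeyInfo for the first ssh-rsa line of a key listing."""
    for line in keys_text.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[0] == "ssh-rsa":
            break
    else:
        raise ValueError("no ssh-rsa key in listing")
    fields = read_ssh_fields(base64.b64decode(cols[1], validate=True))
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("blob is not an ssh-rsa public key")
    e, n = (int.from_bytes(f, "big") for f in fields[1:])
    pkcs1 = der_tlv(0x30, der_uint(n) + der_uint(e))  # RSAPublicKey
    return der_tlv(0x30, RSA_ALG_ID + der_tlv(0x03, b"\x00" + pkcs1))

def pem_public_key(der):
    body = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

# Constructed sample (toy key, n=3233, e=65537), after a non-RSA line.
BLOB = b"".join(len(f).to_bytes(4, "big") + f
                for f in (b"ssh-rsa", b"\x01\x00\x01", b"\x0c\xa1"))
SAMPLE_KEYS = "ssh-ed25519 AAAA\nssh-rsa " + base64.b64encode(BLOB).decode()
```

`pem_public_key(ssh_rsa_to_spki_der(text))` yields the same PEM structure the original script writes to `/tmp/pem.pub`.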