Practical Cryptography

Theory is great, but you need working commands.
These are the tools and commands you'll actually use for crypto operations in security work.

OpenSSL

OpenSSL is the command-line crypto Swiss army knife:

# Generate RSA key pair
openssl genrsa -out private.pem 4096

# Extract public key
openssl rsa -pubout -in private.pem -out public.pem

# Generate self-signed certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# View certificate details
openssl x509 -in cert.pem -text -noout

# Test TLS connection
openssl s_client -connect example.com:443 -tls1_3

# File encryption with password (-pbkdf2 selects a proper key derivation; without it OpenSSL warns about deprecated key derivation)
openssl enc -aes-256-cbc -salt -pbkdf2 -in file.txt -out file.enc

# Decrypt file (must use the same KDF option as encryption)
openssl enc -d -aes-256-cbc -pbkdf2 -in file.enc -out file.txt

# Generate random bytes
openssl rand -hex 32

GnuPG (GPG)

GPG implements the OpenPGP standard:

# Generate key pair
gpg --gen-key

# Export public key
gpg --export -a "user@example.com" > public.key

# Import public key
gpg --import public.key

# Encrypt file for recipient
gpg --encrypt --recipient "user@example.com" file.txt

# Decrypt file
gpg --decrypt file.txt.gpg

# Sign file
gpg --sign file.txt

# Verify signature
gpg --verify file.txt.gpg

# Encrypt and sign
gpg --encrypt --sign --recipient "user@example.com" file.txt

SSH Key Operations

# Generate SSH key pair
ssh-keygen -t ed25519 -C "user@example.com"

# Generate RSA key
ssh-keygen -t rsa -b 4096 -C "user@example.com"

# Extract public key from private
ssh-keygen -y -f ~/.ssh/id_ed25519

# View key fingerprint
ssh-keygen -lf ~/.ssh/id_ed25519.pub

# Convert private key to PEM format (-p rewrites the key file in place and prompts for the passphrase)
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

Certificate Verification

# Verify certificate chain
openssl verify -CAfile ca-chain.pem server.crt

# Check certificate expiry
openssl x509 -in cert.pem -noout -dates

# Check revocation status via OCSP
openssl ocsp -issuer ca.pem -cert server.pem -url http://ocsp.example.com

Password Generation

# Generate random password with OpenSSL
openssl rand -base64 32

# Generate with pwgen
pwgen -s 32 1

# Diceware-style passphrase (six random dictionary words joined with hyphens)
shuf -n 6 /usr/share/dict/words | paste -sd- -

Common Mistakes

  • Hardcoding keys in source code (scan for "-----BEGIN" in commits)
  • Using ECB mode (patterns visible in ciphertext)
  • Weak random generation (using Python's random module instead of secrets)
  • Self-signed certs in production (browser trust issues)
  • Old protocols (SSLv3, TLS 1.0) enabled for compatibility
  • Expired certificates causing outages
  • Wildcard certificates that increase the attack surface
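The first mistake above suggests scanning commits for "-----BEGIN". A plain grep also flags certificates and public keys, which are fine to commit, so the check below (an added example, not code from this page) matches only private-key PEM labels and works on both raw files and `git log -p` output. The diff in SAMPLE_DIFF is constructed, with placeholder key bodies.

```python
import re
import sys
from typing import List, Tuple

# PEM labels that carry secret material. Certificates and public keys also
# start with "-----BEGIN" but are safe to commit, so they are deliberately
# not matched.
PRIVATE_KEY_HEADER = re.compile(
    r"-----BEGIN ("
    r"(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY"
    r"|PGP PRIVATE KEY BLOCK"
    r")-----"
)

def find_private_keys(text: str) -> List[Tuple[int, str, bool]]:
    """Return (line_number, pem_label, added_in_diff) for every private-key
    PEM header in text.

    Works on plain files and on unified diffs (e.g. `git log -p` output):
    the header is searched anywhere in the line, so diff prefixes do not
    hide it, and added_in_diff is True when the line starts with '+'.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = PRIVATE_KEY_HEADER.search(line)
        if match:
            hits.append((lineno, match.group(1), line.startswith("+")))
    return hits

# Constructed sample: a diff that adds a CA certificate (harmless) and an
# RSA private key (a finding). The base64 bodies are placeholders.
SAMPLE_DIFF = """\
diff --git a/config/tls.go b/config/tls.go
+++ b/config/tls.go
@@ -1,4 +1,9 @@
 package config
+const caCert = `-----BEGIN CERTIFICATE-----
+MIIB...placeholder...
+-----END CERTIFICATE-----`
+const serverKey = `-----BEGIN RSA PRIVATE KEY-----
+MIIE...placeholder...
+-----END RSA PRIVATE KEY-----`
"""

if __name__ == "__main__":
    # Usage: git log -p | python scan_keys.py   (falls back to the sample)
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for lineno, label, added in find_private_keys(source):
        print(f"line {lineno}: {label} ({'added' if added else 'present'})")
```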