System Administration Guide: Security Services

Procedure: How to Generate a Symmetric Key by Using the dd Command

A key is needed to encrypt files and to generate the MAC of a file. The key must come from a cryptographically strong random source: a key that an attacker can guess or reproduce gives no protection, however strong the algorithm that uses it.

If your site has a random number generator, use the generator. Otherwise, you can use the dd command with the Solaris /dev/urandom device as input. For more information, see the dd(1M) man page.

  1. Determine the key length that your algorithm requires.

    1. List the available algorithms.


      % encrypt -l
      Algorithm       Keysize:  Min   Max (bits)
      ------------------------------------------
      aes                       128   128
      arcfour                     8   128
      des                        64    64
      3des                      192   192
      
      % mac -l
      Algorithm       Keysize:  Min   Max (bits)
      ------------------------------------------
      des_mac                    64    64
      sha1_hmac                   8   512
      md5_hmac                    8   512
      sha256_hmac                 8   512
      sha384_hmac                 8  1024
      sha512_hmac                 8  1024
    2. Determine the key length in bytes to pass to the dd command.

      Divide the minimum and maximum key sizes by 8. When the minimum and maximum key sizes differ, any intermediate key size is possible. For example, sha1_hmac and md5_hmac accept keys from 1 byte to 64 bytes, so the value 8, 16, or 64 can be passed to the dd command for either function. For an HMAC, a key shorter than the hash output (16 bytes for md5_hmac, 20 bytes for sha1_hmac, 32 bytes for sha256_hmac) weakens the MAC, so use at least that length.

  2. Generate the symmetric key.


    % dd if=/dev/urandom of=keyfile bs=n count=n
    
    if=file

    Is the input file. For a random key, use the /dev/urandom file.

    of=keyfile

    Is the output file that holds the generated key.

    bs=n

    Is the key size in bytes. For the length in bytes, divide the key length in bits by 8.

    count=n

    Is the number of input blocks to copy. The number for n should be 1, so that dd reads exactly one block of bs bytes from /dev/urandom. Afterward, confirm with ls -l that keyfile is exactly bs bytes long; a shorter file means dd returned a short read, and the key must be regenerated.

  3. Store your key in a protected directory.

    The key file must not be readable by anyone but the user. Note that dd creates the output file with the permissions allowed by your umask, so either set umask 077 before running dd or write the key into a directory that only you can enter (mode 700), and then restrict the file itself.


    % chmod 400 keyfile
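The three steps above, combined into one shell function, as an added example that is not part of the Solaris guide. The key lengths in key_bytes are taken from the encrypt -l and mac -l listings earlier on this page (bits divided by 8); for the HMAC algorithms, which accept a range of lengths, the hash output length is assumed as the sensible default. The function names genkey and key_mode are this example's own, and it is written for a POSIX sh with the standard dd, wc, ls and chmod utilities:

```shell
#!/bin/sh
# Added example (not from the Solaris guide): generate a symmetric key file
# of the right length for an encrypt(1)/mac(1) algorithm, never exposing
# the key file to other users, and verify the result.

# Key lengths in bytes, taken from the encrypt -l / mac -l listings
# (bits / 8). For the HMAC algorithms, which accept a range of lengths,
# the hash output length is assumed here (RFC 2104 recommends at least that).
key_bytes() {
    case "$1" in
        aes)         echo 16 ;;   # 128 bits
        des)         echo 8  ;;   # 64 bits
        3des)        echo 24 ;;   # 192 bits
        des_mac)     echo 8  ;;   # 64 bits
        md5_hmac)    echo 16 ;;   # 128-bit digest
        sha1_hmac)   echo 20 ;;   # 160-bit digest
        sha256_hmac) echo 32 ;;   # 256-bit digest
        sha384_hmac) echo 48 ;;   # 384-bit digest
        sha512_hmac) echo 64 ;;   # 512-bit digest
        *)           return 1 ;;
    esac
}

# genkey ALGORITHM KEYFILE
# Creates KEYFILE holding a fresh random key for ALGORITHM, mode 0400.
genkey() {
    algo=$1
    keyfile=$2
    bytes=$(key_bytes "$algo") || {
        echo "genkey: unknown algorithm: $algo" >&2
        return 1
    }
    # umask 077 in a subshell so dd creates the file 0600 rather than with
    # the caller's default umask (often 0644); a chmod after the fact would
    # leave a window during which other users could read the key.
    (
        umask 077
        dd if=/dev/urandom of="$keyfile" bs="$bytes" count=1 2>/dev/null
    ) || return 1
    # count=1 asks for one block of bs bytes; dd may still return a short
    # read, so refuse any key file that is not exactly bs bytes long.
    actual=$(wc -c < "$keyfile" | tr -d ' ')
    if [ "$actual" -ne "$bytes" ]; then
        echo "genkey: short key: got $actual bytes, wanted $bytes" >&2
        rm -f "$keyfile"
        return 1
    fi
    chmod 400 "$keyfile"
}

# Mode string of a file as ls prints it, e.g. -r-------- for a 0400 key file.
key_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage: genkey aes "$HOME/keyf/05.07.aes16"; key_mode "$HOME/keyf/05.07.aes16"
```

The subshell around umask keeps the caller's umask unchanged, and the size check turns the "confirm with ls -l" step into a hard failure, so a truncated key is never left on disk with a misleading name.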
    

Example 14–1 Creating a Key for the AES Algorithm

In the following example, a secret key for the AES algorithm is created. The key is also stored for later decryption. AES mechanisms use a 128-bit key. The key is expressed as 16 bytes in the dd command.


% ls -al ~/keyf
drwx------   2 jdoe  staff        512 May 3 11:32 ./
% dd if=/dev/urandom of=$HOME/keyf/05.07.aes16 bs=16  count=1
% chmod 400 ~/keyf/05.07.aes16


Example 14–2 Creating a Key for the DES Algorithm

In the following example, a secret key for the DES algorithm is created. The key is also stored for later decryption. DES mechanisms use a 64-bit key, of which only 56 bits are secret (the other 8 are parity bits), so DES is no longer considered secure against brute force; use it only where legacy data requires it. The key is expressed as 8 bytes in the dd command.


% dd if=/dev/urandom of=$HOME/keyf/05.07.des8 bs=8  count=1
% chmod 400 ~/keyf/05.07.des8


Example 14–3 Creating a Key for the 3DES Algorithm

In the following example, a secret key for the 3DES algorithm is created. The key is also stored for later decryption. 3DES mechanisms use a 192-bit key. The key is expressed as 24 bytes in the dd command.


% dd if=/dev/urandom of=$HOME/keyf/05.07.3des.24 bs=24 count=1
% chmod 400 ~/keyf/05.07.3des.24


Example 14–4 Creating a Key for the MD5 HMAC Algorithm

In the following example, a secret key for the md5_hmac algorithm is created. The key is also stored so that the MAC can be verified later. The key is expressed as 64 bytes in the dd command, the maximum size that md5_hmac accepts.


% dd if=/dev/urandom of=$HOME/keyf/05.07.mack64 bs=64 count=1
% chmod 400 ~/keyf/05.07.mack64