TrumanWong

openssl

Powerful Secure Sockets Layer cryptographic library

Supplementary instructions

OpenSSL is a powerful Secure Sockets Layer cryptographic library. It includes the major cryptographic algorithms, commonly used key and certificate encapsulation and management functions, and the SSL protocols, and it provides a wealth of applications for testing and other purposes. When serious security vulnerabilities were disclosed in OpenSSL, it turned out that most websites encrypted through the SSL protocol use this open source package. Because SSL is the most widely used secure transmission method on the Internet and is relied on by important websites such as online banking, online payment, e-commerce sites, portals, and email, the vulnerability had a wide impact.

OpenSSL has two operating modes: interactive mode and batch mode.

Enter openssl by itself and press Enter to start interactive mode; enter openssl with command options to run in batch mode.

The entire OpenSSL software package can be roughly divided into three main functional parts: the cryptographic algorithm library, the SSL protocol library, and the applications. The directory structure of OpenSSL is organized around these three parts.

Symmetric encryption algorithm

OpenSSL provides a total of 8 symmetric encryption algorithms, 7 of which are block cipher algorithms; the only stream cipher algorithm is RC4. The seven block cipher algorithms are AES, DES, Blowfish, CAST, IDEA, RC2, and RC5. They all support the four commonly used block cipher modes: electronic codebook (ECB), cipher block chaining (CBC), cipher feedback (CFB), and output feedback (OFB). The block length used by AES in CFB and OFB mode is 128 bits, while the other algorithms use 64 bits. The DES implementation covers not only the commonly used single DES algorithm but also the three-key and two-key 3DES algorithms.

Asymmetric encryption algorithm

OpenSSL implements a total of 4 asymmetric encryption algorithms, including DH algorithm, RSA algorithm, DSA algorithm and elliptic curve algorithm (EC). The DH algorithm is generally used for key exchange. The RSA algorithm can be used for both key exchange and digital signatures, and of course, if you can tolerate its slow speed, it can also be used for data encryption. The DSA algorithm is generally only used for digital signatures.

Message digest algorithm

OpenSSL implements 5 message digest algorithms, namely MD2, MD5, MDC2, SHA (SHA1) and RIPEMD. The SHA algorithm actually includes two message digest algorithms, SHA and SHA1. In addition, OpenSSL also implements the two message digest algorithms DSS and DSS1 specified in the DSS standard.

Key and Certificate Management

Key and certificate management is an important part of PKI, and OpenSSL provides rich functions for it and supports multiple standards.

First of all, OpenSSL implements the ASN.1 certificate and key related standards, and provides DER, PEM and BASE64 encoding and decoding functions for certificates, public keys, private keys, certificate requests, CRLs and other data objects. OpenSSL provides methods, functions and applications for generating various public key pairs and symmetric keys, provides DER encoding and decoding functions for public keys and private keys, and implements the PKCS#12 and PKCS#8 encoding and decoding functions for private keys. OpenSSL provides the encryption protection for private keys defined in these standards, so that keys can be stored and distributed securely.

On this basis, OpenSSL implements the X.509 standard encoding and decoding of certificates, the encoding and decoding of the PKCS#12 format, and the encoding and decoding of PKCS#7. It also provides a text database that supports certificate management functions, including certificate key generation, request generation, certificate issuance, revocation, and verification.

In fact, the CA application provided by OpenSSL is a small certificate management center (CA), which implements the entire certificate issuance process and most of the certificate management mechanisms.

Example

1. Use openssl to generate a password

Almost all Linux distributions include openssl. We can use its random number feature to generate a random string of characters that can be used as a password.

openssl rand -base64 10
#nU9LlHO5nsuUvw==

2. Application example of message digest algorithm

Use the SHA1 algorithm to calculate the hash value of the file file.txt and output it to stdout:

# openssl dgst -sha1 file.txt

Use the SHA1 algorithm to calculate the hash value of the file file.txt and output it to the file digest.txt:

# openssl sha1 -out digest.txt file.txt

Use the DSS1 (SHA1) algorithm to sign the file file.txt and output it to the file dsasign.bin. The signature private key must be generated by the DSA algorithm and saved in the file dsakey.pem.

# openssl dgst -dss1 -sign dsakey.pem -out dsasign.bin file.txt

Use the dss1 algorithm to verify the digital signature dsasign.bin of file.txt. The private key used for verification is the file dsakey.pem generated by the DSA algorithm.

# openssl dgst -dss1 -prverify dsakey.pem -signature dsasign.bin file.txt

Use the sha1 algorithm to sign the file file.txt and output it to the file rsasign.bin. The private key of the signature is the file rsaprivate.pem generated by the RSA algorithm.

# openssl sha1 -sign rsaprivate.pem -out rsasign.bin file.txt

Use the sha1 algorithm to verify the digital signature rsasign.bin of file.txt. The public key used for verification is rsapublic.pem, generated by the RSA algorithm.

# openssl sha1 -verify rsapublic.pem -signature rsasign.bin file.txt
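
The RSA sign and verify commands above as one round trip, with a modified copy of the file checked against the same signature. This is an added example, not part of the original page; it assumes an unencrypted 2048-bit throwaway key, uses SHA-256 in place of the page's SHA1, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example: RSA sign/verify round trip with tamper detection.
# Key size, digest (SHA-256) and file contents are assumptions of this example.

# verify_file PUBKEY SIGNATURE FILE -> prints "OK" or "FAIL"
verify_file() {
    out=$(openssl dgst -sha256 -verify "$1" -signature "$2" "$3" 2>&1) || true
    case "$out" in
        *"Verified OK"*) echo OK ;;
        *)               echo FAIL ;;
    esac
}

# sign_demo -> prints "<result for original file> <result for tampered copy>"
sign_demo() {
    dir=$(mktemp -d) || return 1
    # Unencrypted throwaway key so the demo runs without a passphrase prompt.
    openssl genrsa -out "$dir/rsaprivate.pem" 2048 2>/dev/null || return 1
    openssl rsa -in "$dir/rsaprivate.pem" -pubout \
        -out "$dir/rsapublic.pem" 2>/dev/null || return 1

    # Constructed sample input.
    printf 'transfer 100 to alice\n' > "$dir/file.txt"
    openssl dgst -sha256 -sign "$dir/rsaprivate.pem" \
        -out "$dir/rsasign.bin" "$dir/file.txt" || return 1

    # Same signature, but one character of the signed content has changed.
    printf 'transfer 900 to alice\n' > "$dir/tampered.txt"

    good=$(verify_file "$dir/rsapublic.pem" "$dir/rsasign.bin" "$dir/file.txt")
    bad=$(verify_file "$dir/rsapublic.pem" "$dir/rsasign.bin" "$dir/tampered.txt")
    rm -rf "$dir"
    echo "$good $bad"
}

sign_demo
```
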

3. Symmetric encryption application examples

Use the CBC mode of the DES3 algorithm to encrypt the file plaintext.doc and output the result to the file ciphertext.bin.

# openssl enc -des3 -salt -in plaintext.doc -out ciphertext.bin

Use the OFB mode of the DES3 algorithm to decrypt the file ciphertext.bin with the password trousers and output the result to the file plaintext.doc. Note: because the modes differ, this command cannot decrypt the file produced above.

# openssl enc -des-ede3-ofb -d -in ciphertext.bin -out plaintext.doc -pass pass:trousers
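
The mode mismatch noted above, shown side by side with a matching decryption. This is an added example, not part of the original page; the sample plaintext is constructed, and the password is read from the environment variable PASSWORD rather than given on the command line.

```shell
#!/bin/sh
# Added example: decrypting with the matching cipher mode vs. a different one.
# A stream mode such as OFB has no padding to check, so the mismatch is
# visible only in the output, which is why the result is compared byte for byte.

PASSWORD='trousers'   # the page's example password
export PASSWORD

# enc_file CIPHER IN OUT / dec_file CIPHER IN OUT
enc_file() { openssl enc "-$1" -salt -in "$2" -out "$3" -pass env:PASSWORD 2>/dev/null; }
dec_file() { openssl enc "-$1" -d    -in "$2" -out "$3" -pass env:PASSWORD 2>/dev/null; }

# same_as PLAIN CANDIDATE -> prints "match" or "differ"
same_as() {
    if cmp -s "$1" "$2"; then echo match; else echo differ; fi
}

# mode_demo -> prints "<result for CBC decrypt> <result for OFB decrypt>"
mode_demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample input.
    printf 'quarterly figures: draft, do not distribute\n' > "$dir/plaintext.doc"

    # -des3 is the three-key 3DES cipher in CBC mode.
    enc_file des3 "$dir/plaintext.doc" "$dir/ciphertext.bin" || return 1

    # Matching mode and password: the original bytes come back.
    dec_file des3 "$dir/ciphertext.bin" "$dir/out_cbc" || true
    # Same password, OFB mode: whatever is written, it is not the plaintext.
    dec_file des-ede3-ofb "$dir/ciphertext.bin" "$dir/out_ofb" || true

    cbc=$(same_as "$dir/plaintext.doc" "$dir/out_cbc")
    ofb=$(same_as "$dir/plaintext.doc" "$dir/out_ofb")
    rm -rf "$dir"
    echo "$cbc $ofb"
}

mode_demo
```
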

Use Blowfish's CFB mode to encrypt plaintext.doc, take the password from the environment variable PASSWORD, and output it to the file ciphertext.bin.

# openssl bf-cfb -salt -in plaintext.doc -out ciphertext.bin -pass env:PASSWORD

Encode the file ciphertext.bin with base64 and output it to the file base64.txt.

# openssl base64 -in ciphertext.bin -out base64.txt

Use the CBC mode of the RC5 algorithm to encrypt the file plaintext.doc and output it to the file ciphertext.bin. The salt, key and initialization vector (iv) are specified on the command line.

# openssl rc5 -in plaintext.doc -out ciphertext.bin -S C62CB1D49F158ADC -iv E9EDACA1BD7090C6 -K 89D4B1678D604FAA3DBFFD030A314B29

4. Diffie-Hellman application example

Generate Diffie-Hellman parameters using a generator of 2 and a random 1024-bit prime number, and save the output to the file dhparam.pem.

# openssl dhparam -out dhparam.pem -2 1024

Read the Diffie-Hellman parameters from dhparam.pem and output them to stdout in the form of C code.

# openssl dhparam -in dhparam.pem -noout -C

5. DSA application examples

Generate a 1024-bit DSA parameter set and output it to the file dsaparam.pem.

# openssl dsaparam -out dsaparam.pem 1024

Use the parameter file dsaparam.pem to generate the DSA private key, encrypt it with 3DES and output it to the file dsaprivatekey.pem.

# openssl gendsa -out dsaprivatekey.pem -des3 dsaparam.pem

Use the private key dsaprivatekey.pem to generate the public key and output it to dsapublickey.pem

# openssl dsa -in dsaprivatekey.pem -pubout -out dsapublickey.pem

Read the private key from dsaprivatekey.pem, decrypt it, enter a new password to encrypt it again, then write it back to the file dsaprivatekey.pem. With no -passin or -passout option given, openssl prompts for both passwords.

# openssl dsa -in dsaprivatekey.pem -out dsaprivatekey.pem -des3

6. RSA application example

Generate a 1024-bit RSA private key, encrypt it with 3DES, the password is trousers, and output it to the file rsaprivatekey.pem

# openssl genrsa -out rsaprivatekey.pem -passout pass:trousers -des3 1024

Read the private key from the file rsaprivatekey.pem, decrypt it with the password trousers, and output the generated public key to the file rsapublickey.pem

# openssl rsa -in rsaprivatekey.pem -passin pass:trousers -pubout -out rsapublickey.pem

Use the public key rsapublickey.pem to encrypt the file plain.txt and output it to the file cipher.txt

# openssl rsautl -encrypt -pubin -inkey rsapublickey.pem -in plain.txt -out cipher.txt

Use the private key rsaprivatekey.pem to decrypt the ciphertext cipher.txt and output it to the file plain.txt

# openssl rsautl -decrypt -inkey rsaprivatekey.pem -in cipher.txt -out plain.txt

Use the private key rsaprivatekey.pem to sign the file plain.txt and output it to the file signature.bin

# openssl rsautl -sign -inkey rsaprivatekey.pem -in plain.txt -out signature.bin

Use the public key rsapublickey.pem to verify the signature signature.bin and output the recovered data to the file plain.txt

# openssl rsautl -verify -pubin -inkey rsapublickey.pem -in signature.bin -out plain.txt

Obtain the public key from the X.509 certificate file cert.pem, encrypt mail.txt with 3DES, and output it to the file mail.enc.

# openssl smime -encrypt -in mail.txt -des3 -out mail.enc cert.pem

Obtain the recipient's public key from the X.509 certificate file cert.pem, use the private key key.pem to decrypt the S/MIME message mail.enc, and output the result to the file mail.txt

# openssl smime -decrypt -in mail.enc -recip cert.pem -inkey key.pem -out mail.txt

cert.pem is an X.509 certificate file. Sign mail.txt with the private key key.pem, include the certificate in the S/MIME message, and output the result to the file mail.sgn

# openssl smime -sign -in mail.txt -signer cert.pem -inkey key.pem -out mail.sgn

Verify the S/MIME message mail.sgn, output to the file mail.txt, the signer's certificate should be included in mail.sgn as part of the S/MIME message

# openssl smime -verify -in mail.sgn -out mail.txt

More examples:

openssl version -a
openssl help
openssl genrsa -aes128 -out fd.key 2048 # pem format
openssl rsa -text -in fd.key