Symmetric encryption tool, understanding the principle of symmetric encryption is very simple, the principle section is shown below.

OpenSSL enc-ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-k password] [-S SALT] [-salt] [-MD] [-p/-p]

Option Description:

-ciphername: Specifies a symmetric encryption algorithm (such as DES3)that can be used directly from enc, such as OpenSSL des3 or OpenSSL enc-des3. Recommended for use after enc, so do not rely on hardware

-MD: Specifies a one-way encryption algorithm , default MD5. The algorithm is used to encrypt the key part, see the following article analysis.

-in FileName: Input file, default is stdin when not specified

-out FileName: Output file, default is stdout when not specified

-e: encrypt The input file, **which is the default option** when not specified

-D: decrypt The input file, only the display specifies that the option is decrypted

-pass: Pass the plaintext password when adding and decrypting. if the public or private key file used to verify the signature is encrypted, a password is required to decrypt it.

-K: Has been replaced by "-pass" and is now reserved for compatibility with older versions of OpenSSL

-BASE64: base64 encoding or decryption before and after encryption, default is binary when not specified . Note that the encoding is not part of the decryption, but rather the format of the data before and after the decryption "collation"

-A: equivalent to-base64

-salt: One-way encryption uses salt to complicate the results of one-way encryption, which is the default option and uses a random salt value

-S salt: instead of using a random salt value, you can customize the salt value, but only a combination of characters in the 16-in range, which is any one or more combinations of "0-9a-fa-f"

-P: The salt value, the key value and the IV initialization vector value (which is also a way of complicating encryption) are printed and decrypted, and the decryption results are also output, as shown in the example below

-P: The same as the-p option, but exits the tool directly when printing, without encrypting or decrypting the operation

The supported one-way encryption algorithms are:

-MD4 to use the MD4 message digest algorithm-md5 to use the MD5 message digest algorithm-ripemd160 RIPEMD160 Message digest Algorithm-sha to use the Sha Message digest algorithm-sha1 to use the SHA1 message digest algorithm-sha224 to use the sha224 message digest algorithm-sha256 to use the sha256 message digest Algorithm-sha 384 to use the sha384 message digest algorithm-sha512 to use the sha512 message digest Algorithm-whirlpool to Use the Whirlpool message digest algorithm

The supported symmetric encryption algorithms are:

-aes-128-cbc-aes-128-cbc-hmac-sha1-aes-128-cfb-aes-128-cfb1-aes-128-cfb8 -aes-128-ctr-aes-128-ecb-aes-128-gcm-aes-128-ofb-aes-12 8-xts-aes-192-cbc-aes-192-cfb-aes-192-cfb1-aes-192-cfb8 -aes-192-ctr-aes-192-ecb-aes-192-gcm-aes-192-ofb-aes-256-cbc -aes-256-cbc-hmac-sha1-aes-256-cfb-aes-256-cfb1-aes-256-cfb8-ae S-256-ctr-aes-256-ecb-aes-256-gcm-aes-256-ofb-aes-256-xts -aes128-aes192-aes256-bf-bf-cbc -bf-cfb-bf-ecb-bf-ofb-blowfish- Camellia-128-cbc -camellia-128-cfb-camellia-128-cfb1-camellia-128-cfb8-camellia-128-ecb-camellia-128-of B-camellia-192-cbc-camellia-192-cfb-camellia-192-cfb1-camellia-192-cfb8-came Llia-192-ecb-camellia-192-ofb-camellia-256-cbc-camellia-256-cfb-camellia-256-cfb1 -camellia-256-cfb8-camellia-256-ecb-camellia-256-ofb-camellia128-camellia192 -camellia256-cast-cast-cbc-cast5-cbc-ca St5-cfb-cast5-ecb-cast5-ofb-des-des-cbc -des-cfb-des-cfb1-des-cfb8-des-ecb-des-ede -des-ede-cbc-des-ede-cfb-des-ede-ofb-des-ede3- Des-ede3-cbc -des-ede3-cfb-des-ede3-cfb1-des-ede3-cfb8-des-ede3-ofb-des-ofb -des3-desx-desx-cbc-id-aes128-gcm-id-ae S128-wrap-id-aes128-wrap-pad-id-aes192-gcm-id-aes192-wrap-id-aes192-wrap-pad -id-aes256-gcm-id-aes256-wrap-id-aes256-wrap-pad-id-smime-alg-cms3deswrap-idea -idea-cbc-idea-cfb-idea-ecb-idea-ofb-rc 2-rc2-40-cbc-rc2-64-cbc-rc2-cbc-rc2-cfb -rc2-ecb-rc2-ofb-rc4-rc4-40-rc4-hmac- Md5-seed-seed-cbc-seed-cfb-seed-ecb -seed-ofb

Before you give the OpenSSL enc command usage example, explain the principles and procedures for symmetric encryption and decryption:

symmetric plus decryption, they use the same password , such as "123456", but this is a password, and is a plaintext password, very insecure, so should be complex for this simple password. The most direct method is to use one-way encryption to calculate the hash value of the plaintext password, one-way encryption after the newly generated password is more secure (known as the key is better), can be used as symmetric encryption of the symmetric key.

In addition, because the same one-way encryption algorithm for the same plaintext password calculation results are fully consistent , so that the decryption using the same one-way encryption algorithm can be used to calculate the exact same key, that is, the decryption of the symmetric key.

**If you want to be more secure, you can also re-encode encrypted files after symmetric encryption ** , such as the use of "base64", binary or hex encoding, **but the corresponding decryption before you need to decode, decoding before decryption** .

Therefore, the mechanism of symmetric addition and decryption is briefly summarized as follows:

**Symmetric encryption Mechanism:**

1, according to the specified one-way encryption algorithm, the input plaintext password for one-way encryption (default is MD5), get a fixed-length encryption key, that is, symmetric key,

2, and then according to the specified symmetric encryption algorithm, the use of symmetric key encryption file ,

3, finally re -encode the encrypted file .

**That is, one-way encrypted plaintext password results as a symmetric key, using a symmetric key to encrypt the file , re-encode the file .**

**Symmetric decryption mechanism (encrypted reverse operation):**

**1. decode the file first**

**2, and then based on the one-way encryption algorithm to decrypt the plaintext password entered to calculate the symmetric key**

**3, according to this symmetric key symmetric decryption decoded files .**

**Therefore, the decoding method used in the decryption process, the one-way encryption and the symmetric encryption algorithm must be consistent, and the password entered must be the correct password.**

However, it is important to note that you ** can not specify a salt when decrypting, because the salt used when encrypting is recorded and can be read when decrypted.**

As shown, the encryption and decryption processes are respectively.

According to the specified one-way encryption Algorithm (-MD-MD5), the input plaintext password (123456) is encrypted one-way to obtain a fixed-length encryption key, that is, the symmetric key (f447b ... 15AF), then encrypt the file using the symmetric key according to the specified symmetric encryption Algorithm (-DES3), and finally re-encode (-A--abse64) the encrypted file

Example:

Take the backup file/tmp/test.txt of the encrypted/etc/fstab as an example.

**(1). First Test the encoding function of the OpenSSL enc. Because the password option "-K" or "-pass" is not specified, it is only encoded without encryption (because there is no password and no symmetric key is obtained), so you are not prompted to enter the password.**

[email protected] ssl]# cat B.txt

123456

[email protected] ssl]# OpenSSL enc-a-in b.txt-out b_base64.txt

[email protected] ssl]# cat B_base64.txt

mtizndu2cg==

It is then decoded in the base64 format.

[email protected] ssl]# OpenSSL enc-a-d-in b_base64.txt

123456

[email protected] ssl]# OpenSSL enc-a-d-in b_base64.txt-out bd_base64.txt

[email protected] ssl]# cat Bd_base64.txt

123456

In fact, the above encoding and decoding process is strictly symmetric encryption and decryption, because the OpenSSL enc default will be with the encryption option "-E", only because no input password option is specified, the encryption password used is empty, and the one-way encryption algorithm uses the default value. The same is true when decrypting .

**(2). The test encrypts the Test.txt file using the DES3 symmetric encryption algorithm.**

[[email protected] ssl]# echo "To is or not to be" > test.txt

[email protected] ssl]# OpenSSL enc-pass pass:123456-md md5-des3-a-in test.txt-out e_test.txt

-pass Specifying plaintext passwords

-MD specifies an algorithm for one-way encryption of plaintext passwords, resulting in symmetric keys

-des3 symmetric encryption of files using symmetric keys

-A base64 encoding of encrypted files

After you encrypt, view the results of the encrypted file Test.1.

[email protected] ssl]# cat E_test.txt

u2fsdgvkx19qkanxged1ug1beax99vktj2geihsihzsmmae/rdgo8a==

Decrypt files

[email protected] ssl]# OpenSSL enc-d-a-pass pass:123456-md md5-des3-in e_test.txt-out de_test.txt

[email protected] ssl]# cat De_test.txt

To is or not to IS

**(3). When encrypting, bring some salt salts. In fact, when not written by default has been added (-salt option), but is added to the random salt value. use-S to specify the value of the salt to be used explicitly. However, the value of the salt can only be a combination of characters in the 16-in range, which is either one or more combinations of "0-9a-fa-f" .**

[email protected] ssl]# OpenSSL enc-pass pass:123456-md md5-des3-s ' abcdef123 '-a-in test.txt-out e2_test.txt

[email protected] ssl]# cat E2_test.txt

u2fsdgvkx1+rze8smaaaaems219zsqxgpmegf5ff2u1u4celkcm2ng==

Decryption, which **does not specify a salt value when decrypted, and does not affect the decryption result even if specified** .

[email protected] ssl]# OpenSSL enc-d-pass pass:123456-md md5-des3-a-in e2_test.txt-out de2_test.txt

[email protected] ssl]# cat De2_test.txt

To is or not to IS

[email protected] ssl]# OpenSSL enc-d-pass pass:123456-md md5-des3-s ' abcdef123 '-a-in e2_test.txt-out sde2_test.t Xt

[email protected] ssl]# cat Sde2_test.txt

To is or not to IS

**(4). The output function of the "-P" and "-p" options under test. The lowercase p not only outputs the results of the key algorithm, but also outputs the decrypted content, while the uppercase letter P only outputs the results of the key algorithm.**

When encryption is in progress.

[[email protected] tmp]# OpenSSL enc-a-des3- s ' fabc ' -in test.txt-out test.1 -pass pass:123456-md MD5 -psalt=fabc000000000000key=885fc58e6c822aefc8032b4b98fa0355f8482bd654739f3div =5128FDED01EE1499

Where **key is a one-way encrypted plaintext password obtained after the symmetric** key,IV is a cryptographic operation using the vector value .

Look at the decryption situation, here is a salt

[[email protected] tmp]# OpenSSL enc-a-des3-d- s ' fabc ' -in test.1-pass pass:123456-md MD5 -psalt=f Abc000000000000key=885fc58e6c822aefc8032b4b98fa0355f8482bd654739f3div =5128fded01ee1499

If you do not specify a salt when decrypting, or if you arbitrarily specify a salt, the result is as follows.

[email protected] tmp]# OpenSSL enc-a-des3-d-in test.1-pass pass:123456-md md5-p salt=fabc000000000000key=885 Fc58e6c822aefc8032b4b98fa0355f8482bd654739f3div =5128fded01ee1499

[email protected] tmp]# OpenSSL enc-a-des3-s ' fabm '-d-in test.1-pass pass:123456-md Md5-psalt=fabc000000000000key =885fc58e6c822aefc8032b4b98fa0355f8482bd654739f3div =5128fded01ee1499

Visible, when decrypting, as long as the same encoding format and one-way encryption algorithm is specified and encrypted, the result of the key is the same, and the decryption of the explicit specified salt is meaningless, because it can read to encrypt the salt used.

**Even when decryption specifies a different symmetric encryption algorithm, the key result is the same** .

[email protected] tmp]# OpenSSL enc-a-desx-d-in test.1-pass pass:123456-md md5-p salt=fabc000000000000key=885fc58e 6c822aefc8032b4b98fa0355f8482bd654739f3div =5128fded01ee1499

Therefore, it is irrelevant to infer the symmetric **key and symmetric algorithm used in symmetric encryption** .

(9) OpenSSL enc (symmetric encryption)