Detailed explanation of the OpenSSL DSA asymmetric algorithm commands
1. Overview of DSA Algorithms
The DSA algorithm is a US national standard digital signature algorithm. It can only be used for digital signatures, not for data encryption or key exchange.
DSA keys are generated differently from RSA keys. With RSA, a single openssl command generates the whole key (private key plus public key) in one step. With DSA, a set of key parameters is normally generated first, and the DSA key (including the public key) is then generated from those parameters. The key parameters determine the length of the DSA key, and one set of key parameters can be used to generate many DSA key pairs.
The key parameters generated for DSA are p, q, and g. To use a DSA key, the parties must first share these key parameters. For the mathematical principle of DSA, refer to the DSA standard.
2. DSA algorithm instructions and usage
In openssl, there are three main DSA algorithm commands:
Command | Function
dsaparam | Generate and process DSA key parameters, or directly generate a DSA key.
dsa | Convert the DSA key format.
gendsa | Generate a DSA key from DSA key parameters.
As the table shows, the dsa and gendsa commands are used much like rsa and genrsa. However, there is no dsautl counterpart to rsautl for signing and verification; to sign and verify with DSA you use the dgst command, which is described in a later chapter.
2.1 dsaparam instruction
dsaparam is used to generate key parameters or DSA keys.
bkjia@bkjia:~/test$ openssl dsaparam -
unknown option -
dsaparam [options] [bits] <infile >outfile
where options are
 -inform arg   input format - DER or PEM
 -outform arg  output format - DER or PEM
 -in arg       input file
 -out arg      output file
 -text         print as text
 -C            Output C code
 -noout        no output
 -genkey       generate a DSA key
 -rand         files to use for random number input
 -engine e     use engine e, possibly a hardware device.
 number        number of bits to use for generating private key
bkjia@bkjia:~/test$
Its parameters are similar to those of the RSA commands and are not described one by one. The following examples show how they are used.
1. Generate key parameters and view their values
/* Generate 1024-bit key parameters */
bkjia@bkjia:~/test$ openssl dsaparam -out DSAP.pem 1024
Generating DSA parameters, 1024 bit long prime
This could take some time
....
/* View the key parameter values in plain text */
bkjia@bkjia:~/test$ openssl dsaparam -in DSAP.pem -text -noout
2. Convert between key parameter formats
/* Convert the key parameters from PEM format to DER format */
bkjia@bkjia:~/test$ openssl dsaparam -in DSAP.pem -out DSAP.der -outform der
/* Convert the DER key parameters back to PEM format */
bkjia@bkjia:~/test$ openssl dsaparam -in DSAP.der -inform der -out R_DSAP.pem
bkjia@bkjia:~/test$ diff DSAP.pem R_DSAP.pem
3. Generate the DSA key directly
/* Generate the DSA key directly */
bkjia@bkjia:~/test$ openssl dsaparam -genkey -out DSA.pem 1024
Generating DSA parameters, 1024 bit long prime
...
/* View the DSA key. Both the parameters and the private key are stored in the output file; the parameter block is still an ordinary DSA parameter set and can be used to generate further keys */
bkjia@bkjia:~/test$ cat DSA.pem
-----BEGIN DSA PARAMETERS-----
MIIBHgKBgQDAG1CFQRqKgrDa21dT2SO0OtvR0wtKo4GWEH+zikTt6eh6S0CdhtqX
PdPiboZdYAJy7HzKHLe0BUkf4dfOOPZBcQrr9sYkJ6q2Zz/jssa9enpu1_stde8a
...
22Sodbu7lUx3YMU1QRvk42IudIevi6LWq4zk+sxraAZ3h5rvo8/pKayxtRuKq8Ep
5kU=
-----END DSA PARAMETERS-----
-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQDAG1CFQRqKgrDa21dT2SO0OtvR0wtKo4GWEH+zikTt6eh6S0Cd
HtqXPdPiboZdYAJy7HzKHLe0BUkf4dfOOPZBcQrr9sYkJ6q2Zz/jSSA9EnpuQfst
...
ZuzZ22Sodbu7lUx3YMU1QRvk42IudIevi6LWq4zk+sxraAZ3h5rvo8/pKayxtRuK
Q8Ep5kUCgYAh50mq26xMHfVxb/EkZzH+ouM3zPk6x8f9GFZzuUtGfNCzopTxEmw3
YYPaBwiojhZnK/LXVdEui97+D/rqAPCXAfwFhXLR9w7oikid+Ai1A1B+lycCJrim
GyF/dzha7uYGzaA1+rAftE76aeGlZYnoO42CgkxuYsxYxCzTJF8swQIUcrqFkFhN
Z2th/k4mzwy4qw6xupa=
-----END DSA PRIVATE KEY-----
2.2 gendsa instruction
The gendsa command is simple: it takes a key parameter file as input and generates a DSA key from it.
bkjia@bkjia:~/test$ openssl gendsa -
usage: gendsa [args] dsaparam-file
 -out file - output the key to 'file'
 -des      - encrypt the generated key with DES in cbc mode
 -des3     - encrypt the generated key with DES in ede cbc mode (168 bit key)
 -seed
           encrypt PEM output with cbc seed
 -aes128, -aes192, -aes256
           encrypt PEM output with cbc aes
 -camellia128, -camellia192, -camellia256
           encrypt PEM output with cbc camellia
 -engine e - use engine e, possibly a hardware device.
 -rand file:file:...
           - load the file (or the files in the directory) into
             the random number generator
 dsaparam-file
           - a DSA parameter file as generated by the dsaparam command
Example:
1. Generate a key from key parameters
/* Generate a key from key parameters */
bkjia@bkjia:~/test$ openssl gendsa -out DSA1.pem DSAP.pem
Generating DSA key, 1024 bits
bkjia@bkjia:~/test$ openssl gendsa -out DSA2.pem DSAP.pem
Generating DSA key, 1024 bits
/* Same key parameters, but a different key is generated each time */
bkjia@bkjia:~/test$ diff DSA1.pem DSA2.pem
8,11c8,11
< TWcw1+XFAoGAEA1DLnv5efzB+ipIQ29q0ZedLVPyxdB44jpZES+esBQtU04HdI2N
< BClgwj8c9M6Y/9rL1uy3NqKaGHM+mjLyAXVceigFx7v15r5LRmWjialdqkcVG/3S
< Qo530ui/tXgFbFV9iA6C8L+nHDMPOf5v6oGyICmxN8DWzhQAsmy9mkICFBeqMbZM
< 9qBeG0BaS/6PucBxObsv
---
> TWcw1+XFAoGALWkjJeFunfvkiarJ1/pw8Lqvuyu/Glt3g/hURPPlrOIhA0pFXDmC
> UzCM1x6wrHWFc0jmUNk6FtnjGyiCLxVJGzeB7/4MA35aInHkiHwzX7a+B0At8bMq
> WEkWtzxhvTxTqWTAcC02Qr2mNNfJwWWVV0jVzMtm3Gb6YwhNnUvxp0ACFHrXO/8h
> DIwr6pSuj6vdNpHFDlY2
/* Generate the key and store it encrypted with des3 */
bkjia@bkjia:~/test$ openssl gendsa -out DSA.pem -des3 -passout pass:123456 DSAP.pem
Generating DSA key, 1024 bits
2.3 dsa instruction
The dsa command has much the same functions as the rsa command:
bkjia@bkjia:~/test$ openssl dsa -
unknown option -
dsa [options] <infile >outfile
where options are
 -inform arg     input format - DER or PEM
 -outform arg    output format - DER or PEM
 -in arg         input file
 -passin arg     input file pass phrase source
 -out arg        output file
 -passout arg    output file pass phrase source
 -engine e       use engine e, possibly a hardware device.
 -des            encrypt PEM output with cbc des
 -des3           encrypt PEM output with ede cbc des using 168 bit key
 -aes128, -aes192, -aes256
                 encrypt PEM output with cbc aes
 -camellia128, -camellia192, -camellia256
                 encrypt PEM output with cbc camellia
 -seed           encrypt PEM output with cbc seed
 -text           print the key in text
 -noout          don't print key out
 -modulus        print the DSA public value
Example:
1. Encrypt and decrypt a key
/* Generate an unencrypted DSA key */
bkjia@bkjia:~/test$ openssl dsaparam -out DSA.pem -genkey 1024
/* Encrypt the DSA key with des3 */
bkjia@bkjia:~/test$ openssl dsa -in DSA.pem -out E_DSA.pem -des3 -passout pass:123456
read DSA key
writing DSA key
/* Decrypt the DSA key */
bkjia@bkjia:~/test$ openssl dsa -in E_DSA.pem -out DSA1.pem -passin pass:123456
read DSA key
writing DSA key
2. Extract the DSA public key
bkjia@bkjia:~/test$ openssl dsa -in DSA.pem -out pub.pem -pubout
read DSA key
writing DSA key
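The script below is an added, runnable example and not part of the original article: it chains the three commands covered above (dsaparam, gendsa, dsa) with the dgst command the article only mentions, and checks the properties the examples illustrate: two keys generated from one parameter file differ but share the same p, q, g, a signature verifies only under the matching public key, and it fails once the message changes. It assumes an openssl binary (1.1 or 3.x) on PATH; the file names, the passphrase and the sample message are constructed for this example, and it uses -aes256 instead of the article's -des3 to protect the private key at rest.

```shell
#!/bin/sh
# Added example (not from the original article): the complete DSA workflow
# with dsaparam, gendsa, dsa and dgst. Assumes openssl on PATH; file names,
# passphrase and message below are constructed for this example.

dsa_demo() {
    work=$(mktemp -d) || return 1
    msg="$work/msg.txt"
    printf 'constructed sample message\n' > "$msg"

    # 1. Shared key parameters p, q, g: one set serves many key pairs.
    openssl dsaparam -out "$work/dsap.pem" 1024 2>/dev/null || return 1

    # 2. Two private keys generated from the same parameter file.
    openssl gendsa -out "$work/dsa1.pem" "$work/dsap.pem" 2>/dev/null || return 1
    openssl gendsa -out "$work/dsa2.pem" "$work/dsap.pem" 2>/dev/null || return 1

    # The private values differ on every run ...
    if cmp -s "$work/dsa1.pem" "$work/dsa2.pem"; then
        echo "unexpected: both keys are identical" >&2; return 1
    fi
    # ... but both keys carry the same p, q, g. `dsa -text` prints the key's
    # own values first (priv:, pub:) and the parameters from the "P:" line on.
    params1=$(openssl dsa -in "$work/dsa1.pem" -text -noout 2>/dev/null | sed -n '/^P:/,$p')
    params2=$(openssl dsa -in "$work/dsa2.pem" -text -noout 2>/dev/null | sed -n '/^P:/,$p')
    [ -n "$params1" ] && [ "$params1" = "$params2" ] || {
        echo "parameter blocks differ between the two keys" >&2; return 1; }

    # 3. Protect a private key at rest and read it back with -passin,
    #    extracting the public key in the same step (dsa -pubout).
    openssl dsa -in "$work/dsa1.pem" -out "$work/dsa1.enc.pem" -aes256 \
        -passout pass:example-passphrase 2>/dev/null || return 1
    openssl dsa -in "$work/dsa1.enc.pem" -passin pass:example-passphrase \
        -pubout -out "$work/pub1.pem" 2>/dev/null || return 1
    openssl dsa -in "$work/dsa2.pem" -pubout -out "$work/pub2.pem" 2>/dev/null || return 1

    # 4. Sign with dgst: SHA-256 over the message, DSA over the digest.
    openssl dgst -sha256 -sign "$work/dsa1.pem" -out "$work/msg.sig" "$msg" || return 1

    # Verification succeeds with the matching public key ...
    openssl dgst -sha256 -verify "$work/pub1.pem" -signature "$work/msg.sig" "$msg" \
        >/dev/null || return 1
    # ... fails with the other key built from the same parameters ...
    if openssl dgst -sha256 -verify "$work/pub2.pem" -signature "$work/msg.sig" "$msg" \
        >/dev/null 2>&1; then
        echo "signature accepted under the wrong key" >&2; return 1
    fi
    # ... and fails once the signed message is modified.
    printf 'constructed sample message?\n' > "$work/msg2.txt"
    if openssl dgst -sha256 -verify "$work/pub1.pem" -signature "$work/msg.sig" \
        "$work/msg2.txt" >/dev/null 2>&1; then
        echo "signature accepted for a modified message" >&2; return 1
    fi

    rm -rf "$work"
    echo "DSA demo OK"
    return 0
}

# Run the demo when executed directly as dsa_demo.sh.
case "${0##*/}" in dsa_demo.sh) dsa_demo ;; esac
```

Save it as dsa_demo.sh and run `sh dsa_demo.sh`; it prints "DSA demo OK" and exits 0, or reports the first check that failed and exits 1. The parameter comparison relies on `dsa -text` listing the parameters after the "P:" line, which holds for OpenSSL 1.1 and 3.x.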
3. Summary
As you can see, the DSA and RSA commands are very similar: once you are familiar with one of them, the other is easy to use. OpenSSL provides many commands, but the same parameters recur across them, and in most cases a parameter with the same name means the same thing in different commands.
So far we have introduced the symmetric encryption commands and the RSA and DSA asymmetric algorithm commands, which are the basic commands in practical use. Most of what openssl is used for in practice is CA-related: signing, verification, encryption and decryption. The following chapters therefore cover practical applications such as self-signed certificates, issuing second-level (intermediate) certificates, issuing end-entity certificates, and certificate verification.