OpenSSL encryption principle

Source: Internet
Author: User
Tags openssl enc openssl x509 ssl certificate asymmetric encryption
SSL Overview
SSL is securesocketlayer ( SecuritySocket Layer Protocol), which can provide confidential transmission over the Internet. Netscape released the first web browser and put forward the SSL protocol standard, which currently has version 3.0. SSL uses public key technology. The goal is to ensure the confidentiality and reliability of communications between two applications, and support can be achieved at the same time on the server side and the client side. Currently, the SSL protocol using public key technology has become an industrial standard for secure communication on the Internet. SecurityThe socket layer protocol keeps the communication between users and server applications from being eavesdropped by attackers, and always authenticates the server. You can also choose to authenticate the user. The SSL protocol must be built on a reliable transport layer protocol (TCP. The advantage of the SSL protocol is that it is independent from the application layer protocol. The High-level application layer protocol (such as HTTP, FTP, and telnet) can be transparently built on the SSL protocol. The SSL protocol has completed encryption algorithms, communication key negotiation, and server authentication before the application layer protocol communication. After that, the data transmitted by the application layer protocol will be encrypted to ensure the privacy of the communication.
As described above, the secure channel provided by the SSL protocol has the following three features:
1. Data Confidentiality information encryption is to convert plaintext input files into encrypted files using encryption algorithms to achieve data confidentiality. The encryption process requires keys to encrypt data and then decrypt the data. Without a key, the encrypted data cannot be unlocked. After data encryption, only the key must be transmitted in a secure way. Encrypted data can be publicly transmitted.

2. Data Integrity encryption can also ensure data consistency. For example, the message Verification Code (MAC) can verify the encrypted information provided by the user. the receiver can use Mac to verify the encrypted data to ensure that the data has not been tampered with during transmission.

3. Another purpose of Security Authentication Encryption is to serve as a personal identity, and the user's key can be used as the identity for security authentication. SSL uses public key encryption technology (RSA) as the encrypted communication protocol between the client and the server when transmitting confidential data.
OpenSSL Overview
Currently, one of the most popular Authentication servers is the OpenSSL authentication server, which is an open-source SSL implementation. It is a session-based TLS/SSL library that implements identity authentication, data confidentiality, and session integrity. It also helps us implement private certificate issuance and other functions. Based on the ssleay package developed by ericyoung, the OpenSSL Project develops a robust, commercial-grade, open-source toolkit that uses powerful encryption algorithms to implement Secure Socket Layer and Transport Layer Security, this project manages and develops OpenSSL Toolkit and related documents by volunteers around the world. It provides numerous and complex API functions. Unfortunately, its documentation is incomplete and only programmers can do more work on their own. Its URL is:

Symmetric encryption algorithm:
OpenSSL provides eight symmetric encryption algorithms, 7 of which are group encryption algorithms, and the only stream encryption algorithm is RC4. These seven grouping encryption algorithms are AES, Des, blowfish, cast, idea, RC2, and RC5, all of which support the electronic cipher book mode (ECB) and the encrypted group link mode (CBC) the packet encryption mode is commonly used, including the encrypted feedback mode (CFB) and the output feedback mode (ofB. Among them, AES uses the encryption feedback mode (CFB) and output feedback mode (ofB). The group length is 128 bits, while other algorithms use 64 bits. In fact, the DES algorithm is not only a common DES algorithm, but also supports three keys and two key 3DES algorithms.

Asymmetric encryption algorithm:
OpenSSL implements four asymmetric encryption algorithms, including DH algorithm, RSA algorithm, DSA algorithm, and elliptic curve algorithm (EC ). DH algorithms are generally used for User Key Exchange. The RSA algorithm can be used for both key exchange and digital signature. Of course, if you can tolerate its slow speed, it can also be used for data encryption. The DSA algorithm is generally used only for digital signatures.

The above content comes from OpenSSL and search in Baidu encyclopedia. It is mainly presented as a reference definition... It is a coincidence that there is no infringement...

The following describes how SSL works, how to use OpenSSL encryption, and how to issue certificates.

SSL protocol workflow (SSL principle ):
Server Authentication phase: 1) the client sends a start message to the server (for example, "Hello, are you there ?") In order to start a new session connection; 2) the server determines whether to generate a new master key based on the customer's information. If necessary, the server is responding to the customer's ("Hello, are you there? ") The information will contain the information required to generate the CMK. 3) the customer generates a CMK Based on the server response information received and encrypts it with the public key of the server before sending it to the server. 4) the server restores the CMK and returns a message for the customer to authenticate the server with the CMK.

User authentication stage: before that, the server has passed the customer authentication, which completes the customer authentication. The authenticated server sends a question to the customer, and the customer returns the question signed by (number) and the Public Key to provide the server with authentication.
SSL sessions are established based on IP addresses.

Redhat5.8 is used in this experiment.
First install OpenSSL, (YUM install OpenSSL) I use the version of the openssl-0.9.8e-22.e15.i386.rpm (you can view the local installation version through rpm-Q OpenSSL) is currently officially updated to OpenSSL 1.0.1c, for more information, see compile and install...

You can use rpm-QL OpenSSL to view various files generated by OpenSSL.
The configuration file of OpenSSL on Redhat is stored in/etc/pki/tls/OpenSSL. CNF.

OpenSSL encryption and decryption of files:

First, check the help information of ENC: (first whatis ENC, then man ENC) Result:

OpenSSL ENC-ciphername [-in Filename] [-out filename] [-pass Arg] [-E] [-D] [-A] [-A] [-K Password] [-kfile filename] [-K key] [-IV] [-p]

[-P] [-bufsize number] [-nopad] [-Debug]

-Chipername option: encryption algorithm. The Algorithms supported by OpenSSL are listed above. You only need to select one of them to implement file encryption.

-In option: indicates the input file. For encryption, the input file should be a plaintext file; for decryption, the input file should be an encrypted file. This option is followed by the file name.

-Out option: output file. For encryption, the output should be the encrypted file name; for decryption, the output should be the plaintext file name.

-Pass option: select the password input method. The input source can be a standard input device, command line input, files, variables, and so on.

-E Option: implements the encryption function (if the-D option is not used, the encryption option is used by default ).

-D option: Implements decryption.

-A and-A options: Perform base64 encoding/Decoding on the file.

-K option: Enter the encryption key manually. (If this option is not used, OpenSSL uses a password to automatically extract the encryption key ).

-IV option: Enter the initial variable. (If this option is not used, OpenSSL uses a password to automatically extract the initial variable ).

-Salt option: whether to use the salt value. It is used by default.

-P option: print the encryption key used by the encryption algorithm.

Instance resolution:
Symmetric encryption: one-way encryption algorithm

Encrypt initta files
Copy inittab to the root directory.
OpenSSL ENC-des3-salt-a-in inittab-out inittab. des3
Enter the password, and enter the password for confirmation.

View the encryption result:

Decrypts an initta File
OpenSSL ENC-des3-D-salt-a-in inittab. des3-out inittab
Enter the encrypted password
View results: CAT inittab

Use OpenSSL to extract the signature:

OpenSSL DGST-sha1 inittab

If the inittab content is updated, the signature is also updated.

Use OpenSSL to generate a password string
OpenSSL passwd-1

If the-salt password string is consistent

OpenSSL implements private CA:

1. Generate a key pair
Generate an RSA and CA private key. The CA private key is used to issue a CA root certificate. The CA root certificate must be provided to others for download so that it can use this certificate
OpenSSL genrsa 1024> server. Key
Chmod 600 server. Key change permission
2. Generate a self-signed certificate
OpenSSL req-New-X509-key server1024.key-out server. CRT-days 365
The following is the information of the input owner.
1: Country name
2: province name
3: city name
4: Company Name
5. Organization Name
6: Host Name
7. Administrator email address

This completes the self-signed certificate.

View certificate content: OpenSSL X509-text-in server. CRT

CA Server:
Set the OpenSSL configuration file before issuing the certificate.
Vim/etc/pki/tls/OpenSSL. CNF
Change dir =.../../CA to/etc/pki/CA

The above is the default setting.
Then, access the/pki/CA file for operations.

First generate a pair of keys
The key generation method can also be used (ukask 077; OpenSSL genrsa-out private/cakey. pem 2048)
Then generate the self-signed certificate

OpenSSL req-New-X509-key private/cakey. pem-out cacert. pem

Then, several directories must be created under this Directory, which are the required directories and two files in the OpenSSL configuration file.
Mkdir certs newcerts CRL
Touch index.txt
Touch serial: Give this file a start number echo 01> serial
This is the CA server.

Below we use web for testing (this operation is only executed on the local machine)
Assume that all our web configuration files are under the httpd file, so mkdir/etc/httpd/
Create an SSL Certificate key in this directory.
Then create a private key to extract the Public Key (any certificate must have a private key and a public key)
(Ukask 077; Open SSL genrsa-out httpd. Key 1024)
Then go to the CA server to apply for a certificate
First fill in the application form:
OpenSSL req-New-key httpd. Key-out httpd. CSR

Then let the CA issue the certificate

OpenSSL ca-in httpd. CSR-out httpd. CET-days 365
By now, the Ca has issued a certificate.
The process may not be detailed. If you have any questions, please leave a message... Thank you for your support...

Compilation: OpenSSL encryption and SSL principles


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.