OpenSSL symmetric encryption algorithm commands

Source: Internet
Author: User
Tags base64 encode cast5 hmac openssl des openssl enc sha1

OpenSSL symmetric encryption algorithm commands

1. symmetric encryption algorithm Overview

The openssl Encryption Algorithm Library provides a wide range of symmetric encryption algorithms. We can use the symmetric encryption algorithm commands provided by openssl, or call the APIS provided by openssl.

Openssl symmetric encryption algorithm commands are mainly used to encrypt and decrypt data. openssl provides instructions for all supported symmetric encryption algorithms, the names of these application commands are basically composed of the number of digits, encryption mode, or other attributes added to the name of the symmetric encryption algorithm. For example, in the CBC mode of the DES algorithm, the corresponding command is des-cbc. You can run the following command to view the symmetric encryption algorithms supported by the current version of openssl, for example, javast14.04 openssl and support symmetric encryption algorithms:

Bkjia @ bkjia :~ $ Openssl enc-help
Unknown option '-'
Options are
...
/**/
Cipher Types
-Aes-128-cbc-aes-128-cbc-hmac-sha1-aes-128-cfb
-Aes-128-cfb1-aes-128-cfb8-aes-128-ctr
-Aes-128-ecb-aes-128-gcm-aes-128-ofb
-Aes-128-xts-aes-192-cbc-aes-192-cfb
-Aes-192-cfb1-aes-192-cfb8-aes-192-ctr
-Aes-192-ecb-aes-192-gcm-aes-192-ofb
-Aes-256-cbc-aes-256-cbc-hmac-sha1-aes-256-cfb
-Aes-256-cfb1-aes-256-cfb8-aes-256-ctr
-Aes-256-ecb-aes-256-gcm-aes-256-ofb
Aes-256-xts-aes128-aes192
-Aes256-bf-cbc
-Bf-cfb-bf-ecb-bf-ofb
-Blowfish-camellia-128-cbc-camellia-128-cfb
-Camellia-128-cfb1-camellia-128-cfb8-camellia-128-ecb
-Camellia-128-ofb-camellia-192-cbc-camellia-192-cfb
-Camellia-192-cfb1-camellia-192-cfb8-camellia-192-ecb
-Camellia-192-ofb-camellia-256-cbc-camellia-256-cfb
-Camellia-256-cfb1-camellia-256-cfb8-camellia-256-ecb
-Camellia-256-ofb-camellia128-camellia192
-Camellia256-cast-cbc
-Cast5-cbc-cast5-cfb-cast5-ecb
-Cast5-ofb-des-cbc
-Des-fluidized bed-des-cfb1-des-cfb8
-Des-ecb-des-ede-cbc
-Des-ede-cfb-des-ede-ofb-des-ede3
-Des-ede3-cbc-des-ede3-cfb-des-ede3-cfb1
Des-ede3-cfb8-des-ede3-ofb-des-ofb
-Des3-desx-cbc
-Id-aes128-GCM-id-aes192-GCM-id-aes256-GCM
-Rc2-rc2-40-cbc-rc2-64-cbc
-Rc2-cbc-rc2-cfb-rc2-ecb
-Rc2-ofb-rc4-rc4-40
-Rc4-hmac-md5-seed-cbc
-Seed-cfb-seed-ecb-seed-ofb

We can see that the above is the enc-help command. What is enc? Openssl provides two methods to call symmetric encryption algorithms:

One is to directly call symmetric encryption commands, for example:

Openssl des-cbc-in plain.txt-out encrypt.txt-pass: 12345678

In addition, enc is used, that is, symmetric encryption commands are used as the parameters of enc commands, for example :.

Openssl enc-des-cbc-in plain.txt-out encrypt.txt-pass: 12345678

The above two commands provide the same functions and the same parameters. In the past, what was the role of enc? To save trouble .......

Openssl provides N-plus symmetric encryption algorithm commands. enc integrates N-plus symmetric encryption algorithm commands into enc commands. When you use an encryption algorithm, you only need to use enc to specify the encryption algorithm, which is the operation completed by an individual encryption algorithm command. In addition, the symmetric encryption algorithm commands that can be specified in enc may not exist in the form of separate commands. We recommend that you use enc.

Of course, although the symmetric encryption algorithm commands provided by openssl are powerful, they are not complete, for example, the symmetric encryption algorithm does not support 76-bit RC2 encryption or 84-bit RC4 encryption and decryption lamp. To use these encryption algorithms and modes flexibly, you must learn the APIS provided by openssl.

2. symmetric encryption algorithm Command Parameters

You can use the man manual of enc to view the detailed usage of enc, or you can use enc-help to view the summary of the main parameters, as shown below:

Bkjia @ bkjia :~ $ Openssl enc-help
Unknown option '-help'
Options are
-In <file> input file
-Out <file> output file
-Pass <arg> pass phrase source
-E encrypt
-D decrypt
-A/-base64 base64 encode/decode, depending on encryption flag
-K passphrase is the next argument
-Kfile passphrase is the first line of the file argument
-Md the next argument is the md to use to create a key
From a passphrase. One of md2, md5, sha or sha1
-S salt in hex is the next argument
-K/-iv key/iv in hex is the next argument
-[PP] print the iv/key (then exit if-P)
-Bufsize <n> buffer size
-Nopad disable standard block padding
-Engine e use engine e, possibly a hardware device.
Cipher Types
...

[In/out]

These two Parameters specify the input and output files. Encryption means that the input file is in plaintext, the output file is in ciphertext, the input file is in ciphertext during decryption, and the output file is in plaintext.

[Pass]

Password Input Methods: command line input (stdin), file input, environment variable input (var), and file descriptor input (fd) standard input (stdin ). The default value is standard input and input from the keyboard.

[E/d]

E: encryption. d: encryption is used by default for decryption.

[-A/-base64]

Because the file is encrypted in binary format and cannot be viewed, this parameter can be used to encode the encrypted content in base64 to make it readable. Similarly, base64 encoding is required for decryption, then perform the decryption operation.

[-K/-kfile]

Compatible with previous versions. The specified password input method has been replaced by the pass parameter.

[Md]

Specifies the Digest algorithm generated by the key. The password entered by the user cannot be directly used as the key for file encryption, but is converted by the Digest algorithm. This parameter specifies the Digest algorithm, which defaults to md5.

[-S]

To enhance security, the salt value is required when the user password is converted into an encryption key. The default salt value is randomly generated. With this parameter, the salt value is specified by the user. You can also use-nosalt to specify that the salt value is not used, but it reduces security and is not recommended.

[K/IV]

The Key and IV values of the encryption Key of the default file are generated after the user-Entered password is converted, but the Key/IV value can also be specified by the user. In this case, the pass parameter does not work.

[PP]

When the p parameter is added, the file Key and IV values are printed. When the P parameter is added, the file Key and IV values are printed, but the actual encryption and decryption operations are not performed.

[Bufsize]

Read/write file I/O cache, generally do not need to specify

[-Nopad]

Without completion, the length of the input data must be a multiple of the group size of the encryption algorithm.

[Engine]

Third-party encryption device specified, no environment, no experiment

3. Example of symmetric encryption algorithm

1. Only base64 encoding is performed on the file, instead of encryption and decryption.

/* Encode the object using base64 */
Openssl enc-base64-in plain.txt-out base64.txt
/* Decrypt a base64 file */
Openssl enc-base64-d-in base64.txt-out plain2.txt
/* Use the diff command to check whether the plaintext is the same before and after decoding */
Diff plain.txt plain2.txt

2. Different Password Input Methods

/* Enter the command line and the password is 123456 */
Openssl enc-aes-128-cbc-in plain.txt-out out.txt-pass: 123456
/* Enter the file and password 123456 */
Echo 123456> passwd.txt
Openssl enc-aes-128-cbc-in plain.txt-out out.txt-pass file: passwd.txt
/* Enter the environment variable and password 123456 */
Passswd = 123456
Export passwd
Openssl enc-aes-128-cbc-in plain.txt-out out.txt-pass env: passwd
/* Input from file Description */
Enc-aes-128-cbc-in plain.txt-out out.txt-pass fd: 1
/* Input from standard input */
Enc-aes-128-cbc-in plain.txt-out out.txt-pass stdin

3. Fixed salt value Encryption

Bkjia @ bkjia :~ $ Openssl enc-aes-128-cbc-in plain.txt-out encrypt.txt-pass: 123456-P
Salt = 32F5C360F21FC12D
Key = D7E1499A578490DF940D99CAE2E29EB1
Iv = 78EEB538897CAF045F807A97F3CFF498
Bkjia @ bkjia :~ $ Openssl enc-aes-128-cbc-in plain.txt-out encrypt.txt-pass: 123456-P
Salt = DAA482697BECAB46
Key = 9FF8A41E4AC011FA84032F14B5B88BAE
Iv = 202E38A43573F752CCD294EB8A0583E7
Bkjia @ bkjia :~ $ Openssl enc-aes-128-cbc-in plain.txt-out encrypt.txt-pass: 123456-P-S 123
Salt = 1, 1230000000000000
Key = 50E1723DC328D98F133E321FC2908B78
Iv = 1528E9AD498FF118AB7ECB3025AD0DC6
Bkjia @ bkjia :~ $ Openssl enc-aes-128-cbc-in plain.txt-out encrypt.txt-pass: 123456-P-S 123
Salt = 1, 1230000000000000
Key = 50E1723DC328D98F133E321FC2908B78
Iv = 1528E9AD498FF118AB7ECB3025AD0DC6
Bkjia @ bkjia :~ $

We can see that the-S parameter is not used, the salt parameter is randomly generated, and the key and iv values are constantly changing. When the slat value is fixed, the key and iv values are also fixed.

4. base64 encoding/decoding is used during encryption/decryption.

/* Use the-a parameter to encrypt and then use base64 encoding */
Bkjia @ bkjia :~ $ Openssl enc-aes-128-cbc-in plain.txt-a-out encrypt.txt-pass: 123456
/* Use the-a parameter to decode it using base64 */
Bkjia @ bkjia :~ $ Openssl enc-aes-128-cbc-in encrypt.txt-d-a-out plain1.txt-pass: 123456
/* Same file */
Bkjia @ bkjia :~ $ Diff plain.txt plain1.txt
/* The encrypted file uses base64 encoding */
Bkjia @ bkjia :~ $ Cat encrypt.txt
U2fsdgvkx19kbcj9gmi1tboqjp8jcefiuh1thwf/Z4 =

5. Manually specify the Key and IV values

/* Manually specify the key and iv values, and the salt is fixed */
Bkjia @ bkjia :~ $ Openssl enc-aes-128-cbc-in plain.txt-out encrypt.txt-K 1223-iv f123-p
Salt = 0B00000000000000
Key = 1, 12230000000000000000000000000000
Iv = f12300000000000000000000000000000000
/* Specifies the pass password, which does not work. Note that the Key and IV values are hexadecimal */
Bkjia @ bkjia :~ $ Openssl enc-aes-128-cbc-in plain.txt-out encrypt.txt-K 1223-iv f123-p-pass: 123456
Salt = F502F4B8DE62E0E5
Key = 1, 12230000000000000000000000000000
Iv = f12300000000000000000000000000000000

For more information about OpenSSL, see the following links:

Use OpenSSL command line to build CA and Certificate

Install OpenSSL in Ubuntu

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.

Use OpenSSL to generate certificates in Linux

Use OpenSSL to sign multi-domain certificates

Add a custom encryption algorithm to OpenSSL

OpenSSL details: click here
OpenSSL: click here

This article permanently updates the link address:

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.