OpenSSL User Guide

Directory

• Introduction

• Compile

• Run openssl.exe

• Algorithm Programming API

 

•Introduction

OpenSSL is a widely used open-source SSL implementation. Because various encryption algorithms are implemented for SSL, OpenSSL is also a widely used encryption function library.

1.1 SSL

The SSL (Secure Socket Layer) security protocol was first proposed by Netscape to protect the HTTP Communication (https) between the Navigator browser and the web server ). Later, the SSL protocol became the de facto standard for Transport Layer Security Communications and was improved to the Transport Layer Security Protocol by IETF. The SSL/TLS protocol is located between the TCP protocol and the application layer protocol. It provides security services such as authentication, encryption, and integrity protection for both transmission parties. As a Protocol framework, both parties can use suitable symmetric algorithms, public key algorithms, Mac algorithms, and other cryptographic algorithms to implement security services.

1.2 OpenSSL

OpenSSL is a well-known open-source implementation of SSL, which is implemented in C language.

The predecessor of OpenSSL is ssleay, an open-source SSL implementation developed by Eric Young. It supports SSLv2, V3, and tlsv1.

With the popularization of the SSL protocol, OpenSSL is widely used in TCP/socket-based network programs, especially the combination of OpenSSL and Apache. It is a typical configuration of many e-commerce website servers.

•Compile and install OpenSSL

OpenSSL Open Source Code provides the opportunity to learn, analyze SSL and various cryptographic algorithms, and facilitate further development.

2.1Obtain OpenSSL

To the OpenSSL website http://www.openssl.org/source/ to download the current version of OpenSSL source code compressed package. The current version of OpenSSL-1.0.0 beta3. Among them, the crypto sub-directory contains many cryptographic algorithm implementations, And the SSL sub-directory contains the implementation of the SSL protocol.

Decompress the package in Linux:

$ Tar zxfOpenssl-1.0.0-beta3.tar.gz,In Windows, you can use WinZip or WinRAR.

2.2Compilation tool

Compiling OpenSSL requires the Perl and C compilers. In Windows, if you want to implement the encryption algorithm's assembly code, you also need the MASM or NASM assembler. (Assembly code can significantly improve the password calculation speed than C code)

Active Perl is recommended in windows.

The C compiler can use GCC. You can use the Visual C compiler under W indows.

NASM is recommended for assembler.

The directory where these tools are located must be added to the PATH environment variable.

2.3Compilation and Installation Steps

Reading readme is a good habit. Read readme to learn more about the install and install. w32 files.

In Windows:

> Perl configure VC-WIN32

> MS "do_nasm (if it is not implemented using assembly code,> MS" do_ms)

> Nmake-F ms "NTDLL. Mak

> Cd out32dll

> .. "Ms" Test

The header file, Link Library, Runtime Library, and openssl.exe tool are obtained after compilation. The header file is located in the./inc32 or./inculde directory and has an OpenSSL subdirectory containing dozens of. H files. The Link Library is libeay32.lib and ssleay32.lib in the./out32dll Directory, which are related to cryptographic algorithms and SSL Protocols respectively. The runtime libraries are libeay32.dll and ssleay32.dll in the./out32dll Directory, which correspond to the linked libraries. Openssl.exe is also a tool in./out32dll that can be used directly to test performance, generate RSA keys, encrypt and decrypt files, and even maintain a CA for testing.

In Linux, the compilation and installation steps are relatively simple:

$./Config

$ Make

$ Make test

$ Make install

In Linux, the header files, library files, and tools have been installed and placed in a proper location. The library file is in. A or. So format.

•Use openssl.exe

Openssl.exe (the executable file name in Linux is OpenSSL) is a good tool for testing and debugging.

3.1Version and compilation Parameters

Show version and compilation parameters:> OpenSSL version-

3.2Supported sub-commands and cryptographic algorithms

View supported sub-commands:> OpenSSL?

SSL password combination list:> OpenSSL ciphers

3.3Test cryptographic algorithm speed

Test the speed of all algorithms:> OpenSSL speed

Test RSA speed:> OpenSSL Speed RSA

Test des speed:> OpenSSL speed des

3.4 RSAKey operation

Generate an RSA key pair:> OpenSSL genrsa-out 1.key 1024

Retrieve the RSA public key:> OpenSSL RSA-In 1.key-pubout-out 1. pubkey

3.5Encrypted File

Encrypted File:> OpenSSL ENC-e-RC4-In 1.key-out 1. Key. enc

Decrypt the file:> OpenSSL ENC-D-RC4-in 1. Key. enc-out 1. Key. Dec

3.6Calculate the hash value

Calculate the MD5 value of the file:> OpenSSL MD5 <1.key

Calculate the sha1 value of the file:> OpenSSL sha1 <1.key

•Algorithm Programming API

OpenSSL supports many cryptographic algorithms and provides good encapsulation and interfaces. Cryptographic algorithms include symmetric algorithms, public key algorithms, hash algorithms, and random number generation algorithms.

OpenSSL is designed to implement security protocols. Related protocols and standards include: SSL/TLS, PKCS #1, pcks #10, X.509, PEM, and OCSP.

4.1Symmetric algorithm interface

There are too many symmetric algorithms implemented in OpenSSL. For example, Des, AES, and RC4.

4.1.1Des

The DES encryption algorithm is a grouping algorithm. The basic operation of DES is to encrypt 64-bit plain text into 64-bit ciphertext under the guidance of 56-bit keys. In actual use, it is more convenient to regard the key as 64-bit.

Des (in, key) = out

(1) des ECBMode

In OpenSSL, the function corresponding to the ECB operation mode is des_ecb_encrypt (), which encrypts an 8-byte plaintext group input into an 8-byte ciphertext group output. In the parameter, the key structure KS is prepared using the des_set_key () function, and the key is a 64 random bit generated by the random number algorithm. The ENC parameter indicates whether to encrypt or decrypt the data. This function only encrypts one group at a time, so it is not convenient to encrypt a lot of data.

Void des_ecb_encrypt (const_des_cblock * input, des_cblock * output, des_key_schedule * KS, int ENC );

Int des_set_key (const_des_cblock * Key, des_key_schedule * Schedule );

(2) des CBCMode

Des_ncbc_encrypt () is the encryption and decryption function in the CBC operation mode of the DES algorithm (). The length parameter indicates the length of input bytes. If the length is not a multiple of 8 bytes, it will be filled with 0 to a multiple of 8 bytes. Therefore, the output may be longer than the length, and must be a multiple of 8 bytes.

Void des_ncbc_encrypt (const unsigned char * input, unsigned char * output, long length, des_key_schedule * schedule, des_cblock * ivec, int ENC );

(3) des CFBMode

Des_cfb_encrypt () is the encryption and decryption function in the CFB operation mode of the DES algorithm (). The length parameter indicates the length of input bytes. The numbits parameter indicates the number of plaintext bits encrypted in every cycle of CFB, that is, the number of BITs fed back by ciphertext. Ivec is the initial vector. It is regarded as 0th ciphertext groups. It is an 8-byte that does not need to be kept confidential but should be randomly set. If des_cfb_encrypt () is called several times in a session, you should remember ivec. Because the basic des operation in CFB mode only encrypts numbits bit plaintext, the efficiency is too low if numbits is too small.

Void des_cfb_encrypt (const unsigned char * In, unsigned char * Out, int numbits, long length, des_key_schedule * schedule, des_cblock * ivec, int ENC );

Another numbit version is a 64-bit version, which is both efficient and free of fill. We recommend that you use it. The return value in num indicates the status in ivec, which is connected to the next call.

Void des_cfb64_encrypt (const unsigned char * In, unsigned char * Out, long length, des_key_schedule * schedule, des_cblock * ivec, int * num, int ENC );

(4) des ofBMode

OfB is similar to CFB, and there are two functions in the same usage.

Void des_ofb_encrypt (const unsigned char * In, unsigned char * Out, int numbits, long length, des_key_schedule * schedule, des_cblock * ivec );

Void des_ofb64_encrypt (const unsigned char * In, unsigned char * Out, long length, des_key_schedule * schedule, des_cblock * ivec, int * num );

(5) desFunction example Program

See Attachment A.1.

4.1.2Es

The AES encryption algorithm is a grouping algorithm. The basic operation of AES for typical parameters is to encrypt 128-bit plaintext into 128-bit ciphertext under the guidance of 128-bit keys.

AES (in, key) = out

The function name and parameter interface of AES in OpenSSL are the same as those of DES. The related function name is as follows (the parameter is omitted ).

Int aes_set_encrypt_key ();

Int aes_set_decrypt_key ();

Void aes_ecb_encrypt ();

Void aes_cbc_encrypt ();

Void aes_cfb128_encrypt ();

Void aes_ofb128_encrypt ();

For the AES sample program, see Appendix A.2.

4.1.3RC4

RC4 cryptographic algorithms are stream algorithms, also called sequence algorithms. Stream algorithms use keys as seeds to generate encrypted streams. plaintext bit streams and encrypted streams are both unique or encrypted. The RC4 algorithm is concise, fast, variable-length key, and not difficult to fill. Therefore, it is highly recommended in many cases.

In OpenSSL, The RC4 algorithm has two functions: rc4_set_key () setting key and RC4 () encryption and decryption. RC4 can be seen as an exclusive or, so encryption is decrypted twice.

Void rc4_set_key (rc4_key * Key, int Len, const unsigned char * data );

Void RC4 (rc4_key * Key, unsigned long Len, const unsigned char * indata, unsigned char * outdata );

For the RC4 sample program, see Appendix A.3.

Example A.3. (1) uses the OpenSSL dynamic library function. Example A.3. (2) separates the implementation code of RC4 from OpenSSL. Example A.3. (3) is another demo implementation.

4.2Public Key Algorithm

OpenSSL implements RSA, DSA, ECDSA, and other public key algorithms.

4.2.1RSA

RSA is a grouping algorithm. A typical key modulo with a length of 1024 bits means 1024 bits, or 128 bytes.

(1) RSAKey

The RSA key generation function rsa_generate_key () needs to specify the Modulo-long bits and public key index E. The other two parameters are null.

RSA * rsa_generate_key (INT bits, unsigned long e, void (* callback) (INT, Int, void *), void * cb_arg );

If you want to read the key from a file, you can use the pem_read_bio_privatekey ()/pem_read_bio_pubkey (); evp_pkey contains an RSA structure that can be referenced.

Evp_pkey * pem_read_bio_privatekey (Bio * bp, evp_pkey ** X, pem_password_cb * CB, void * U );

(2) RSAEncryption and decryption

The RSA encryption function rsa_public_encrypt () uses the public key. The decryption function rsa_private_decrypt () uses the private key. There are two common filling methods: rsa_pkcs1_padding and rsa_pkcs1_oaep_padding. -1 is returned when an error occurs. The input must be at least 11 bytes longer than the RSA key modulo (when rsa_pkcs1_padding ?). The output length is equal to the modulo length of the RSA key.

Int rsa_public_encrypt (int flen, const unsigned char * From, unsigned char * To, RSA * RSA, int padding );

Int rsa_private_decrypt (int flen, const unsigned char * From, unsigned char * To, RSA * RSA, int padding );

(3)Signature and Verification

The private key is used for signature verification. The RSA signature uses the private key to encrypt the hash value of the signed message. Therefore, the type parameter in the function is used to indicate the type of the hash function, which is generally nid_md5 or nid_sha1. 0 is returned if the value is correct.

Int rsa_sign (INT type, const unsigned char * m, unsigned int m_length, unsigned char * sigret, unsigned int * siglen, RSA * RSA );

Int rsa_verify (INT type, const unsigned char * m, unsigned int m_length, unsigned char * sigbuf, unsigned int siglen, RSA * RSA );

(4) RSAFunction example Program

For the RSA sample program, see Appendix A.4.

Example A.4. (1) is an example of encryption and decryption. Example A.4. (2) is an example of signature verification.

4.2.2DSA

(Tobe)

4.2.2ECDSA

(Or not tobe)

4.3 hashAlgorithm

The hash algorithm uses two examples: MD5 and sha1. The hash algorithm repeatedly receives user input and outputs the hash result until the last end.

4.3.1MD5

The hash value output by the MD5 algorithm is 16 bytes.

Int md5_init (md5_ctx * C );

Int md5_update (md5_ctx * C, const void * data, size_t Len );

Int md5_final (unsigned char * MD, md5_ctx * C );

4.3.2Sha1

The hash value output by the sha1 algorithm is 20 bytes.

Int sha1_init (sha_ctx * C );

Int sha1_update (sha_ctx * C, const void * data, size_t Len );

Int shaw.final (unsigned char * MD, sha_ctx * C );

4.3.3MD5Example

For the MD5 sample program, see Attachment A.5.

Md5sum is a utility tool that can calculate the MD5 value of a file.

4.4Random Number Algorithm

Randomness is the cornerstone of password security. To generate secure pseudo-random numbers, good random factors must be used as seeds. OpenSSL has made efforts internally, but we recommend that you add a random factor before generating a function using a random number.

The rand_add () function can add random factors to the internal state. Then, you can use rand_bytes () to obtain the random number.

Void rand_add (const void * Buf, int num, double entropy );

Int rand_bytes (unsigned char * Buf, int num );

•Reference URL

SSL 3.0 specification

Http://www.netscape.com/eng/ssl3/

Transp ort layer security (TLS) Charter

Http://www.ietf.org/html.charters/tls-charter.html

OpenSSL: the open source toolkit for SSL/TLS

Http://www.openssl.org/

Ssleay

Http://www2.psy.uq.edu.au /~ FTP/crypto/

OpenSSL Chinese Forum

Http://openssl.cn/

Perl

Http://www.cpan.org/src/README.html

Http://www.activestate.com/Products/ActivePerl/

NASM

Http://www.perl.com/