Related knowledge and application of OpenSSL

Source: Internet
Author: User
Tags openssl enc pkcs12 sha1 ssl certificate asymmetric encryption pfx file

About OpenSSL

SSL is an abbreviation for the Secure Sockets Layer protocol, which provides confidential transmission over the Internet. Netscape introduced the SSL protocol standard at the same time as its first web browser; the protocol is now at version 3.0. SSL employs public key technology. Its goal is to ensure the confidentiality and reliability of communication between two applications, and it has to be supported on both the server side and the client side.


SSL is a protocol that provides cryptographic protection for clear-text application protocols. OpenSSL is an open-source implementation of the SSL protocol that also implements many other things; although it is an SSL library, its own functionality is quite powerful.


OpenSSL has two modes of operation: interactive mode and batch processing mode.

Running openssl with no arguments enters interactive mode; running openssl with a command and its options runs in batch mode.


The entire OpenSSL package can be divided into three main functional parts: the cryptographic algorithm library, the SSL protocol library, and the application. The directory structure of OpenSSL is naturally organized around these three parts.


1. Symmetric encryption algorithm

OpenSSL provides a total of 8 symmetric encryption algorithms, of which 7 are block ciphers and one, RC4, is a stream cipher. The 7 block ciphers are AES, DES, Blowfish, CAST, IDEA, RC2, and RC5, all of which support the four commonly used block cipher modes: electronic codebook mode (ECB), cipher block chaining mode (CBC), cipher feedback mode (CFB), and output feedback mode (OFB). For AES, the block length used in cipher feedback mode (CFB) and output feedback mode (OFB) is 128 bits; the other algorithms use 64 bits. The DES implementation covers not only the ordinary DES algorithm but also the three-key and two-key 3DES algorithms.


2. Asymmetric Encryption algorithm

OpenSSL implements 4 asymmetric encryption algorithms: the DH algorithm, the RSA algorithm, the DSA algorithm, and the elliptic curve algorithm (EC). The DH algorithm is generally used for key exchange. The RSA algorithm can be used for both key exchange and digital signatures and, if you can tolerate its slow speed, for data encryption as well. The DSA algorithm is generally used only for digital signatures.


3. Information Digest algorithm

OpenSSL implements 5 message digest algorithms, namely MD2, MD5, MDC2, SHA (SHA1), and RIPEMD. The SHA algorithm actually includes two message digest algorithms, SHA and SHA1; in addition, OpenSSL implements the two digest algorithms DSS and DSS1 specified in the DSS standard.


4. Key and certificate management

Key and certificate management is an important part of PKI, and OpenSSL provides a wide range of functions to support multiple standards.


First, OpenSSL implements the ASN.1 standards for certificates and keys, providing DER, PEM, and Base64 encoding and decoding for data objects such as certificates, public keys, private keys, certificate requests, and CRLs. OpenSSL provides methods, functions, and applications that generate a variety of public key pairs and symmetric keys, provides DER encoding and decoding for public and private keys, and implements PKCS#12 and PKCS#8 encoding and decoding for private keys. OpenSSL provides the cryptographic protection of private keys defined in the standards, so that keys can be stored and distributed securely.


On this basis, OpenSSL implements standard encoding and decoding of certificates, PKCS#12 encoding and decoding, and PKCS#7 encoding and decoding. It also provides a text database that supports certificate management, including certificate key generation, request generation, certificate issuance, revocation, and verification.


In fact, the CA application provided by OpenSSL is a small certificate Management Center (CA) that implements the entire process of certificate issuance and most of the mechanisms for certificate management.

The composition of OpenSSL

libcrypto: cryptographic library providing the common functions

libssl: library implementing TLS/SSL

openssl: multi-purpose command-line tool for generating keys, creating digital certificates, and manually encrypting and decrypting data

Features of the SSL protocol

Before application-layer protocol communication begins, the SSL protocol has already negotiated the encryption algorithm and the communication key and authenticated the server. (SSL works as a half layer added between the application layer and the transport layer, because some protocols do not need encryption.) After this, the data transmitted by the application-layer protocol is encrypted, which guarantees the privacy of the communication. As described above, the SSL protocol provides a secure channel with the following three features:


1. Confidentiality of data


Encryption converts a plaintext file into a ciphertext file using an encryption algorithm, which achieves confidentiality of the data. The encryption process uses a private key to encrypt the data and the public key to decrypt it; although the public key is public, the encrypted data cannot be recovered without the private key. Once the data is encrypted, it can be transmitted over a public channel.


2. Consistency of data


Encryption also ensures the consistency of data. For example, a message authentication code (MAC) can verify the encrypted information a user provides: the receiver uses the MAC to check the encrypted data and make sure it was not tampered with during transmission.


3. Identity authentication


Another use of encryption is personal authentication: a user's public key can serve as the identity for security verification. SSL uses public key encryption technology (RSA) as the encrypted communication protocol between client and server when confidential information is transmitted; when the other party receives the data, it obtains the data by decrypting it with the sender's public key. (Note: the public key is extracted from the private key.)

Terminology for configuring SSL in real-world projects

1. File format description for various keys and certificates

JKS (Java KeyStore): Java's key store file, binary format, which can contain public keys, private keys, and X509 certificates. It is a Java-specific key file format.

PEM (Privacy Enhanced Mail): text format, which can contain public keys, private keys, and X509 certificates. It stores Base64-encoded DER data wrapped in ASCII headers.

DER (Distinguished Encoding Rules): text format, which can also contain public keys, private keys, and X509 certificates. It is the default format most of the time.

CER: DER-encoded binary format

CRT: text format, X509 standard suffix name

PFX: binary file, Public Key Cryptography Standard #12 (PKCS#12)

2. Related terms

PKI (Public Key Infrastructure): public key infrastructure

SSL: the original web-based protocol proposed by Netscape, built on the public key system and X509 digital authentication technology. It includes server authentication, client authentication (optional), and SSL link integrity and confidentiality. Disadvantage: it does not digitally sign application-level messages.

RSA public key cryptography: asymmetric encryption and decryption

Certificate: binds a public key to a name (domain name). In layman's terms, it is the applicant organization's information plus its public key, digitally signed.

It generally includes: organization name; IP; public key; expiry date; CA organization name; serial number; root CA signature (e.g. VeriSign)

SSL handshake:

IE accesses the HTTPS site >> confirms whether the web server has a key associated with the SSL certificate >> success >> communication

Certification authority (CA, Certificate Authority): a trusted third party that issues certificates. Each certification center carries the signature of the highest certification authority (CA root).

Highest certification center: does not issue certificates directly but authorizes intermediate certification centers to do so; its own certificate is self-signed. The public key of the highest certification center has to be known in advance.

SSL uses the X509 top-down pyramid certificate system:

CA root

CA certification center ... CA certification center ...

User certificate ... User certificate ... User certificate ... User certificate ...

GSKit

IBM's C/C++ implementation of SSL, used by the WebSphere web server plug-in and IHS (IBM HTTP Server).

PKCS12

PKCS stands for "Public Key Cryptography Standards". PKCS12 is the standard key file format.

3. Current domestic CA certification fees (only this one provider was consulted):

Tianwei Integrity (root CA is VeriSign)

SSL 40-bit: 5000 yuan/year

SSL 128-bit: 8000 yuan/year

Application of OpenSSL

1) Message digest commands (a message digest algorithm can also be called a one-way encryption algorithm)

One-way encryption algorithms are: MD2, MD4, MD5, rmd160, SHA, SHA1

Command:

openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-out filename] /path/to/somefile

Function: used to ensure the integrity of the data transmitted in network communication

# openssl dgst -sha1 -out /a.cipher /a.txt

This uses the one-way algorithm SHA1; the output file is /a.cipher and the source file is /a.txt.

# ll /a.cipher

-rw-r--r--. 1 root root 9 04:56 /a.cipher

2) Cipher commands (symmetric encryption)

Common algorithms are: DES, des3, base64, etc.

# openssl enc -base64 -a -salt -in /etc/passwd -out /passwd.cipher

encrypt

# openssl enc -d -base64 -a -salt -in /passwd.cipher -out /passwd

decrypt

-d means decrypting

-a -salt for adding salt
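
Added example (not from the original page): with only -base64 selected, openssl enc encodes the input without any key, so this script contrasts that with a keyed cipher, AES-256-CBC from the block ciphers listed earlier. The sample line, the passphrase and the temp files are constructed; -pbkdf2 assumes OpenSSL 1.1.1 or later.

```shell
# Encoding vs. encryption with `openssl enc`.
# The sample line and the passphrase are constructed for this demo.
work=$(mktemp -d)
printf 'alice:x:1000:1000::/home/alice:/bin/sh\n' > "$work/plain.txt"

# Base64 only: no cipher is selected, so no key is involved.
b64_roundtrip() {
    openssl enc -base64 -in "$work/plain.txt" -out "$work/plain.b64"
    # Anyone can reverse it with -d and no secret at all.
    openssl enc -d -base64 -in "$work/plain.b64"
}

# Keyed encryption: AES-256-CBC, key derived from a passphrase plus a
# random salt (-salt, -pbkdf2); -a base64-encodes the ciphertext.
aes_encrypt() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -a \
        -pass pass:demo-passphrase \
        -in "$work/plain.txt" -out "$work/plain.enc"
}

# Decrypt with the passphrase given as $1; a wrong one does not
# reproduce the plaintext.
aes_decrypt() {
    openssl enc -d -aes-256-cbc -pbkdf2 -a \
        -pass "pass:$1" -in "$work/plain.enc" 2>/dev/null
}

b64_roundtrip
aes_encrypt
aes_decrypt demo-passphrase
aes_decrypt wrong-passphrase >/dev/null || echo "wrong passphrase rejected"
```

The salted output always starts with the Base64 form of the "Salted__" header, which is a quick way to tell a file produced with -salt from plain Base64 text.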

Note:


User authentication: Public key encryption, private key decryption.


Digital Signature: Private key encryption, public key decryption.
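
Added example (not from the original page) of the "private key signs, public key verifies" rule in the note above, using openssl dgst. It uses -sha256 rather than the page's -sha1; the key size, file names and message text are constructed.

```shell
# Sign with the private key, verify with the public key (openssl dgst).
# Key size, file names and message text are constructed for this demo.
work=$(mktemp -d)
printf 'transfer 100 to bob\n' > "$work/msg.txt"
printf 'transfer 900 to bob\n' > "$work/tampered.txt"

# Private key (owner-only via umask) and the public key derived from it
(umask 077; openssl genrsa -out "$work/priv.pem" 2048 2>/dev/null)
openssl rsa -in "$work/priv.pem" -pubout -out "$work/pub.pem" 2>/dev/null

# Hex digest of file $1: anyone can recompute it, no key involved
digest_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# Signature: SHA-256 digest of the message, signed with the private key
openssl dgst -sha256 -sign "$work/priv.pem" \
    -out "$work/msg.sig" "$work/msg.txt"

# Verify file $1 against msg.sig using only the public key
verify_sig() {
    openssl dgst -sha256 -verify "$work/pub.pem" \
        -signature "$work/msg.sig" "$1" >/dev/null 2>&1
}

echo "digest:   $(digest_of "$work/msg.txt")"
verify_sig "$work/msg.txt" && echo "original: signature OK"
verify_sig "$work/tampered.txt" || echo "tampered: signature rejected"
```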

3) Certificate (X509 format)

[Figure: X.509 certificate structure and authentication protocol standard]

OpenSSL building a private CA

First, establish the CA server

Modify the configuration file

# vim /etc/pki/tls/openssl.cnf

###################################
[ CA_default ]
dir = /etc/pki/CA                  # directory
certs = $dir/certs                 # location of issued certificates
crl_dir = $dir/crl                 # location of revoked certificates
database = $dir/index.txt          # index table
new_certs_dir = $dir/newcerts      # location of new certificates
certificate = $dir/cacert.pem      # location of the CA's own certificate
serial = $dir/serial               # certificate serial number
crlnumber = $dir/crlnumber         # certificate revocation list number
##########################################

Create directories and files

# cd /etc/pki/CA

# mkdir certs newcerts crl

# touch index.txt serial

# echo > serial    # import the initial serial number

Generate the key

# (umask 077; openssl genrsa -out private/cakey.pem 2048)

Issue a certificate to yourself (self-signed)

# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 365


Country name: CN

Province:

City:

Company name: XX

Organizational unit name: XXX

Common name (user name or server name): ca.baidu.com (must match the name actually used)

E-mail address: XXX


Second, the client applies for a certificate

Create an ssl directory in the configuration directory of the service concerned, taking vsftpd as an example:

# mkdir /etc/vsftpd/ssl    # create the ssl directory

# cd /etc/vsftpd/ssl

# (umask 077; openssl genrsa 1024 > vsftpd.key)    # generate the key

# openssl req -new -key vsftpd.key -out vsftpd.csr    # generate the request

Country ....

Province ....

....

Password    # encryption password

# scp vsftpd.csr [email protected]:/tmp    # pass the request to the CA in some way


Third, the CA signs the certificate

# openssl ca -in /tmp/vsftpd.csr -out /tmp/vsftpd.crt    # sign the certificate

# scp /tmp/vsftpd.crt [email protected]:/etc/vsftpd/ssl    # pass the signed certificate to the client

Fourth, revocation of certificates

# openssl ca -revoke /path/to/file.crt
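
The four steps above as one added script (not the original author's commands) that builds a throwaway CA under a temp directory instead of /etc/pki/CA, then issues, verifies and revokes a certificate. The minimal config file, the subject names (Demo Root CA, ftp.example.test), the initial serial 01, the basicConstraints extension and the q helper are assumptions of this example.

```shell
# Throwaway private CA: issue, verify, revoke. All names are constructed.
work=$(mktemp -d); ca=$work/ca; cfg=$work/ca.cnf
mkdir -p "$ca/newcerts" "$ca/crl" "$ca/private"
touch "$ca/index.txt"; echo 01 > "$ca/serial"; echo 01 > "$ca/crlnumber"
cat > "$cfg" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $ca/index.txt
new_certs_dir = $ca/newcerts
certificate = $ca/cacert.pem
private_key = $ca/private/cakey.pem
serial = $ca/serial
crlnumber = $ca/crlnumber
default_md = sha256
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status
# 1. CA: owner-only private key and self-signed CA certificate
(umask 077; q openssl genrsa -out "$ca/private/cakey.pem" 2048)
q openssl req -x509 -new -config "$cfg" -key "$ca/private/cakey.pem" \
    -subj "/CN=Demo Root CA" -days 365 -out "$ca/cacert.pem"
# 2. Client: key and certificate signing request
(umask 077; q openssl genrsa -out "$work/vsftpd.key" 2048)
q openssl req -new -config "$cfg" -key "$work/vsftpd.key" \
    -subj "/CN=ftp.example.test" -out "$work/vsftpd.csr"
# 3. CA signs the request
q openssl ca -batch -config "$cfg" -notext -days 30 \
    -in "$work/vsftpd.csr" -out "$work/vsftpd.crt"
# Verify the chain; extra arguments (e.g. CRL options) are passed through
check() { q openssl verify -CAfile "$ca/cacert.pem" "$@" "$work/vsftpd.crt"; }
# 4. Revoke the certificate, then publish a fresh CRL
revoke() {
    q openssl ca -config "$cfg" -revoke "$work/vsftpd.crt"
    q openssl ca -config "$cfg" -gencrl -out "$ca/crl/ca.crl"
}
check && echo "issued certificate verifies"
revoke
check -crl_check -CRLfile "$ca/crl/ca.crl" || echo "revoked: rejected via CRL"
```

Revocation only takes effect for verifiers that consult the CRL: a plain openssl verify against the CA certificate still accepts the revoked certificate.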

