The encryption and decryption method implemented by PHP based on OpenSSL

Source: Internet
Author: User
About OpenSSL
SSL is an abbreviation for the Secure Socket Layer protocol, which provides confidential transmission over the Internet. Netscape introduced the SSL protocol standard at the same time as its first web browser; the protocol is now at version 3.0. SSL employs public key technology. Its goal is to ensure the confidentiality and reliability of communication between two applications, and it is supported on both the server side and the client side. At present, the SSL protocol using public key technology has become the industry standard for secure communication on the Internet. The Secure Sockets Layer protocol keeps communication between user and server applications from being intercepted by attackers, always authenticating the server and optionally authenticating the user. The SSL protocol must run on top of a reliable transport layer protocol (TCP). The advantage of the SSL protocol is that it is independent of the application-layer protocol, so higher-level application protocols (such as HTTP, FTP, Telnet, etc.) can be built transparently on top of it. The SSL protocol completes the negotiation of the encryption algorithm, the negotiation of the communication key and the authentication of the server before the application-layer protocol starts to communicate. After that, the data transmitted by the application-layer protocol is encrypted, which guarantees the privacy of the communication. From the above description, the SSL protocol provides the following three features:
1. Data confidentiality. Encryption converts plaintext input into ciphertext to keep the data confidential. The encryption process requires a key to encrypt the data and then decrypt it. Without the key, you cannot unlock the encrypted data. After the data is encrypted, only the key must be transmitted in a secure way. Encrypted data can be transmitted in a public manner.
2. Data consistency. Encryption also ensures the consistency of data. For example, a message authentication code (MAC) can verify the encrypted information provided by the user: the receiver can use the MAC to verify the encrypted data and ensure that it has not been tampered with during transmission.
3. Security authentication. Another use of encryption is as a personal identifier: the user's key can serve as the identity for his security verification.
SSL is a cryptographic protocol that leverages public key cryptography (RSA) as the encrypted communication protocol between the client and server when transmitting confidential information.
What is OpenSSL
With so many cryptographic algorithms, public key infrastructure standards and SSL protocols, these interesting features may give you the idea of implementing all of these algorithms and standards yourself. If so, we have to remind you that this is a daunting process. The job is no longer simply to read a few cryptographic monographs and protocol documents, but to understand every detail of all of these algorithms, standards and protocol documents, and to implement these definitions and processes one at a time in the C language you might be familiar with. We don't know how much time you would need to finish this interesting and horrible job, but it's certainly not a two-year problem.
First, we should thank Eric A. Young and Tim J. Hudson, who have been writing the OpenSSL package since 1995, a package that has had a huge impact. What is even more gratifying is that it is an open source package without too many restrictions, which allows us to use it to do a lot of things. Eric A. Young and Tim J. Hudson were Canadian and later made a fortune at a big company after writing OpenSSL. In 1998, the OpenSSL team took over the development of OpenSSL and released version 0.9.1. So far, OpenSSL supports SSL 2.0, SSL 3.0 and TLS 1.0 very well.
OpenSSL uses C as its development language, which gives OpenSSL excellent cross-platform portability. It is a wonderful thing for technical staff to be able to use the same familiar tools on different platforms. OpenSSL supports Linux, Windows, BSD, Mac, VMS and other platforms, which makes OpenSSL widely adaptable. The new generation of C++ programmers may not be used to C code, but getting used to C is a lot easier than rewriting a package with the same functionality as OpenSSL in C++.
The entire OpenSSL package can be divided into three main functional parts: the cryptographic algorithm library, the SSL protocol library, and the applications. The directory structure of OpenSSL is naturally organized around these three functional parts.
As a cryptography-based security development package, OpenSSL is powerful and comprehensive: it covers the main cryptographic algorithms, common key and certificate encapsulation and management functions, and the SSL protocols, and it provides a rich set of applications for testing or other purposes.
1. Symmetric encryption algorithm
OpenSSL provides a total of 8 symmetric encryption algorithms, of which 7 are block ciphers and only one, RC4, is a stream cipher. The 7 block ciphers are AES, DES, Blowfish, CAST, IDEA, RC2 and RC5, all of which support the four commonly used block cipher modes: electronic codebook mode (ECB), cipher block chaining mode (CBC), cipher feedback mode (CFB) and output feedback mode (OFB). For AES, the cipher feedback (CFB) and output feedback (OFB) modes use a block length of 128 bits; the other algorithms use 64 bits. The DES implementation covers not only ordinary DES but also three-key and two-key 3DES.
2. Asymmetric encryption algorithm
OpenSSL implements 4 asymmetric encryption algorithms: the DH algorithm, the RSA algorithm, the DSA algorithm and the elliptic curve algorithm (EC). The DH algorithm is generally used for key exchange. The RSA algorithm can be used for both key exchange and digital signatures and, if you can tolerate its slow speed, for data encryption as well. The DSA algorithm is generally used only for digital signatures.
3. Information digest algorithm
OpenSSL implements 5 information digest algorithms, namely MD2, MD5, MDC2, SHA (SHA1) and RIPEMD. The SHA algorithm actually comprises two digest algorithms, SHA and SHA1. In addition, OpenSSL implements the two digest algorithms DSS and DSS1 specified in the DSS standard.
4. Key and certificate management
Key and certificate management is an important part of PKI, and OpenSSL provides a wide range of functions to support multiple standards.
First, OpenSSL implements the ASN.1 standards related to certificates and keys, providing DER, PEM and Base64 encoding and decoding for data objects such as certificates, public keys, private keys, certificate requests and CRLs. OpenSSL provides methods, functions and applications for generating a variety of public key pairs and symmetric keys, along with DER encoding and decoding of public and private keys, and it implements PKCS#12 and PKCS#8 encoding and decoding for private keys. OpenSSL provides the cryptographic protection of private keys defined in the standards, so that keys can be stored and distributed securely.
On this basis, OpenSSL implements standard encoding and decoding of certificates, as well as encoding and decoding of the PKCS#12 and PKCS#7 formats. It also provides a text database that supports certificate management, including certificate key generation, request generation, certificate issuance, revocation and verification.
In fact, the CA application provided by OpenSSL is a small certificate management center (CA) that implements the entire process of certificate issuance and most of the mechanisms for certificate management.
5. SSL and TLS protocols
OpenSSL implements SSLv2 and SSLv3 of the SSL protocol and supports most of their algorithms. OpenSSL also implements TLSv1.0. TLS is a standardized version of SSLv3, though many of its details differ.
Although many software packages already provide what OpenSSL does, the SSL protocol as implemented in OpenSSL gives us a clearer understanding of SSL, for at least two reasons. First, the SSL protocol implemented by OpenSSL is open source, so we can investigate every detail of the implementation. Second, OpenSSL implements SSL as a pure SSL protocol that is not combined with other protocols (such as HTTP), which makes the true nature of the SSL protocol clear.
6. Application
OpenSSL's applications have become an important part of OpenSSL, and their importance is probably something the OpenSSL developers did not anticipate at the start. Today, many uses of OpenSSL are built on OpenSSL's applications rather than on its API. OpenCA, for example, is implemented entirely using OpenSSL's applications. The applications are themselves built on the OpenSSL cryptographic algorithm library and the SSL protocol library, so they are also good examples of how to use the OpenSSL API. If you read all of these examples, your understanding of the OpenSSL API will be more comprehensive; of course, it is also an exercise in willpower.
OpenSSL's applications provide a relatively comprehensive set of capabilities. For a considerable number of people, OpenSSL's applications already do everything they need and no further development work is required, so these applications are also referred to as OpenSSL commands. OpenSSL's applications primarily cover key generation, certificate management, format conversion, data encryption and signing, SSL testing, and other auxiliary configuration features.
7. Engine mechanism
The engine mechanism first appeared in OpenSSL 0.9.6; at the beginning there was a normal version and a version with engine support. As of OpenSSL 0.9.7, the engine mechanism is integrated into the OpenSSL core and is an indispensable part of OpenSSL. The engine mechanism is designed to let OpenSSL transparently encrypt using a software encryption library provided by a third party or a hardware encryption device. The OpenSSL engine mechanism has succeeded in achieving this goal, which makes OpenSSL not only a cryptographic library but a universal encryption interface that works with most cryptographic libraries or cryptographic devices. Of course, to make a particular cryptographic library or encryption device work with OpenSSL, you need to write a small amount of interface code; the workload is not large, although it does require some knowledge of cryptography. The capabilities of the engine mechanism are essentially the same as the CSP functionality provided by Windows. Currently, OpenSSL 0.9.7 supports 8 types of embedded third-party encryption devices: CryptoSwift, nCipher, Atalla, Nuron, UBSEC, Aep, SureWare, and the IBM 4758 CCA hardware encryption device. There is also an engine interface that supports the PKCS#11 interface, and an interface that supports Microsoft CryptoAPI is being developed. Of course, the support in these engine interfaces is not necessarily comprehensive; an engine may, for example, support only one or two of the public key algorithms.
8. Auxiliary functions
The BIO mechanism is a high-level I/O interface provided by OpenSSL that encapsulates almost all types of I/O, such as memory access, file access and sockets. This greatly improves the reusability of the code and considerably reduces the complexity of the API that OpenSSL provides.
OpenSSL also provides a complete set of solutions and supporting API functions for the generation and management of random numbers. The quality of random numbers is an important precondition for whether a key is safe or not.
OpenSSL also provides other auxiliary features, such as the API for generating keys from passwords, the configuration file mechanism used in certificate issuance and management, and so on. If you have enough patience, you will find many such small features as you use OpenSSL in depth, and keep making new discoveries.

This article introduces an OpenSSL-based encryption and decryption method implemented in PHP, using examples to analyze the techniques involved in writing custom PHP functions for OpenSSL-based encryption and decryption. Readers who need it can refer to the following.

This article describes, by example, an OpenSSL-based encryption and decryption method implemented in PHP. It is shared here for your reference, as follows:

Encryption and decryption method via OpenSSL

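1. OpenSSL encryption method:

function Encrypt($id) {
    // Serialize the value so that arrays and objects can be encrypted as one string.
    $id = serialize($id);
    // Hard-coded key. It is shorter than the 32 bytes AES-256 expects, so PHP pads it with NUL bytes.
    $key = "1112121212121212121212";
    // The IV is the first 16 bytes of a fixed string, so it is identical for every message.
    $data['iv'] = base64_encode(substr('Fdakinel;injajdji', 0, 16));
    // With options = 0, openssl_encrypt() returns the ciphertext base64-encoded.
    $data['value'] = openssl_encrypt($id, 'AES-256-CBC', $key, 0, base64_decode($data['iv']));
    // Pack IV and ciphertext as JSON, then base64-encode the result.
    $encrypt = base64_encode(json_encode($data));
    return $encrypt;
}

2. OpenSSL decryption method:

function Decrypt($encrypt) {
    $key = '1112121212121212121212'; // decryption key
    // Undo the outer base64 and JSON encoding to recover the IV and ciphertext.
    $encrypt = json_decode(base64_decode($encrypt), true);
    $iv = base64_decode($encrypt['iv']);
    $decrypt = openssl_decrypt($encrypt['value'], 'AES-256-CBC', $key, 0, $iv);
    // The payload carries no integrity check, so unserialize() runs on unauthenticated data.
    $id = unserialize($decrypt);
    if ($id) {
        return $id;
    } else {
        return 0;
    }
}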
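
A hardened variant of the two functions above, as an added example that is not part of the original article: it keeps AES-256-CBC and the base64/JSON envelope, but uses a fresh random IV per message, keys derived from a 32-byte secret, an HMAC over IV and ciphertext (the MAC check described in the SSL overview), and JSON instead of unserialize(). The names seal(), open_sealed(), derive_keys() and the mac field are assumptions made for illustration.

```php
<?php
// Added example, not the article's code; all function names are illustrative.

function derive_keys(string $master): array {
    // Independent keys for encryption and for the MAC, from one 32-byte secret.
    return [hash_hkdf('sha256', $master, 32, 'enc'),
            hash_hkdf('sha256', $master, 32, 'mac')];
}

function seal($id, string $master): string {
    [$encKey, $macKey] = derive_keys($master);
    $iv = random_bytes(16); // fresh, unpredictable IV for every message
    $ct = openssl_encrypt(json_encode($id, JSON_THROW_ON_ERROR),
        'AES-256-CBC', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode(json_encode([
        'iv'    => base64_encode($iv),
        'value' => base64_encode($ct),
        'mac'   => hash_hmac('sha256', $iv . $ct, $macKey), // encrypt-then-MAC
    ]));
}

function open_sealed(string $token, string $master) {
    [$encKey, $macKey] = derive_keys($master);
    $d = json_decode((string) base64_decode($token, true), true);
    if (!is_array($d) || !is_string($d['iv'] ?? null)
        || !is_string($d['value'] ?? null) || !is_string($d['mac'] ?? null)) {
        return null; // malformed envelope
    }
    $iv = (string) base64_decode($d['iv'], true);
    $ct = (string) base64_decode($d['value'], true);
    // Verify the MAC in constant time before decrypting or decoding anything.
    if (strlen($iv) !== 16
        || !hash_equals(hash_hmac('sha256', $iv . $ct, $macKey), $d['mac'])) {
        return null; // wrong key, or IV/ciphertext was modified
    }
    $plain = openssl_decrypt($ct, 'AES-256-CBC', $encKey, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : json_decode($plain, true);
}

// Constructed demo values; a real key comes from secret storage, not source code.
$master = random_bytes(32);
$token  = seal(['id' => 42], $master);
var_dump(open_sealed($token, $master));
// Modify the ciphertext inside the envelope: the MAC check rejects it.
$d = json_decode(base64_decode($token), true);
$d['value'] = base64_encode('X' . base64_decode($d['value']));
var_dump(open_sealed(base64_encode(json_encode($d)), $master));
```

Because the MAC is checked before decryption, a modified token never reaches openssl_decrypt() or the decoder, and json_decode() cannot instantiate objects the way unserialize() can.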