The principle and basic use of OpenSSL


OpenSSL principle

SSL: SSL is short for Secure Sockets Layer, a protocol that provides secure transmission over the Internet. Netscape introduced the SSL protocol standard alongside its early web browser. Its goal is to ensure the confidentiality and reliability of communication between two applications, with support on both the server side and the client side. It became the industry standard for secure communication on the Internet and has since been succeeded by TLS (Transport Layer Security), which OpenSSL also implements.

SSL protects communication between client and server applications from being eavesdropped on or tampered with by attackers; it always authenticates the server and can optionally authenticate the client. SSL requires a reliable transport-layer protocol underneath it (TCP). Its advantage is that it is independent of the application-layer protocol: higher-level protocols such as HTTP, FTP and Telnet can be built transparently on top of it. Before any application-layer data is exchanged, SSL has already negotiated the cipher suite and the session keys and authenticated the server; everything the application layer sends afterwards is encrypted, which guarantees the confidentiality of the communication.

OpenSSL (Open Secure Sockets Layer): a powerful open-source implementation of the SSL/TLS protocols and a general-purpose cryptographic library. It includes the main cryptographic algorithms, the common key and certificate encapsulation and management functions, and the SSL/TLS protocols themselves, and it ships with a rich set of command-line applications for testing and other purposes.

The OpenSSL package can be divided into three main functional parts: the SSL/TLS protocol library, the command-line application, and the cryptographic algorithm library. The OpenSSL source tree is naturally laid out around these three parts.

Basic capabilities include: the core cryptographic algorithms (MD5, SHA, DH, and so on) together with encodings such as Base64, the common key and certificate encapsulation and management functions, and the SSL/TLS protocols, plus a rich set of applications for testing and other purposes.

Auxiliary facilities: for example the API for deriving keys from passwords, and the configuration-file mechanism used in certificate issuance and management.

OpenSSL supports many different algorithms:

Symmetric encryption:

AES, Blowfish, Camellia, SEED, CAST-128, DES, IDEA, RC2, RC4, RC5, Triple DES, GOST 28147-89[3]

One-way hashing (message digests):

MD5, MD2, SHA-1, SHA-2, RIPEMD-160, MDC-2, GOST R 34.11-94[3]

Asymmetric (public-key) cryptography:

RSA, DSA, Diffie-Hellman key exchange, elliptic-curve cryptography, GOST R 34.10-2001[3]

That is the official description. Put simply, OpenSSL is a toolkit that bundles many cryptographic algorithms; because each algorithm is used differently, OpenSSL wraps them behind its own functions and subcommands so that callers can encrypt, hash and sign data through one uniform interface.

OpenSSL basic use

The OpenSSL package consists of three components: openssl, libcrypto and libssl.

openssl: a multi-purpose command-line tool; each function is implemented as a subcommand.

libcrypto: the general-purpose cryptographic library (where the individual algorithms are implemented).

libssl: the implementation of the SSL/TLS protocols.


How to use the OpenSSL command line:

openssl command [command_options] [args]

View the OpenSSL version: openssl version


On this CentOS system the built-in version is 1.0.1e (as shipped, before any upgrade). The upstream 1.0.1e release carries a known vulnerability, so for production use install 1.0.1g or a later version. Note that RHEL and CentOS backport security fixes into their packages without changing the version string, so the output of openssl version alone does not tell you whether a fix is present; check the package release number and changelog (rpm -q --changelog openssl) as well.

OpenSSL implements symmetric encryption with the enc subcommand, used as follows:

Encryption:

openssl enc -e -<algorithm> -a -salt -in <original file> -out <encrypted output file>

Decryption:

openssl enc -d -<algorithm> -a -salt -in <encrypted file> -out <decrypted output file>

-e: encrypt

-d: decrypt

-a: Base64-encode the output when encrypting (and Base64-decode the input when decrypting), so the result is printable text

-salt: add a random salt (8 random bytes, stored in the clear in the "Salted__" header of the output). The key is derived from the password and the salt together, so encrypting the same file with the same password twice gives different ciphertext, and an attacker cannot reuse a precomputed table of keys for common passwords. Current versions apply a salt by default; -nosalt turns it off.

Note: decryption must use the same algorithm (and the same password) as encryption; otherwise enc reports "bad decrypt" or produces garbage. The algorithm itself must also be chosen with care: single DES has a 56-bit key and is not secure against brute force today, so prefer -aes-256-cbc. By default enc derives the key from the password with a single pass of MD5 (1.0.x) or SHA-256 (1.1.0 and later), which makes password guessing cheap; on OpenSSL 1.1.1 and later add -pbkdf2 so that a proper iterated key derivation is used.

Example 1: encrypt /etc/passwd and save the result in the current directory (-des is kept here to match the original screenshots; use -aes-256-cbc in practice)

openssl enc -e -des -a -salt -in /etc/passwd -out ./passwd.crypt


Opening the encrypted file in an editor shows only a block of Base64 text; the original content is no longer readable.


Decrypt the file:

openssl enc -d -des -a -salt -in passwd.crypt -out passwd


Opening the decrypted file shows the original content again.
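The option list and Example 1 above say that -salt makes the key depend on random bytes and that enc derives its key from the password. The following added example (written for this page, not code from the original article or from OpenSSL) makes that concrete: it splits the "Salted__" header that enc writes, reimplements the legacy EVP_BytesToKey derivation that enc uses without -pbkdf2, and shows the PBKDF2 derivation that -pbkdf2 selects. Only Python's standard hashlib is used; the sample "Salted__" blob is constructed here, not real enc output, and the defaults (MD5 in 1.0.x, SHA-256 in 1.1.0+, 10000 PBKDF2 iterations) are the OpenSSL defaults as the author of this example understands them.

```python
# Added example (not from the original article): how `openssl enc` turns a
# password and a salt into the key and IV, so the effect of -salt and the
# weakness of the legacy derivation can be seen directly.
import hashlib
import os

MAGIC = b"Salted__"      # header openssl enc writes in front of the ciphertext
SALT_LEN = 8             # the salt is 8 random bytes, stored in the clear


def split_salted(blob: bytes):
    """Split raw `openssl enc -salt` output into (salt, ciphertext).

    Output produced with -a must be Base64-decoded first; this works on raw bytes."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + SALT_LEN:
        raise ValueError("not an OpenSSL 'Salted__' file")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    return salt, blob[len(MAGIC) + SALT_LEN:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "md5", count: int = 1):
    """Legacy OpenSSL EVP_BytesToKey derivation used by `enc` without -pbkdf2.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt); the
    concatenated D_i are split into key and IV.  enc uses count=1 with MD5
    (OpenSSL 1.0.x) or SHA-256 (1.1.0+): one hash per password guess, which
    is why brute force against enc output without -pbkdf2 is cheap."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        for _ in range(count - 1):          # extra rounds only when count > 1
            prev = hashlib.new(md, prev).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key_iv(password: bytes, salt: bytes, key_len: int, iv_len: int,
                  iterations: int = 10000, md: str = "sha256"):
    """Derivation selected by `openssl enc -pbkdf2` (OpenSSL 1.1.1+): PBKDF2-HMAC,
    10000 iterations by default, key and IV cut from one output stream."""
    out = hashlib.pbkdf2_hmac(md, password, salt, iterations, key_len + iv_len)
    return out[:key_len], out[key_len:]


def salt_changes_key(password: bytes) -> bool:
    """Same password, two fresh salts: the derived keys differ.  This is what
    -salt buys you, and why identical files do not encrypt identically."""
    k1, _ = evp_bytes_to_key(password, os.urandom(SALT_LEN), 32, 16)
    k2, _ = evp_bytes_to_key(password, os.urandom(SALT_LEN), 32, 16)
    return k1 != k2


if __name__ == "__main__":
    # Constructed sample: an 8-byte salt and a placeholder payload, not real enc output.
    sample = MAGIC + bytes(range(8)) + b"<ciphertext would follow>"
    salt, ct = split_salted(sample)
    key, iv = evp_bytes_to_key(b"correct horse", salt, 32, 16)  # aes-256-cbc sizes
    print("salt:", salt.hex(), "key:", key.hex(), "iv:", iv.hex())
    print("salt changes key:", salt_changes_key(b"correct horse"))
```

The point to take from running it: the salt is not secret (it sits in the first 16 bytes of every enc output file), so its only job is to force a fresh key derivation per file; the strength of the password and the cost of the derivation are what stand between an attacker and the plaintext.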


OpenSSL implements asymmetric (public-key) encryption, that is, public and private key pairs, with the genrsa subcommand: the private key is generated first and the public key is then extracted from it. The private key must be created in such a way that no user other than its owner can read it.

Generating the private key:

(umask 077; openssl genrsa -out <private key file> <key length in bits>)

The parentheses run the commands in a subshell: the umask is changed only inside that subshell, so when it exits the umask of the current shell is unaffected; the semicolon runs both commands on one line. With umask 077 the key file is created with mode 0600, readable and writable only by its owner.

Extracting the public key:

openssl rsa -in <private key file> -pubout

Example 2: generate a private key file and extract the public key

(umask 077; openssl genrsa -out crypt.key 2048)


Extract the public key:

openssl rsa -in crypt.key -pubout > pub.key
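The umask 077 subshell in Example 2 is only a mechanism; what matters is the result: the private key file must be readable by nobody but its owner, and the exported public key must not contain private material. The following added example (written for this page, not code from the original article or from OpenSSL) audits key files the way sshd checks its own keys. It assumes a POSIX system, and it creates placeholder PEM files in a temporary directory, with the markers "PRIVATE KEY-----" (covers both the "RSA PRIVATE KEY" form genrsa writes and the PKCS#8 form) and "BEGIN PUBLIC KEY" (what rsa -pubout writes); the bodies are constructed stand-ins, not real keys.

```python
# Added example (not from the original article): check that crypt.key and pub.key
# came out the way Example 2 intends.  Assumes POSIX file modes and ownership.
import os
import stat
import tempfile

PRIVATE_MARKER = b"PRIVATE KEY-----"          # "RSA PRIVATE KEY" (PKCS#1) or "PRIVATE KEY" (PKCS#8)
PUBLIC_MARKER = b"-----BEGIN PUBLIC KEY-----"  # what `openssl rsa -pubout` writes


def key_file_problems(path: str, expect_private: bool) -> list:
    """Return a list of problems for a PEM key file; an empty list means it is fine."""
    problems = []
    st = os.stat(path)
    if expect_private:
        if st.st_mode & 0o077:                 # group or other have some access bit
            problems.append("private key is accessible to group/other: mode %o"
                            % stat.S_IMODE(st.st_mode))
        if st.st_uid != os.getuid():
            problems.append("private key is not owned by the current user")
    with open(path, "rb") as f:
        data = f.read()
    has_private = PRIVATE_MARKER in data
    if expect_private and not has_private:
        problems.append("file does not look like a PEM private key")
    if not expect_private:
        if has_private:
            problems.append("public key file contains private key material")
        if PUBLIC_MARKER not in data:
            problems.append("file does not look like a PEM public key")
    return problems


def demo() -> dict:
    """Build constructed stand-ins for crypt.key and pub.key (placeholder bodies,
    not real keys) with the modes Example 2 would and would not produce."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "crypt.key")
    bad = os.path.join(d, "world-readable.key")
    pub = os.path.join(d, "pub.key")
    priv_pem = b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-KEY\n-----END RSA PRIVATE KEY-----\n"
    pub_pem = b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER-NOT-A-KEY\n-----END PUBLIC KEY-----\n"
    # Equivalent of creating under umask 077: mode 0600 at creation, never a
    # wider mode that is tightened afterwards.  O_EXCL refuses a pre-planted file.
    fd = os.open(good, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, priv_pem)
    finally:
        os.close(fd)
    with open(bad, "wb") as f:
        f.write(priv_pem)
    os.chmod(bad, 0o644)                       # what a default umask of 022 leaves behind
    with open(pub, "wb") as f:
        f.write(pub_pem)
    return {"good": key_file_problems(good, True),
            "bad": key_file_problems(bad, True),
            "pub": key_file_problems(pub, False)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Creating the file with the restrictive mode from the start (which is exactly what the umask trick achieves) matters more than fixing the mode afterwards: a chmod after the fact leaves a window in which the key was world-readable.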


OpenSSL's one-way hashing (message digest) functions are generally used to verify file integrity; MD5 and SHA-1 have traditionally been used for this (the digest changes as soon as the file is modified). Both MD5 and SHA-1 are now broken against collisions, so wherever an attacker could substitute a file, use SHA-256 (-sha256) or stronger. A digest by itself also does not authenticate a file: anyone who can replace the file can recompute its hash, which is why a signature, or an HMAC with a shared key, is needed when the hash itself travels with the file.

Usage:

openssl dgst -<digest algorithm> <file path>


Example 3: compute the MD5 digest of a file

openssl dgst -md5 passwd
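To show what Example 3 is good for in practice, the following added example (written for this page, not code from the original article or from OpenSSL) produces digests in the "ALG(file)= hex" form that openssl dgst prints, then verifies a manifest of such lines against files on disk, detecting a tampered file and a missing one and refusing MD5 and SHA-1 lines unless explicitly allowed. It uses Python's hashlib rather than invoking openssl; the passwd-style sample line and the manifest are constructed here. The output format and the status names are this example's own conventions.

```python
# Added example (not from the original article): openssl dgst style digests and
# manifest verification with hashlib.  All sample files are constructed below.
import hashlib
import hmac
import os
import re
import tempfile

WEAK = {"md5", "sha1"}   # collision-broken: fine for spotting corruption, not for trust decisions
LINE_RE = re.compile(r"^(?P<alg>[A-Za-z0-9-]+)\((?P<name>.+)\)= (?P<hex>[0-9a-fA-F]+)$")


def digest_line(alg: str, path: str, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks and format it the way `openssl dgst -<alg> file` does."""
    h = hashlib.new(alg.lower().replace("-", ""))   # "SHA256" and "sha-256" both map to sha256
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return "%s(%s)= %s" % (alg.upper(), path, h.hexdigest())


def verify_manifest(lines, directory: str, allow_weak: bool = False) -> dict:
    """Check each 'ALG(name)= hex' line against <directory>/<basename of name>.

    Returns {"ALG(name)": "ok" | "MISMATCH" | "MISSING" | "WEAK-ALG"} and
    {line: "BAD-LINE"} for lines that do not parse."""
    results = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            results[line] = "BAD-LINE"
            continue
        alg, name, expected = m.group("alg"), m.group("name"), m.group("hex").lower()
        key = "%s(%s)" % (alg.upper(), name)
        if alg.lower().replace("-", "") in WEAK and not allow_weak:
            results[key] = "WEAK-ALG"
            continue
        # basename only: a manifest must not be able to point outside the directory
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[key] = "MISSING"
            continue
        actual = digest_line(alg, path).rsplit("= ", 1)[1]
        results[key] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def demo() -> dict:
    """Constructed scenario: a passwd-style file, a manifest, then a tampered file."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "passwd")
    with open(target, "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/bash\n")      # constructed sample line
    manifest = [
        digest_line("sha256", target).replace(d + os.sep, ""),   # "SHA256(passwd)= ..."
        digest_line("md5", target).replace(d + os.sep, ""),      # "MD5(passwd)= ..."
        "SHA256(missing)= " + "00" * 32,
        "this is not a digest line",
    ]
    before = verify_manifest(manifest, d)
    with open(target, "ab") as f:
        f.write(b"eve:x:0:0::/root:/bin/bash\n")            # tamper: an extra uid-0 account
    after = verify_manifest(manifest, d)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, results in demo().items():
        print(stage)
        for key, status in results.items():
            print("  %-30s %s" % (key, status))
```

Note the constant-time comparison of the hex strings: it is a habit worth keeping for any check that compares a secret-derived value, even though a file digest is not secret.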


Each of the subcommands above prints its options when given -help, and the man pages give the full details:

openssl enc -help | openssl genrsa -help | openssl dgst -help, or man enc | man genrsa | man dgst

This article is from the "Yxn" blog, make sure to keep this source http://jyxnt.blog.51cto.com/9581167/1590235

