OpenSSL principle
SSL: SSL is the abbreviation of Secure Sockets Layer, a protocol that provides encrypted transmission over the Internet. Netscape introduced the SSL protocol standard when it launched its first web browser. Its goal is to guarantee the confidentiality and integrity of communication between two applications, and it is supported on both the server side and the client side. SSL has since become an industry standard for secure communication on the Internet (its standardised successor, TLS, is what OpenSSL actually speaks today).
SSL prevents communication between client and server applications from being eavesdropped on by an attacker; it always authenticates the server and optionally authenticates the client. SSL requires a reliable transport-layer protocol (TCP) underneath it. Its advantage is independence from the application-layer protocol: higher-level protocols such as HTTP, FTP and Telnet can be layered transparently on top of SSL. Before any application-layer data is exchanged, SSL has already negotiated the cipher suite, agreed on the session keys and authenticated the server; everything the application-layer protocol transmits after that is encrypted, which guarantees the privacy of the communication.
OpenSSL (Open Secure Sockets Layer): a powerful cryptographic library for the Secure Sockets Layer that includes the major cryptographic algorithms, commonly used key and certificate management functions and an implementation of the SSL protocol, and provides a rich set of command-line applications for testing and other purposes.
The entire OpenSSL package can be divided into three main functional parts: The SSL protocol library, the application, and the cryptographic algorithm library. The directory structure of OpenSSL is naturally planned around these three functional parts.
Basic functions include: the major cryptographic algorithms (MD5, SHA, DH, and encodings such as Base64), commonly used key and certificate packaging and management functions, and the SSL protocol, plus a rich set of applications for testing or other purposes.
Auxiliary functions: for example, the API for deriving keys from passwords, and the configuration file mechanism used in certificate issuance and management.
OpenSSL supports a number of different algorithms
Symmetric ciphers:
AES, Blowfish, Camellia, SEED, CAST-128, DES, IDEA, RC2, RC4, RC5, Triple DES, GOST 28147-89[3]
One-way hash functions (message digests):
MD5, MD2, SHA-1, SHA-2, RIPEMD-160, MDC-2, GOST R 34.11-94[3]
Asymmetric (public-key) algorithms:
RSA, DSA, Diffie–Hellman key exchange, elliptic curve cryptography, GOST R 34.10-2001[3]
Several of these (single DES, RC4, MD2, MD5 and SHA-1 in particular) are kept for compatibility with old data and protocols only; do not choose them for new work.
That is the official description. Put simply, OpenSSL is a toolkit that bundles many cryptographic algorithms; since each algorithm is used differently, OpenSSL wraps them in its own functions (and command-line subcommands) so that they can be invoked in a uniform way to encrypt, hash and sign data.
OpenSSL basic use
The OpenSSL package consists of three components: openssl, libcrypto and libssl
openssl: a multi-purpose command-line tool; each function is implemented as a subcommand
libcrypto: the general-purpose cryptographic library (where the various algorithms live)
libssl: the implementation of the SSL/TLS protocol
Syntax of the OpenSSL command line:
openssl command [command_options] [args]
Check the OpenSSL version: openssl version (openssl version -a also shows the build options and configuration directory)
The CentOS system used here ships OpenSSL 1.0.1e, a release affected by a known vulnerability (the Heartbleed bug, CVE-2014-0160, in 1.0.1 through 1.0.1f); if you need OpenSSL in production, use 1.0.1g or a later release. Note that distributions such as CentOS backport security fixes without changing the version string, so openssl version alone does not tell you whether the fix is present; check the package changelog (for example rpm -q --changelog openssl) or the vendor advisory for the installed build.
OpenSSL performs symmetric encryption with the enc subcommand, used as follows:
Encryption:
openssl enc -e -<algorithm> -a -salt -in <original file> -out <encrypted output file>
Decryption:
openssl enc -d -<algorithm> -a -salt -in <encrypted file> -out <decrypted output file>
-e: encrypt
-d: decrypt
-a: base64-encode the ciphertext (and base64-decode it when decrypting), so the output is printable text
-salt: add a "salt", a random value mixed into the key derivation, so that each run produces different output even with the same password
Note: decryption must use the same algorithm (and the same password) as encryption, otherwise the result is garbage. A wrong algorithm or password usually ends with a "bad decrypt" error because the padding check fails, but enc adds no authentication tag, so do not rely on it to detect tampering or a wrong key.
Caveat: -des is single DES with a 56-bit key and should not be used for anything you care about; prefer -aes-256-cbc, and on OpenSSL 1.1.1 or later add -pbkdf2 so the password is stretched with PBKDF2 instead of the weak single-iteration legacy key derivation. (In OpenSSL 3.x single DES has been moved to the legacy provider, so -des fails unless that provider is loaded.)
Example 1: encrypt the passwd file under the /etc directory and save the result in the current directory
openssl enc -e -des -a -salt -in /etc/passwd -out ./passwd.crypt
Opening the encrypted file shows only a block of base64 text, not readable content.
Decrypt the file:
openssl enc -d -des -a -salt -in passwd.crypt -out passwd
Opening the decrypted file shows the original, readable contents again.
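The round trip of Example 1 as a runnable script, added here and not part of the original post: it uses -aes-256-cbc with -pbkdf2 in place of the post's -des (so it assumes OpenSSL 1.1.1 or later on PATH), a constructed password and a constructed passwd-style sample file. It also shows the two properties discussed above: -salt makes repeated encryptions of the same file differ, and enc output carries no integrity check, so a single flipped ciphertext bit still decrypts "successfully" to wrong data.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates `openssl enc`
# symmetric encryption with AES-256-CBC + PBKDF2 (assumes OpenSSL >= 1.1.1).
# The password and the passwd-style sample file below are constructed.

PASS='correct horse battery staple'   # constructed demo password

# Write a constructed passwd-style sample (about 100 bytes, i.e. several AES
# blocks) to a temp file and print its path.
make_sample() {
  f=$(mktemp)
  printf 'root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\nsample:x:1000:1000::/home/sample:/bin/sh\n' > "$f"
  printf '%s' "$f"
}

# Encrypt $1 to $2: random salt, PBKDF2 key derivation, base64-armored output.
enc_file() {
  openssl enc -e -aes-256-cbc -pbkdf2 -salt -a -in "$1" -out "$2" -pass "pass:$PASS"
}

# Decrypt base64-armored $1 to $2 with the same cipher and password.
dec_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -a -in "$1" -out "$2" -pass "pass:$PASS"
}

# Return 0 if plaintext -> ciphertext -> plaintext reproduces the file exactly.
roundtrip_ok() {
  p=$(make_sample); c=$(mktemp); d=$(mktemp)
  if enc_file "$p" "$c" && dec_file "$c" "$d" && cmp -s "$p" "$d"; then rc=0; else rc=1; fi
  rm -f "$p" "$c" "$d"
  return $rc
}

# Return 0 if encrypting the same file twice with the same password yields
# different ciphertexts: -salt picks a fresh random salt on every run.
salt_differs() {
  p=$(make_sample); c1=$(mktemp); c2=$(mktemp)
  if enc_file "$p" "$c1" && enc_file "$p" "$c2" && ! cmp -s "$c1" "$c2"; then rc=0; else rc=1; fi
  rm -f "$p" "$c1" "$c2"
  return $rc
}

# Return 0 if a one-bit change to the ciphertext goes undetected: enc has no
# MAC, so decryption exits 0 as long as the final padding block is intact,
# and the caller silently gets corrupted data. Raw (non-base64) output is
# used so the byte offset is predictable: bytes 0-15 are "Salted__" + salt,
# so offset 21 lies inside the first cipher block, far from the padding.
tamper_undetected() {
  p=$(make_sample); c=$(mktemp); d=$(mktemp)
  openssl enc -e -aes-256-cbc -pbkdf2 -salt -in "$p" -out "$c" -pass "pass:$PASS"
  b=$(dd if="$c" bs=1 skip=21 count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
  printf "\\$(printf '%03o' $((b ^ 1)))" | dd of="$c" bs=1 seek=21 conv=notrunc 2>/dev/null
  if openssl enc -d -aes-256-cbc -pbkdf2 -in "$c" -out "$d" -pass "pass:$PASS" 2>/dev/null \
     && ! cmp -s "$p" "$d"; then rc=0; else rc=1; fi
  rm -f "$p" "$c" "$d"
  return $rc
}
```

Passing the password on the command line (-pass pass:...) is done here only to keep the example self-contained; on a shared host it is visible in the process list, so use -pass file: or -pass env: in practice. The tamper check is why enc alone is not a substitute for authenticated encryption such as AES-GCM or a signed digest.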
OpenSSL implements asymmetric (public/private key) cryptography with the genrsa subcommand. The private key is generated first and the public key is then extracted from it; the private key file must not be readable by any user other than its owner.
Generating the private key:
(umask 077; openssl genrsa -out <private key path> <key length in bits>)
The parentheses run the commands in a subshell: umask is changed only inside that child shell, so the new key file is created with mode 0600 while the umask of the current shell is unaffected; the semicolon lets both commands sit on one line. Use a key length of at least 2048 bits.
Extracting the public key:
openssl rsa -in <private key> -pubout
Example 2: generate a private key file and extract the public key
(umask 077; openssl genrsa -out crypt.key 2048)
Extract the public key:
openssl rsa -in crypt.key -pubout > pub.key
(Equivalently: openssl rsa -in crypt.key -pubout -out pub.key.) You can confirm the permissions of the private key with ls -l crypt.key, which should show -rw-------.
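Example 2 as a script, added here and not part of the original post: it generates the key with umask 077 in a subshell exactly as above, extracts the public key, and then checks the two things a practitioner wants to see, that the private key file really is owner-only and that the extracted public key belongs to it (both carry the same RSA modulus, which openssl rsa -noout -modulus prints). It assumes openssl on PATH; the file names and the temp directory are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an RSA private key the
# way Example 2 does (umask 077 in a subshell), extracts the public key, and
# checks that the file is owner-only and that the two keys share a modulus.
# Assumes openssl on PATH; the file names and temp directory are constructed.

# Generate a 2048-bit RSA private key at $1. The subshell confines umask 077
# to the child shell, so the file is created mode 0600 and the caller's
# umask is untouched.
gen_private_key() {
  (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null)
}

# Extract the public key from private key $1 into $2.
extract_public_key() {
  openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Print the permission string of $1 as ls shows it, e.g. -rw-------
key_mode() {
  ls -l "$1" | cut -c1-10
}

# Return 0 if the public key really belongs to the private key: both carry
# the same RSA modulus n, which `openssl rsa -noout -modulus` prints.
keys_match() {
  priv_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  pub_mod=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ]
}

# Whole procedure in a temp directory; returns 0 if the private key is
# -rw------- and the extracted public key matches it.
demo() {
  d=$(mktemp -d)
  if gen_private_key "$d/crypt.key" \
     && extract_public_key "$d/crypt.key" "$d/pub.key" \
     && [ "$(key_mode "$d/crypt.key")" = "-rw-------" ] \
     && keys_match "$d/crypt.key" "$d/pub.key"; then rc=0; else rc=1; fi
  rm -rf "$d"
  return $rc
}
```

The modulus comparison is the quick way to answer "does this public key (or certificate) go with this private key" during incident response or a certificate rollover; the same -modulus option works on a certificate via openssl x509 -noout -modulus.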
OpenSSL's one-way hash (message digest) functions are generally used to verify file integrity; MD5 and SHA-1 are the ones commonly shown, but both are broken for collision resistance, so use SHA-256 (-sha256) or stronger for anything security-relevant. Any change to the file changes its digest.
Hashing:
openssl dgst -<digest algorithm> <file path>
Example 3: get the MD5 value of a file
openssl dgst -md5 passwd
Caveat: a bare digest only protects against accidental corruption. An attacker who can modify the file can usually publish a matching digest too; to bind the digest to a key, use an HMAC (openssl dgst -sha256 -hmac <key> <file>) or a signature with a private key (openssl dgst -sha256 -sign <private key> -out <signature> <file>, verified with openssl dgst -sha256 -verify <public key> -signature <signature> <file>).
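Example 3 extended into a script, added here and not part of the original post: it computes a SHA-256 digest, an HMAC under a shared key and an RSA signature over a file, then changes one byte and shows that all three no longer match. It assumes openssl on PATH; the sample file, the HMAC key and the throwaway RSA key pair are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post. Shows `openssl dgst` for file
# integrity: a bare SHA-256 digest, an HMAC bound to a shared key, and an RSA
# signature bound to a private key. Assumes openssl on PATH; the sample file,
# the HMAC key and the throwaway RSA key pair are constructed here.

HMAC_KEY='demo-shared-secret'   # constructed demo key

# Print the hex SHA-256 digest of file $1 (dgst prints "SHA256(path)= hex").
sha256_of() {
  openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# Print the hex HMAC-SHA256 of file $1 under HMAC_KEY.
hmac_of() {
  openssl dgst -sha256 -hmac "$HMAC_KEY" "$1" | awk '{print $NF}'
}

# Sign file $2 with RSA private key $1, writing the raw signature to $3.
sign_file() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verify signature $3 over file $2 with public key $1; exit 0 means "Verified OK".
verify_file() {
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Scenario: digest, HMAC and sign a file, then change one byte. Returns 0 if
# the signature verified before the change and all three values fail to match
# afterwards. Only the HMAC and the signature would stop an attacker who can
# also replace the published digest.
demo() {
  d=$(mktemp -d)
  printf 'hello\n' > "$d/f"
  openssl genrsa -out "$d/priv.key" 2048 2>/dev/null
  openssl rsa -in "$d/priv.key" -pubout -out "$d/pub.key" 2>/dev/null
  h1=$(sha256_of "$d/f"); m1=$(hmac_of "$d/f")
  sign_file "$d/priv.key" "$d/f" "$d/f.sig"
  if verify_file "$d/pub.key" "$d/f" "$d/f.sig"; then before=0; else before=1; fi
  printf 'hellp\n' > "$d/f"                        # one-byte modification
  if [ "$before" = 0 ] \
     && [ "$(sha256_of "$d/f")" != "$h1" ] \
     && [ "$(hmac_of "$d/f")" != "$m1" ] \
     && ! verify_file "$d/pub.key" "$d/f" "$d/f.sig"; then rc=0; else rc=1; fi
  rm -rf "$d"
  return $rc
}

# SHA-256 of the six bytes "hello\n", for checking sha256_of against a known value.
sha256_hello_newline() {
  f=$(mktemp); printf 'hello\n' > "$f"
  sha256_of "$f"
  rm -f "$f"
}
```

When a vendor publishes only a digest next to a download, the digest and the file travel over the same channel and an attacker who controls that channel replaces both; a detached signature verified against a key obtained separately is what actually proves origin.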
Each of the subcommands above prints its usage with -help (older releases print the usage for any unrecognised option), and the man pages give the full details:
openssl enc | genrsa | dgst -help, or man enc | genrsa | dgst
This article is from the "Yxn" blog; please keep this source when reprinting: http://jyxnt.blog.51cto.com/9581167/1590235
The principle and basic use of OpenSSL