OpenSSL command details: symmetric cryptographic algorithms


1. Overview of symmetric encryption algorithms

OpenSSL's cryptographic library provides a rich set of symmetric encryption algorithms. They can be used either through the symmetric cipher directives of the openssl command-line tool or by calling the API that OpenSSL provides.

OpenSSL's symmetric cipher directives are primarily used to encrypt and decrypt data. OpenSSL provides a directive for essentially every symmetric cipher it supports, and the directive name is built from the name of the cipher itself combined with the encryption mode or other attributes. For example, the directive for DES in CBC mode is des-cbc. You can list the symmetric ciphers supported by the installed version of OpenSSL from the command line; on Ubuntu 14.04 the supported symmetric cipher directives are as follows:

$ openssl enc -help
unknown option '-help'
options are
...
Cipher Types
-aes-128-cbc -aes-128-cbc-hmac-sha1 -aes-128-cfb -aes-128-cfb1 -aes-128-cfb8 -aes-128-ctr -aes-128-ecb -aes-128-gcm -aes-128-ofb -aes-128-xts
-aes-192-cbc -aes-192-cfb -aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr -aes-192-ecb -aes-192-gcm -aes-192-ofb
-aes-256-cbc -aes-256-cbc-hmac-sha1 -aes-256-cfb -aes-256-cfb1 -aes-256-cfb8 -aes-256-ctr -aes-256-ecb -aes-256-gcm -aes-256-ofb -aes-256-xts
-aes128 -aes192 -aes256
-bf -bf-cbc -bf-cfb -bf-ecb -bf-ofb -blowfish
-camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1 -camellia-128-cfb8 -camellia-128-ecb -camellia-128-ofb
-camellia-192-cbc -camellia-192-cfb -camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ecb -camellia-192-ofb
-camellia-256-cbc -camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8 -camellia-256-ecb -camellia-256-ofb
-camellia128 -camellia192 -camellia256
-cast -cast-cbc -cast5-cbc -cast5-cfb -cast5-ecb -cast5-ofb
-des -des-cbc -des-cfb -des-cfb1 -des-cfb8 -des-ecb -des-ede -des-ede-cbc -des-ede-cfb -des-ede-ofb
-des-ede3 -des-ede3-cbc -des-ede3-cfb -des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ofb -des-ofb -des3 -desx -desx-cbc
-id-aes128-gcm -id-aes192-gcm -id-aes256-gcm
-rc2 -rc2-40-cbc -rc2-64-cbc -rc2-cbc -rc2-cfb -rc2-ecb -rc2-ofb
-rc4 -rc4-40 -rc4-hmac-md5
-seed -seed-cbc -seed-cfb -seed-ecb -seed-ofb

As you can see, the command run above was enc -help. So what is enc? OpenSSL originally provides two ways to invoke a symmetric cipher:

One is to call the symmetric cipher directive directly, for example:

openssl des-cbc -in plain.txt -out encrypt.txt -pass pass:12345678

The other is to use enc, that is, to pass the symmetric cipher name as a parameter of the enc directive, for example:

openssl enc -des-cbc -in plain.txt -out encrypt.txt -pass pass:12345678

The two commands above do the same thing and take the same parameters. So what is enc for? Simply put, convenience.

OpenSSL provides many symmetric cipher directives; enc integrates all of them into a single directive. The user only needs to use enc and specify the cipher to perform the same operation that the individual cipher directive would perform. Furthermore, some ciphers that can be specified through enc do not exist as a separate directive at all. For these reasons the author recommends using enc.

Of course, although the symmetric cipher directives provided by OpenSSL are powerful, they are not complete. For example, the directives do not support 76-bit RC2 or 84-bit RC4 encryption and decryption. If you want to use such algorithms and modes flexibly, you will need to learn the API provided by OpenSSL.

2. Symmetric cryptographic Algorithm instruction parameters

Detailed usage of enc can be found in the enc man page; a summary of the main parameters is printed by enc -help, as follows:

$ openssl enc -help
unknown option '-help'
options are
-in <file>     input file
-out <file>    output file
-pass <arg>    pass phrase source
-e             encrypt
-d             decrypt
-a/-base64     base64 encode/decode, depending on encryption flag
-k             passphrase is the next argument
-kfile         passphrase is the first line of the file argument
-md            the next argument is the md to use to create a key
                 from a passphrase.  One of md2, md5, sha or sha1
-S             salt in hex is the next argument
-K/-iv         key/iv in hex is the next argument
-[pP]          print the iv/key (then exit if -P)
-bufsize <n>   buffer size
-nopad         disable standard block padding
-engine e      use engine e, possibly a hardware device.
Cipher Types
...

[-in/-out]

These two parameters specify the input file and the output file. When encrypting, the input file is the plaintext and the output file is the ciphertext; when decrypting, the input file is the ciphertext and the output file is the plaintext.

[-pass]

There are five ways to supply the password: on the command line (pass:password), from a file (file:pathname), from an environment variable (env:var), from a file descriptor (fd:number), and from standard input (stdin). The default is standard input, i.e. keyboard input.

[-e/-d]

-e: encrypt, -d: decrypt. Encryption is the default.

[-a/-base64]

Because the encrypted file is binary and inconvenient to view, this parameter Base64-encodes the encrypted output to make it readable. Correspondingly, when decrypting, the input is Base64-decoded first and then decrypted.

[-k/-kfile]

Kept for compatibility with earlier versions; they specify how the password is supplied and have been superseded by the -pass parameter.

[-md]

Specifies the digest algorithm used to generate the key. The password entered by the user cannot be used directly as the file encryption key; it is converted into a key through a digest algorithm, and this parameter selects that digest. The default is MD5.

[-S]

To enhance security, a salt value is used when converting the user's password into an encryption key. By default the salt is generated randomly; with this parameter the user specifies the salt. You can also use -nosalt to disable the salt entirely, but this reduces security and is not recommended.

[-K/-iv]

By default the file encryption key and IV are derived from the password entered by the user, but the user can also specify the key and IV values directly. In that case the -pass parameter has no effect.

[-p/-P]

-p prints the salt, key and IV used for the file and then performs the encryption or decryption; -P prints the same values but exits without performing the actual encryption or decryption.

[-bufsize]

The I/O buffer size used when reading and writing files; generally does not need to be set.

[-nopad]

Disables padding. This requires the length of the input data to be a multiple of the block size of the cipher being used.

[-engine]

Specifies a third-party encryption engine, possibly a hardware device. No such environment was available, so this was not tested.

3. Example of symmetric encryption algorithm use

1. Base64-encode a file only, without encryption or decryption

# base64-encode a file
openssl enc -base64 -in plain.txt -out base64.txt
# decode the base64 file
openssl enc -base64 -d -in base64.txt -out plain2.txt
# use diff to compare the plaintext before and after decoding
diff plain.txt plain2.txt

2. Different ways of supplying the password

# command line input, password 123456
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass pass:123456
# file input, password 123456
echo 123456 > passwd.txt
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass file:passwd.txt
# environment variable input, password 123456
passwd=123456
export passwd
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass env:passwd
# input from a file descriptor
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass fd:1
# input from standard input
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass stdin

3. Encryption with a fixed salt value

$ openssl enc -aes-128-cbc -in plain.txt -out encrypt.txt -pass pass:123456 -P
salt=32F5C360F21FC12D
key=D7E1499A578490DF940D99CAE2E29EB1
iv =78EEB538897CAF045F807A97F3CFF498
$ openssl enc -aes-128-cbc -in plain.txt -out encrypt.txt -pass pass:123456 -P
salt=DAA482697BECAB46
key=9FF8A41E4AC011FA84032F14B5B88BAE
iv =202E38A43573F752CCD294EB8A0583E7
$ openssl enc -aes-128-cbc -in plain.txt -out encrypt.txt -pass pass:123456 -p -S 123
salt=1230000000000000
key=50E1723DC328D98F133E321FC2908B78
iv =1528E9AD498FF118AB7ECB3025AD0DC6
$ openssl enc -aes-128-cbc -in plain.txt -out encrypt.txt -pass pass:123456 -p -S 123
salt=1230000000000000
key=50E1723DC328D98F133E321FC2908B78
iv =1528E9AD498FF118AB7ECB3025AD0DC6

As you can see, without the -S parameter the salt is generated randomly and the key and IV change on every run; once the salt value is fixed, the key and IV are fixed too.

4. Encryption and decryption with Base64 encoding

# encrypt, then base64-encode the output, using the -a parameter
$ openssl enc -aes-128-cbc -in plain.txt -a -out encrypt.txt -pass pass:123456
# base64-decode the input before decrypting, using the -a parameter
$ openssl enc -aes-128-cbc -in encrypt.txt -d -a -out plain1.txt -pass pass:123456
# the files are identical
$ diff plain.txt plain1.txt
# the encrypted file is base64 encoded
$ cat encrypt.txt
u2fsdgvkx19kbcj9gmi1tboqjp8jjcefiuh1thwf/z4=

5. Manually specifying the key and IV values

# manually specify key and IV; the salt is then fixed
$ openssl enc -aes-128-cbc -in plain.txt -out encrypt.txt -K 1223 -iv f123 -P
salt=0B00000000000000
key=12230000000000000000000000000000
iv =F1230000000000000000000000000000
# a -pass password given as well has no effect; note that key and IV are given in hex
$ openssl enc -aes-128-cbc -in plain.txt -out encrypt.txt -K 1223 -iv f123 -p -pass pass:123456
salt=F502F4B8DE62E0E5
key=12230000000000000000000000000000
iv =F1230000000000000000000000000000
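The following added example (not part of the original article) reproduces in Python what the -P output above shows: the EVP_BytesToKey derivation that enc uses to turn a password and salt into key and IV (MD5, one iteration by default), the zero right-padding of hex arguments given to -S/-K/-iv, and the "Salted__" header layout of a salted enc output file. The password, salt and sample blob are constructed here; the page_example function derives key and IV for password 123456 with -S 123 so you can compare its output with the key= and iv= lines printed in example 3.

```python
import hashlib


def evp_bytes_to_key(password, salt, key_len, iv_len, md="md5", count=1):
    """Reproduce EVP_BytesToKey(), the derivation behind 'openssl enc -P':
    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt),
    key || iv = D_1 || D_2 || ...  (default H is md5 with count = 1)."""
    if len(salt) != 8:
        raise ValueError("openssl enc salts are exactly 8 bytes")
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        for _ in range(count - 1):  # extra iterations only when count > 1
            block = hashlib.new(md, block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pad_hex_arg(hex_arg, n_bytes):
    """Mimic how enc reads -S/-K/-iv: hex digits left-aligned and right-
    padded with zeros, so '-S 123' becomes salt 1230000000000000."""
    if len(hex_arg) > 2 * n_bytes:
        raise ValueError("hex string longer than %d bytes" % n_bytes)
    return bytes.fromhex(hex_arg.ljust(2 * n_bytes, "0"))


def parse_salted(blob):
    """Split a salted enc output file: 'Salted__', 8-byte salt, ciphertext."""
    if len(blob) < 16 or blob[:8] != b"Salted__":
        raise ValueError("not an 'openssl enc' salted file")
    return blob[8:16], blob[16:]


def page_example():
    """Derive key/iv for password 123456 with '-S 123' as in example 3;
    compare the returned hex with the key=/iv= lines openssl printed."""
    key, iv = evp_bytes_to_key(b"123456", pad_hex_arg("123", 8), 16, 16)
    return key.hex().upper(), iv.hex().upper()


if __name__ == "__main__":
    key_hex, iv_hex = page_example()
    print("salt=%s" % pad_hex_arg("123", 8).hex().upper())
    print("key=%s" % key_hex)
    print("iv =%s" % iv_hex)
    # Constructed sample: a salted header followed by one all-zero block.
    salt, ct = parse_salted(b"Salted__" + bytes(range(8)) + bytes(16))
    print("parsed salt=%s, ciphertext bytes=%d" % (salt.hex(), len(ct)))
```

Because the derivation is a plain MD5 of password and salt with a single iteration, a fixed salt yields the same key every time, which is exactly why example 3 prints identical key and IV lines for the two -S 123 runs.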
