Nanjing University of Posts and Telecommunications, Network and Information Security: OpenSSL Encrypted Data Experiment (Experiment 2)
Download and compile OpenSSL
OpenSSL download
The OpenSSL source is downloaded from http://www.openssl.org/source/ , which lists the available download methods. Note that from mainland China the download can be very slow without a proxy ("ladder"); a domestic mirror is also an option.
If you install a prebuilt package instead, pick the right architecture: i386 is the IA-32 (32-bit) build and amd64 the x86-64 (64-bit) build.
As an aside, amd64 and x86-64 are two names for the same 64-bit architecture: AMD designed it and Intel later adopted it, hence the two names.
OpenSSL compilation
Unzip
Copy the downloaded archive into Ubuntu, then extract it:
user1@ubuntu:~/Desktop$ tar -xzvf openssl-3.0.0-alpha6.tar.gz
The flags xzvf mean:
- x: extract files from the archive
- v: verbose, list each file while extracting
- z: filter the archive through gzip
- f: the next argument is the archive file name
Configuration
After extracting, change into the new folder and run
user1@ubuntu:~/Desktop/openssl-3.0.0-alpha6$ ./Configure
This differs from the command given in the original lab guide, which is:
./config --prefix=/usr/local
The --prefix option sets the installation root. I chose to respect Ubuntu's layout and leave it unchanged; for OpenSSL the default prefix is already /usr/local (./Configure --help or INSTALL.md confirms this for your version). With that prefix the default install locations are:
file type | path |
---|---|
binaries (the openssl tool) | /usr/local/bin |
configuration (openssl.cnf, certs; set with --openssldir) | /usr/local/ssl |
headers | /usr/local/include/openssl |
libraries (libcrypto, libssl) | /usr/local/lib (OpenSSL 3.x on 64-bit Linux may use /usr/local/lib64; check the make install output) |
Compile
Run make in the source folder:
user1@ubuntu: make
(Do not write `make & make install`: a single `&` puts make in the background and starts the install at the same time, before anything has been built.)
This produces a lot of output. Once it has finished, run the test suite:
user1@ubuntu: make test
You will see the tests running. Some individual tests may report errors; on the principle of "good enough" I did not chase them, since we may never use those features, and the overall result was a pass.
Then install. Remember to run this step, otherwise the headers and shared libraries cannot be found later (I spent a long time debugging this). /usr/local is owned by root, so it needs sudo:
sudo make install
Programming with OpenSSL
Compile the test file
The test file source code is as follows
#include <stdio.h>
#include <evp.h> /* found via -I /usr/local/include/openssl/; the usual form is <openssl/evp.h> with -I /usr/local/include */

int main(void)
{
    printf("hello world!\n");
    /* deprecated since OpenSSL 1.1.0 (the library now initialises itself); kept because the lab guide uses it */
    OpenSSL_add_all_algorithms();
    return 0;
}
Compile
user1@ubuntu:~/Desktop/OpenSSL_Test$ gcc test.c -I /usr/local/include/openssl/ -lcrypto
The options mean:
- -I: directory to search for header files
- -lxxx: link against libxxx.so (or libxxx.a) in the link stage; here libcrypto.so
- -L (not used above): extra directory to search for libraries; add -L /usr/local/lib if the linker picks up a different libcrypto than the one just installed
If instead you follow the lab guide's command literally (adapted slightly to the environment variables):
gcc test.c -o test -I /usr/local/openssl/include /usr/local/libcrypto.a -ldl
you will find it does not get through the link stage: the guide assumes a different prefix, and there is no /usr/local/libcrypto.a in this install (the static archive lives in the library directory listed above).
Running the test binary
After compiling, the file a.out appears. Running it directly gives an error that the shared library (libcrypto.so.3) cannot be found. The reason is that the dynamic loader only consults its cache and the standard directories such as /usr/lib, while my install put the library under /usr/local/lib, which is not in the cache yet (make install does not refresh it). So the loader has to be told about the new path.
Register the library path (not needed if you install exactly as the guide says, because the guide links libcrypto statically)
Open the dynamic linker configuration file
user1@ubuntu:~/Desktop/OpenSSL_Test$ sudo gedit /etc/ld.so.conf
Add the library directory (/usr/local/lib, or wherever make install put libcrypto.so) on its own line and save. On Ubuntu a drop-in file under /etc/ld.so.conf.d/ is the cleaner place for the same line. Then refresh the loader cache:
sudo ldconfig
You can confirm with ldconfig -p | grep libcrypto, and ldd ./a.out shows which copy the binary will actually load.
Run again to succeed
Encryption test
Writing the source
If you use the source code from the lab guide as-is, the following error appears.
After looking it up: since OpenSSL 1.1.0 the EVP_CIPHER_CTX structure is opaque, so it can no longer be declared on the stack and initialised with EVP_CIPHER_CTX_init(); it must be allocated with EVP_CIPHER_CTX_new() and released with EVP_CIPHER_CTX_free(). The modified source is as follows
#include <stdio.h>
#include <string.h>
#include <openssl/evp.h>

void tEVP_Encrypt(void)
{
    unsigned char key[EVP_MAX_KEY_LENGTH]; /* key */
    unsigned char iv[EVP_MAX_IV_LENGTH];   /* initialisation vector */
    /* old usage (OpenSSL <= 1.0.2): EVP_CIPHER_CTX ctx; EVP_CIPHER_CTX_init(&ctx);
     * new usage (OpenSSL >= 1.1.0): the struct is opaque, allocate it on the heap */
    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); /* EVP algorithm context */
    unsigned char out[1024]; /* ciphertext output buffer */
    int outl;                /* ciphertext length */
    int outltmp;
    const char *msg = "Hello OpenSSL"; /* data to be encrypted */
    int rv;
    int i;

    if (ctx == NULL) {
        printf("Err\n");
        return;
    }
    /* set key and IV: 3DES takes a 24-byte key and an 8-byte IV. These fixed
     * values are only for the experiment; a real program uses RAND_bytes() */
    for (i = 0; i < 24; i++)
        key[i] = i;
    for (i = 0; i < 8; i++)
        iv[i] = i;
    /* set algorithm, key and IV (EVP_CIPHER_CTX_new() already initialised ctx) */
    rv = EVP_EncryptInit_ex(ctx, EVP_des_ede3_cbc(), NULL, key, iv);
    if (rv != 1) {
        printf("Err\n");
        goto done;
    }
    /* encrypt the data */
    rv = EVP_EncryptUpdate(ctx, out, &outl, (const unsigned char *)msg, (int)strlen(msg));
    if (rv != 1) {
        printf("Err\n");
        goto done;
    }
    /* finish: flush the last (padded) block */
    rv = EVP_EncryptFinal_ex(ctx, out + outl, &outltmp);
    if (rv != 1) {
        printf("Err\n");
        goto done;
    }
    outl = outl + outltmp;
    printf("Original text:%s\n", msg);
    /* print the ciphertext */
    printf("Length of ciphertext:%d\n Data of ciphertext:\n", outl);
    for (i = 0; i < outl; i++)
        printf("0x%02x ", out[i]);
    printf("\n");
done:
    EVP_CIPHER_CTX_free(ctx);
}

int main(void)
{
    /* deprecated no-op since OpenSSL 1.1.0 (the library initialises itself); kept from the guide */
    OpenSSL_add_all_algorithms();
    tEVP_Encrypt();
    return 0;
}
Compile and test
/usr/bin/g++ -g /home/user1/Desktop/OpenSSL_Test/test2.cpp -o /home/user1/Desktop/OpenSSL_Test/test2 -I /usr/local/include -L /usr/local/lib -lcrypto
It runs successfully. Note the include path: with #include <openssl/evp.h> the -I directory must be /usr/local/include, not /usr/local/include/openssl/; with the latter the compiler silently falls back to the system OpenSSL headers in /usr/include (if libssl-dev is installed), so the program may be built against Ubuntu's OpenSSL rather than the one just compiled. ldd test2 shows which libcrypto it actually uses.
Using the OpenSSL command line for encryption
Besides the programming API, OpenSSL provides a command-line tool, openssl, for end users.
Experiment 1: Encryption with AES
This has two parts:
- encrypt with and without Base64 and compare the results
- encrypt in different modes
Base64 encoding
First, what Base64 does: it represents arbitrary binary data as printable ASCII characters so that it can pass through text-only channels such as e-mail. That is all it does; it is an encoding, not encryption, and hides nothing.
First encrypt without Base64, using the following command:
openssl enc -aes-256-cbc -salt -in lincoln.txt -out WithoutBase64.encn
The options mean:
- enc: the symmetric encryption subcommand
- -aes-256-cbc: AES with a 256-bit key in CBC mode
- -salt: derive the key and IV from the password using a random 8-byte salt, which is stored in the output behind the magic string "Salted__" (this is the default; -nosalt disables it)
- -in: input file
- -out: output file
The password itself is prompted for. Current OpenSSL versions also warn that the default password-to-key derivation is deprecated; adding -pbkdf2 (optionally with -iter) switches to PBKDF2, and the same flags must then be given when decrypting.
The encrypted file is binary and cannot be opened as text. Opening it in a hex editor shows seemingly random bytes (after the Salted__ header), which cannot be pasted into an e-mail or a QQ chat box directly.
Use the following command to Base64-encode the output:
openssl enc -aes-256-cbc -salt -a -in lincoln.txt -out WithBase64.encn
Here -a Base64-encodes the ciphertext (salt header included). The result, shown below, is readable text this time.
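The following script is an added example and is not part of the lab guide or this page's original material. It repeats the two encryptions above with the openssl CLI, prints the "Salted__" header and the salt, decodes the -a output to show it is the same structure, and round-trips both files through decryption. The plaintext, file names and the demo password are constructed for the example; -pass pass: is used instead of the interactive prompt, and -pbkdf2 needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the lab guide): password-based encryption with the
# openssl CLI, the on-disk layout of a salted ciphertext, and the Base64 (-a) form.
set -eu

PASS='correct horse battery staple'   # demo password only; prefer -pass file:/env: in scripts
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed plaintext standing in for lincoln.txt
printf 'Four score and seven years ago our fathers brought forth on this continent\n' \
    > "$WORK/lincoln.txt"

# The default key derivation of `openssl enc` is one round of EVP_BytesToKey,
# which OpenSSL itself warns is deprecated; -pbkdf2 -iter selects PBKDF2 instead.
encrypt_raw() {   # $1 input, $2 output (binary ciphertext)
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
        -pass pass:"$PASS" -in "$1" -out "$2"
}
encrypt_b64() {   # $1 input, $2 output (Base64 text, -a)
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 -a \
        -pass pass:"$PASS" -in "$1" -out "$2"
}
decrypt() {       # $1 input, $2 output, $3 = "-a" when the input is Base64
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 ${3:-} \
        -pass pass:"$PASS" -in "$1" -out "$2"
}

# Layout written by -salt: 8-byte magic "Salted__", 8-byte random salt, then the
# AES-CBC ciphertext. Key and IV are re-derived from password+salt on decryption.
# There is no integrity tag: CBC on its own does not detect tampering.
header_magic() { dd if="$1" bs=1 count=8 2>/dev/null; }
header_salt()  { dd if="$1" bs=1 skip=8 count=8 2>/dev/null | od -An -v -tx1 | tr -d ' \n'; }

encrypt_raw "$WORK/lincoln.txt" "$WORK/WithoutBase64.enc"
encrypt_b64 "$WORK/lincoln.txt" "$WORK/WithBase64.enc"

echo "magic: $(header_magic "$WORK/WithoutBase64.enc")"   # Salted__
echo "salt : $(header_salt  "$WORK/WithoutBase64.enc")"   # 16 hex digits, new on every run
echo "Base64 form:"; cat "$WORK/WithBase64.enc"

# Decoding the -a output yields the same Salted__ structure (with its own random salt)
openssl base64 -d -in "$WORK/WithBase64.enc" -out "$WORK/decoded.enc"
echo "decoded magic: $(header_magic "$WORK/decoded.enc")"

decrypt "$WORK/WithoutBase64.enc" "$WORK/raw.dec"
decrypt "$WORK/WithBase64.enc"    "$WORK/b64.dec" -a
cmp "$WORK/raw.dec" "$WORK/lincoln.txt" && cmp "$WORK/b64.dec" "$WORK/lincoln.txt" \
    && echo "round trip OK"
```

Because the salt is random, the two ciphertexts differ even though the plaintext and password are identical; that is the point of -salt, since it stops precomputed dictionary attacks on the password.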
Different modes
For convenience the ciphertext is Base64-encoded here too.
First, cipher block chaining (CBC) mode:
openssl enc -aes-256-cbc -salt -a -in lincoln.txt -out WithBase64CBC.encn
The ciphertext is as follows
Then electronic codebook (ECB) mode (the mode is spelled ecb, not "ebc"; openssl does not recognise -aes-256-ebc as a cipher):
openssl enc -aes-256-ecb -salt -a -in lincoln.txt -out WithBase64ECB.encn
The ciphertext is as follows. ECB has no IV and encrypts each 16-byte block independently, so identical plaintext blocks give identical ciphertext blocks; this leaks the structure of the data, which is why ECB is not used for anything beyond a single block.
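To make the ECB weakness visible rather than just stated, the script below is an added example (not from the lab guide): it encrypts four identical 16-byte blocks under AES-256 in ECB and in CBC and counts the distinct ciphertext blocks. A raw hex key (-K) and IV (-iv) are used instead of a password so that no Salted__ header is written and the output is exactly five blocks; key, IV and plaintext are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the lab guide): why ECB is the wrong mode.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY=$(openssl rand -hex 32)   # 256-bit key as 64 hex digits
IV=$(openssl rand -hex 16)    # 128-bit IV as 32 hex digits

# Plaintext: four identical 16-byte blocks (PKCS#7 padding adds a fifth block)
for i in 1 2 3 4; do printf 'ATTACK AT DAWN! '; done > "$WORK/plain.txt"

encrypt_ecb() { openssl enc -aes-256-ecb -K "$KEY"           -in "$1" -out "$2"; }
encrypt_cbc() { openssl enc -aes-256-cbc -K "$KEY" -iv "$IV" -in "$1" -out "$2"; }

# Print each 16-byte block of a file as one line of 32 hex digits
blocks_hex() {
    hex=$(od -An -v -tx1 "$1" | tr -d ' \n')
    printf '%s\n' "$hex" | fold -w 32
}
# Number of distinct 16-byte blocks in a file
distinct_blocks() { blocks_hex "$1" | sort -u | wc -l | tr -d ' '; }

encrypt_ecb "$WORK/plain.txt" "$WORK/ecb.bin"
encrypt_cbc "$WORK/plain.txt" "$WORK/cbc.bin"

echo "ECB blocks:"; blocks_hex "$WORK/ecb.bin"   # the first four lines are identical
echo "CBC blocks:"; blocks_hex "$WORK/cbc.bin"   # all five lines differ
echo "distinct blocks: ECB=$(distinct_blocks "$WORK/ecb.bin") CBC=$(distinct_blocks "$WORK/cbc.bin")"
```

ECB yields only two distinct blocks (the repeated message block and the padding block), so an observer learns that four blocks of the message are equal without knowing the key. CBC chains each block into the next and, with a fresh IV, produces five different blocks.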
Experimental content 2: Modify the ciphertext test
I modified the ciphertext file, and whether bytes are changed, added or deleted, there is an error. It
should be OpenSSL's error checking, but it may also be that I did not do it right...
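What a modified ciphertext actually does under CBC deserves a closer look, so the script below is an added example (not from the lab guide, and not a reproduction of the author's test). CBC mode carries no integrity check: flipping one ciphertext byte garbles the block it sits in, flips the same bit in the next plaintext block, and leaves every later block untouched. The "bad decrypt" error appears only when the damage reaches the PKCS#7 padding in the final block, and even then a corrupted last block is accepted roughly once in 256 tries. A raw key (-K) and IV (-iv) are used so the file has no salt header; key, IV and plaintext are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the lab guide): CBC has no integrity protection.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY=$(openssl rand -hex 32)
IV=$(openssl rand -hex 16)

# Four identical 16-byte plaintext blocks; padding adds a fifth block
for i in 1 2 3 4; do printf 'PAY ALICE 100USD'; done > "$WORK/plain.txt"

encrypt() { openssl enc    -aes-256-cbc -K "$KEY" -iv "$IV" -in "$1" -out "$2"; }
decrypt() { openssl enc -d -aes-256-cbc -K "$KEY" -iv "$IV" -in "$1" -out "$2"; }

# XOR the byte at offset $2 of file $1 with the value $3, in place
flip_byte() {
    old=$(dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
    printf "\\$(printf '%03o' $(( old ^ $3 )))" \
        | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}
# Return the 16-byte block number $2 (0-based) of file $1
block_of() { dd if="$1" bs=16 skip="$2" count=1 2>/dev/null; }

encrypt "$WORK/plain.txt" "$WORK/cipher.bin"

# Case 1: flip bit 0 of ciphertext byte 0 (inside ciphertext block 0).
# Plaintext block 0 becomes garbage, block 1 gets 'P' (0x50) turned into 'Q' (0x51),
# blocks 2 and 3 and the padding block are unchanged, so openssl accepts the file.
cp "$WORK/cipher.bin" "$WORK/t1.bin"; flip_byte "$WORK/t1.bin" 0 1
if decrypt "$WORK/t1.bin" "$WORK/t1.txt" 2>/dev/null; then
    echo "block-0 tamper: ACCEPTED (exit 0)"
    echo "  block 1: $(block_of "$WORK/t1.txt" 1)"   # QAY ALICE 100USD
    echo "  block 2: $(block_of "$WORK/t1.txt" 2)"   # PAY ALICE 100USD (intact)
fi

# Case 2: flip a byte inside the last ciphertext block. The padding block decrypts
# to garbage, so the padding check fails and openssl reports "bad decrypt"
# (unless the garbage happens to end in a valid padding byte, about 1 in 256).
cp "$WORK/cipher.bin" "$WORK/t2.bin"; flip_byte "$WORK/t2.bin" 70 1
if decrypt "$WORK/t2.bin" "$WORK/t2.txt" 2>/dev/null; then
    echo "last-block tamper: accepted (padding happened to stay valid)"
else
    echo "last-block tamper: rejected with bad decrypt (padding check failed)"
fi
```

The error seen in the experiment is therefore the padding check, not a real integrity check: an attacker who edits an earlier block gets a "successful" decryption with controlled bit flips in the following block. Authenticated encryption (AES-GCM or a MAC over the ciphertext) is what actually detects modification; the openssl enc subcommand does not support AEAD modes, which is one reason it is unsuitable for anything beyond experiments.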
Experiment 3: generating an RSA key pair
Creating the keys takes two steps:
- generate the private key (2048 bits is the current default; stating the size explicitly is good practice)
openssl genrsa -out private.key 2048
- derive the public key from the private key
openssl rsa -pubout -in private.key -out public.key
The generated private key is as follows (a throwaway lab key; treat any private key that has been pasted into a report or chat as compromised):
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
The public key is as follows:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuPWZGcUMKN3sCURzXKPv
YXwHqMRGX6BuMBrc5xiJzGKhnYr84Ywit7QQ1nZfG8IiVKeiaqESHsksG9MbhuCk
DEObjrYoKwj2flnI+X7Pxr3vbTC609MVbV5bSHUQhbolyjzCfWr2t6Mu0HKRCAQI
VJ3jfzvjy4q2TJijg8fceOpSgmm+k9fVUDO3/nVotmh7BapkJHHGmj0hN56rkaRe
m0oICYdlEv7/PLQlLO2flSqbKAhFbphVxdvDbqvFZyyXXXzuyorUUuF1rFXVTY8I
1q9hUS/2MyGsmA2yeteGs69LhMqBG0/zbVtgCmCTJ6rzW8m3OeSUgznC75OkVWdR
7QIDAQAB
-----END PUBLIC KEY-----
In RSA, the longer the modulus, the more computation each operation costs; 2048 bits is the current minimum for new keys. The private key file is much longer than the public key file not because it is "stronger" but because the PKCS#8 encoding stores, besides the modulus n and public exponent e, the private exponent d, the primes p and q and the CRT values dp, dq and qinv, which speed up private-key operations. Both keys share the same modulus, so their security level is the same; the public key is simply the smaller subset (n, e).
Experiment 4: Digital Signature
Recall the signing process: hash the message first, then sign the hash value with the private key. Use the following command to sign:
openssl dgst -sha1 -sign private.key -out mytest.dig mytest
parameters:
- dgst: the message-digest subcommand, which also signs and verifies digests
- -sha1: hash with SHA-1 (as the lab guide requires; for anything real use -sha256, since SHA-1 is broken for collision resistance and deprecated for signatures)
- -sign: the private key to sign with
Note that the signature is a binary sequence, so it cannot be opened as text, and dgst has no Base64 option; if it has to travel over a text channel, encode it separately with openssl base64. The following is my digital signature
The following command verifies the signature:
openssl dgst -sha1 -verify public.key -signature mytest.dig mytest
Verification succeeded:
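The complete sign-and-verify flow, as an added example that is not part of the lab guide: it generates a 2048-bit key pair, signs a constructed message with SHA-256 instead of the guide's SHA-1, Base64-armours the raw signature with the openssl base64 subcommand (which the dgst subcommand lacks), verifies it, and shows that changing a single byte of the message makes verification fail. File names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the lab guide): RSA signing and verification with the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed message to be signed
printf 'The quick brown fox jumps over the lazy dog\n' > mytest

# 1. Private key: the modulus size you choose here is the security parameter
openssl genrsa -out private.key 2048 2>/dev/null
# 2. Public key derived from it (SubjectPublicKeyInfo PEM, "BEGIN PUBLIC KEY")
openssl rsa -pubout -in private.key -out public.key 2>/dev/null

sign_file() {     # $1 message, $2 output signature (raw bytes; 256 for RSA-2048)
    openssl dgst -sha256 -sign private.key -out "$2" "$1"
}
verify_file() {   # $1 message, $2 signature; exit 0 on "Verified OK", 1 otherwise
    openssl dgst -sha256 -verify public.key -signature "$2" "$1" >/dev/null 2>&1
}

sign_file mytest mytest.sig
# dgst has no -a option: armour the raw signature separately for a text channel
openssl base64 -in mytest.sig -out mytest.sig.b64
openssl base64 -d -in mytest.sig.b64 -out mytest.sig.decoded

if verify_file mytest mytest.sig.decoded; then echo "original message: Verified OK"; fi

# Tamper with one byte of the message: its hash changes, so the signature no longer matches
cp mytest tampered
printf 'X' | dd of=tampered bs=1 seek=4 conv=notrunc 2>/dev/null
if verify_file tampered mytest.sig; then
    echo "tampered message: accepted?!"
else
    echo "tampered message: Verification Failure"
fi
```

The private key never leaves the signer; anyone holding public.key can run the verify step. Contrast this with the CBC experiment above: here a modified message is always rejected, because the signature binds the whole message through the hash.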
Summary
Overall, although this experiment involves compiling and programming under Ubuntu, openssl is so widely used that the build holds no black magic, and the test source code was provided, so it was relatively simple. Compared with the first experiment it does not depend on a particular GUI tool, so there was none of the trouble caused by everyone having a different Wireshark version.
Two points to note:
- the name and path of the shared library: the one linked in this experiment is libcrypto.so
- the changes in the OpenSSL API