openssl
Powerful Secure Sockets Layer Cryptography Library
Linux command online tools: linux online tools
personal blog site: blog site
Supplementary Note
OpenSSL is a powerful Secure Sockets Layer cryptographic library, including main cryptographic algorithms, common key and certificate encapsulation management functions and SSL protocol, and provides rich applications for testing or other purposes. After OpenSSL was exposed to serious security vulnerabilities, it was found that most websites encrypted through the SSL protocol use an open source software package called OpenSSL. Since this is the most widely used secure transmission method on the Internet, it is widely used by important websites such as online banking, online payment, e-commerce websites, portal websites, and emails, so the vulnerability affects a wide range.
OpenSSL has two modes of operation: interactive mode and batch mode.
Directly enter openssl and press Enter to enter the interactive mode, and enter openssl with command options to enter the batch mode.
The entire software package of OpenSSL can be roughly divided into three main functional parts: the cryptographic algorithm library, the SSL protocol library, and the application program. The directory structure of OpenSSL is naturally planned around these three functional parts.
Symmetric encryption algorithm
OpenSSL provides a total of 8 symmetric encryption algorithms, 7 of which are block encryption algorithms, and the only stream encryption algorithm is RC4. The seven block encryption algorithms are AES, DES, Blowfish, CAST, IDEA, RC2, and RC5, all of which support electronic codebook mode (ECB), encryption block chaining mode (CBC), encryption feedback mode (CFB) and output feedback mode (OFB) Four commonly used block cipher encryption modes. Among them, the encryption feedback mode (CFB) and output feedback mode (OFB) packet length used by AES is 128 bits, and other algorithms use 64 bits. In fact, the DES algorithm is not only the commonly used DES algorithm, but also supports three-key and two-key 3DES algorithms.
Asymmetric encryption algorithm
OpenSSL implements a total of four asymmetric encryption algorithms, including DH algorithm, RSA algorithm, DSA algorithm and elliptic curve algorithm (EC). The DH algorithm is generally used for key exchange. The RSA algorithm can be used for both key exchange and digital signature, and of course, if you can tolerate its slow speed, it can also be used for data encryption. The DSA algorithm is generally only used for digital signatures.
Information Digest Algorithm
OpenSSL implements five information digest algorithms, namely MD2, MD5, MDC2, SHA (SHA1) and RIPEMD. The SHA algorithm actually includes two information digest algorithms, SHA and SHA1. In addition, OpenSSL also implements the two information digest algorithms DSS and DSS1 specified in the DSS standard.
Key and certificate management
Key and certificate management is an important part of PKI, for which OpenSSL provides rich functions and supports multiple standards.
First of all, OpenSSL implements the ASN.1 certificate and key related standards, and provides DER, PEM and BASE64 encoding and decoding functions for data objects such as certificates, public keys, private keys, certificate requests, and CRLs. OpenSSL provides methods, functions and applications for generating various public key pairs and symmetric keys, and provides DER encoding and decoding functions for public and private keys. And realize the codec function of PKCS#12 and PKCS#8 of the private key. OpenSSL provides the encryption protection function for the private key in the standard, so that the key can be safely stored and distributed.
On this basis, OpenSSL implements the X.509 standard codec, PKCS#12 format codec and PKCS#7 codec for certificates. It also provides a text database that supports certificate management functions, including certificate key generation, request generation, certificate issuance, revocation, and verification.
In fact, the CA application provided by OpenSSL is a small certificate management center (CA), which implements the entire process of certificate issuance and most of the certificate management mechanisms.
example
1. Use openssl to generate a password
Almost all Linux distributions include openssl. We can take advantage of its random feature to generate random strings of letters that can be used as passwords.
openssl rand -base64 10
# nU9LlHO5nsuUvw==
nU9LlHO5nsuUvw==
2. Application example of message digest algorithm
Use the SHA1 algorithm to calculate the hash value of the file file.txt and output it to stdout:
# openssl dgst -sha1 file.txt
Use the SHA1 algorithm to calculate the hash value of the file file.txt and output it to the file digest.txt:
# openssl sha1 -out digest.txt file.txt
Use the DSS1 (SHA1) algorithm to sign the file file.txt and output it to the file dsasign.bin. The signed private key must be generated by the DSA algorithm and saved in the file dsakey.pem.
# openssl dgst -dss1 -sign dsakey.pem -out dsasign.bin file.txt
Use the dss1 algorithm to verify the digital signature dsasign.bin of file.txt, and the verified private key is the file dsakey.pem generated by the DSA algorithm.
# openssl dgst -dss1 -prverify dsakey.pem -signature dsasign.bin file.txt
Use the sha1 algorithm to sign the file file.txt and output it to the file rsasign.bin. The private key of the signature is the file rsaprivate.pem generated by the RSA algorithm.
# openssl sha1 -sign rsaprivate.pem -out rsasign.bin file.txt
Use the sha1 algorithm to verify the digital signature rsasign.bin of file.txt, and the verified public key is rsapublic.pem generated by the RSA algorithm.
# openssl sha1 -verify rsapublic.pem -signature rsasign.bin file.txt
3. Symmetric encryption application example
Symmetric encryption application example, use the CBC mode of the DES3 algorithm to encrypt the file plaintext.doc, and output the encrypted result to the file ciphertext.bin.
# openssl enc -des3 -salt -in plaintext.doc -out ciphertext.bin
Use the OFB mode of the DES3 algorithm to decrypt the file ciphertext.bin, provide the password as trousers, and output it to the file plaintext.doc. Note: Because of the different modes, this command cannot decrypt the above files.
# openssl enc -des-ede3-ofb -d -in ciphertext.bin -out plaintext.doc -pass pass:trousers
Use Blowfish's CFB mode to encrypt plaintext.doc, take the password from the environment variable PASSWORD, and output it to the file ciphertext.bin.
# openssl bf-cfb -salt -in plaintext.doc -out ciphertext.bin -pass env:PASSWORD
Encode the file ciphertext.bin with base64 and output to the file base64.txt.
# openssl base64 -in ciphertext.bin -out base64.txt
Use the CBC mode of the RC5 algorithm to encrypt the file plaintext.doc, output to the file ciphertext.bin, and specify the salt, key, and initialization vector (iv) on the command line.
# openssl rc5 -in plaintext.doc -out ciphertext.bin -S C62CB1D49F158ADC -iv E9EDACA1BD7090C6 -K 89D4B1678D604FAA3DBFFD030A314B29
4. Diffie-Hellman application example
Generate D0ffie-Hellman parameters using a generator factor of 2 and a random 1024-bit prime number, and save the output to the file dhparam.pem
# openssl dhparam -out dhparam.pem -2 1024
Read Diffie-Hell parameters from dhparam.pem, output to stdout in the form of C code.
# openssl dhparam -in dhparam.pem -noout -C
5. DSA application example application example
Generate a 1024-bit DSA parameter set and output to the file dsaparam.pem.
# openssl dsaparam -out dsaparam.pem 1024
Use the parameter file dsaparam.pem to generate a DSA private key, encrypt it with 3DES and output it to the file dsaprivatekey.pem
# openssl gendsa -out dsaprivatekey.pem -des3 dsaparam.pem
Use the private key dsaprivatekey.pem to generate a public key and output it to dsapublickey.pem
# openssl dsa -in dsaprivatekey.pem -pubout -out dsapublickey.pem
Read the private key from dsaprivatekey.pem, decrypt it and enter a new password to encrypt it, then write back to the file dsaprivatekey.pem
# openssl dsa -in dsaprivatekey.pem -out dsaprivatekey.pem -des3 -passin
6. RSA application example
Generate a 1024-bit RSA private key, encrypt it with 3DES, the password is trousers, and output it to the file rsaprivatekey.pem
# openssl genrsa -out rsaprivatekey.pem -passout pass:trousers -des3 1024
Read the private key from the file rsaprivatekey.pem, decrypt it with the password trousers, and output the generated public key to the file rsapublickey.pem
# openssl rsa -in rsaprivatekey.pem -passin pass:trousers -pubout -out rsapubckey.pem
Encrypt the file plain.txt with the public key rsapublickey.pem and output to the file cipher.txt
# openssl rsautl -encrypt -pubin -inkey rsapublickey.pem -in plain.txt -out cipher.txt
Use the private key rsaprivatekey.pem to decrypt the ciphertext cipher.txt and output it to the file plain.txt
# openssl rsautl -decrypt -inkey rsaprivatekey.pem -in cipher.txt -out plain.txt
Sign the file plain.txt with the private key rsaprivatekey.pem and output it to the file signature.bin
# openssl rsautl -sign -inkey rsaprivatekey.pem -in plain.txt -out signature.bin
Use the public key rsapublickey.pem to verify the signature signature.bin and output to the file plain.txt
# openssl rsautl -verify -pubin -inkey rsapublickey.pem -in signature.bin -out plain
Obtain the public key from the X.509 certificate file cert.pem, encrypt mail.txt with 3DES, and output it to the file mail.enc
# openssl smime -encrypt -in mail.txt -des3 -out mail.enc cert.pem
Obtain the recipient's public key from the X.509 certificate file cert.pem, decrypt the S/MIME message mail.enc with the private key key.pem, and output the result to the file mail.txt
# openssl smime -decrypt -in mail.enc -recip cert.pem -inkey key.pem -out mail.txt
cert.pem is an X.509 certificate file, signed with a private key, pem is mail.txt, the certificate is included in the S/MIME message, and output to the file mail.sgn
# openssl smime -sign -in mail.txt -signer cert.pem -inkey key.pem -out mail.sgn
Validate S/MIME message mail.sgn, output to file mail.txt, signer's certificate should be included in mail.sgn as part of S/MIME message
# openssl smime -verify -in mail.sgn -out mail.txt
More examples:
openssl version -a
openssl help
openssl genrsa -aes128 -out fd.key 2048 # pem format
openssl rsa -text -in fd.key