2025-01-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
OpenSSL principle
SSL: SSL is an acronym for Secure Sockets Layer and provides confidential transmission over the Internet. Netscape put forward the SSL protocol standard when it launched its first Web browser. Its goal is to ensure the confidentiality and reliability of communication between two applications, and it can be supported on both the server side and the user side. It has become the industry standard for secure communications on the Internet.
SSL protects the communication between user and server applications from eavesdropping. It always authenticates the server and can optionally authenticate the user. The SSL protocol runs on top of a reliable transport layer protocol (TCP). Its advantage is that it is independent of application layer protocols: higher-level protocols (such as HTTP, FTP, TELNET, etc.) can be layered transparently on top of SSL. SSL completes the negotiation of the encryption algorithm and the communication key, and the authentication of the server, before any application layer data is exchanged. After that, the data transmitted by the application layer protocol is encrypted to ensure the privacy of the communication.
OpenSSL (Open Secure Sockets Layer): a powerful secure socket layer cryptographic library that includes the major cryptographic algorithms, common key and certificate encapsulation and management functions, and the SSL protocols, and provides a rich set of applications for testing or other purposes.
The whole OpenSSL package can be divided into three main functional parts: the SSL protocol library, the application program, and the cryptographic algorithm library. The directory structure of OpenSSL is naturally planned around these three functional parts.
The basic functions are: the main cryptographic algorithms (MD5, SHA, DH, BASE64, etc.), commonly used key and certificate encapsulation and management functions, and the SSL protocol, together with a rich set of applications for testing or other purposes.
Auxiliary functions: for example, an API for generating keys from passwords, the configuration file mechanism used in certificate issuance and management, etc.
OpenSSL supports many different algorithms
Symmetric encryption:
AES, Blowfish, Camellia, SEED, CAST-128, DES, IDEA, RC2, RC4, RC5, Triple DES, GOST 28147-89 [3]
One-way encryption:
MD5, MD2, SHA-1, SHA-2, RIPEMD-160, MDC-2, GOST R 34.11-94 [3]
Asymmetric encryption:
RSA, DSA, Diffie-Hellman key exchange, Elliptic curve, GOST R 34.10-2001 [3]
These are the official explanations. Put simply, openssl is a collection that integrates many encryption algorithms. These algorithms are used in different ways, so openssl calls them through its own functions to encrypt data.
Basic use of OpenSSL
The OpenSSL package consists of three software packages: openssl, libcrypto and libssl.
openssl: a versatile command line tool that uses subcommands to implement each function
libcrypto: general-purpose encryption library (contains the various encryption algorithms)
libssl: implementation of the SSL protocol
OpenSSL command line usage:
openssl command [command_options] [args]
View openssl version: openssl version
You can see that the version currently built into the CentOS system is 1.0.1e. (This version, before upgrading, has vulnerabilities. If you need to use it in a production environment, please download a version from 1.0.1g onward.)
OpenSSL implements symmetric encryption with the enc subcommand, used as follows:
Encryption method:
openssl enc -e -<algorithm> -a -salt -in <original file> -out <file saved after encryption>
Decryption method:
openssl enc -d -<algorithm> -a -salt -in <encrypted file> -out <file saved after decryption>
-e: encrypt
-d: decrypt
-a: base64-encode the output when encrypting (and decode base64 input when decrypting)
-salt: add "salt", which can be understood as adding a random number; the random number generated each time is different, even if you use the same password.
Note: encryption and decryption must use the same algorithm, otherwise the decrypted content will be garbled.
Example 1: encrypt the passwd file in the /etc directory and save the result to the current directory
openssl enc -e -des -a -salt -in /etc/passwd -out ./passwd.crypt
If you open the file after encryption, you will find that it is a block of unreadable ciphertext.
Decrypt the file
openssl enc -d -des -a -salt -in passwd.crypt -out passwd
Opening the file again shows that it is readable and can be used normally.
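The round trip above as an added shell example, not part of the original article. It assumes OpenSSL 1.1.1 or later and uses AES-256-CBC with -pbkdf2 in place of the article's -des (single DES has only a 56-bit key); the sample file, passphrases and the function name enc_roundtrip are constructed for illustration.

```shell
# Added example: salted symmetric encryption round trip with `openssl enc`.
# Assumes OpenSSL 1.1.1+ (for -pbkdf2). File contents and passphrases are constructed.
enc_roundtrip() {
    work=$(mktemp -d) || return 1
    # Constructed sample input standing in for the file to protect.
    printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/sh\n' > "$work/plain"
    # The passphrase is read from the environment so it does not appear in argv.
    DEMO_PW='constructed-demo-passphrase'; export DEMO_PW

    # Encrypt the same plaintext twice with the same passphrase and options.
    openssl enc -e -aes-256-cbc -pbkdf2 -a -salt -pass env:DEMO_PW \
        -in "$work/plain" -out "$work/c1" || return 1
    openssl enc -e -aes-256-cbc -pbkdf2 -a -salt -pass env:DEMO_PW \
        -in "$work/plain" -out "$work/c2" || return 1
    # -salt: a fresh random salt makes the two ciphertexts differ.
    if cmp -s "$work/c1" "$work/c2"; then salted=no; else salted=yes; fi

    # Same algorithm and passphrase on decryption recover the original bytes.
    openssl enc -d -aes-256-cbc -pbkdf2 -a -salt -pass env:DEMO_PW \
        -in "$work/c1" -out "$work/dec" 2>/dev/null || return 1
    if cmp -s "$work/plain" "$work/dec"; then recovered=yes; else recovered=no; fi

    # A wrong passphrase must not yield the plaintext (normally "bad decrypt").
    DEMO_PW='wrong-passphrase'
    openssl enc -d -aes-256-cbc -pbkdf2 -a -salt -pass env:DEMO_PW \
        -in "$work/c1" -out "$work/bad" 2>/dev/null || true
    if cmp -s "$work/plain" "$work/bad"; then wrong_pw=accepted; else wrong_pw=rejected; fi

    rm -rf "$work"; unset DEMO_PW
    echo "salted=$salted recovered=$recovered wrong_pw=$wrong_pw"
}
```

The check compares decrypted bytes with the original instead of trusting the exit status, because a wrong key can occasionally pass the CBC padding check and still produce garbage.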
OpenSSL implements asymmetric encryption, that is, the so-called public and private keys. The genrsa subcommand generates the private key, and the public key is then extracted from the private key, so the private key must not be readable by any user other than the current user.
Key generation method:
(umask 077; openssl genrsa -out <private key storage location> <key length in bits>)
The parentheses run the commands in a subshell: the umask value is modified there, and the subshell exits once the command has run, so the umask value of the current shell is not affected. The semicolon lets both commands be written on the same line.
Extract the public key
openssl rsa -in <private key> -pubout
Example 2: generate a private key file and extract the public key
(umask 077; openssl genrsa -out crypt.key 2048)
Extract the public key:
openssl rsa -in crypt.key -pubout > pub.key
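A check of what Example 2 produces, as an added shell example that is not part of the original article. It confirms the key file permissions, that the parent shell's umask is untouched, and that pub.key belongs to crypt.key; the temporary directory and the function name rsa_keypair_check are constructed for illustration.

```shell
# Added example: generate an RSA private key under umask 077 in a subshell,
# extract the public key, and verify the result. Paths are constructed.
rsa_keypair_check() {
    work=$(mktemp -d) || return 1
    before=$(umask)

    # Subshell: umask 077 applies only inside the parentheses.
    ( umask 077; openssl genrsa -out "$work/crypt.key" 2048 ) >/dev/null 2>&1 || return 1
    after=$(umask)
    if [ "$before" = "$after" ]; then parent_umask=unchanged; else parent_umask=changed; fi

    # Permission string of the key file; owner read/write only is expected.
    mode=$(ls -l "$work/crypt.key" | cut -c1-10)

    # Extract the public half, as in the article.
    openssl rsa -in "$work/crypt.key" -pubout > "$work/pub.key" 2>/dev/null || return 1

    # The file to be shared must carry no private key material.
    if grep -q 'PRIVATE KEY' "$work/pub.key"; then leak=yes; else leak=no; fi

    # Both files must report the same modulus, i.e. form one key pair.
    m_priv=$(openssl rsa -in "$work/crypt.key" -noout -modulus 2>/dev/null)
    m_pub=$(openssl rsa -pubin -in "$work/pub.key" -noout -modulus 2>/dev/null)
    if [ -n "$m_priv" ] && [ "$m_priv" = "$m_pub" ]; then pair=match; else pair=mismatch; fi

    rm -rf "$work"
    echo "mode=$mode pubkey_leak=$leak pair=$pair parent_umask=$parent_umask"
}
```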
OpenSSL one-way encryption is generally used to verify file integrity, for example with md5 and sha1. (Both the MD5 and SHA values change after the file is modified.)
Digest method:
openssl dgst -<algorithm> <file path>
Example 3: get the MD5 value of a file
openssl dgst -md5 passwd
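The integrity check described above, carried one step further as an added shell example that is not part of the original article: digests are recorded in a manifest and later used to report which file changed. It uses -sha256 instead of the article's -md5 because MD5 is no longer collision resistant; the file names, contents and function names are constructed for illustration.

```shell
# Added example: record digests, then detect which file was modified.
# Uses SHA-256 via `openssl dgst`; file names and contents are constructed.

# Print only the hex digest of one file (-r prints "<hex> *<name>").
file_digest() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# For each "<hex> <path>" line of the manifest, recompute the digest and
# print the paths whose contents no longer match.
changed_files() {
    while read -r want path; do
        [ "$(file_digest "$path")" = "$want" ] || echo "$path"
    done < "$1"
}

digest_demo() {
    work=$(mktemp -d) || return 1
    printf 'alpha\n' > "$work/a.conf"
    printf 'beta\n'  > "$work/b.conf"

    # Baseline manifest taken while the files are known-good.
    for f in "$work/a.conf" "$work/b.conf"; do
        echo "$(file_digest "$f") $f"
    done > "$work/manifest"
    clean=$(changed_files "$work/manifest")

    # A one-byte change is enough to alter the digest.
    printf '!' >> "$work/b.conf"
    tampered=$(changed_files "$work/manifest" | sed "s|$work/||")

    rm -rf "$work"
    echo "clean=[$clean] tampered=[$tampered]"
}
```

A manifest only detects tampering if it is stored where whoever can modify the files cannot also rewrite it.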
All of the above subcommands accept --help to print help information, or you can view the man pages:
openssl enc | genrsa | dgst --help or man enc | genrsa | dgst