2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains in detail how to use the openssl command in Linux. The editor finds it very practical and shares it here as a reference; hopefully you will get something out of it.
OpenSSL, a common Linux command, is a powerful Secure Sockets Layer cryptographic library. It includes the major cryptographic algorithms, commonly used key and certificate encapsulation and management functions, and the SSL protocol, and it provides a rich set of applications for testing or other purposes.
As a supplement: after OpenSSL was found to have a serious security vulnerability, it turned out that most websites encrypted through the SSL protocol use the open source software package OpenSSL. Because this is the most widely used secure transmission method on the Internet, relied on by important websites such as online banking, online payment, e-commerce sites, portals and e-mail, the vulnerability affects a wide range of areas.
OpenSSL has two modes of operation: interactive mode and batch mode.
Running openssl with no arguments enters interactive mode; running openssl with a command and its options uses batch mode.
The whole software package of OpenSSL can be divided into three main functional parts: cryptographic algorithm library, SSL protocol library and application program. The directory structure of OpenSSL is naturally planned around these three functional parts.
Symmetric encryption algorithm
OpenSSL provides a total of eight symmetric encryption algorithms, of which seven are block ciphers and the only stream cipher is RC4. The seven block ciphers are AES, DES, Blowfish, CAST, IDEA, RC2 and RC5. They all support the four commonly used block cipher modes: electronic codebook (ECB), cipher block chaining (CBC), cipher feedback (CFB) and output feedback (OFB). In CFB and OFB mode, the block length used by AES is 128 bits, while the other algorithms use 64 bits. The DES support covers not only the commonly used DES algorithm but also the three-key and two-key 3DES algorithms.
Asymmetric encryption algorithm
OpenSSL implements four asymmetric encryption algorithms: the DH algorithm, the RSA algorithm, the DSA algorithm and the elliptic curve algorithm (EC). The DH algorithm is generally used for key exchange. The RSA algorithm can be used for both key exchange and digital signatures and, if you can put up with its slow speed, for data encryption as well. The DSA algorithm is generally used only for digital signatures.
Message digest algorithm
OpenSSL implements five message digest algorithms: MD2, MD5, MDC2, SHA (SHA1) and RIPEMD. The SHA entry actually covers two message digest algorithms, SHA and SHA1. In addition, OpenSSL implements the two message digest algorithms DSS and DSS1, which are specified in the DSS standard.
Key and certificate management
Key and certificate management is an important part of PKI. OpenSSL provides rich functions and supports a variety of standards.
First of all, OpenSSL implements the ASN.1 standards related to certificates and keys, and provides DER, PEM and BASE64 encoding and decoding for data objects such as certificates, public keys, private keys, certificate requests and CRLs. OpenSSL provides methods, functions and applications for generating a variety of public key pairs and symmetric keys, as well as DER encoding and decoding of public and private keys. It also implements PKCS#12 and PKCS#8 encoding and decoding of private keys. OpenSSL supports the encryption protection for private keys defined in these standards, so that keys can be stored and distributed securely.
On this basis, OpenSSL implements X.509 encoding and decoding of certificates, PKCS#12 encoding and decoding, and PKCS#7 encoding and decoding. It also provides a text database to support certificate management functions, including certificate key generation, request generation, certificate issuance, revocation and verification.
In fact, the CA application provided by OpenSSL is a small certificate authority (CA) that implements the entire certificate issuance process and most of the certificate management mechanisms.
Examples
1. Use openssl to generate passwords
Almost all Linux distributions include openssl. Its random function can generate random strings that can be used as passwords.
# openssl rand -base64 10
nU9LlHO5nsuUvw==
2. Message digest algorithm application examples
Use the SHA1 algorithm to calculate the hash value of the file file.txt and output it to stdout:
# openssl dgst -sha1 file.txt
Use the SHA1 algorithm to calculate the hash value of the file file.txt and output it to the file digest.txt:
# openssl sha1 -out digest.txt file.txt
Use the DSS1 (SHA1) algorithm to sign the file file.txt and output the signature to the file dsasign.bin. The signing private key must be generated by the DSA algorithm and is stored in the file dsakey.pem:
# openssl dgst -dss1 -sign dsakey.pem -out dsasign.bin file.txt
Use the DSS1 algorithm to verify the digital signature dsasign.bin of file.txt. The private key used for verification is the file dsakey.pem generated by the DSA algorithm:
# openssl dgst -dss1 -prverify dsakey.pem -signature dsasign.bin file.txt
Use the SHA1 algorithm to sign the file file.txt and output the signature to the file rsasign.bin. The signing private key is the file rsaprivate.pem generated by the RSA algorithm:
# openssl sha1 -sign rsaprivate.pem -out rsasign.bin file.txt
Use the SHA1 algorithm to verify the digital signature rsasign.bin of file.txt. The public key used for verification is the file rsapublic.pem generated by the RSA algorithm:
# openssl sha1 -verify rsapublic.pem -signature rsasign.bin file.txt
3. Symmetric encryption application examples
Use the CBC mode of the DES3 algorithm to encrypt the file plaintext.doc and output the result to the file ciphertext.bin:
# openssl enc -des3 -salt -in plaintext.doc -out ciphertext.bin
Use the OFB mode of the DES3 algorithm to decrypt the file ciphertext.bin, with the password trousers, and output to the file plaintext.doc. Note: this command cannot decrypt the file produced above because the modes differ:
# openssl enc -des-ede3-ofb -d -in ciphertext.bin -out plaintext.doc -pass pass:trousers
Encrypt plaintext.doc with Blowfish in CFB mode, taking the password from the environment variable PASSWORD, and output to the file ciphertext.bin:
# openssl bf-cfb -salt -in plaintext.doc -out ciphertext.bin -pass env:PASSWORD
Encode the file ciphertext.bin with base64 and output it to the file base64.txt:
# openssl base64 -in ciphertext.bin -out base64.txt
Encrypt the file plaintext.doc with the CBC mode of the RC5 algorithm and output to the file ciphertext.bin; the salt, key and initialization vector (iv) are specified on the command line:
# openssl rc5 -in plaintext.doc -out ciphertext.bin -S C62CB1D49F158ADC -iv E9EDACA1BD7090C6 -K 89D4B1678D604FAA3DBFFD030A314B29
4. Diffie-Hellman application examples
Generate Diffie-Hellman parameters using generator 2 and a random 1024-bit prime, and save the output to the file dhparam.pem:
# openssl dhparam -out dhparam.pem -2 1024
Read the Diffie-Hellman parameters from dhparam.pem and output them to stdout in the form of C code:
# openssl dhparam -in dhparam.pem -noout -C
5. DSA application examples
Generate a 1024-bit DSA parameter set and output it to the file dsaparam.pem:
# openssl dsaparam -out dsaparam.pem 1024
Use the parameter file dsaparam.pem to generate a DSA private key, encrypt it with 3DES and output it to the file dsaprivatekey.pem:
# openssl gendsa -out dsaprivatekey.pem -des3 dsaparam.pem
Use the private key dsaprivatekey.pem to generate the public key and output it to dsapublickey.pem:
# openssl dsa -in dsaprivatekey.pem -pubout -out dsapublickey.pem
Read the private key from dsaprivatekey.pem, decrypt it, enter a new password to encrypt it, and write it back to the file dsaprivatekey.pem:
# openssl dsa -in dsaprivatekey.pem -out dsaprivatekey.pem -des3
6. RSA application examples
Generate a 1024-bit RSA private key, encrypt it with 3DES using the password trousers, and output it to the file rsaprivatekey.pem:
# openssl genrsa -out rsaprivatekey.pem -passout pass:trousers -des3 1024
Read the private key from the file rsaprivatekey.pem, decrypt it with the password trousers, and output the generated public key to the file rsapublickey.pem:
# openssl rsa -in rsaprivatekey.pem -passin pass:trousers -pubout -out rsapublickey.pem
Encrypt the file plain.txt with the public key rsapublickey.pem and output it to the file cipher.txt:
# openssl rsautl -encrypt -pubin -inkey rsapublickey.pem -in plain.txt -out cipher.txt
Use the private key rsaprivatekey.pem to decrypt the ciphertext cipher.txt and output it to the file plain.txt:
# openssl rsautl -decrypt -inkey rsaprivatekey.pem -in cipher.txt -out plain.txt
Sign the file plain.txt with the private key rsaprivatekey.pem and output the signature to the file signature.bin:
# openssl rsautl -sign -inkey rsaprivatekey.pem -in plain.txt -out signature.bin
Verify the signature signature.bin with the public key rsapublickey.pem and output the result to the file plain.txt:
# openssl rsautl -verify -pubin -inkey rsapublickey.pem -in signature.bin -out plain.txt
Obtain the public key from the X.509 certificate file cert.pem, encrypt mail.txt with 3DES, and output to the file mail.enc:
# openssl smime -encrypt -in mail.txt -des3 -out mail.enc cert.pem
Obtain the recipient's public key from the X.509 certificate file cert.pem, decrypt the S/MIME message mail.enc with the private key key.pem, and output the result to the file mail.txt:
# openssl smime -decrypt -in mail.enc -recip cert.pem -inkey key.pem -out mail.txt
cert.pem is the X.509 certificate file. Sign mail.txt with the private key key.pem; the certificate is included in the S/MIME message, which is output to the file mail.sgn:
# openssl smime -sign -in mail.txt -signer cert.pem -inkey key.pem -out mail.sgn
Verify the S/MIME message mail.sgn and output to the file mail.txt. The signer's certificate should be included in mail.sgn as part of the S/MIME message:
# openssl smime -verify -in mail.sgn -out mail.txt
More examples:
# openssl version -a
# openssl help
# openssl genrsa -aes128 -out fd.key 2048  # PEM format
# openssl rsa -text -in fd.key
That concludes this article on "how to use openssl commands in Linux". I hope the content above is of some help and lets you learn more; if you think the article is good, please share it so more people can see it.
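The RSA sign and verify pair from the message digest examples, run end to end as an added example that is not part of the original article: it signs a constructed file, verifies it, then appends one byte and verifies again. It uses dgst -sha256 and a 2048-bit key in place of the page's sha1 and 1024-bit values; the function name and the temporary paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. file.txt holds constructed
# sample text; SHA-256 and a 2048-bit key replace the page's SHA1 and 1024 bits.

# Signs file.txt, verifies the signature, changes the file, verifies again.
# Prints "<result for intact file> <result for modified file>".
sign_verify_demo() {
    dir=$(mktemp -d) || return 1   # mktemp -d creates the directory with mode 0700

    printf 'release notes, constructed sample text\n' > "$dir/file.txt"

    # Key pair; the private key is left unencrypted only because it is
    # deleted with the temporary directory at the end of the function.
    openssl genrsa -out "$dir/rsaprivate.pem" 2048 2>/dev/null || return 1
    openssl rsa -in "$dir/rsaprivate.pem" -pubout \
        -out "$dir/rsapublic.pem" 2>/dev/null || return 1

    openssl dgst -sha256 -sign "$dir/rsaprivate.pem" \
        -out "$dir/rsasign.bin" "$dir/file.txt" || return 1

    # openssl dgst -verify exits 0 on success and non-zero on failure, so a
    # script can branch on the exit status instead of parsing printed text.
    if openssl dgst -sha256 -verify "$dir/rsapublic.pem" \
           -signature "$dir/rsasign.bin" "$dir/file.txt" >/dev/null 2>&1; then
        intact=ok
    else
        intact=fail
    fi

    printf 'x' >> "$dir/file.txt"   # a one-byte change to the signed file
    if openssl dgst -sha256 -verify "$dir/rsapublic.pem" \
           -signature "$dir/rsasign.bin" "$dir/file.txt" >/dev/null 2>&1; then
        tampered=ok
    else
        tampered=fail
    fi

    rm -rf "$dir"
    echo "$intact $tampered"
}

sign_verify_demo
```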
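The mode mismatch noted in the symmetric encryption examples, as an added example that is not part of the original article: it encrypts a constructed sample with the page's -des3 (CBC) command, decrypts it once with -des-ede3-ofb and once with -des3, and reports which attempt recovers the plaintext. The function name, the temporary paths and the -pbkdf2 option are assumptions added here; the password is read through env:PASSWORD as in the page's Blowfish command.

```shell
#!/bin/sh
# Added example, not from the original article. The plaintext is constructed
# sample text; -pbkdf2 is an addition that the article's commands do not use.

# Encrypts with 3DES-CBC, then decrypts once with 3DES-OFB (wrong mode) and
# once with 3DES-CBC (right mode).
# Prints "<wrong-mode result> <right-mode result>".
mode_mismatch_demo() {
    dir=$(mktemp -d) || return 1
    printf 'quarterly figures, constructed sample text\n' > "$dir/plaintext.doc"
    PASSWORD=trousers
    export PASSWORD   # read via env:, so the password is not in the argument list

    openssl enc -des3 -salt -pbkdf2 -in "$dir/plaintext.doc" \
        -out "$dir/ciphertext.bin" -pass env:PASSWORD || return 1

    # OFB is a stream mode with no padding to check: a wrong-mode decrypt can
    # finish without any error and still write garbage.
    if openssl enc -des-ede3-ofb -d -pbkdf2 -in "$dir/ciphertext.bin" \
           -out "$dir/wrong.doc" -pass env:PASSWORD 2>/dev/null &&
       cmp -s "$dir/plaintext.doc" "$dir/wrong.doc"; then
        wrong=recovered
    else
        wrong=garbage
    fi

    if openssl enc -des3 -d -pbkdf2 -in "$dir/ciphertext.bin" \
           -out "$dir/right.doc" -pass env:PASSWORD 2>/dev/null &&
       cmp -s "$dir/plaintext.doc" "$dir/right.doc"; then
        right=recovered
    else
        right=garbage
    fi

    rm -rf "$dir"
    echo "$wrong $right"
}

mode_mismatch_demo
```

openssl enc performs no integrity check of its own, so the decrypted output should be compared against a digest or signature of the original rather than accepted on exit status alone.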