OpenSSL

Published on 30 Jan 2005
Tags #AES #Base64 #MD5 #OpenSSL #PGP #Salt #SHA1 #SSL

The OpenSSL library provides access to SSL encrypted tunnels. Most of its functionality is accessible via the openssl command which is shipped with the OpenSSL package.

Digests

A digest is a one-way transformation of a string (into a hash) that can be used to ensure the integrity of the string. For example, this technique is used in PGP to sign messages. Commonly used algorithms include MD5 and SHA-1.

The following command demonstrates how to generate a MD5 hash of the content of a file:

openssl -md5 -in INFILE -out OUTFILE

Passwords

The openssl command can be used to generate hashed password as well as strings which are insusceptible by dictionary-based attacks against passwords.

crypt3

The crypt3 hash algorithm was formerly used to hash passwords on Unix systems but has been superseded by the md5-crypt hash algorithm, at least on linux systems.

openssl passwd -salt SALT PASSWORD
md5-crypt

Similar to the above command, a hash password is generated from a password and a salt, though, the format of the output, the modular crypt format (MCF), is more sophisticated to allow for a variety of hash algorithms. The simple format which is discussed here begins with a $ and consists of three fields separated by $ where the first fields indicates which hash algorithm is used (md5-crypt was assigned 1), the second and third contain the salt and the password, respectively.

openssl passwd -1 -salt SALT PASSWORD

Please note, that there is a huge difference between a simple MD5 hash and a md5-crypt’ed password. Although the md5-crypt hash algorithm is based on the MD5 hash algorithm, the two can not be transformed into each other without knowledge of the plaintext password.
Generation of N chars

The openssl can also be used to create a string of pseudo-randomly chosen characters of a custom length:</p>

openssl rand -base64 N | head -c N

Base64 encoding

What is Base64

Encoding

openssl enc -base64 -e -in INFILE -out OUTFILE
Decoding

openssl enc -base64 -d -in INFILE -out OUTFILE

Data encryption

Often the privacy of data that is transmitted over a private network is of major concern to the participating parties. The openssl also provides commonly used symmetrical encryption algorithms (asymmetrical encryption algorithms are covered by gnupg) which are two-way transformations of strings based on a password.

The following commands demonstrate the use of the openssl command to encrypt the content of a file using the Advanced Encryption Standard (AES) algorithm. The user is prompted for the password on the current terminal.

Encrypt

openssl enc -aes256 -e -in INFILE -out OUTFILE
Decrypt

openssl enc -aes256 -d -in INFILE -out OUTFILE

SSL client

In addition, the openssl command can be used to open a SSL tunnel to a remote host which can be used to tunnel sensitive protocol data:

openssl s_client -connect HOST:PORT

Feedback is always welcome! If you'd like to get in touch with me concerning the contents of this article, please use Twitter.

Nicholas Dille

OpenSSL

Digests

Passwords

Base64 encoding

Data encryption

SSL client

Related Posts

Talk about automated dependency upates using #Renovate @devsmeetup31 Jan 2024

New two day workshop about #GitLab CI (German)30 Nov 2023

Workshop about operating #GitLab (German)23 Nov 2023