OpenSSLPublished on 30 Jan 2005
The OpenSSL library provides access to SSL encrypted tunnels. Most of its functionality is accessible via the
openssl command which is shipped with the OpenSSL package.
A digest is a one-way transformation of a string (into a hash) that can be used to ensure the integrity of the string. For example, this technique is used in PGP to sign messages. Commonly used algorithms include MD5 and SHA-1.
The following command demonstrates how to generate a MD5 hash of the content of a file:
openssl -md5 -in INFILE -out OUTFILE
openssl command can be used to generate hashed password as well as strings which are insusceptible by dictionary-based attacks against passwords.
The crypt3 hash algorithm was formerly used to hash passwords on Unix systems but has been superseded by the md5-crypt hash algorithm, at least on linux systems.
openssl passwd -salt SALT PASSWORD
Similar to the above command, a hash password is generated from a password and a salt, though, the format of the output, the modular crypt format (MCF), is more sophisticated to allow for a variety of hash algorithms. The simple format which is discussed here begins with a
$and consists of three fields separated by
$where the first fields indicates which hash algorithm is used (md5-crypt was assigned 1), the second and third contain the salt and the password, respectively.
openssl passwd -1 -salt SALT PASSWORD
Please note, that there is a huge difference between a simple MD5 hash and a md5-crypt’ed password. Although the md5-crypt hash algorithm is based on the MD5 hash algorithm, the two can not be transformed into each other without knowledge of the plaintext password.
Generation of N chars
opensslcan also be used to create a string of pseudo-randomly chosen characters of a custom length:</p>
openssl rand -base64 N | head -c N
What is Base64
openssl enc -base64 -e -in INFILE -out OUTFILE
openssl enc -base64 -d -in INFILE -out OUTFILE
Often the privacy of data that is transmitted over a private network is of major concern to the participating parties. The
openssl also provides commonly used symmetrical encryption algorithms (asymmetrical encryption algorithms are covered by gnupg) which are two-way transformations of strings based on a password.
The following commands demonstrate the use of the
openssl command to encrypt the content of a file using the Advanced Encryption Standard (AES) algorithm. The user is prompted for the password on the current terminal.
openssl enc -aes256 -e -in INFILE -out OUTFILE
openssl enc -aes256 -d -in INFILE -out OUTFILE
In addition, the
openssl command can be used to open a SSL tunnel to a remote host which can be used to tunnel sensitive protocol data:
openssl s_client -connect HOST:PORT