OpenSSL
Published on 30 Jan 2005Tags #AES #Base64 #MD5 #OpenSSL #PGP #Salt #SHA1 #SSL
The OpenSSL library provides access to SSL encrypted tunnels. Most of its functionality is accessible via the openssl
command which is shipped with the OpenSSL package.
Digests
A digest is a one-way transformation of a string (into a hash) that can be used to ensure the integrity of the string. For example, this technique is used in PGP to sign messages. Commonly used algorithms include MD5 and SHA-1.
The following command demonstrates how to generate a MD5 hash of the content of a file:
openssl -md5 -in INFILE -out OUTFILE
Passwords
The openssl
command can be used to generate hashed password as well as strings which are insusceptible by dictionary-based attacks against passwords.
-
crypt3
The crypt3 hash algorithm was formerly used to hash passwords on Unix systems but has been superseded by the md5-crypt hash algorithm, at least on linux systems.
openssl passwd -salt SALT PASSWORD
-
md5-crypt
Similar to the above command, a hash password is generated from a password and a salt, though, the format of the output, the modular crypt format (MCF), is more sophisticated to allow for a variety of hash algorithms. The simple format which is discussed here begins with a
$
and consists of three fields separated by$
where the first fields indicates which hash algorithm is used (md5-crypt was assigned 1), the second and third contain the salt and the password, respectively.openssl passwd -1 -salt SALT PASSWORD
Please note, that there is a huge difference between a simple MD5 hash and a md5-crypt’ed password. Although the md5-crypt hash algorithm is based on the MD5 hash algorithm, the two can not be transformed into each other without knowledge of the plaintext password.
-
Generation of N chars
The
openssl
can also be used to create a string of pseudo-randomly chosen characters of a custom length:</p>openssl rand -base64 N | head -c N
Base64 encoding
What is Base64
-
Encoding
openssl enc -base64 -e -in INFILE -out OUTFILE
-
Decoding
openssl enc -base64 -d -in INFILE -out OUTFILE
Data encryption
Often the privacy of data that is transmitted over a private network is of major concern to the participating parties. The openssl
also provides commonly used symmetrical encryption algorithms (asymmetrical encryption algorithms are covered by gnupg) which are two-way transformations of strings based on a password.
The following commands demonstrate the use of the openssl
command to encrypt the content of a file using the Advanced Encryption Standard (AES) algorithm. The user is prompted for the password on the current terminal.
-
Encrypt
openssl enc -aes256 -e -in INFILE -out OUTFILE
-
Decrypt
openssl enc -aes256 -d -in INFILE -out OUTFILE
SSL client
In addition, the openssl
command can be used to open a SSL tunnel to a remote host which can be used to tunnel sensitive protocol data:
openssl s_client -connect HOST:PORT