[CRYPTOGRAPHY] OpenSSL

OpenSSL

OpenSSL is a software library for applications that secure communications over computer networks. Is a C library that implements the main cryptographic operations like symmetric encryption, public-key encryption, digital signature, hash functions, etc. Cryptography Foundations

OpenSSL contains an open-source implementation of the SSL and TLS protocols.

The OpenSSL Software Foundation (OSF) represents the OpenSSL project in most legal capacities including contributor license agreements, managing donations, and so on. OpenSSL Software Services (OSS) also represents the OpenSSL project, for Support Contracts.

OpenSSL is available for most Unix-like operating systems (including Linux, macOS, and BSD) and Microsoft Windows.

The source code can be downloaded from www.openssl.org

There are several forks of OpenSSL project.

• LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.

• BoringSSL is a fork of OpenSSL that is designed to meet Google’s needs. Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is.

Installing OpenSSL

On Ubuntu Linux distribution

On Ubuntu Linux distribution, OpenSSL is usually already available; however, it can be installed using the following commands:

$ sudo apt-get install openssl

On MacOS

• Install Homebrew
• To install OpenSSL - The Open Source SSL and TLS toolkit, run the following command from the terminal:

  $ brew install openssl
  

On Windows

• Install Chocolatey
• To install OpenSSL - The Open Source SSL and TLS toolkit, run the following command from the command line or from PowerShell:

  choco install openssl.light --version=1.0.1.3
  

Checking the version of OpenSSL

$ openssl version -a

OpenSSL commands

To list OpenSSL commands run the following command on a terminal.

$ openssl list-standard-commands

See a brief description of each command: STANDARD COMMANDS

OpenSSL secret key encryption algorithms

To list OpenSSL secret key encryption algorithms run the following command on a terminal.

$ openssl list-cipher-commands

See a brief description of each command: ENCODING AND CIPHER COMMANDS

How to encrypt and decrypt using AES

Encrypting Using Passwords

OpenSSL makes it easy to encrypt/decrypt files using a passphrase. Unfortunately, pass phrases are usually “terrible” and difficult to manage and distribute securely.

$ openssl aes-256-cbc -in secret.txt -out secret.txt.enc
...
enter aes-256-cbc encryption password: ****
Verifying - enter aes-256-cbc encryption password: ****

Note that secret.txt.enc is a binary file; sometimes, it is desirable to encode this binary file into a text format for compatibility/interoperability reasons. The following command can be used to do that:

$ openssl enc -base64 -in secret.txt.enc -out secret.txt.enc.b64
$ cat secret.txt.enc.b64
...
U2FsdGVkX19rgggeH83tOHp0kpmseWLw0tBJqvYA9QRtYuj9pHn5u30T5A5pBcwH

In order to decode from base64, the following commands are used. Take the secret.txt.enc.b64 file from the previous example:

$ openssl enc -d -base64 -in secret.txt.enc.b64 -out secret.txt.enc

Decrypting Using Passwords

$ openssl aes-256-cbc -d -in secret.txt.enc -out secret.txt.dec
...
enter aes-256-cbc decryption password: ****

Encrypting Using pseudo-random bytes key.

$ openssl rand 192 -out key
$ openssl aes-256-cbc -in secret.txt -out secret.txt.enc -pass file:key
$ tar -zcvf secret.tgz *.enc

Decrypting Using pseudo-random bytes key.

$ tar -xzvf secret.tgz
$ openssl aes-256-cbc -d -in secret.txt.enc -out secret.txt.dec -pass file:key

Sharing the file:key using rsautl

Assuming that id_rsa.pub is the public key you want to use and that id_rsa is the private key the recipient will use, and secret.txt is the data you want to transmit…

Encrypting

$ openssl rand 192 -out key
$ openssl aes-256-cbc -in secret.txt -out secret.txt.enc -pass file:key
$ openssl rsautl -encrypt -pubin -inkey ~/.ssh/id_rsa.pub -in key -out key.enc
$ tar -zcvf secret.tgz *.enc

Decrypting

$ tar -xzvf secret.tgz
$ openssl rsautl -decrypt -ssl -inkey ~/.ssh/id_rsa -in key.enc -out key
$ openssl aes-256-cbc -d -in secret.txt.enc -out secret.txt.dec -pass file:key

How to encrypt and decrypt using RSA

Generating the private key

$ openssl genpkey -algorithm RSA -out privatekey.pem -pkeyopt rsa_keygen_bits:1024
............++++++
........++++++

After executing the command, a file named privatekey.pem is produced, which contains the generated private key. This is shown as follows:

$ cat privatekey.pem
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALtVw+eLI95poiqN
YOJlt3udH5rq70K0pwx6nXJhhZRsMD767RAFjbZThhJ3QCDvd8K7s/IvR29Jeq3L
IEDN2uM+nB1ZE5I5Hq901Qc1aLneQ4BMzSlzjYTIFfrpYX07EqWtAfOouk+zxp5I
12z4vV1kAU/W2WK4P98xZc9xd8WjAgMBAAECgYBigtxNA1cuW0AivkvHYhPVli+L
iKWe317E6imnf27+ONI6HDvTZAg8a7miNkFr0GGa7pfW8FPRSsOPZrSkP1wtourj
LVmENjKaUuSyIxxSTJ8sD70KFJ5xNRZe7bPgekF+q5TXUQzMLub31z+/iYca76Sy
kdptaxBPD8OlC4XQWQJBAOnY4Mv3tpvLcQBxpUaRxUOGoVJ1+OCzpFIKHtgAlCMa
pGXxPDXs89kePa8RNPn/vZDiswe/2WM2imfYAu8A0i8CQQDNFObubb4n/WRIdvxJ
QMSYlmcFB3Lhe5ONbRpS1JMWmigtxpVWtSnKN8Y5nHOEAZyYYxeQcynta/ZwxCFr
uGrNAkBl7L7GiFjSfRDq5Z3pLV4yuXqVK5BnuEUV8Q1SjqYCyvj+6e+ZfYcnilPO
e4yAruRcQ0NPTGKfKMWYz4Ev1UbHAkEAqRn+HUXCUUkgIpxyBJjyQntp8PymXoS+
MxRuazQ7IJz2WmBvjXKORd7dhW2a1pNZo1G6AXLkdI/cQjmG8UK8VQJAJ2GmzyPL
fwO9P1IFhBFV7eYAeoma3UuoeqH1/nDarPT6HPGVIZWILimgjKJSb8nNcYLSGijX
eL0GJ/rWk5BgUw==
-----END PRIVATE KEY-----

Generating the public key

As the private key is mathematically linked to the public key, it is possible to generate or derive the public key out of the private key. Taking the example of the preceding private key, the public key can be generated as shown here:

$ openssl rsa -pubout -in privatekey.pem -out publickey.pem
writing RSA key

Public key can be viewed using a file reader or any text viewer, as shown here:

$ cat publickey.pem
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7VcPniyPeaaIqjWDiZbd7nR+a
6u9CtKcMep1yYYWUbDA++u0QBY22U4YSd0Ag73fCu7PyL0dvSXqtyyBAzdrjPpwd
WROSOR6vdNUHNWi53kOATM0pc42EyBX66WF9OxKlrQHzqLpPs8aeSNds+L1dZAFP
1tliuD/fMWXPcXfFowIDAQAB
-----END PUBLIC KEY-----

Encrypting

Taking the public key generated, the command to encrypt a text file secret.txt can be constructed, as shown here:

openssl rsautl -encrypt -inkey publickey.pem -pubin -in secret.txt -out secret.txt.rsa.enc

Decrypting

In order to decrypt the RSA-encrypted file, using the private key, the following command can be used:

openssl rsautl -decrypt -inkey privatekey.pem -in secret.txt.rsa.enc -out secret.txt.rsa.dec

References

• A Guide to Encrypting Files with Mac OS X
• An Introduction to the OpenSSL command line tool