
Openssl PPT For Lab

OpenSSL is an open-source cryptographic library that provides tools for securing communications and managing digital certificates. It implements the SSL/TLS protocols to encrypt connections between clients and servers. The OpenSSL command-line tool provides access to cryptography functions for tasks like key generation, encryption/decryption, signing/verification, and more. It supports algorithms like RSA, DES, and AES to encrypt/decrypt data and generate/examine keys.

Uploaded by

dine62611

OpenSSL

Introduction to OpenSSL

OpenSSL is an open-source cryptographic library that provides a robust toolkit for securing communications and for creating, managing, and verifying digital certificates. It is widely used for implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to encrypt connections between clients and servers.
• It is open-source software
• It is available for all operating systems
• It has implementations of SSL and TLS
• It is widely used by web servers and other network security programs
The openssl program is a command-line tool for using the various cryptography functions of OpenSSL's crypto library from the shell.

It can be used for:
• Creation and management of private keys, public keys and parameters
• Public key cryptographic operations
• Calculation of message digests
• Encryption and decryption with ciphers
• SSL/TLS client and server tests
• Handling of encrypted mail
• Time stamp requests, generation and verification
OpenSSL installation on Windows

1. Download the OpenSSL setup (http://openssl.org).
2. Run the setup.
3. Accept the agreement and click Next.
4. Provide the location where you want to install OpenSSL and click Next.
5. Click Next again.
6. Accept the default, the Windows system directory, then click Next.
7. Click Install.
8. Uncheck the selected box and click Finish.

Then check whether the setup was installed correctly:
1. Open cmd (Command Prompt).
2. Type openssl version to see the version of your OpenSSL.
If it works correctly, it gives you the version of your setup. Otherwise, you will get an error.

If you get this error, you must add OpenSSL to the environment variables:
1. Right-click This PC.
2. Select Properties.
3. Select Advanced system settings.
4. Click Environment Variables.
5. Under System variables, select Path and add a new path.
6. Copy the path where you installed OpenSSL and paste it into the new entry.
7. Click OK.
After you have created the environment variable, check the version again; this time you get the version directly.
How to use the command-line tool

• The command-line tool openssl provides access to the different tools implemented in the OpenSSL libraries.
• You can obtain the list of openssl commands with
openssl help // opens the help page of openssl and shows all openssl commands
• The commands are divided into three sections:
1. Standard commands
2. Message digest commands
3. Cipher commands
• Information about an individual openssl command (e.g. enc) and its arguments can be retrieved with
openssl version --help // the version command takes different options
openssl version -a // show all data
openssl version -b // show build date
openssl version -d // show configuration directory
openssl version -v // show library version, etc.
openssl enc -help
• As usual, the detailed information can be found in the corresponding manual page:
man openssl
• The different crypto algorithms implemented in your version of OpenSSL can be listed with
openssl list-cipher-algorithms
or with
openssl enc -ciphers
depending on the OpenSSL version.
Verifying security using openssl
• Secret information is called confidential.
• Using cryptography we achieve confidentiality.
• To encrypt data, we first need keys.
• Integrity: messages should be modified or altered only by authorized parties.
• Confidentiality: the message should be accessible for reading only by authorized parties.
• Authentication: the correct identity is known to the communicating parties.
• Authorization: this property gives access rights to different types of users.
Generating symmetric/secret key
• A symmetric key is also called a secret key.
• To generate a secret key in openssl we use the rand command:
openssl rand -hex 10 // general form: openssl rand -hex <key size>
openssl rand -hex -out encryption.key 32 // generate 32 bytes of random hex-formatted data and save it to a file
type encryption.key // now we can use this key for any data we want
openssl rand -base64 32 // generate 32 bytes of random base64-encoded data
openssl rand -hex -out some_data 32 // generate 32 bytes of random hex-formatted data and save it to a file
Generating RSA private keys/Asymmetric keys

Generating an RSA private key
• To generate an RSA private key, use these commands:
openssl genrsa
openssl genrsa 1024 // 1024 is the key size
openssl genrsa > key.pri // generate a private key and store it in a file
type key.pri
rm key.pri // remove the key
openssl genrsa -out key.pri 1024 // generate a private key
type key.pri
openssl rsa -in key.pri -noout -text // examine the generated key

Generating an RSA public key
openssl rsa -in key.pri -pubout -out key.pub // generate the public key
type key.pub // this public key is also used to encrypt data
List of supported algorithms in openssl
openssl list -commands // list all available commands supported by openssl
openssl list -digest-algorithms // list the digest algorithms available in openssl
openssl list -cipher-algorithms // list the cipher algorithms available in openssl
openssl list -public-key-algorithms // list the public key algorithms available in openssl
openssl list -disabled // list disabled algorithms
openssl list -options aria-128-ctr // list the options for a command
• We can also use openssl to get the usage of an individual algorithm:
openssl list -options aes-256-cbc
openssl list -options rsa
Encryption using OpenSSL
• After we have generated a private and a public key, it is easy to encrypt and decrypt data.
• To encrypt data, use these commands:
dir // view your directory
openssl aes-256-cbc -in <in_file> -out <o_file> -e -kfile <key_file> // general form of the encryption command
openssl aes-256-cbc -in data.txt -out data.enc -e -kfile encryption.key // command used to encrypt data
dir // view your directory
type data.enc // view encrypted data

Decryption using OpenSSL
• Use the same command as for encryption, with a small change.
• Command to decrypt data:
openssl aes-256-cbc -in data.enc -out data.dec -d -kfile encryption.key // command to decrypt data
dir // view your directory
type data.dec // view your data
• Example 2: use another algorithm
openssl des-ede3-cbc -in data.txt -out data.enc -e -a // DES algorithm encryption command, where -a stands for base64
• DES asks for a password and takes the key from that password.
type data.enc // view data
• To decrypt that data:
openssl des-ede3-cbc -in data.enc -out data.dec -d -a // decryption command
type data.dec // view decrypted data
• What happens if you enter the wrong password?
• Here the password is used to generate the secret key.
• Let us use PBKDF2 (Password-Based Key Derivation Function 2).
• Encryption:
openssl aes-256-cbc -in data.txt -out data.enc -e -a -kfile encryption.key -pbkdf2
type data.enc
openssl rsautl -encrypt -inkey key.pub -pubin -in data.txt -out data.enc // encrypting using the RSA public key
• Decryption:
openssl aes-256-cbc -in data.enc -out data.dec -d -a -kfile encryption.key -pbkdf2
type data.dec
openssl rsautl -decrypt -inkey key.pri -in data.enc -out data.dec // decrypting using the RSA private key

Encrypting a secret key using an RSA key pair
openssl rand -hex -out secret.key 32
openssl rsautl -encrypt -inkey key.pub -pubin -in secret.key -out secret.key.enc
openssl rsautl -decrypt -inkey key.pri -in secret.key.enc -out secret.key.dec
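The AES and key-wrapping commands above combined into one round trip, as an added example that is not part of the original slides: the data is encrypted with AES under a random key file, and the key file itself is encrypted with the RSA public key. It assumes a POSIX shell and OpenSSL 1.1.1 or later (for -pbkdf2), uses openssl pkeyutl in place of rsautl, and its function names and sample text are made up for the demo. The last check addresses the wrong-password question: a wrong key usually ends in a "bad decrypt" error, but CBC carries no integrity check, so the reliable test is that the plaintext is not recovered.

```shell
#!/bin/sh
# Added example: hybrid encryption round trip with the openssl CLI.
# File names follow the slides; function names and sample text are constructed.

# Create an RSA key pair and a random AES key file in directory $1.
setup_keys() {
    openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key.pri" 2>/dev/null &&
    openssl pkey -in "$1/key.pri" -pubout -out "$1/key.pub" &&
    openssl rand -hex -out "$1/secret.key" 32
}

# Sender: encrypt data.txt with AES, then wrap the AES key file with RSA.
seal() {
    openssl aes-256-cbc -e -a -pbkdf2 -in "$1/data.txt" -out "$1/data.enc" \
        -kfile "$1/secret.key" &&
    openssl pkeyutl -encrypt -pubin -inkey "$1/key.pub" \
        -in "$1/secret.key" -out "$1/secret.key.enc"
}

# Receiver: unwrap the AES key file with the private key, then decrypt.
unseal() {
    openssl pkeyutl -decrypt -inkey "$1/key.pri" \
        -in "$1/secret.key.enc" -out "$1/secret.key.dec" &&
    openssl aes-256-cbc -d -a -pbkdf2 -in "$1/data.enc" -out "$1/data.dec" \
        -kfile "$1/secret.key.dec"
}

# Returns 0 when a different key file does NOT recover the plaintext.
wrong_key_rejected() {
    openssl rand -hex -out "$1/other.key" 32
    openssl aes-256-cbc -d -a -pbkdf2 -in "$1/data.enc" -out "$1/data.bad" \
        -kfile "$1/other.key" 2>/dev/null
    ! cmp -s "$1/data.txt" "$1/data.bad"
}

# Full demo in a temporary directory; returns 0 when every step behaves.
roundtrip() {
    d=$(mktemp -d) || return 1
    printf 'constructed sample plaintext\n' > "$d/data.txt"
    setup_keys "$d" && seal "$d" && unseal "$d" &&
        cmp -s "$d/data.txt" "$d/data.dec" && wrong_key_rejected "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}

roundtrip && echo "round trip OK, wrong key rejected"
```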
Generating Key Pairs using OpenSSL

• Generate RSA keys of various sizes
openssl genrsa // generate an RSA private key
openssl genrsa 1024 // generate an RSA private key of size 1024
openssl genrsa 4096
• The size of the generated RSA private key must be greater than or equal to 512.
• Generate an RSA private key and store it in a file
openssl genrsa -out key.pri // generate an RSA private key
openssl genrsa > key.pri // generate an RSA private key
type key.pri
• Generate an RSA public key
openssl rsa -in key.pri -pubout // generate the RSA public key
openssl rsa -in key.pri -pubout > key.pub // RSA public key
openssl rsa -in key.pri -pubout -out key.pub // RSA public key
• Examining the RSA private key
openssl rsa -in key.pri -noout -text // print in text format
• Examining the RSA public key
openssl rsa -in key.pub -pubin -noout -text // print in text format
• Generating an encrypted private key file
openssl genrsa -aes-256-cbc -out rsa.pri.enc 2048
type rsa.pri.enc

Generate DSA key pairs
• First, generate a DSA parameter file
openssl dsaparam -out dsa.param 2048 // DSA parameter file
• Second, generate the DSA key pair
openssl gendsa -out dsa.pri dsa.param // DSA private key
• Generating the DSA public key
openssl dsa -in dsa.pri -pubout // DSA public key
openssl dsa -in dsa.pri -pubout > dsa.pub
openssl dsa -in dsa.pri -pubout -out dsa.pub
• Examining the DSA key
openssl dsa -in dsa.pri -noout -text // examine DSA

Alternate ways to generate private keys
• Generate an RSA key
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:17 -out rsa.pri
• Examining the RSA private key
openssl pkey -in rsa.pri -noout -text
• Generate the RSA public key
openssl pkey -in rsa.pri -pubout -out rsa.pub
Generating Digital Certificates using OpenSSL
• Non-repudiation ensures that no party can deny that it sent or received a message via encryption.
• Non-repudiation is used as proof of authenticity. This is done by generating a digital signature.
• A digital signature is generated using the private key.

Generating a digital signature
• Simple RSA sign/verify
openssl rsautl -sign -inkey key.pri -in dta.txt -out digital.sig // generate an RSA signature
openssl rsautl -verify -inkey key.pub -pubin -in digital.sig // verify the RSA signature
• These two methods can be used only for small data: the input can be at most the RSA key size minus eleven bytes.
• To sign a large file we use a hash-based signature.
• Using hash-based signing methods to sign/verify
openssl sha1 -sign key.pri -out dgtal.sig dta.txt // sign
openssl sha1 -verify key.pub -signature dgtal.sig dta.txt // verify
• Get the list of all supported digest commands
openssl dgst -list // list the dgst commands
• Alternate way to sign/verify using a hash-based signing algorithm
openssl dgst -sha256 -sign key.pri -out dta1.sig dta.txt
openssl dgst -sha256 -verify key.pub -signature dta1.sig dta.txt
• Using the openssl pkeyutl option to sign
openssl pkeyutl -sign -in hash -inkey key.pri -out dgthash.sig -pkeyopt digest:sha256 // sign data using pkeyutl
openssl pkeyutl -verify -inkey key.pub -pubin -sigfile dgthash.sig -in hash -pkeyopt digest:sha256 // verify data
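How the dgst and pkeyutl signing commands above relate, as an added example that is not part of the original slides: the "hash" file that pkeyutl signs is the raw SHA-256 digest of dta.txt, and the resulting signature is the same one that dgst -sha256 -sign produces. It also shows that verification fails once the signed file is changed; the function names and the sample message are constructed for the demo.

```shell
#!/bin/sh
# Added example: hash-based RSA signing, two equivalent ways, plus tamper check.
# File names follow the slides; function names and messages are constructed.

# Create key.pri and key.pub in directory $1.
make_keys() {
    openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key.pri" 2>/dev/null &&
    openssl pkey -in "$1/key.pri" -pubout -out "$1/key.pub"
}

# One step: dgst hashes dta.txt and signs the digest.
sign_dgst() {
    openssl dgst -sha256 -sign "$1/key.pri" -out "$1/dta1.sig" "$1/dta.txt"
}

# Two steps: write the raw SHA-256 digest to "hash", then sign it with pkeyutl.
sign_pkeyutl() {
    openssl dgst -sha256 -binary -out "$1/hash" "$1/dta.txt" &&
    openssl pkeyutl -sign -in "$1/hash" -inkey "$1/key.pri" \
        -out "$1/dgthash.sig" -pkeyopt digest:sha256
}

# Returns 0 only when signature file $2 matches the current dta.txt.
verify() {
    openssl dgst -sha256 -verify "$1/key.pub" -signature "$1/$2" \
        "$1/dta.txt" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'pay 100 to alice\n' > "$d/dta.txt"
    make_keys "$d" && sign_dgst "$d" && sign_pkeyutl "$d" ||
        { rm -rf "$d"; return 1; }
    verify "$d" dta1.sig && echo "dgst signature verifies"
    verify "$d" dgthash.sig && echo "pkeyutl signature verifies with dgst"
    cmp -s "$d/dta1.sig" "$d/dgthash.sig" && echo "both signatures are identical"
    printf 'pay 900 to alice\n' > "$d/dta.txt"   # change the signed file
    verify "$d" dta1.sig || echo "modified file fails verification"
    rm -rf "$d"
}

demo
```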
Generating Digital Certificates using OpenSSL
• Generating a self-signed certificate
• To generate a certificate we need a private key.
• Generate a private key:
openssl genrsa -out rsa.pri // RSA private key
• Generate the self-signed certificate:
openssl req -x509 -key rsa.pri -sha256 -days 365 -out test.cer // generate a self-signed certificate
• Viewing a certificate
openssl x509 -in test.cer -noout -text
• Generating an RSA private key and certificate all in one go
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 -out test.cer
• Adding a subject to a certificate
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 -out test.cer -subj "/CN=Test"
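Checks worth running on a freshly generated self-signed certificate, as an added example that is not part of the original slides: it builds test.cer from rsa.pri without prompts (using -subj), then confirms that the certificate carries the public half of that key, that its signature verifies against itself, and that its lifetime matches -days 365. The function names are made up for the demo and a POSIX shell is assumed.

```shell
#!/bin/sh
# Added example: create a self-signed certificate without prompts and check it.
# File names follow the slides; function names are constructed for the demo.

# Create rsa.pri and a self-signed test.cer (subject /CN=Test) in directory $1.
make_cert() {
    openssl genrsa -out "$1/rsa.pri" 2048 2>/dev/null &&
    openssl req -x509 -key "$1/rsa.pri" -sha256 -days 365 \
        -subj "/CN=Test" -out "$1/test.cer"
}

# Returns 0 when the public key in test.cer belongs to private key file $2.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1/test.cer" -noout -pubkey) &&
    key_pub=$(openssl pkey -in "$1/$2" -pubout) &&
    [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate's signature verifies under its own key.
cert_is_self_signed() {
    openssl verify -CAfile "$1/test.cer" "$1/test.cer" >/dev/null 2>&1
}

# Print the subject in RFC 2253 form.
cert_subject() {
    openssl x509 -in "$1/test.cer" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//'
}

# Returns 0 when the certificate is still valid $2 days from now.
cert_valid_in_days() {
    openssl x509 -in "$1/test.cer" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_cert "$d" || { rm -rf "$d"; return 1; }
    cert_matches_key "$d" rsa.pri && echo "certificate matches rsa.pri"
    cert_is_self_signed "$d" && echo "signature verifies against itself"
    echo "subject: $(cert_subject "$d")"
    cert_valid_in_days "$d" 364 && echo "still valid in 364 days"
    cert_valid_in_days "$d" 366 || echo "expired in 366 days"
    rm -rf "$d"
}

demo
```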
