OpenSSL Hacks
OpenSSL is a powerful Secure Sockets Layer cryptographic library. Apache uses it for HTTPS encryption, and OpenSSH uses it for SSH encryption. But you don't have to use it as a library. It's also a multipurpose, cross-platform crypto tool.
Here's a little background on OpenSSL. Before OpenSSL, there was ssleay, an SSL implementation written by Eric A. Young. It was successively improved and eventually became OpenSSL, similar to how NCSA HTTPd became the Apache Web server. Today, OpenSSL supports dozens of cryptographic algorithms and protocols with hundreds of options.
OpenSSL has a lot of features. In addition to the SSL client and server features, OpenSSL also has:
- US federal government NIST FIPS 140-2 Level 1 validation.
- TLS, the next generation of SSL.
- X.509 key and certificate generation.
- X.509 certificate authority.
- S/MIME encryption.
- File encryption and hashing.
- UNIX password hashes.
- Nine different commercial cryptographic hardware devices.
- Cryptographic performance testing.
- Thirty-six commands.
- Six message digest algorithms.
- Nine cipher algorithms with four block modes (where applicable).
- Multiple crypto protocols.
Although OpenSSL is complex, a lot of that complexity can be avoided. The remainder of this article concentrates on features that are easy to use, and in only a few lines of shell code.
This article uses the same section titles as in my earlier GnuPG article (“GnuPG Hacks”, Linux Journal, March 2006, page 52) to make it easier to compare OpenSSL and GnuPG.
First, let's confirm that OpenSSL is installed and in your path. Many Linux distributions, even some small distributions, include OpenSSL. Usually OpenSSL is located in /usr/bin/, like most bundled packages.
In all of the examples, the shell prompt is set to $.
First, type:
$ openssl version
Note that there are no leading dashes for the version option.
You should get something like this:
OpenSSL 0.9.7d 17 Mar 2004
The exact version number, date and other details may vary. At the time of this writing, the current version is OpenSSL 0.9.8a. The examples we're using should work for most versions of OpenSSL.
If you typed openssl with no command-line option, you'll get this:
OpenSSL>
If this happens, simply type quit or press Ctrl-C to exit safely. It's only the OpenSSL internal command-line prompt. It doesn't have command-line editing and has no explicit help function. However, it will print a list of commands if you type a command it doesn't know. It's better to avoid it for now.
Binary files typically are sent in e-mail using MIME. However, if your e-mail software doesn't support MIME, like most command-line e-mail, you're stuck with uuencode, or you can use OpenSSL's base64 encoding. Base64 is the same encoding used by the much more complicated MIME protocol, but it's not directly MIME-compatible.
To wrap a file in base64 text encoding, type:
$ openssl base64 < filename.bin > filename.txt
To unwrap a base64-encoded file, type:
$ openssl base64 -d < filename.txt > filename.bin
Note that OpenSSL doesn't care about the filename extension.
OpenSSL, unlike GnuPG or MIME, also can encode short strings, as follows:
$ echo "The Linux Journal" | openssl base64
VGhlIExpbnV4IEpvdXJuYWwK
Decoding is similar:
$ echo "VGhlIExpbnV4IEpvdXJuYWwK" | openssl base64 -d
The Linux Journal
sum and cksum are the traditional UNIX checksum programs. They work fine, as long as you don't need cross-platform compatibility or security, and you don't mind that occasionally two completely different files will have the same checksum value.
Although Linux systems often have md5sum installed, the MD5 algorithm suffers from a relatively new vulnerability and shouldn't be used anymore.
If it's installed, the more secure sha1sum should be used. Several different programs go by this name, however. Some versions can hash only one file at a time, some can't handle stdin or have some other deficiency. If you run into any of these problems or simply want consistent, known, good cross-platform software, consider OpenSSL.
The OpenSSL hash output format is a bit different from GnuPG, but numerically identical. OpenSSL format always identifies the algorithm used and also outputs a lowercase hexadecimal string with no whitespace. Some find this format easier to use.
Here are some examples:
$ openssl sha1 filename
SHA1(filename)= e83a42b9bc8431a6645099be50b6341a35d3dceb
$ openssl md5 filename
MD5(filename)= 26e9855f8ad6a5906fea121283c729c4
As in my previous “GnuPG Hacks” article, the above examples use a file that contains the string: “The Linux Journal”. Note that there is no period in the string.
If you have a problem replicating these results, here is the ASCII-annotated hexadecimal representation of the file. Note the newline at the end automatically added by vi:
T  h  e     L  i  n  u  x     J  o  u  r  n  a  l  \n
54 68 65 20 4c 69 6e 75 78 20 4a 6f 75 72 6e 61 6c 0a
OpenSSL, unlike GnuPG, doesn't have SHA-512, but OpenSSL does have MD2, MD4 and MDC2. These are older algorithms that are provided for backward compatibility. Like MD5, they shouldn't be used anymore.
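The trailing newline noted above changes both the base64 text and the digest, which is the usual reason a published hash fails to match a local copy. The script below is an added example, not part of the original article; the function names (digest_of, verify_digest, b64_of) and the temporary sample files are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the article): check files against a digest with openssl.

# Print only the hex digest of a file. $1 = digest name (sha1, md5), $2 = path.
# Reading from stdin keeps the file name out of the output; depending on the
# OpenSSL version a "(stdin)= " style prefix is printed, so take the last field.
digest_of() {
    openssl dgst "-$1" < "$2" | awk '{ print $NF }'
}

# Exit status 0 only if the file's digest equals the expected hex string.
# $1 = digest name, $2 = path, $3 = expected digest (upper or lower case).
verify_digest() {
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    actual=$(digest_of "$1" "$2")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Base64 text of a file, as produced by "openssl base64". $1 = path.
b64_of() {
    openssl base64 < "$1"
}

# Constructed samples: the article's 18-byte file, and the same text without
# the trailing newline that vi (or echo) adds.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'The Linux Journal\n' > "$SAMPLES/with_nl.txt"
printf 'The Linux Journal'   > "$SAMPLES/no_nl.txt"

PAGE_SHA1=e83a42b9bc8431a6645099be50b6341a35d3dceb   # SHA1 printed in the article

for f in with_nl.txt no_nl.txt; do
    printf '%-12s base64=%s sha1=%s\n' "$f" \
        "$(b64_of "$SAMPLES/$f")" "$(digest_of sha1 "$SAMPLES/$f")"
    if verify_digest sha1 "$SAMPLES/$f" "$PAGE_SHA1"; then
        echo "  matches the SHA1 printed in the article"
    else
        echo "  does not match the SHA1 printed in the article"
    fi
done
```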
Comments
In relation to the password
In relation to the password hash, surely the server needs to know the salt too? When I run the example I don't get the salt returned, so how can the hash be used?? Can the salt be derived from the hash somehow, and if so, doesn't knowledge of the salt make the hash much, much weaker?
I'm sure I've missed something obvious!
As far as I know, the salt
As far as I know, the salt is stored between two dollar signs. So it's part of the hash. At least for the MD5 (openssl passwd -1).
MD5 passwd hash
I need a cc or gcc source file that I can compile on an HP running HPUX 11. I want to compile it into an existing process that currently generates and hashes 8 digit passwords using DES i.e., the old crypt(). I must now increase that password from 8 positions to 15 for security purposes. I'd guess that a perl script would do also as long as it had the proper hooks to the MD5 hash.
I will really appreciate any help on this item.
RE:
Great Article Anthony!
Very interesting and informational.
Can you expand a little on where you say:
"...run the above example multiple times. The output is the cryptographic hash of your password. The hash is randomly salted so that every time it's run, the output will be different, even if the password is the same."
Why will the output be different?
Thanks!
-John
salt
Basically, salt is a random string appended to your password. So instead of hash(password), we do hash(password | salt). The server keeps both salt and hash value. The purpose of salt is to prevent pre-calculated table attack.
Ref: http://en.wikipedia.org/wiki/Salt_%28cryptography%29
Page is rendered too wide
The lines on this page are too wide, I have to scroll horizontally to read each line, hence I haven't read the article.
The problem seems to be Table 2, and specifically the header lines, but Table 3 may also be wide on some screens.
I'm sure someone can find a number of creative ways to solve the problem.
Randy Kramer
Page is rendered too wide
In most browsers, those capable of handling cascading style sheets (CSS), that table displays with a horizontal scroll bar at the bottom and does not extend the page width.
What browser are you using and what version?
Webmaster
Linux Journal
I forgot to ask
Have you changed the settings in your browser so you use a default or customized style sheet for it? This is common with Opera.
Webmaster
Linux Journal
"I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone."
-- Bjarne Stroustrup
Width problem
The width problem on this page as commented by others is still there. Using Konqueror 3.5.4 on Kubuntu with stylesheet set as default. Browser as-is passes the acid style test 100%. The problem is with your site.
Sorry.
Allan Morris.
Width problem
There were two problems here. Though I made the page quit showing so wide, the problems still exist.
Problem #1 Konqueror will not obey the CSS rule (overflow: auto;) for a table which would make a horizontal scroll bar appear only underneath the oversized table and the screen would not display wide. All other browsers I tested do this.
Problem #2 Konqueror obeyed a CSS rule for table headers (th{white-space: nowrap;}) that none of the other browsers paid any attention to. I killed the white-space rule and the page no longer overextends your screen (or at least not as much, there is still a point where the table headers will not continue to wrap). If the other browsers had obeyed this rule I would have found this problem much earlier.
Webmaster