OpenSSL Hacks

OpenSSL contains a command-line tool to do nearly everything possible within the OpenSSL library. Even better, it's probably already installed on your system.

OpenSSL is a powerful Secure Sockets Layer cryptographic library. Apache uses it for HTTPS encryption, and OpenSSH uses it for SSH encryption. But, you don't have to use it as a library. It's also a multipurpose, cross-platform crypto tool.

Here's a little background on OpenSSL. Before OpenSSL, there was ssleay, an SSL implementation written by Eric A. Young. It was successively improved and eventually became OpenSSL, similar to how NCSA HTTPd became the Apache Web server. Today, OpenSSL supports dozens of cryptographic algorithms and protocols with hundreds of options.

OpenSSL has a lot of features. In addition to the SSL client and server features, OpenSSL also has:

  • US federal government NIST FIPS 140-2 Level 1 validation.

  • TLS, the next generation of SSL.

  • X.509 key and certificate generation.

  • X.509 certificate authority.

  • S/MIME encryption.

  • File encryption and hashing.

  • UNIX password hashes.

  • Nine different commercial cryptographic hardware devices.

  • Cryptographic performance testing.

  • Thirty-six commands.

  • Six message digest algorithms.

  • Nine cipher algorithms with four block modes (where applicable).

  • Multiple crypto protocols.

Although OpenSSL is complex, a lot of that complexity can be avoided. The remainder of this article concentrates on features that are easy to use, and in only a few lines of shell code.

This article uses the same section titles as in my earlier GnuPG article (“GnuPG Hacks”, Linux Journal, March 2006, page 52) to make it easier to compare OpenSSL and GnuPG.

Getting Started

First, let's confirm that OpenSSL is installed and in your path. Many Linux distributions, even some small distributions, include OpenSSL. Usually OpenSSL is located in /usr/bin/, like most bundled packages.

In all of the examples, the shell prompt is set to $.

First, type:

$ openssl version

Note that there are no leading dashes for the version option.

You should get something like this:

OpenSSL 0.9.7d 17 Mar 2004

The exact version number, date and other details may vary. At the time of this writing, the current version is OpenSSL 0.9.8a. The examples we're using should work for most versions of OpenSSL.

If you typed openssl with no command-line option, you'll get this:

OpenSSL>

If this happens, simply type quit or press Ctrl-C to exit safely. It's only the OpenSSL internal command-line prompt. It doesn't have command-line editing and has no explicit help function. But, it will type a list of commands if you type a command it doesn't know. It's better to avoid it for now.

Binary File Shields

Binary files typically are sent in e-mail using MIME. However, if your e-mail software doesn't support MIME, like most command-line e-mail, you're stuck with uuencode, or you can use OpenSSL's base64 encoding. Base64 is the same encoding used by the much more complicated MIME protocol, but it's not directly MIME-compatible.

To wrap a file in base64 text encoding, type:


$ openssl base64 < filename.bin > filename.txt

To unwrap a base64-encoded file, type:


$ openssl base64 -d < filename.txt > filename.bin

Note that OpenSSL doesn't care about the filename extension.

OpenSSL, unlike GnuPG or MIME, also can encode short strings, as follows:

$ echo "The Linux Journal" | openssl base64
VGhlIExpbnV4IEpvdXJuYWwK

Decoding is similar:

$ echo "VGhlIExpbnV4IEpvdXJuYWwK" | openssl base64 -d
The Linux Journal

Note the -d option, which specifies decoding.

Better Checksums

sum and cksum are the traditional UNIX checksum programs. They work fine, as long as as you don't need cross-platform compatibility or security, and you don't mind that occasionally two completely different files will have the same checksum value.

Although Linux systems often have md5sum installed, the MD5 algorithm suffers from a relatively new vulnerability and shouldn't be used anymore.

If it's installed, the more secure sha1sum should be used. Several different programs go by this name, however. Some versions can hash only one file at a time, some can't handle stdin or have some other deficiency. If you run into any of these problems or simply want consistent, known, good cross-platform software, consider OpenSSL.

The OpenSSL hash output format is a bit different from GnuPG, but numerically identical. OpenSSL format always identifies the algorithm used and also outputs a lowercase hexadecimal string with no whitespace. Some find this format easier to use.

Here are some examples:

$ openssl sha1 filename
SHA1(filename)= e83a42b9bc8431a6645099be50b6341a35d3dceb

$ openssl md5 filename
MD5(filename)= 26e9855f8ad6a5906fea121283c729c4

As in my previous “GnuPG Hacks” article, the above examples use a file that contains the string: “The Linux Journal”. Note that there is no period in the string.

If you have a problem replicating these results, here is the ASCII-annotated hexadecimal representation of the file. Note the newline at the end automatically added by vi:

T  h  e     L  i  n  u  x     J  o  u  r  n  a  l  \n
54 68 65 20 4c 69 6e 75 78 20 4a 6f 75 72 6e 61 6c 0a

OpenSSL, unlike GnuPG, doesn't have SHA-512, but OpenSSL does have MD2, MD4 and MDC2. These are older algorithms that are provided for backward compatibility. Like MD5, they shouldn't be used anymore.

______________________

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix