Loading
OpenSSL Hacks
OpenSSL contains a command-line tool to do nearly everything possible within the OpenSSL library. Even better, it's probably already installed on your system.
OpenSSL is a powerful Secure Sockets Layer cryptographic library. Apache uses it for HTTPS encryption, and OpenSSH uses it for SSH encryption. But, you don't have to use it as a library. It's also a multipurpose, cross-platform crypto tool.
Here's a little background on OpenSSL. Before OpenSSL, there was ssleay, an SSL implementation written by Eric A. Young. It was successively improved and eventually became OpenSSL, similar to how NCSA HTTPd became the Apache Web server. Today, OpenSSL supports dozens of cryptographic algorithms and protocols with hundreds of options.
OpenSSL has a lot of features. In addition to the SSL client and server features, OpenSSL also has:
US federal government NIST FIPS 140-2 Level 1 validation.
TLS, the next generation of SSL.
X.509 key and certificate generation.
X.509 certificate authority.
S/MIME encryption.
File encryption and hashing.
UNIX password hashes.
Nine different commercial cryptographic hardware devices.
Cryptographic performance testing.
Thirty-six commands.
Six message digest algorithms.
Nine cipher algorithms with four block modes (where applicable).
Multiple crypto protocols.
Although OpenSSL is complex, a lot of that complexity can be avoided. The remainder of this article concentrates on features that are easy to use, and in only a few lines of shell code.
This article uses the same section titles as in my earlier GnuPG article (“GnuPG Hacks”, Linux Journal, March 2006, page 52) to make it easier to compare OpenSSL and GnuPG.
First, let's confirm that OpenSSL is installed and in your path. Many Linux distributions, even some small distributions, include OpenSSL. Usually OpenSSL is located in /usr/bin/, like most bundled packages.
In all of the examples, the shell prompt is set to $.
First, type:
$ openssl version
Note that there are no leading dashes for the version option.
You should get something like this:
OpenSSL 0.9.7d 17 Mar 2004
The exact version number, date and other details may vary. At the time of this writing, the current version is OpenSSL 0.9.8a. The examples we're using should work for most versions of OpenSSL.
If you typed openssl with no command-line option, you'll get this:
OpenSSL>
If this happens, simply type quit or press Ctrl-C to exit safely. It's only the OpenSSL internal command-line prompt. It doesn't have command-line editing and has no explicit help function. But, it will type a list of commands if you type a command it doesn't know. It's better to avoid it for now.
Binary files typically are sent in e-mail using MIME. However, if your e-mail software doesn't support MIME, like most command-line e-mail, you're stuck with uuencode, or you can use OpenSSL's base64 encoding. Base64 is the same encoding used by the much more complicated MIME protocol, but it's not directly MIME-compatible.
To wrap a file in base64 text encoding, type:
$ openssl base64 < filename.bin > filename.txt
To unwrap a base64-encoded file, type:
$ openssl base64 -d < filename.txt > filename.bin
Note that OpenSSL doesn't care about the filename extension.
OpenSSL, unlike GnuPG or MIME, also can encode short strings, as follows:
$ echo "The Linux Journal" | openssl base64 VGhlIExpbnV4IEpvdXJuYWwK
Decoding is similar:
$ echo "VGhlIExpbnV4IEpvdXJuYWwK" | openssl base64 -d The Linux Journal
sum and cksum are the traditional UNIX checksum programs. They work fine, as long as as you don't need cross-platform compatibility or security, and you don't mind that occasionally two completely different files will have the same checksum value.
Although Linux systems often have md5sum installed, the MD5 algorithm suffers from a relatively new vulnerability and shouldn't be used anymore.
If it's installed, the more secure sha1sum should be used. Several different programs go by this name, however. Some versions can hash only one file at a time, some can't handle stdin or have some other deficiency. If you run into any of these problems or simply want consistent, known, good cross-platform software, consider OpenSSL.
The OpenSSL hash output format is a bit different from GnuPG, but numerically identical. OpenSSL format always identifies the algorithm used and also outputs a lowercase hexadecimal string with no whitespace. Some find this format easier to use.
Here are some examples:
$ openssl sha1 filename SHA1(filename)= e83a42b9bc8431a6645099be50b6341a35d3dceb $ openssl md5 filename MD5(filename)= 26e9855f8ad6a5906fea121283c729c4
As in my previous “GnuPG Hacks” article, the above examples use a file that contains the string: “The Linux Journal”. Note that there is no period in the string.
If you have a problem replicating these results, here is the ASCII-annotated hexadecimal representation of the file. Note the newline at the end automatically added by vi:
T h e L i n u x J o u r n a l \n 54 68 65 20 4c 69 6e 75 78 20 4a 6f 75 72 6e 61 6c 0a
OpenSSL, unlike GnuPG, doesn't have SHA-512, but OpenSSL does have MD2, MD4 and MDC2. These are older algorithms that are provided for backward compatibility. Like MD5, they shouldn't be used anymore.
______________________
White Paper
Fabric-Based Computing Enables Optimized Hyperscale Data Centers
Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- New Products
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- A Topic for Discussion - Open Source Feature-Richness?
- Drupal Is a Framework: Why Everyone Needs to Understand This
- Home, My Backup Data Center
- What's the tweeting protocol?
- New Products
- One Hand Slapping
- Readers' Choice Awards
- RSS Feeds
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.
7 hours 13 min ago
9 hours 45 min ago
11 hours 3 min ago
11 hours 37 min ago
12 hours 29 sec ago
16 hours 48 min ago
17 hours 35 min ago
19 hours 9 min ago
20 hours 46 min ago
22 hours 43 min ago