Introduction To OpenSSL

INTRODUCTION TO
OPENSSL
OVERVIEW
What is OpenSSL
SSL Protocol
Command-Line Interface
Application Programming Interface
Problems with OpenSSL
Summary
WHAT IS OPENSSL
Open Secure Socket Layer Protocol

The OpenSSL Project is a collaborative effort to develop a robust, commercial-
grade, fully featured, and Open Source toolkit implementing the SSL_v2/v3 and
TLS_v1 protocols as well as a full-strength general purpose cryptography library.
WHAT IS OPENSSL CONT.
The OpenSSL Project is managed by a worldwide community of volunteers that use

the Internet to communicate, plan, and develop the toolkit and its related
documentation.
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and
Tim J. Hudson.
The current versions is 1.0.1o . Current version installed on your system can be
checked by
typing openssl version v on command line.
Features:
Open Source
Fully Functional Implementation
Cross-Platform (Unix & Windows)
Command-Line Interface (openssl command)
Application Programming Interface (C/C++, Perl, PHP & Python)
INSTALLATION
yum install openssl

SSL PROTOCOL
The primary goal of the SSL (Secure Sockets Layer) Protocol and its successor - TLS
(Transport Layer Security) Protocol is to provide privacy and reliability between two
communicating applications.
SSL PROTOCOL CONT.
It is composed of two layers:

SSL Record Protocol
It is used for the transmission of bulk data.
SSL Handshake Protocol

It is used to establish the secure connection for data transfer.
SSL PROTOCOL CONT.
Handshake
Negotiate the cipher suite
Authenticate the server
Authenticate the client (Optional)
Generate the session keys
Establish a secure connection
QUESTION
In public key cryptography we can also use session keys which are symmetric. How do
the sender (say a server) provides this session key information to its clients?
If the sender (here server) provides the session key by encrypting using its private
key, all the clients (including a malicious one) can decrypt (using available public key)
and see that session key , right? The server can't use public key to encrypt the
session key since none of the clients have private key to decrypt it.
ANSWER
Normally, the client sends the session key. This means that clients cannot decrypt
other session keys.
Although this approach ensures each session is safe from information gathered in
other sessions, it doesn't guard the session against an attacker later acquiring the
server's key and retrospectively decoding all recorded sessions.
To guard against that threat is termedPerfect Forward Privacy. This can be achieved
using ephemeral Diffie-Hellman (EDH,DHE) key exchange.
There is an excellent blog explaining recent improvements inPerfect Forward Secrecy
which is well worth reading.
SSL PROTOCOL CONT.
More detail information can be found from:

SSL Protocol v3 @ http://www.netscape.com/eng/ssl3/draft302.txt
TLS Protocol v1 @ http://www.ietf.org/rfc/rfc2246.txt
COMMAND-LINE INTERFACE
Functionality
Creation of RSA, DSA & DH key pairs
Creation of X.509 Certificates, CSRs & CRLs
Calculation of Message Digests(hashes)
Encryption & Decryption with Ciphers
SSL/TLS Client & Server Tests
Handling of S/MIME signed and/or encrypted mails
Note: S/MIME: Secure/Multi Purpose Internet Mail extensions
Command Line help: Type openssl command -- help
COMMAND-LINE INTERFACE CONT.
Example 1: Generating your self signed X.509 certificate for your digital signatures
Example 2 Secure Apache Web Server with mod_ssl & OpenSSL
Example 3 S/MIME
GENERATING CERTIFICATE SIGNING
REQUEST
openssl req x509 days 365 newkey rsa:2048 -keyout my-key.pem out my-
cert.pem
PUTTING BOTH KEY AND CERT IN PFX FILE
openssl pkcs12 -export -in my-cert.pem inkey my-key.pem out test-cert.pfx
Now We can use private key to sign document and public key to verify signature
EXPORTING PUBLIC KEY TO HANDOUT
CLIENT
openssl pkcs12 -in test-cert.pfx clcerts nokeys out test-cert-public.pem

Note:
export for outputting pkcs12 file
clcerts for output only client certificates
nokeys for dont output private keys as pfx contains both public and private keys
SECURE APACHE WEB SERVER WITH
MOD_SSL & OPENSSL
Generate the Root Certificate

Generate the CSR (Certificate Signing Request)
Sign the CSR
Generate the PKCS12
Modify the Apache Configuration File
GENERATE THE ROOT CERTIFICATE
openssl req -x509 -days 2922 -newkey rsa:1024 -md5 -out ca.crt -keyout ca.key
-config .\openssl.cnf
GENERATE THE CSR
openssl req -newkey rsa:1024 -out mec.csr -keyout mec.key -config .\openssl.cnf -reqexts
v3_req
SIGN THE CSR
openssl x509 -req -in mec.csr -extfile .\openssl.cnf -extensions usr_cert -CA ca.crt -CAkey
ca.key -CAcreateserial -sha1 -days 1461 -out mec.crt
GENERATE THE PKCS12
openssl pkcs12 -export -out mec.p12 -in mec.crt -inkey mec.key -certfile ca.crt
MODIFY THE APACHE CONFIGURATION FILE
The Apache Configuration File httpd.conf
LoadModule ssl_module modules/libssl.so

AddModule mod_ssl.c
SSLEngine off
SSLSessionCache dbm:logs/ssl_cache
SSLSessionCacheTimeout 300
Listen 80
Listen 443
CONT.
<VirtualHost _default_:80>
<Location /admin>
Deny from all
</Location>
</VirtualHost>
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile conf/ssl.crt/mec.crt
SSLCertificateKeyFile conf/ssl.key/mec.key
SSLCACertificateFile conf/ssl.crt/ca.crt
CONT.
<Location /admin>
SSLVerifyClient require
SSLRequire %{SSL_CLIENT_S_DN_CN} eq Administrator
</Location>
</VirtualHost>
S/MIME
Sign
openssl smime -sign -in m.txt -out sign_clear.eml -signer jingli.pem
Verify
openssl smime -verify -in sign_clear.eml -signer jingli.pem -CAfile ca.crt
S/MIME CONT.
Encrypt
openssl smime -encrypt -des3 -in m.txt -out encrypt.eml jingli.crt
Decrypt
openssl smime -decrypt -in encrypt.eml -recip jingli.pem
Sign & Encrypt
openssl smime -sign -in m.txt -text -signer jingli.pem | openssl smime -encrypt -des3 -out
sign_encrypt.eml jingli.pem
APPLICATION PROGRAMMING
INTERFACE
libssl.a or libssl.so
Implementation of SSL_v2/3 & TLS_v1
libcrypto.a or libcrypto.so
Ciphers (AES, DES, RC2/4, Blowfish, IDEA)
Digests (MD5, SHA-1, MDC2)
Public Keys (RSA, DSA, DH)
X509s (ASN.1 DER & PEM)
Others (BIO, BASE64)
APPLICATION PROGRAMMING
INTERFACE CONT.
OpenSSLs libraries are also used by other tools, such as OpenCA, OpenSSH, to
implement secure transmission of data
Using SSL Proxy, arbitrary socket connections can be secured by SSL
PROBLEMS WITH OPENSSL
It is powerful, but is not easy for use

Non object-oriented
Be lack of documents, especially for APIs
Problems with shared libraries in some platforms
SUMMARY
OpenSSL is an Open Source toolkit implementing SSL/TLS & Cryptography

It has a command-line interface & an application programming interface
There are a lot of tools using OpenSSLs libraries to secure data or establish secure
connections
REFERENCES
OpenSSL http://www.openssl.org
SSL http://www.netscape.com/eng/ssl3/draft302.txt
TLS http://www.ietf.org/rfc/rfc2246.txt
Apache http://www.apache.org
mod_ssl http://www.modssl.org
Network Security with OpenSSL by Pravir Chandra, Matt Messier & John Viega
Applied Cryptography by Bruce Schneier
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-
1/ssl.html

Introduction To OpenSSL

Uploaded by

Copyright:

Available Formats

Introduction To OpenSSL

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Introduction To OpenSSL

Uploaded by

Copyright:

Available Formats

What is OpenSSL and what are its main components?

What are the goals of the SSL and TLS protocols?

INTRODUCTION TO

Open Secure Socket Layer Protocol

The OpenSSL Project is managed by a worldwide community of volunteers that use

yum install openssl

It is composed of two layers:

SSL Handshake Protocol

More detail information can be found from:

openssl pkcs12 -export -in my-cert.pem inkey my-key.pem out test-cert.pfx

openssl pkcs12 -in test-cert.pfx clcerts nokeys out test-cert-public.pem

Generate the Root Certificate

LoadModule ssl_module modules/libssl.so

It is powerful, but is not easy for use

OpenSSL is an Open Source toolkit implementing SSL/TLS & Cryptography

You might also like

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.