
Computer security lab

openssl
Content
● Installing and configuring OpenSSL
● Introduction and commands used in OpenSSL
● Encryption using conventional algorithms
● Symmetric encryption with OpenSSL
● Encrypting file using DES
● Asymmetric encryption with OpenSSL
● Encrypting file using RSA
● Combination of DES and RSA
● Digital Certification with OpenSSL
● Digital Signature
Installing and configuring OpenSSL

● Step-By-Step Procedure To Install OpenSSL On The Windows Platform
● Download /index.html (openssl.org)
● Step by step tutorial
● For Linux users
○ pip install openssl or conda install openssl
Note:
- On the command line, openssl is written in lower case: openssl
Introduction and commands used in OpenSSL
● OpenSSL is a software library for applications that secure communications over computer networks
against eavesdropping or need to identify the party at the other end.
● OpenSSL is among the most popular cryptography libraries. It is most commonly used to implement
the Secure Sockets Layer and Transport Layer Security (SSL and TLS) protocols to ensure secure
communications between computers. In recent years, SSL has become basically obsolete since TLS
offers a higher level of security, but some people have gotten into the habit of referring to both
protocols as SSL.
● Cryptography is tricky business, and OpenSSL has too many features to cover in one article, but this
OpenSSL tutorial will help you get started creating keys and certificates.
● It is widely used by Internet servers, including the majority of HTTPS websites.
● OpenSSL is driven from the command line. A few common OpenSSL commands for regular users are listed
below; to study all the commands, see the reference pages linked below.
○ openssl version
○ openssl help

https://www.ssldragon.com/blog/what-is-openssl-and-how-it-works/

https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm
Symmetric encryption with OpenSSL

● The symmetric cipher commands allow data to be encrypted or decrypted using various block
and stream ciphers, with keys either derived from passwords or provided explicitly. Base64 encoding
or decoding can also be performed, either by itself or in addition to the encryption or decryption.

The commands below create a short plaintext file and inspect it. Commands to create and display files: touch, vim, cat.

$ echo -n "Hello. This is our super secret message. Keep it secret please. Goodbye." > plaintext.txt
$ cat plaintext.txt
$ wc -m plaintext.txt
72 plaintext.txt
$ ls -l
total 4
-rw-r--r-- 1 sgordon sgordon 72 Nov 11 16:39 plaintext.txt
$ xxd -c 8 plaintext.txt

The meaning of the commands and their output is:

1. Create a short text message with echo. The -n option ensures no newline is added to the end. Two
things about this message will be important later: its length is a multiple of 8 characters (9 blocks of
8 characters) and the word secret appears twice (in particular positions).
2. Display the message on the screen with cat.
3. Count the number of characters with wc.
4. View the file size with ls.
5. Show the message in hexadecimal and binary using xxd. From now on, I'll only look at the
hexadecimal values (not binary).
DES
● The Data Encryption Standard is a symmetric-key algorithm for the encryption of
digital data. Although its short key length of 56 bits makes it too insecure for modern
applications, it has been highly influential in the advancement of cryptography.
● Encrypt & Decrypt Files using ciphers
● Encrypt using des:
○ openssl des -salt -in data.txt -out data.des
● Decryption :
○ openssl des -d -salt -in data.des -out data1.txt -k [key]
● What is salting? Salting is a concept that typically pertains to password hashing. Essentially, it is a
unique value added to the password so that the same password produces a different hash value.
● A salt is a piece of random data added to a password before it is hashed and stored.
● In openssl enc, -salt (the default) mixes a random 8-byte salt into the key derivation, so the same
password gives a different key and ciphertext each time; the salt is stored at the start of the output
so that decryption can repeat the derivation.

https://www.openssl.org/docs/man1.0.2/man1/openssl-enc.html
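The plaintext above was built so that " secret " fills exactly the fourth and seventh 8-byte DES blocks. The following script, added here and not part of the lab handout, encrypts that message with DES in ECB and in CBC mode using an explicit key (the key and IV are constructed for the example) and shows why that layout matters: ECB encrypts each block independently, so the two equal plaintext blocks give two equal ciphertext blocks, while CBC hides the repetition.

```shell
#!/bin/sh
# Added example, not from the lab handout. The 72-byte message has " secret "
# at 8-byte blocks 4 and 7. DES-ECB encrypts each block independently, so those
# two ciphertext blocks come out identical (structure leaks); DES-CBC chains
# blocks together, so they differ. Key and IV below are constructed values.
set -eu

MSG='Hello. This is our super secret message. Keep it secret please. Goodbye.'
KEY=0123456789abcdef    # 8-byte DES key as hex (constructed, lab use only)
IV=0000000000000000     # 8-byte IV for the CBC run (constructed)

# Encrypt MSG with the named DES mode, explicit key, no salt, no padding
# (MSG is exactly 9 x 8 bytes) and return the ciphertext as one hex string.
# OpenSSL 3 keeps single DES in the legacy provider, so retry with the
# provider flags if the first attempt is rejected.
des_hex() {   # $1 = des-ecb | des-cbc ; remaining args are passed through (-iv)
    mode=$1; shift
    { printf '%s' "$MSG" | openssl enc "-$mode" -K "$KEY" -nosalt -nopad "$@" 2>/dev/null \
      || printf '%s' "$MSG" | openssl enc "-$mode" -K "$KEY" -nosalt -nopad "$@" \
           -provider legacy -provider default; } | od -An -tx1 -v | tr -d ' \n'
}

block() {     # $1 = block number (1-based), $2 = hex string -> 16 hex digits
    start=$(( ($1 - 1) * 16 + 1 ))
    printf '%s' "$2" | cut -c "$start-$(( start + 15 ))"
}

ECB=$(des_hex des-ecb)
CBC=$(des_hex des-cbc -iv "$IV")

ecb_repeats() { [ "$(block 4 "$ECB")" = "$(block 7 "$ECB")" ]; }   # leak
cbc_differs() { [ "$(block 4 "$CBC")" != "$(block 7 "$CBC")" ]; }  # no leak
ciphertext_len() { printf '%s' "$ECB" | wc -c | tr -d ' '; }      # 144 hex digits = 72 bytes

printf 'ECB block 4: %s\nECB block 7: %s\n' "$(block 4 "$ECB")" "$(block 7 "$ECB")"
printf 'CBC block 4: %s\nCBC block 7: %s\n' "$(block 4 "$CBC")" "$(block 7 "$CBC")"
```

This is the reason the lab's later DES commands use the salted, password-based defaults (CBC mode) rather than ECB.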
Another way
We can use the following commands in the terminal:

● encryption:
○ $ secret=$(echo "this is my secret information." | openssl enc -e -des3 -base64 -pass pass:mypasswd -pbkdf2)
● decryption:
○ $ echo "${secret}" | openssl enc -d -des3 -base64 -pass pass:mypasswd -pbkdf2
● In cryptography, PBKDF1 and PBKDF2 are key derivation functions with a sliding computational cost,
used to reduce vulnerability to brute-force attacks.
Encryption and Decryption using AES
● The Advanced Encryption Standard (AES) is a symmetric block cipher chosen by the U.S. government to
protect classified information. AES is implemented in software and hardware throughout the world to
encrypt sensitive data.
● The general format: openssl command command-options argument
● example:
○ openssl enc -e -aes256 -in data.txt -out secured_data.txt
● In the above command,
○ enc – openssl command to encode with ciphers
○ e – option to encrypt the input file/stream
○ aes256 – encryption cipher
○ in – input file location or name, data.txt
○ out – output file location or name, secured_data.txt
● decryption:
○ openssl enc -d -aes256 -in secured_data.txt -out data.txt
● Example:
○ touch plain.txt
○ echo "Hello World!" > plain.txt
○ openssl enc -aes-256-cbc -in plain.txt -out encrypted.bin
○ openssl enc -aes-256-cbc -d -in encrypted.bin -pass pass:[pass]

https://fedingo.com/how-to-encrypt-decrypt-files-using-openssl/
Or using a key file
● Encrypt:
○ openssl aes-256-cbc -in myfile.txt -out myfile_encrypted.txt -e -a -kfile mykey.txt -pbkdf2
● Note:
○ -pbkdf2: derive the key with PBKDF2 (password-based key derivation) from the password read from the key file
○ -a indicates the encrypted file will be represented using base64
● Decrypt:
○ openssl aes-256-cbc -in myfile_encrypted.txt -out myfile_encRecovered.txt -d -a -kfile mykey.txt -pbkdf2

More examples: https://tutonics.com/2012/10/easy-file-encryption-using-openssl.html

https://linuxconfig.org/using-openssl-to-encrypt-messages-and-files-on-linux
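The salt and PBKDF2 notes above can be checked directly. This script, added here and not from the lab handout or the linked tutorials, runs the password-based AES-256-CBC command twice with the same password and shows that the ciphertexts differ (fresh random salt each time, stored behind a "Salted__" header), that both still decrypt with the right password, and that a wrong password does not recover the plaintext. The file names and the password are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the lab handout: effect of -salt and -pbkdf2 on the
# password-based AES commands of this section. Password and files are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'Hello World!\n' > plain.txt
PASS=mypasswd

enc_with_pass() {   # $1 = password, $2 = output file; salted, PBKDF2-derived key
    openssl enc -e -aes-256-cbc -pbkdf2 -salt -pass "pass:$1" -in plain.txt -out "$2"
}
dec_with_pass() {   # $1 = password, $2 = input file -> $2.dec; exit status = success
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$1" -in "$2" -out "$2.dec" 2>/dev/null
}

enc_with_pass "$PASS" a.bin
enc_with_pass "$PASS" b.bin

# Same password, same plaintext, different ciphertext: the random salt changes the key.
ciphertexts_differ() { ! cmp -s a.bin b.bin; }
# The salt travels with the ciphertext in the first 16 bytes: "Salted__" + 8 salt bytes.
header_is_salted()   { [ "$(head -c 8 a.bin)" = "Salted__" ]; }
# Both files decrypt with the right password because the salt is read back from the header.
right_pass_decrypts() {
    dec_with_pass "$PASS" a.bin && cmp -s plain.txt a.bin.dec &&
    dec_with_pass "$PASS" b.bin && cmp -s plain.txt b.bin.dec
}
# A wrong password either fails the padding check ("bad decrypt") or yields garbage.
wrong_pass_fails()   { ! { dec_with_pass notmypasswd b.bin && cmp -s plain.txt b.bin.dec; }; }

od -An -c a.bin | head -n 1    # shows the Salted__ header when run by hand
```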
Asymmetric encryption and decryption
● RSA
○ First generate a key:
■ openssl genrsa -out yourdomain.key 2048 or openssl genrsa -aes128 -out alice_private.pem 1024
○ This command generates a private key in your current directory named yourdomain.key (-out yourdomain.key) using the
RSA algorithm (genrsa) with a key length of 2048 bits (2048). The generated key is created in the OpenSSL format
called PEM.
○ cat yourdomain.key
○ Even though the contents of the file might look like a random chunk of text, it actually contains important information
about the key.
○ Use the following command to decode the private key and view its contents:
■ openssl rsa -text -in yourdomain.key -noout
○ The -noout switch omits the output of the encoded version of the private key.
○ Next, extract your public key:
○ The private key file contains both the private key and the public key. You can extract your public key from your private
key file if needed.
○ Use the following command to extract your public key:
■ openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key
[https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm]
● Encryption: using the public key
○ openssl rsautl -encrypt -inkey yourdomain_public.key -pubin -in myfile.txt -out myfile_secret.enc
○ In the above example,
■ encrypt – option to encrypt data
■ inkey – location of the receiver's public key file (-pubin tells openssl that this file holds a public key)
■ in – input file location
■ out – output file location
● Decryption: using the private key
○ openssl rsautl -decrypt -inkey yourdomain.key -in myfile_secret.enc > myfile_Recover.txt

https://fedingo.com/how-to-encrypt-decrypt-files-using-openssl/
Certificate Signing Request

● A Certificate Signing Request or CSR is a specially formatted encrypted message sent from
a Secure Sockets Layer (SSL) digital certificate applicant to a certificate authority (CA). The
CSR validates the information the CA requires to issue a certificate.
● To do that, follow these steps:
○ openssl req -new -key yourdomain.key -out domain.csr
○ You will be asked for several details here.
○ The common name is important.
○ Then verify: openssl req -text -in domain.csr -noout -verify
○ In a real deployment the CSR would now be sent to a CA to be certified.
○ In this case we will self-sign it; to do that:
■ openssl x509 -in domain.csr -out domainsigned.crt -req -signkey yourdomain.key -days 365
○ You now have a security certificate.

https://www.keycdn.com/blog/openssl-tutorial#part-3-creating-digital-signatures
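The CSR and self-signing steps above, run non-interactively, as an added example (not from the lab handout or the linked tutorial): -subj supplies the Common Name on the command line instead of answering the prompts, and the functions afterwards perform the checks a practitioner does on the result. The domain name and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the lab handout: CSR -> self-signed certificate -> checks.
set -eu
WORK=$(mktemp -d); cd "$WORK"
openssl genrsa -out yourdomain.key 2048 2>/dev/null

# 1. Create the CSR; CN is the name the certificate will be issued for (constructed).
openssl req -new -key yourdomain.key -out domain.csr \
    -subj '/C=XX/O=Lab/CN=lab.example' 2>/dev/null

# 2. Verify the CSR's own signature: it proves the requester holds the private key.
csr_verifies() { openssl req -in domain.csr -noout -verify >/dev/null 2>&1; }

# 3. Self-sign for 365 days (a CA would sign here in a real deployment).
openssl x509 -req -in domain.csr -signkey yourdomain.key -days 365 \
    -out domainsigned.crt 2>/dev/null

cert_subject() { openssl x509 -in domainsigned.crt -noout -subject; }

# Self-signed means issuer and subject are the same name.
self_signed() {
    [ "$(cert_subject)" = "$(openssl x509 -in domainsigned.crt -noout -issuer | sed 's/^issuer=/subject=/')" ]
}
# The certificate carries exactly the public half of yourdomain.key.
key_matches() {
    [ "$(openssl x509 -in domainsigned.crt -noout -pubkey)" = "$(openssl rsa -in yourdomain.key -pubout 2>/dev/null)" ]
}
# Nobody trusts it by default: verification fails against the system store and
# only succeeds when the certificate itself is supplied as the trust anchor.
trusted_only_as_anchor() {
    ! openssl verify domainsigned.crt >/dev/null 2>&1 &&
      openssl verify -CAfile domainsigned.crt domainsigned.crt >/dev/null 2>&1
}

cert_subject
```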
Digital signature (DS)
● A digital signature is a mathematical scheme for verifying the
authenticity of digital messages or documents.
● A valid digital signature, where the prerequisites are satisfied, gives a
recipient very high confidence that the message was created by a known
sender (authenticity), and that the message was not altered in transit
(integrity).
● So you can hash the file using SHA-256 with openssl:
○ openssl sha256 -hex -out myfile.sha256 myfile.txt
○ Then you can check the integrity of the text file by comparing it with the stored checksum.
Digital Signature

- Authenticity and integrity

- Sign: uses the private key:
- openssl rsautl -sign -inkey yourdomain.key -in myfile.txt -out myfile.txt.sign
- Verify: check using the public key:
- openssl rsautl -verify -inkey yourdomain_public.key -pubin -in myfile.txt.sign
- Signing using hashing
- openssl sha1 -sign yourdomain.key -out myfile_signH.txt.sign myfile.txt
- You can use sha256 instead of sha1
- openssl sha1 -verify yourdomain_public.key -signature myfile_signH.txt.sign myfile.txt
- It should say "Verified OK"
Signing using dgst
- You can use openssl dgst -list to see the supported digests
- Sign:
- openssl dgst -sha256 -sign yourdomain.key -out myfilDigest.txt.sign myfile.txt
- Verify:
- openssl dgst -sha256 -verify yourdomain_public.key -signature myfilDigest.txt.sign myfile.txt
Signing using pkeyutl (integrity)

- First generate the hash of the file:
- openssl sha256 -binary -out hash.sh myfile.txt
- sign:
- openssl pkeyutl -sign -inkey yourdomain.key -in hash.sh -out datahashsign.txt.sign -pkeyopt digest:sha256
- verify:
- openssl pkeyutl -verify -inkey yourdomain_public.key -pubin -in hash.sh -sigfile datahashsign.txt.sign -pkeyopt digest:sha256
- Note: pkeyutl signs the raw hash you give it, so -pkeyopt digest:sha256 must be passed on both sides; it tells pkeyutl
which digest the hash was made with so that the same padded encoding is produced and checked.
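The dgst signing commands from the previous slides, run end to end, as an added example (not from the lab handout). It shows the "Verified OK" result on the original file and then the two failures the handout only implies: verification fails when a single character of the file has changed, and it fails when checked against a different key pair. It closes with the hash-only integrity check from the digital signature slide, which detects the change but says nothing about who produced the file. Key names follow the handout; the documents and the second key pair are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the lab handout: dgst sign/verify with tamper and
# wrong-key checks. Files and the second ("other") key pair are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
openssl genrsa -out yourdomain.key 2048 2>/dev/null
openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key 2>/dev/null
openssl genrsa -out other.key 2048 2>/dev/null               # an unrelated signer
openssl rsa -in other.key -pubout -out other_public.key 2>/dev/null

printf 'Invoice total: 100 EUR\n' > myfile.txt               # constructed document
sed 's/100/900/' myfile.txt > tampered.txt                   # one character changed

sign_file() {    # $1 = file, $2 = private key -> writes $1.sign (SHA-256 + RSA)
    openssl dgst -sha256 -sign "$2" -out "$1.sign" "$1"
}
verify_file() {  # $1 = file, $2 = public key, $3 = signature
                 # prints "Verified OK" or "Verification Failure"
    openssl dgst -sha256 -verify "$2" -signature "$3" "$1" 2>/dev/null || true
}

sign_file myfile.txt yourdomain.key

original_ok()      { [ "$(verify_file myfile.txt   yourdomain_public.key myfile.txt.sign)" = "Verified OK" ]; }
tamper_caught()    { [ "$(verify_file tampered.txt yourdomain_public.key myfile.txt.sign)" = "Verification Failure" ]; }
wrong_key_caught() { [ "$(verify_file myfile.txt   other_public.key      myfile.txt.sign)" = "Verification Failure" ]; }

# Integrity only, no key: the SHA-256 checksum detects the change but cannot
# tell a recipient who produced the file.
checksums_differ() {
    [ "$(openssl sha256 -r myfile.txt | cut -c1-64)" != "$(openssl sha256 -r tampered.txt | cut -c1-64)" ]
}

verify_file myfile.txt yourdomain_public.key myfile.txt.sign
verify_file tampered.txt yourdomain_public.key myfile.txt.sign
```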
Combining RSA and DES
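The handout lists this combination but gives no commands for it, so the following script is an added example (not from the lab handout) of the standard hybrid scheme the heading refers to. RSA with a 2048-bit key can only encrypt a message shorter than its modulus (about 245 bytes with the default PKCS#1 v1.5 padding), so the file itself is encrypted with a symmetric cipher under a random one-time key, and only that small key is encrypted with the recipient's RSA public key; the recipient reverses the two steps. The example uses AES-256-CBC with PBKDF2, as in the symmetric section, in place of single DES; the key and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the lab handout: hybrid encryption (RSA wraps a random
# session key, a symmetric cipher encrypts the data). Names are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Recipient key pair, generated with the same commands as the RSA section.
openssl genrsa -out alice_private.pem 2048 2>/dev/null
openssl rsa -in alice_private.pem -pubout -out alice_public.pem 2>/dev/null

# Sender side: random 256-bit session key, wrapped with the recipient's public key;
# the file is encrypted under that key with AES-256-CBC (PBKDF2-derived).
hybrid_encrypt() {   # $1 = plaintext file, $2 = recipient public key
    openssl rand -hex 32 > session.key
    openssl pkeyutl -encrypt -pubin -inkey "$2" -in session.key -out session.key.enc
    openssl enc -e -aes-256-cbc -pbkdf2 -pass file:session.key -in "$1" -out "$1.enc"
    rm session.key            # only the RSA-wrapped copy leaves the sender
}

# Recipient side: unwrap the session key with the private key, then decrypt the file.
hybrid_decrypt() {   # $1 = encrypted file, $2 = private key, $3 = output file
    openssl pkeyutl -decrypt -inkey "$2" -in session.key.enc -out session.key
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:session.key -in "$1" -out "$3"
    rm session.key
}

# Constructed sample file, deliberately larger than RSA-2048 can encrypt directly.
seq 1 200 > report.txt
hybrid_encrypt report.txt alice_public.pem
hybrid_decrypt report.txt.enc alice_private.pem report_recovered.txt

roundtrip_ok() { cmp -s report.txt report_recovered.txt; }
# Encrypting the same file with RSA alone fails: the data is too large for the key.
rsa_direct_fails() {
    ! openssl pkeyutl -encrypt -pubin -inkey alice_public.pem -in report.txt -out /dev/null 2>/dev/null
}

ls -l report.txt report.txt.enc session.key.enc
```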
