OpenSSL
Last updated
Was this helpful?
Last updated
Was this helpful?
OpenSSL is a widely-used toolkit for implementing SSL/TLS and other cryptographic protocols. It includes various commands to generate symmetric keys, encrypt and decrypt data, and manage cryptographic keys.
Symmetric key generation involves creating a secret key that will be used for both encryption and decryption processes in symmetric cryptography. The strength and security of the encryption depend on the quality of the generated key.
To generate a symmetric key using OpenSSL:
<key_length>: Specify the desired key length in bytes (e.g., 16 for 128-bit key).
<output_file>: Name of the file to store the generated key (written in raw binary format).
-base64 : encodes the key in Base64 format for readability
-hex : outputs the key in hexadecimal format, which might be required by some tools.
To encrypt data using a symmetric key
<encryption algorithm>: Specifies the encryption algorithm (AES-128 in CBC mode for example). We can use other algorithms and modes like des-cbc or aes-256-cfb. Choose based on the security requirements.
-salt: (Optional) Adds a salt to the encryption.
-in <input_file>: Path to the file containing the plain text data you want to encrypt.
-out <output_file>: Path to the file where the encrypted data (ciphertext) will be written.
-k <symmetric_key>: This is where we provide the symmetric key used for encryption. There are two ways to specify the key:
Raw Key: If key is a raw binary string (generated with openssl rand without -base64), use this option directly followed by the key in hexadecimal format. (e.g., -k F40F9211C8AF2009...).
Base64 Encoded Key: If key is Base64 encoded (more common for readability), use -k followed by the -base64 option and then the Base64 encoded key string. (e.g., -k -base64 your_base64_encoded_key).
Password-Based Encryption: We can use the -pass option to provide a password at runtime. OpenSSL will derive a key from the password using PBKDF2 for added security. (e.g., openssl enc -aes-128-cbc -in data.txt -out data.txt.enc -pass pass:your_password).
To decrypt data using a symmetric key
-d: Decryption mode flag (essential for decryption).
<encryption algorithm>: Specifies the decryption algorithm and mode used during encryption (should match the encryption process).
-in <encrypted_file>: Path to the file containing the encrypted data (ciphertext).
-out <decrypted_file>: Path to the file where the decrypted plain text data will be written.
-k <symmetric_key>: This is where you provide the symmetric key used for decryption. Similar to encryption, there are two ways to specify the key:
Raw Key: If the key is a raw binary string, use -k followed by the key in hexadecimal format.
Base64 Encoded Key: If the key is Base64 encoded (more common), use -k followed by the -base64 option and then the Base64 encoded key string
Asymmetric key cryptography, also known as public-key cryptography, utilizes a pair of mathematically linked keys: a public key and a private key.
algorithm: Type of algorithm to use. For example RSA, DSA, EC etc.
OpenSSL can create the corresponding public key from the private key
<private_key_file>: Path to the existing private key file (generated in step 1).
<public_key_file>: Path to the file where the public key will be stored (in PEM format).
In asymmetric encryption, we use the public key of the recipient to encrypt data and the corresponding private key of the recipient to decrypt it.
-encrypt: Encrypt the input data.
-pubin: Indicates the input key is a public key.
-inkey public_key.pem: Path to the recipient's public key used for encryption (PEM format).
-in plaintext.txt: Input file to encrypt.
-out encrypted.bin: Output the encrypted data to encrypted.bin
While asymmetric encryption uses public keys, decryption relies on the corresponding private key.
-decrypt: Decrypt the input data.
-pubin: Indicates the input key is a public key.
-inkey your_private_key.pem: Path to the recipient's private key used for decryption (PEM format).
-in encryptedtext.enc: Input file with encrypted data.
-out plaintext.txt: Output the decrypted data to plaintext.txt
A Certificate Signing Request (CSR) is a data structure containing information used to obtain a digital certificate from a Certificate Authority (CA)
-new: Indicates a new CSR creation.
-key my_private_key.pem: Specifies the path to your private key file.
-out my_csr.csr: Specifies the output file for the CSR.
[-subj "/C=US/ST=California/L=San Francisco/O=My Company/CN=www.example.com"]: This is an optional subject field. It defines information about the entity requesting the certificate. You can replace the values with your own details:
/C=US: Country (2-letter code)
/ST=California: State/Province
/L=San Francisco: Locality (City)
/O=My Company: Organization Name
/CN=www.example.com: Common Name (Domain name or server identifier)
While obtaining a certificate from a trusted Certificate Authority (CA) is generally recommended, OpenSSL allows us to create a self-signed certificate for testing or internal purposes.
-x509: This flag indicates creating a self-signed certificate.
-sha256: Specifies the signature hashing algorithm (SHA-256 is recommended).
-days 365: Sets the validity period of the certificate to 365 days .
-newkey rsa:2048: Generates a new RSA key (2048 bits) and stores it in my_server_key.pem.
-keyout my_server_key.pem: Specifies the output file for the private key (same as before).
-out my_server_cert.crt: Specifies the output file for the self-signed certificate.
[-subj "/C=US/ST=California/L=San Francisco/O=My Company/CN=www.example.com"]: This optional subject information is similar to CSR creation.
Digital signatures are a crucial aspect of secure communication, allowing verification of data integrity and origin. OpenSSL provides functionalities for signing data using your private key.
-sha256: Specifies the hashing algorithm used to create a digest of the data (SHA-256 is recommended).
-sign my_private_key.pem: Indicates signing with our private key stored in my_private_key.pem.
-out signature.txt: Specifies the output file for the signature .
data.txt: The path to the file containing the data we want to sign.
Verify a signature using a public key
-sha256: Specifies the hashing algorithm used during signing (ensure it matches the signing process).
-verify signer_public_key.pem: Indicates verification using the public key of the signer. This file (e.g., signer_public_key.pem) should be obtained from a trusted source.
-signature signature.txt: Specifies the path to the signature file created during signing.
data.txt: The path to the original data file (or the data itself if not in a file).
Output:
If the verification is successful, OpenSSL will print "Verified OK". This indicates the data has not been tampered with and the signature is valid.
If the verification fails, it will display an error message. This might suggest the data has been modified, the signature is invalid, or the wrong public key was used.
