OpenSSL: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
Geist (Diskussion | Beiträge) |
Geist (Diskussion | Beiträge) |
||
| (34 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 38: | Zeile 38: | ||
- SHA-256 | - SHA-256 | ||
- SHA-512 | - SHA-512 | ||
| + | - Diffie-Hellman | ||
| + | - ElGamal | ||
| + | - ECC | ||
== '''Key length & keyspace''' == | == '''Key length & keyspace''' == | ||
| Zeile 93: | Zeile 96: | ||
== '''Asymmetric encryption with openssl''' == | == '''Asymmetric encryption with openssl''' == | ||
===== Generate a private key ===== | ===== Generate a private key ===== | ||
| + | [https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm OpenSSL Quick Reference Guide] | ||
| + | [https://www.ibm.com/docs/en/license-metric-tool?topic=communication-step-1-creating-private-keys-certificates Creating private keys and certificates IBM] | ||
| + | https://gist.github.com/briansmith/2ee42439923d8e65a266994d0f70180b | ||
| + | |||
| + | When generating a key, you have to decide three things: the key algorithm, the key size, and whether to use a passphrase. | ||
| + | 1. Key Algorithm | ||
| + | 2. Key Size | ||
| + | 3. Passphrase | ||
| + | |||
| + | '''[https://www.ssl.com/de/leiten/pem-der-crt-und-cer-x-509-Kodierungen-und-Konvertierungen/ PEM, DER, CRT und CER: X.509-Codierungen und -Konvertierungen]''' | ||
| + | '''PEM (ursprünglich “PRivalität Everbessert Mail ”) ''' | ||
| + | '''DER (Distinguished Encoding Rules) ''' | ||
| + | |||
| + | [https://stackoverflow.com/questions/9375044/can-we-have-multiple-public-keys-with-a-single-private-key-for-rsa Can we have multiple public keys with a single private key for RSA?] | ||
| + | '''In practice and with respect to security, no, mathematically, yes''' | ||
| + | |||
| + | [https://stackoverflow.com/questions/5244129/use-rsa-private-key-to-generate-public-key Use RSA private key to generate public key?] | ||
| + | |||
| + | '''Private-Key with RSA''' | ||
'''$ openssl genrsa -out key1.pem 512''' | '''$ openssl genrsa -out key1.pem 512''' | ||
'''$ openssl genrsa -out key1.pem 4096''' | '''$ openssl genrsa -out key1.pem 4096''' | ||
| − | pem - | + | '''$ openssl genrsa -des3 -out key1.pem 2048''' (With password) |
| + | |||
| + | '''Private-Key with ECDSA''' | ||
| + | For a list of possible curve names, run: | ||
| + | '''$ openssl ecparam -list_curves''' | ||
| + | '''$ openssl ecparam -name secp521r1 -genkey -noout -out my.key.pem''' | ||
| + | '''$ openssl ecparam -genkey -name secp521r1 | openssl ec -aes256 -out my.key.pem''' (With password) | ||
| + | |||
| + | '''$ openssl ecparam -name prime256v1 -genkey -noout -out key.pem''' | ||
| + | |||
| + | [https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other- openssl-generated-key-file What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?] | ||
===== Generate a public key from private key ===== | ===== Generate a public key from private key ===== | ||
'''$ openssl rsa -in key1.pem -outform PEM -pubout -out key1.pub''' | '''$ openssl rsa -in key1.pem -outform PEM -pubout -out key1.pub''' | ||
| − | '''$ openssl rsa -in | + | '''$ openssl rsa -in key1_private_key.pem -outform PEM -pubout -out key1_public_key.pem''' |
| − | '''$ openssl | + | |
| + | ''Generate random key'' | ||
| + | '''$ openssl rand -hex -out key1_random_key.bin 64''' | ||
| + | |||
| + | ''Display information'' | ||
| + | '''$ openssl rsa -in key1.pem -text''' | ||
| + | '''$ openssl rsa -in key1.pem -text -noout''' | ||
| + | |||
===== Encrypt ===== | ===== Encrypt ===== | ||
'''$ openssl rsa -in key1.pem -des3 -out key1.enc''' | '''$ openssl rsa -in key1.pem -des3 -out key1.enc''' | ||
'''$ openssl genrsa -des3 -out key1.enc''' | '''$ openssl genrsa -des3 -out key1.enc''' | ||
| + | '''$ openssl enc -aes-256-cbc -salt -in SecretFile -out SecretFile.enc -pass file:user1_random_key.bin''' | ||
| + | '''$ file SecretFile.enc''' | ||
| + | |||
| + | ===== Decrypt ===== | ||
| + | '''$ openssl rsa -in key1_enc.pem -outform PEM -pubout -out mypublickey1.pem''' | ||
| + | |||
| + | ===== Datenintegrität ===== | ||
| + | Was ist Datenintegrität? | ||
| + | Der Begriff Datenintegrität bezieht sich auf die Korrektheit, Vollständigkeit und Konsistenz von Daten. | ||
| + | - '''Nicht verändert worden''' | ||
| + | - '''Identifizierung des Senders''' | ||
| + | Identifizierung oder Identifikation (von lateinisch identitas „Wesenheit" und facere „machen") steht für: . Identifikation (Psychologie), das Einfühlen in eine andere Person oder Figur der Nachweis oder die Verifizierung einer behaupteten Eigenschaft einer Entität, die Authentifizierung; bei Personen die amtliche Identitätsfeststellung | ||
| + | [https://de.wikipedia.org/wiki/Identifizierung Identifizierung | Wikipedia] | ||
| + | - '''repudiation attack''' | ||
| + | |||
| + | ===== Hashing ===== | ||
| + | '''FUNCTION(DATEN)=HASHWERT''' | ||
| + | |||
| + | ===== CHECKSUM ===== | ||
| + | '''echo -n "TEXT" | cksum''' | ||
| + | '''md5sum SecretFile > checksum.txt''' | ||
| + | '''md5sum -c checksum.txt''' | ||
| + | |||
| + | ===== Digitale Signatur ===== | ||
| + | '''openssl rsautl''' | ||
| + | '''openssl dgst''' | ||
| + | |||
| + | '''openssl genrsa -des3 -out user2_private_key.pem 2048''' | ||
| + | '''openssl rsa -in user2_private_key.pem -outform PEM -pubout -out user2_public_key.pem''' | ||
| + | '''openssl rand -hex -out user1_random_key.bin 64''' | ||
| + | '''openssl enc -aes-256-cbc -salt -in SecretFile -out SecretFile.enc -pass file:user1_random_key.bin''' | ||
| + | '''openssl rsautl -encrypt -inkey user''' | ||
Aktuelle Version vom 11. März 2022, 11:12 Uhr
Inhaltsverzeichnis
- 1 OpenSSL Version 1.1.1
- 2 Types of encryption
- 3 Key length & keyspace
- 4 Classification of symmetric algorithms
- 5 Terminology of asymmetric encryption
- 6 Symmetric encryption/decryption with gpg
- 7 Symmetric encryption with openssl
- 8 Symmetric decryption with openssl
- 9 Asymmetric encryption with openssl
OpenSSL Version 1.1.1
Encryption for - data - communication - traffic - secret - signing plain --> cipher
Terminology Plain text (human readable) Cipher text (not human readable) Encryption (process) Symmetric encryption (type of encryption) Asymmetric encryption (type of encryption) Symmetric key (symmetric encryption) AES - Advanced Encryption Standard (algorithm for encryption)
Types of encryption
Symmetric encryption ==> Same key for encrypt/decrypt Algorithms examples: - AES - DES - Triple DES - Serpent - Twofish
Asymmetric encryption ==> Different key for encrypt/decrypt Algorithms examples: - RSA - DSA - PGP - SHA-1 - SHA-2 - SHA-24 - SHA-256 - SHA-512 - Diffie-Hellman - ElGamal - ECC
Key length & keyspace
Binary System -> 0|1 1 Bit -> 0|1 # on|off # true|false # 128-bit key Key length = Key space =
Classification of symmetric algorithms
Stream ciphers -> RC4, A5/1, E0 Block ciphers -> AES, DES, SHA, IDEA, SERPENT, TWOFISH
$ whereis openssl $ which openssl $ openssl rsautl
$ openssl version $ openssl help $ openssl help list $ openssl list -help Valid options are: -help Display this summary -1 List in one column -commands List of standard commands -digest-commands List of message digest commands -digest-algorithms List of message digest algorithms -cipher-commands List of cipher commands -cipher-algorithms List of cipher algorithms -public-key-algorithms List of public key algorithms -public-key-methods List of public key methods -disabled List of disabled features -missing-help List missing detailed help strings -options val List options for specified command
Terminology of asymmetric encryption
Asymmetric key/keys (1 for encryption, 1 for decryption) Key pair, private and public key Public key, part of asymmetric key, for encryption Private key for decryption
Symmetric encryption/decryption with gpg
$ gpg --symmetric --cipher-algo AES256 --output file.gpg file.txt $ gpg --decrypt --output file.txt file.gpg
Symmetric encryption with openssl
$ openssl enc -aes-256-cbc -in sslmessage -out sslmessage.enc $ openssl enc -aes-256-cbc -salt -pbkdf2 -in msg.txt -out msg.txt.enc
Symmetric decryption with openssl
$ openssl enc -aes-256-cbc -d -in sslmessage -pass pass:test $ openssl aes-256-cbc -d -salt -pbkdf2 -in msg.txt.enc -out msg.read $ openssl aes-256-cbc -d -salt -pbkdf2 -in msg.txt.enc -out msg.read -pass pass:test
Asymmetric encryption with openssl
Generate a private key
OpenSSL Quick Reference Guide Creating private keys and certificates IBM https://gist.github.com/briansmith/2ee42439923d8e65a266994d0f70180b
When generating a key, you have to decide three things: the key algorithm, the key size, and whether to use a passphrase. 1. Key Algorithm 2. Key Size 3. Passphrase
PEM, DER, CRT und CER: X.509-Codierungen und -Konvertierungen PEM (ursprünglich “PRivalität Everbessert Mail ”) DER (Distinguished Encoding Rules)
Can we have multiple public keys with a single private key for RSA? In practice and with respect to security, no, mathematically, yes
Use RSA private key to generate public key?
Private-Key with RSA $ openssl genrsa -out key1.pem 512 $ openssl genrsa -out key1.pem 4096 $ openssl genrsa -des3 -out key1.pem 2048 (With password)
Private-Key with ECDSA For a list of possible curve names, run: $ openssl ecparam -list_curves $ openssl ecparam -name secp521r1 -genkey -noout -out my.key.pem $ openssl ecparam -genkey -name secp521r1 | openssl ec -aes256 -out my.key.pem (With password)
$ openssl ecparam -name prime256v1 -genkey -noout -out key.pem openssl-generated-key-file What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?
Generate a public key from private key
$ openssl rsa -in key1.pem -outform PEM -pubout -out key1.pub $ openssl rsa -in key1_private_key.pem -outform PEM -pubout -out key1_public_key.pem Generate random key $ openssl rand -hex -out key1_random_key.bin 64
Display information $ openssl rsa -in key1.pem -text $ openssl rsa -in key1.pem -text -noout
Encrypt
$ openssl rsa -in key1.pem -des3 -out key1.enc $ openssl genrsa -des3 -out key1.enc $ openssl enc -aes-256-cbc -salt -in SecretFile -out SecretFile.enc -pass file:user1_random_key.bin $ file SecretFile.enc
Decrypt
$ openssl rsa -in key1_enc.pem -outform PEM -pubout -out mypublickey1.pem
Datenintegrität
Was ist Datenintegrität? Der Begriff Datenintegrität bezieht sich auf die Korrektheit, Vollständigkeit und Konsistenz von Daten. - Nicht verändert worden - Identifizierung des Senders Identifizierung oder Identifikation (von lateinisch identitas „Wesenheit" und facere „machen") steht für: . Identifikation (Psychologie), das Einfühlen in eine andere Person oder Figur der Nachweis oder die Verifizierung einer behaupteten Eigenschaft einer Entität, die Authentifizierung; bei Personen die amtliche Identitätsfeststellung Identifizierung | Wikipedia - repudiation attack
Hashing
FUNCTION(DATEN)=HASHWERT
CHECKSUM
echo -n "TEXT" | cksum md5sum SecretFile > checksum.txt md5sum -c checksum.txt
Digitale Signatur
openssl rsautl openssl dgst
openssl genrsa -des3 -out user2_private_key.pem 2048 openssl rsa -in user2_private_key.pem -outform PEM -pubout -out user2_public_key.pem openssl rand -hex -out user1_random_key.bin 64 openssl enc -aes-256-cbc -salt -in SecretFile -out SecretFile.enc -pass file:user1_random_key.bin openssl rsautl -encrypt -inkey user