OpenSSL
Current revision as of 11 March 2022, 11:12
Contents
- 1 OpenSSL Version 1.1.1
 - 2 Types of encryption
 - 3 Key length & keyspace
 - 4 Classification of symmetric algorithms
 - 5 Terminology of asymmetric encryption
 - 6 Symmetric encryption/decryption with gpg
 - 7 Symmetric encryption with openssl
 - 8 Symmetric decryption with openssl
 - 9 Asymmetric encryption with openssl
 
OpenSSL Version 1.1.1

Encryption for
  - data
  - communication
  - traffic
  - secrets
  - signing
  plain text --> cipher text

Terminology
  Plain text (human readable)
  Cipher text (not human readable)
  Encryption (the process that turns plain text into cipher text)
  Symmetric encryption (type of encryption: one shared key)
  Asymmetric encryption (type of encryption: a public/private key pair)
  Symmetric key (the single key used by symmetric encryption)
  AES - Advanced Encryption Standard (symmetric encryption algorithm)
Types of encryption

Symmetric encryption ==> same key for encrypt/decrypt
  Algorithm examples:
  - AES
  - DES (56-bit key, broken; legacy only)
  - Triple DES (3DES, deprecated)
  - Serpent
  - Twofish

Asymmetric encryption ==> different keys for encrypt/decrypt (public key encrypts, private key decrypts)
  Algorithm examples:
  - RSA (encryption and signatures)
  - ElGamal (encryption)
  - ECC (elliptic-curve cryptography: ECDH key agreement, ECDSA signatures, ECIES encryption)
  - Diffie-Hellman (key agreement, used to establish a symmetric key; not an encryption algorithm itself)
  - DSA (signatures only, no encryption)
  Often listed alongside them, but not asymmetric encryption algorithms:
  - PGP is a program and message format that combines the algorithms above (RSA, ElGamal or ECC for the key, AES for the data)
  - SHA-1 and SHA-2 (SHA-224, SHA-256, SHA-512; "SHA-24" is a typo for SHA-224) are hash functions, see Hashing below; they are keyless and one-way, nothing can be decrypted from a hash
Key length & keyspace
  Binary system -> 0|1
  1 bit -> 0|1 # on|off # true|false
  Key length = number of bits in the key, e.g. a 128-bit key
  Key space = number of possible keys = 2^(key length); a 128-bit key has 2^128 possible keys, so an exhaustive search needs on average 2^127 trials
Classification of symmetric algorithms
  Stream ciphers -> RC4 (broken, do not use), A5/1, E0
  Block ciphers -> AES, DES, IDEA, Serpent, Twofish (SHA is a hash function, not a block cipher, and does not belong in this list)
Locating openssl and listing what it supports
  $ whereis openssl
  $ which openssl
  $ openssl version
  $ openssl help
  $ openssl help list
  $ openssl list -help
  $ openssl rsautl        (raw RSA encrypt/decrypt/sign; deprecated since 3.0 in favour of openssl pkeyutl)
  Valid options are:
  -help                   Display this summary
  -1                      List in one column
  -commands               List of standard commands
  -digest-commands        List of message digest commands
  -digest-algorithms      List of message digest algorithms
  -cipher-commands        List of cipher commands
  -cipher-algorithms      List of cipher algorithms
  -public-key-algorithms  List of public key algorithms
  -public-key-methods     List of public key methods
  -disabled               List of disabled features
  -missing-help           List missing detailed help strings
  -options val            List options for specified command
Terminology of asymmetric encryption
  Asymmetric keys: two mathematically linked keys, one for encryption, one for decryption
  Key pair: private key and public key, generated together
  Public key: the public half, used for encryption (and for signature verification); can be handed out freely
  Private key: the secret half, used for decryption (and for signing); must never leave its owner
Symmetric encryption/decryption with gpg
  $ gpg --symmetric --cipher-algo AES256 --output file.gpg file.txt
  $ gpg --decrypt --output file.txt file.gpg
  gpg prompts for a passphrase and derives the AES key from it.

Symmetric encryption with openssl
  $ openssl enc -aes-256-cbc -in sslmessage -out sslmessage.enc
  $ openssl enc -aes-256-cbc -salt -pbkdf2 -in msg.txt -out msg.txt.enc
  Without -pbkdf2, 1.1.1 derives the key from the passphrase with the legacy EVP_BytesToKey scheme (a single MD5 iteration) and prints "WARNING : deprecated key derivation used"; always pass -pbkdf2 (optionally -iter N to raise the iteration count). -salt is the default since 1.1.0. AES-CBC gives confidentiality only: a changed ciphertext is not detected, so pair it with a hash or signature (see Data integrity below).

Symmetric decryption with openssl
  $ openssl enc -aes-256-cbc -d -in sslmessage.enc -pass pass:test
  $ openssl aes-256-cbc -d -salt -pbkdf2 -in msg.txt.enc -out msg.read
  $ openssl aes-256-cbc -d -salt -pbkdf2 -in msg.txt.enc -out msg.read -pass pass:test
  The decrypt side must use the same cipher and the same key derivation (-pbkdf2 and -iter) as the encrypt side, otherwise the result is "bad decrypt". -pass pass:... exposes the passphrase in the process list and shell history; prefer -pass file:... or the interactive prompt.
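The two sections above show encryption and decryption as separate commands. The following is an added example, not code from the original wiki page: it runs a full round trip with -pbkdf2 and then shows the failure mode of a decrypt side that drops -pbkdf2. It assumes openssl 1.1.1 or 3.x on PATH; the file names, the passphrase file and the message text are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): AES-256-CBC round trip with
# openssl enc, and what happens when the key derivation does not match.
# Assumes openssl 1.1.1 or 3.x; file names and texts are constructed.
set -eu

# Encrypt $1 to $2 with AES-256-CBC, key derived from the first line of
# passphrase file $3 with PBKDF2 (100000 iterations).
sym_encrypt() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Decrypt $1 to $2; cipher, -pbkdf2 and -iter must match the encrypt side.
sym_decrypt() {
    openssl enc -aes-256-cbc -d -pbkdf2 -iter 100000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Round trip: prints the recovered plaintext.
sym_roundtrip() {
    w=$(mktemp -d)
    printf 'constructed plaintext\n' > "$w/msg.txt"          # constructed sample input
    printf 'correct horse battery staple\n' > "$w/pass.txt"  # constructed passphrase
    sym_encrypt "$w/msg.txt" "$w/msg.txt.enc" "$w/pass.txt"
    sym_decrypt "$w/msg.txt.enc" "$w/msg.read" "$w/pass.txt"
    cat "$w/msg.read"
    rm -rf "$w"
}

# Decrypting a PBKDF2 ciphertext without -pbkdf2 makes openssl derive a
# different key with the legacy EVP_BytesToKey scheme: it reports "bad decrypt"
# or, rarely, emits garbage that happens to pass the padding check. Returns 0
# when the original plaintext is NOT recovered, i.e. the mismatch is caught.
sym_kdf_mismatch_detected() {
    w=$(mktemp -d)
    printf 'constructed plaintext\n' > "$w/msg.txt"
    printf 'correct horse battery staple\n' > "$w/pass.txt"
    sym_encrypt "$w/msg.txt" "$w/msg.txt.enc" "$w/pass.txt"
    if openssl enc -aes-256-cbc -d -in "$w/msg.txt.enc" -out "$w/msg.bad" \
           -pass "file:$w/pass.txt" 2>/dev/null \
       && cmp -s "$w/msg.txt" "$w/msg.bad"; then
        rm -rf "$w"; return 1
    fi
    rm -rf "$w"
}

sym_roundtrip
sym_kdf_mismatch_detected && echo "KDF mismatch detected"
```

The passphrase comes from a file rather than -pass pass:..., so it never appears in the process list; the iteration count is passed explicitly on both sides because a silent default change between versions would otherwise break decryption.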
Asymmetric encryption with openssl

Generate a private key
  OpenSSL Quick Reference Guide (DigiCert): https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm
  Creating private keys and certificates (IBM): https://www.ibm.com/docs/en/license-metric-tool?topic=communication-step-1-creating-private-keys-certificates
  https://gist.github.com/briansmith/2ee42439923d8e65a266994d0f70180b

  When generating a key, you have to decide three things: the key algorithm, the key size, and whether to use a passphrase.
  1. Key algorithm (RSA, ECDSA, ...)
  2. Key size (RSA: at least 2048 bits; EC: chosen by the curve, e.g. prime256v1 or secp521r1)
  3. Passphrase (encrypts the private key file at rest; without it anyone who reads the file owns the key)

  PEM, DER, CRT and CER: X.509 encodings and conversions: https://www.ssl.com/de/leiten/pem-der-crt-und-cer-x-509-Kodierungen-und-Konvertierungen/
  PEM (originally "Privacy Enhanced Mail"): Base64-encoded DER between -----BEGIN ...----- and -----END ...----- lines
  DER (Distinguished Encoding Rules): binary ASN.1 encoding

  Can we have multiple public keys with a single private key for RSA? https://stackoverflow.com/questions/9375044/can-we-have-multiple-public-keys-with-a-single-private-key-for-rsa
  In practice and with respect to security, no; mathematically, yes.
  Use RSA private key to generate public key? https://stackoverflow.com/questions/5244129/use-rsa-private-key-to-generate-public-key

Private key with RSA
  $ openssl genrsa -out key1.pem 512        (512-bit RSA can be factored on commodity hardware; demo only, never for real use)
  $ openssl genrsa -out key1.pem 4096
  $ openssl genrsa -des3 -out key1.pem 2048 (with password; prefer -aes256 over -des3 for the key file)
  If the size is omitted, genrsa in 1.1.1 defaults to 2048 bits.

Private key with ECDSA
  For a list of possible curve names, run:
  $ openssl ecparam -list_curves
  $ openssl ecparam -name secp521r1 -genkey -noout -out my.key.pem
  $ openssl ecparam -genkey -name secp521r1 | openssl ec -aes256 -out my.key.pem (with password)
  $ openssl ecparam -name prime256v1 -genkey -noout -out key.pem
  -noout drops the separate "EC PARAMETERS" block, leaving only the "EC PRIVATE KEY" block in the file.

  What is a PEM file and how does it differ from other OpenSSL generated key file formats? https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file

Generate a public key from private key
  $ openssl rsa -in key1.pem -outform PEM -pubout -out key1.pub
  $ openssl rsa -in key1_private_key.pem -outform PEM -pubout -out key1_public_key.pem
  The public key is derived from the private key; the reverse is not possible.

Generate random key
  $ openssl rand -hex -out key1_random_key.bin 64
  64 random bytes, written hex encoded (128 ASCII characters plus a newline); despite the .bin name the file is text. Omit -hex for raw bytes.

Display information
  $ openssl rsa -in key1.pem -text
  $ openssl rsa -in key1.pem -text -noout
  -text prints the modulus, exponents and CRT parameters of the private key; -noout suppresses the PEM block.

Encrypt
  $ openssl rsa -in key1.pem -des3 -out key1.enc         (add a passphrase to an existing private key)
  $ openssl genrsa -des3 -out key1.enc                   (generate a new passphrase-protected key directly)
  $ openssl enc -aes-256-cbc -salt -in SecretFile -out SecretFile.enc -pass file:user1_random_key.bin
  $ file SecretFile.enc
  The first two commands encrypt a key file, the third encrypts data; add -pbkdf2 to the third for the reason given under Symmetric encryption. -pass file: uses the first line of the file as the passphrase. file identifies the output by its "Salted__" header as "openssl enc'd data with salted password".

Decrypt
  $ openssl rsa -in key1_enc.pem -outform PEM -pubout -out mypublickey1.pem
  This does not decrypt data: it reads a passphrase-protected private key (prompting for the passphrase) and writes the matching public key. To strip the passphrase from a key file, run openssl rsa with -in and -out only, without -pubout and without a cipher option.

Data integrity
  What is data integrity?
  Data integrity refers to the correctness, completeness and consistency of data.
  - Not modified (detected by a hash, a MAC or a signature)
  - Identification of the sender (authentication; given by a MAC or a signature, never by a plain hash)
  Identification (from Latin identitas "essence" and facere "to make") can mean: identification in psychology, empathising with another person or character; the proof or verification of a claimed property of an entity, i.e. authentication; for persons, the official establishment of identity. Identifizierung | Wikipedia: https://de.wikipedia.org/wiki/Identifizierung
  - Repudiation attack: the sender later denies having sent or signed the data. Non-repudiation needs a digital signature made with a private key that only the sender holds; a MAC under a shared key cannot provide it, because the verifier could have produced the MAC too.

Hashing
  FUNCTION(DATA) = HASH VALUE
  Fixed-length output, one-way, collision resistant. SHA-256 and SHA-512 are current; MD5 and SHA-1 are broken for collision resistance.

CHECKSUM
  echo -n "TEXT" | cksum
  md5sum SecretFile > checksum.txt
  md5sum -c checksum.txt
  cksum is a CRC and only catches accidental corruption. md5sum catches corruption but not a deliberate substitution, since MD5 collisions are cheap; sha256sum works the same way and should be used instead. None of these authenticate the sender: whoever can change the file can recompute the checksum.

Digital signature
  openssl rsautl    (raw RSA operations; deprecated since 3.0, use openssl pkeyutl)
  openssl dgst      (computes a digest; with -sign / -verify it signs or verifies the digest)

  openssl genrsa -des3 -out user2_private_key.pem 2048
  openssl rsa -in user2_private_key.pem -outform PEM -pubout -out user2_public_key.pem
  openssl rand -hex -out user1_random_key.bin 64
  openssl enc -aes-256-cbc -salt -in SecretFile -out SecretFile.enc -pass file:user1_random_key.bin
  openssl rsautl -encrypt -inkey user
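The command list above sets up hybrid encryption: a random key encrypts the file, and user2's RSA public key is meant to encrypt that random key. The following is an added example, not code from the original wiki page, that completes the workflow and adds the signature the Digital signature and Data integrity sections call for: user1 seals a file for user2 and signs the ciphertext, user2 verifies the signature before unwrapping the key and decrypting, and a tampered ciphertext is rejected. It assumes openssl 1.1.1 or 3.x on PATH and uses openssl pkeyutl with RSA-OAEP in place of the deprecated rsautl; the user1/user2 names, file names and the secret text are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): hybrid encryption plus a
# signature over the ciphertext, using only the openssl CLI.
# Assumes openssl 1.1.1 or 3.x; user1/user2, file names and texts are constructed.
set -eu

# Create <name>_private_key.pem and <name>_public_key.pem (RSA-2048) in dir $1.
gen_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2_private_key.pem" 2>/dev/null
    openssl pkey -in "$1/$2_private_key.pem" -pubout -out "$1/$2_public_key.pem"
}

# user1 -> user2: encrypt $1/SecretFile under a fresh random key, wrap that key
# for user2 with RSA-OAEP, sign the ciphertext as user1.
seal() {
    d=$1
    openssl rand -hex 32 > "$d/session_key.txt"   # 32 random bytes, hex; used once
    openssl enc -aes-256-cbc -salt -pbkdf2 -in "$d/SecretFile" \
        -out "$d/SecretFile.enc" -pass "file:$d/session_key.txt"
    # Only user2's private key can unwrap the session key (OAEP, not PKCS#1 v1.5)
    openssl pkeyutl -encrypt -pubin -inkey "$d/user2_public_key.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$d/session_key.txt" -out "$d/session_key.enc"
    # SHA-256 digest of the ciphertext, signed with user1's private key
    openssl dgst -sha256 -sign "$d/user1_private_key.pem" \
        -out "$d/SecretFile.enc.sig" "$d/SecretFile.enc"
    rm "$d/session_key.txt"
}

# user2: verify user1's signature first; only then unwrap the key and decrypt.
# Returns 1 and decrypts nothing when the signature does not verify.
unseal() {
    d=$1
    openssl dgst -sha256 -verify "$d/user1_public_key.pem" \
        -signature "$d/SecretFile.enc.sig" "$d/SecretFile.enc" >/dev/null 2>&1 \
        || return 1
    openssl pkeyutl -decrypt -inkey "$d/user2_private_key.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$d/session_key.enc" -out "$d/session_key.dec"
    openssl enc -aes-256-cbc -d -pbkdf2 -in "$d/SecretFile.enc" \
        -out "$d/SecretFile.dec" -pass "file:$d/session_key.dec"
    cat "$d/SecretFile.dec"
}

# Fresh work dir with both key pairs and the constructed secret; prints its path.
setup_demo() {
    w=$(mktemp -d)
    gen_keypair "$w" user1
    gen_keypair "$w" user2
    printf 'constructed secret for user2\n' > "$w/SecretFile"   # constructed input
    echo "$w"
}

# Round trip: prints the plaintext user2 recovers.
hybrid_roundtrip() {
    w=$(setup_demo)
    seal "$w"
    unseal "$w"
    rm -rf "$w"
}

# Append one byte to the ciphertext after sealing; returns 0 when unseal rejects it.
hybrid_tamper_detected() {
    w=$(setup_demo)
    seal "$w"
    printf 'X' >> "$w/SecretFile.enc"
    if unseal "$w" >/dev/null 2>&1; then rm -rf "$w"; return 1; fi
    rm -rf "$w"
}

hybrid_roundtrip
hybrid_tamper_detected && echo "tampered ciphertext rejected"
```

The signature covers the ciphertext rather than the plaintext (encrypt-then-sign), so user2 rejects a manipulated file before any key material is used on it; the session key is wrapped with OAEP because pkeyutl's default RSA padding is PKCS#1 v1.5.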