| By David Dodd | Article Rating: |
|
| August 18, 2011 07:30 AM EDT | Reads: |
783 |
The OpenSSL is based on SSLeay library developed by Eric A. Young and Tim J. Hudson and licensed under an Apache-style license. OpenSSL has lots of features but I will cover encoding, checksums, encryption, passwords and pass phrases.
Many Linux distributions have OpenSSL as part of the bundled packages and is most likely located in /usr/bin. To find it on your system type:
$ which openssl
/usr/bin/openssl
$ openssl version
OpenSSL 1.0.0a 1 Jun 2010
Versions may vary and currently openssl-1.0.0d Feb 8 is the current version. Most of the examples that are found in this document should work on most versions.
Base64 encoding and decoding can be performed alone or used in conjunction with encryption and decryption. Below we are encoding a file with base64:
$ openssl base64 -in text.txt -out text.3634
Now we are decoding it:
$ openssl base64 -d -in text.3634 -out text.txt
File name extensions are not relevant to OpenSSL and you can drop them.
Encryptions
Encrypt a file with any of the available ciphers:
$ openssl list-cipher-commands
This will list a number of ciphers to use. Now let's encrypt the file using triple DES in CBC “Cipher Block Chaining” mode using a prompted password:
$ openssl des3 -salt -in recept.pdf -out recept.des3
prompted for a password enter it twice. To decrypt the file using the supplied password
$ openssl des3 -d -salt -in recept.des3 -out recept.pdf -k password
enter des-ede3-cbc encryption password:
Verifying – enter des-ede3-cbc encryption password:
You can encrypt a file then base64 encode it using Blowfish in CBC mode using the following comamnd:
$ openssl bf -a -salt -in recept.pdf -out recept.bf
enter bf-cbc encryption password:
Verifying – enter bf-cbc encryption password:
Again the file extensions are not relevant and if you open the file with a gedit it will be a bunch of characters. OpenSSL won't manage the files and file extensions for you, you must specify where you want the outgoing data written. The reason to encrypt then encode and not the other way around is you want to have random data to encrypt and when you encode you are left with no random data. To decrypt us the following command:
$ openssl bf -d -salt -a -in recept001.bf -out recept001.pdf
enter bf-cbc decryption password:
Have strong password is important but like many discover its also difficult to maintain password different for many devices. The goal with password is to make a secret that you can remember but someone else wont know and cant guess. You can generate pass phrases with OpenSSL using this command:
$ openssl rand 20 -base64
This generates a random character that is 20 binary bytes with base64 encoding for a total of 28 characters.
Shadow-style password hash
OpenSSL has the ability for creating encrypted Linux passwords exactly like those make by /bin/passwd. Just enter in the following command:
$ openssl passwd -1 enter-in-text
$1$Av0HxLID$WLFyqVyjJOtqnYfVufpCw0
Every time you enter the above it will produce a different hash, your hash will be different except for the $1$ in front. You can make a hash of your password that you choose without outputting the result to the screen like so:
$ openssl passwd -1
Password:
Verifying – Password
Checksums
A checksum is a way of ensuring that data has not been corrupted, either accidentally or maliciously. OpenSSL uses md5 but the MD5 algorithm suffers from vulnerabilities and should not be used anymore. Instead use the more secure sha1sum (see Figure 1).

Figure 1
Notice the difference in hash output lengths.
OpenSSL is FIPS 140-2 Level 1 validation and is available for government cryptography. The FIPS 140-2 User Guide is available here updated November 21, 2009. This tool is available for use in the enterprise and with a little administration can provide a solution to many of your security requirements.


Let pbnetworks get your pen-test on target

Visit us and learn how http://pbnetworks.net
How secure is your network?
Published August 18, 2011 Reads 783
Copyright © 2011 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By David Dodd
David J. Dodd is currently in the United States and holds a current 'Secret' DoD Clearance and is available for consulting on various Information Assurance projects. A former U.S. Marine with Avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference and SDISSA, is a member of InfraGard, and contributes to Secure our eCity http://securingourecity.org. He works for pbnetworks Inc. http://pbnetworks.net a small service disabled veteran owned business located in San Diego, CA and can be contacted by emailing: dave@pbnetworks.net.
- Ubuntu-based Open Source Linux Mint Tests KDE Version
- Dell and Cloudera Package Up Turnkey Hadoop
- Linux Labs Completed Development for HPC Cloud Computing Service
- The Detested Microsoft-Novell Deal Lives On
- Oracle Makes Oracle Linux More Competitive
- Cloud Cruiser to Exhibit at Cloud Expo 2011 Silicon Valley
- Red Hat Pushes into All-Cloud Management
- Microsoft Cuts Cloud Deal with Chinese Linux Outfit
- Samba 3.6 Out
- Top 10 Reasons to Choose an Open Source Application Integration Solution
- How to Improve Server Performance by IO Tuning – Part 2
- Basic Apache and MySQL Performance Tuning
- Cloud Expo Silicon Valley Call for Papers Deadline September 16
- Xen, KVM and the Linux Choice
- Ubuntu-based Open Source Linux Mint Tests KDE Version
- Adobe AIR Dead on Desktop Linux
- Red Hat Wheels Out MRG 2.0
- Twenty-Five Linux Server Hardening Tips
- Oracle Releases VM Template for MySQL Enterprise Edition
- Dell and Cloudera Package Up Turnkey Hadoop
- Likewise Sells Heritage Assets to Go into Storage
- Nokia and Accenture Finalize Symbian Software Development and Support Services Outsourcing Agreement
- Linux Labs Completed Development for HPC Cloud Computing Service
- The Development of a Perl-based Password Complexity Filter
- The i-Technology Right Stuff
- Linux.SYS-CON.com Exclusive: Linus Discloses *Real* Fathers of Linux
- After Ubuntu, Windows Looks Increasingly Bad, Increasingly Archaic, Increasingly Unfriendly
- A Closer Look at Damn Small Linux
- Linus' Top Ten SCO Barbs
- SCO CEO Posts Open Letter to the Open Source Community
- Netscape Co-Founder's 12 Reasons for Growth of Open Source
- Where Are RIA Technologies Headed in 2008?
- *POINT - COUNTERPOINT SPECIAL* What's Wrong with the Open Source Community?
- Introducing "Cooperative Linux" - Linux for Windows, No Less
- Linux.SYS-CON.com Exclusive: What Would UserLinux Look Like?
- Why Recovering a Deleted Ext3 File Is Difficult . . .

































