SSL and its successor TLS were protocols developed to provide communication security over a network using cryptography. You are probably most familiar with the protocol in web browsers for websites beginning with https. You can take advantage of the encryption in SSL or TLS to encrypt your data.
The most common implementation of SSL is OpenSSL, an open-source community project for a full-featured toolkit implement of SSL and TLS, as well as general-purpose cryptography. It was subject of the infamousHeartbleed vulnerability that primarily affected the communication encryption aspect of OpenSSL. The cryptography library aspect of OpenSSL is still extremely useful.
OpenSSL has a number of ciphers, cryptographic hash functions, and public key encryption algorithms.
- Ciphers
- AES
- Blowfish
- Camellia
- SEED
- CAST-128
- DES
- IDEA
- RC2
- RC4
- RC5
- Triple DES
- GOST 28147-89
- Cryptographic hash functions
- MD5
- MD4
- MD2
- SHA-1
- SHA-2
- RIPEMD-160
- MDC-2
- GOST R 34.11-94
- Public-key cryptography
- RSA
- DSA
- Diffie–Hellman key exchange
- Elliptic curve
- GOST R 34.10-2001
OpenSSL really focuses on encryption and decryption and not compression. Consequently, you shouldn’t expect the encrypted file to be smaller than the original file.
Using OpenSSL requires a few more arguments than the typical encryption tool:
[laytonjb@home4 TEMP]$ ls -s total 7288 196 hpc_001.html 7092 MFS2007.pdf [laytonjb@home4 TEMP]$ openssl aes-256-cbc -salt -in hpc_001.html -out hpc_001.html.enc enter aes-256-cbc encryption password: Verifying - enter aes-256-cbc encryption password: [laytonjb@home4 TEMP]$ ls -s total 7484 196 hpc_001.html 196 hpc_001.html.enc 7092 MFS2007.pdf
The first option I use is aes-256-cbc, which tells OpenSSL to use the 256-bit key with OpenSSL, along with the AES cipher. The -in option specifies the input file, and -out specifies the output (encrypted) file.
The option -salt is added to the command line because it can be very important for improving security. Classically, a salt is a random bit of data that is used as an additional input to a one-way function that hashes the passphrase. It protects against dictionary attacks and against precomputed rainbow table attacks. Thereason is that without the salt, the same password always generates the same encryption key. When the salt is used with OpenSSL, the first 8 bytes of the encrypted data are reserved for the salt (i.e., the random bit of data). When the file is decrypted, the salt is read from the encrypted file and used for decryption.
Notice that OpenSSL does not echo the passphrase, so it can’t be captured in the shell history. Also, notice that OpenSSL doesn’t have a standard file extension. I chose .enc to show that the file is encrypted.
As I mentioned earlier, OpenSSL is just an encryption tool. It doesn’t do file compression. Consequently, the file size of the encrypted text file in the previous example is roughly the same as the original text file. OpenSSL can operate on a compressed file as well, but in a step that is done separately:
[laytonjb@home4 TEMP]$ openssl aes-256-cbc -salt -in hpc_001.html.gz \ -out hpc_001.html.gz.enc enter aes-256-cbc encryption password: Verifying - enter aes-256-cbc encryption password: [laytonjb@home4 TEMP]$ ls -s total 7336 24 hpc_001.html.gz
24 hpc_001.html.gz.enc
In this case, I used gzip to compress the file before using OpenSSL. Otherwise the process is the same. Notice the size difference between the encrypted compressed file, and the encrypted but uncompressed file.
Decrypting a file is also fairly easy using the -d option on the command line:
[laytonjb@home4 TEMP]$ openssl aes-256-cbc -d -in hpc_001.html.enc -out hpc_001.html.2 enter aes-256-cbc decryption password: [laytonjb@home4 TEMP]$> ls -s total 7680 196 hpc_001.html.2
196 hpc_001.html.enc
No comments:
Post a Comment