Dec 10 2010

After my previous article 7 Practical uses of Openssl I have received many comments and suggestions of other possible uses of this excellent program.

With this article, I'll show you other uses of the openssl command from the command line.


Encryption/Decryption

You can use openssl to encrypt files. To view the list of available cipher commands, run

openssl list-cipher-commands

(on OpenSSL 1.1.0 and later the same list is printed by openssl list -cipher-commands).

You’ll get an output like this

aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb
base64
bf
bf-cbc
bf-cfb
bf-ecb
bf-ofb
cast
cast-cbc
cast5-cbc
cast5-cfb
cast5-ecb
cast5-ofb
des
des-cbc
des-cfb
des-ecb
des-ede
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-ofb
des-ofb
des3
desx
rc2
rc2-40-cbc
rc2-64-cbc
rc2-cbc
rc2-cfb
rc2-ecb
rc2-ofb
rc4
rc4-40

Once you've chosen a cipher, you can encrypt the file with the following command. Not every entry in that list is a sensible choice: des, rc2, rc4 and the 40-bit variants are broken or far too short, and every -ecb mode encrypts identical plaintext blocks to identical ciphertext blocks, so it leaks the structure of the file. aes-256-cbc, used below, is the reasonable default:

openssl enc -aes-256-cbc -salt -in foo.txt -out foo.enc

You'll be prompted for a password twice, and after that you get your encrypted file. In this example foo.txt was encrypted with 256-bit AES in CBC mode and the result saved as foo.enc; looking at the contents of that file shows only gibberish. Two caveats worth knowing: by default openssl enc turns the password into the key with a single MD5 pass (EVP_BytesToKey), which is very fast to brute-force, so on OpenSSL 1.1.1 or later add -pbkdf2 (and optionally -iter N) to both the encrypt and the decrypt command; and the output carries no integrity check, so a tampered file or a wrong password is only noticed when the padding fails to verify. Decrypting is done with the -d option; keep in mind that besides the password you also need to know the cipher (and any KDF options) that were used, because nothing in the file records them.

Decrypt command (the plaintext goes to stdout; add -out foo.txt to write it to a file):

openssl enc -d -aes-256-cbc -in foo.enc

Base64 encoding

If you work with raw email it can be useful to encode or decode data in Base64. Base64 is an encoding, not a cipher (there is no key, and anyone can reverse it), but openssl exposes it through the same enc command, so you encode with the commands below and decode by adding -d exactly as you would for a cipher:

# send encoded contents of file.txt to stdout

openssl enc -base64 -in file.txt

# same, but write contents to file.txt.enc

openssl enc -base64 -in file.txt -out file.txt.enc
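The following script is an added example, not code from the original article. It ties the encryption, decryption and Base64 commands above together and checks what the text claims: the file written with -salt starts with the literal Salted__, the plaintext only comes back with the right password and the right cipher, and Base64 is reversed by -d with no key at all. It assumes OpenSSL 1.1.1 or later on PATH (it uses -pbkdf2 and -iter, which older releases do not understand) and passes the password through the environment with -pass env:PW instead of on the command line, so it does not show up in the process list. The sample plaintext is constructed inline.

```shell
#!/bin/sh
# Added example (not from the original article): round-trip a file through
# `openssl enc`, inspect the "Salted__" header that -salt writes, show that a
# wrong password or a wrong cipher does not give the plaintext back, and
# base64-encode/decode the same file. Assumes OpenSSL 1.1.1+ on PATH.

# enc_file PASSWORD IN OUT [CIPHER]: password-based encryption.
# The password travels in the environment (-pass env:PW) rather than as
# "-pass pass:..." so that it is not visible in `ps` output.
enc_file() {
    PW="$1" openssl enc -"${4:-aes-256-cbc}" -salt -pbkdf2 -iter 100000 \
        -pass env:PW -in "$2" -out "$3"
}

# dec_file PASSWORD IN OUT [CIPHER]: cipher and KDF options must match what
# was used for encryption; openssl cannot recover them from the file.
dec_file() {
    PW="$1" openssl enc -d -"${4:-aes-256-cbc}" -pbkdf2 -iter 100000 \
        -pass env:PW -in "$2" -out "$3"
}

# header_magic FILE: first 8 bytes. With -salt, openssl writes the literal
# "Salted__" followed by the 8 random salt bytes, so the format is easy to spot.
header_magic() {
    head -c 8 "$1"
}

# Base64 is an encoding, not a cipher: no key, anyone can reverse it.
b64_encode() { openssl enc -base64 -in "$1" -out "$2"; }
b64_decode() { openssl enc -d -base64 -in "$1" -out "$2"; }

# demo: run every check against a constructed sample file; returns 0 only if
# all of them hold.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample plaintext for the openssl enc example\n' \
        > "$dir/foo.txt"

    enc_file 'correct horse' "$dir/foo.txt" "$dir/foo.enc" || return 1
    [ "$(header_magic "$dir/foo.enc")" = "Salted__" ] || return 1

    dec_file 'correct horse' "$dir/foo.enc" "$dir/foo.dec" || return 1
    cmp -s "$dir/foo.txt" "$dir/foo.dec" || return 1

    # Wrong password: normally "bad decrypt" because the padding check fails,
    # but that padding is the only integrity check there is (1 in 256 garbage
    # outputs pass it), so compare the bytes as well.
    if dec_file 'wrong password' "$dir/foo.enc" "$dir/foo.bad" 2>/dev/null \
        && cmp -s "$dir/foo.txt" "$dir/foo.bad"; then
        return 1
    fi

    # Right password, wrong cipher: a different key is derived, same story.
    if dec_file 'correct horse' "$dir/foo.enc" "$dir/foo.bad2" aes-128-cbc \
        2>/dev/null && cmp -s "$dir/foo.txt" "$dir/foo.bad2"; then
        return 1
    fi

    # Base64 round trip needs no password at all.
    b64_encode "$dir/foo.txt" "$dir/foo.b64" || return 1
    b64_decode "$dir/foo.b64" "$dir/foo.b64dec" || return 1
    cmp -s "$dir/foo.txt" "$dir/foo.b64dec" || return 1

    rm -rf "$dir"
    return 0
}

demo && echo "openssl enc checks passed"
```

If you are stuck with an OpenSSL older than 1.1.1, drop -pbkdf2 and -iter from both functions; the rest of the script is unchanged, but the key derivation falls back to the single-MD5 scheme described above.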

Interpret SSL error messages

Sometimes you will see an SSL error message logged by another program (an HTTP server, an LDAP client, sshd); openssl can tell you what the numeric code means.

For example:

sshd[31784]: error: RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(106)
sshd[770]: error: RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(106)

The first step to figure out what is going wrong is to use the errstr option to interpret the error code. The code is the 8 hex digits between "error:" and ":lib"; in this case it's 0407006A. The lib(4):func(112):reason(106) part of the log line is the same code split into its three fields (library 4 is the RSA routines), which errstr turns into names:

$ openssl errstr 0407006A
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
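As an added example, not from the original article, here is a small script that pulls the codes out of log lines like the ones above, splits each one into the lib/func/reason numbers the log prints, and resolves it with openssl errstr when the binary is present. The log lines are constructed from the two quoted above plus one unrelated line. The field layout it assumes is the classic OpenSSL 0.9.x/1.x packing (8-bit library, 12-bit function, 12-bit reason); OpenSSL 3.0 dropped the function field and widened the reason field, so its codes do not split the same way.

```shell
#!/bin/sh
# Added example (not from the original article): extract packed OpenSSL error
# codes from log lines, decode the lib/func/reason fields, and resolve them
# with `openssl errstr` when an openssl binary is on PATH.
# Layout assumed (OpenSSL 0.9.x-1.1.x ERR_PACK): lib 8 bits | func 12 | reason 12.

# Constructed sample log, modelled on the sshd lines quoted in the article.
SAMPLE_LOG='Dec 10 12:00:01 host sshd[31784]: error: RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(106)
Dec 10 12:00:05 host sshd[770]: error: RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(106)
Dec 10 12:00:09 host sshd[771]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2'

# extract_codes LOG: the 8 hex digits between "error:" and the next ":",
# one per line, duplicates removed.
extract_codes() {
    printf '%s\n' "$1" \
        | sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p' \
        | sort -u
}

# decode_fields CODE: print "lib func reason" in decimal, i.e. the same
# numbers that appear as lib(4):func(112):reason(106) in the log line.
decode_fields() {
    lib=$(( 0x$1 >> 24 ))
    func=$(( (0x$1 >> 12) & 0xFFF ))
    reason=$(( 0x$1 & 0xFFF ))
    printf '%s %s %s\n' "$lib" "$func" "$reason"
}

# explain_code CODE: resolve with `openssl errstr` if available, otherwise
# fall back to the decoded numeric fields.
explain_code() {
    if command -v openssl >/dev/null 2>&1; then
        openssl errstr "$1"
    else
        printf 'error:%s: lib/func/reason = %s (no openssl binary on PATH)\n' \
            "$1" "$(decode_fields "$1")"
    fi
}

# Walk the sample log: one explanation per distinct code.
for code in $(extract_codes "$SAMPLE_LOG"); do
    printf '%s -> fields %s\n' "$code" "$(decode_fields "$code")"
    explain_code "$code"
done
```

Feeding a real log through extract_codes (for example, piping journalctl or /var/log/auth.log into it instead of the constructed string) gives you the distinct codes to look up, which is usually far shorter than the log itself.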

Prime numbers

Current cryptographic techniques rely heavily on the generation and testing of prime numbers, so it's no surprise that the OpenSSL libraries contain several routines dealing with primes. Beginning with version 0.9.7e (or so), the prime option was added to the openssl binary.

To test whether a number is prime, just pass it after the prime option. OpenSSL answers with the number followed by the verdict; releases of that era echo the number in hex, while OpenSSL 1.1.0 and later echo it in the base you supplied (and accept hex input with -hex). "Is prime" is the result of a probabilistic Miller-Rabin test, not a proof, which is the same verdict every practical primality check gives:

$ openssl prime 12123211
B8FC4B is prime

$ openssl prime 121232111
739DAEF is not prime
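To make openssl prime usable from a script, the following added example (not part of the original article) wraps it so that the verdict becomes an exit status regardless of how a particular version echoes the number, shows the decimal/hex correspondence seen in the output above, and generates a fresh 64-bit prime that it feeds back through the test. It assumes an openssl binary on PATH that understands -hex and -generate (OpenSSL 1.0.0 and later).

```shell
#!/bin/sh
# Added example (not from the original article): script-friendly wrappers
# around `openssl prime`. Assumes OpenSSL 1.0.0+ on PATH.

# is_prime NUMBER [hex]: exit 0 if openssl says prime, 1 if not prime,
# 2 if the output is unrecognised (e.g. the number failed to parse).
# Only the trailing "is prime" / "is not prime" is inspected, so it works
# whether the version echoes the number in hex or in the input base.
is_prime() {
    out=$(openssl prime ${2:+-hex} "$1" 2>/dev/null) || return 2
    case "$out" in
        *" is not prime") return 1 ;;
        *" is prime")     return 0 ;;
        *)                return 2 ;;
    esac
}

# dec_to_hex NUMBER: the hex form that older versions echo
# (12123211 -> B8FC4B), so the two output styles can be compared.
dec_to_hex() {
    printf '%X\n' "$1"
}

# gen_prime BITS: generate a random probable prime of BITS bits, in hex.
gen_prime() {
    openssl prime -generate -bits "$1" -hex
}

# check_generated BITS: generate a prime and verify it with the same tool,
# reading it back with -hex; returns 0 when the round trip agrees.
check_generated() {
    p=$(gen_prime "$1") || return 1
    is_prime "$p" hex
}

# Demo on the article's two numbers plus a freshly generated 64-bit prime.
for n in 12123211 121232111; do
    if is_prime "$n"; then
        echo "$n (hex $(dec_to_hex "$n")) is prime"
    else
        echo "$n (hex $(dec_to_hex "$n")) is not prime"
    fi
done
check_generated 64 && echo "generated 64-bit prime verified"
```

Note that the number is passed as decimal unless you say -hex: is_prime B8FC4B without the hex flag is not the same question as is_prime 12123211, and depending on the version openssl will either refuse the input or silently parse only the leading digits.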

References: http://blogs.techrepublic.com.com/opensource/?p=200
