官网:https://www.openssl.org/
OpenSSL计划在1998年开始,其目标是发明一套自由的加密工具,在互联网上使用。OpenSSL以Eric Young以及Tim Hudson两人开发的SSLeay为基础,随着两人前往RSA公司任职,SSLeay在1998年12月停止开发。因此在1998年12月,社群另外分支出OpenSSL,继续开发下去
OpenSSL管理委员会当前由7人组成有13个开发人员[3]具有提交权限(其中许多人也是OpenSSL管理委员会的一部分)。只有两名全职员工(研究员),其余的是志愿者
该项目每年的预算不到100万美元,主要依靠捐款。 TLS 1.3的开发由 Akamai 赞助
OpenSSL是一个开放源代码的软件库包,应用程序可以使用这个包来进行安全通信,避免窃听,同时确认另一端连线者的身份。这个包广泛被应用在互联网的网页服务器上
其主要库是以C语言所写成,实现了基本的加密功能,实现了SSL与TLS协议。OpenSSL可以运行在OpenVMS、 Microsoft Windows以及绝大多数类Unix操作系统上(包括Solaris,Linux,Mac OS X与各种版本的开放源代码BSD操作系统)
心脏出血漏D:OpenSSL 1.0.1版本(不含1.0.1g)含有一个严重漏D,可允许攻J 者读取服务器的内存信息。该漏D于2014年4月被公诸于世,影响三分之二的活跃网站
包括三个组件:
libcrypto:用于实现加密和解密的库
libssl:用于实现ssl通信协议的安全库
openssl:多用途命令行工具
1. Base64 编码
Base64是网络上最常见的用于传输 8Bit 字节码的编码方式之一,Base64就是一种基于64个可打印字符来表示二进制数据的方法
base64的编码过程如下:
将每3个字节放入一个24位的缓冲区中,最后不足3个字节的,缓冲区的剩余部分用0来填补。然后每次取出6位(2的6次方为64,使用64个字符即可表示所有),将高2位用0来填充,组成一个新的字节,计算出这个新字节的十进制值,对应上面的编码表,输出相应的字符。这样不断地进行下去,就可完成对所有数据的编码工作。
按照以上规则对文本Man编码如下:
[root@centos8 ~]#echo -n Man | base64
TWFu
[root@centos8 ~]#echo TWFu | base64 -d
Man
[root@centos8 ~]#
[root@centos8 ~]#echo -n ab | base64
YWI=
[root@centos8 ~]#echo -n ab | base64 | base64 -d ab
[root@centos8 ~]#
2.openssl命令
两种运行模式:
交互模式
批处理模式
三种子命令:
[root@centos8 ~]#openssl version
OpenSSL 1.1.1 FIPS 11 Sep 2018
[root@centos8 ~]#openssl help
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam
enc engine errstr gendsa
genpkey genrsa help list
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
[root@centos8 ~]#openssl
OpenSSL> help
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
......
OpenSSL> ca --help
Usage: ca [options]
Valid options are:
-help Display this summary
-verbose Verbose output during processing
-config val A config file
......
OpenSSL>q
[root@centos8 ~]#
消息摘要命令
加密命令
3. openssl命令对称加密
工具:openssl enc, gpg
算法:3des, aes, blowfish, twofish
enc命令:帮助:man enc
加密
man enc
openssl enc -e -des3 -a -salt -in testfile -out testfile.cipher
[root@c7-157 ~]# openssl enc -e -des3 -a -salt -in /fstab -out fstab.cipher
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
You have new mail in /var/spool/mail/root
[root@c7-157 ~]# ls /
bin dev fstab home lib64 mnt proc run srv tmp var
boot etc fstab.gpg lib media opt root sbin sys usr wang.pubkey
[root@c7-157 ~]# ls
20.sh anaconda-ks.cfg bdjb.sh fstab.cipher hellodb_innodb.sql testlog.sql
You have new mail in /var/spool/mail/root
[root@c7-157 ~]# cat fstab.cipher
U2FsdGVkX19UMWCUae4hwixe4irrZWX+2kJeHm4c5uuuDibrZPIsWwDnzZKlHi8x
J2/s02mzi2Qfl8lmnHnPNycpZN8StVUP6cNvQBjo0ixXQdpkRKSmz2tBFU9Ja5ym
B2Nf/ObUSkPJKxjGDaYbmAZZ4htiBzsrvFbpziTI2uub5HLDc3mIEnw3Nrx909c7
j9zalALnVSwGjTaWBLxRPMUg3E+toyGUmfDmvrDbyMJ+Jf37xrCq2KhQmOp2+Hb3
GW3XgMB//SK84YYjag3cHAOYyPY4WWZ7CRfmndMcZDs4Vzq6yaLYbBY6eIkvwYUA
Ludl49zRse/5G1PNp6awZkfiVCViYMFcczCiC1PABddPFIG32RICRlaaOO/MjbRN
ZdxrWfOK8riSjBiF55jnyt12UmB6VeSLvuHjhypWpWDv9X0cykmGxWgOaklTFXZk
oGHmK5lXRgpfzy8ZAvvGJzNlihrTHkv1RZYWMokJAp30Jix1dTcZL6ObkFoiZMgt
de4a43fX+xxfGxwnPFq4jrAJ+jF0UJx02HgNdClh4GmqxZYqjE+GrDnjZZua8LiO
IfJ+eOAccvD4Q7zxL2SyFc1hD2DWKZZ2YPwMOzi9c+lvdmwMoDLOlRRbUJdl0ZLC
f6N6mcuWku52o887ynq51a4+Q0FndnpnQomCWiR2uKyhJcMeHpB5L2q9p7cagCgP
xiufpus8EHg1lbXxNu5vc/nTkaH6n44bnfDkWNDIYw0oZXzZViaolw==
[root@c7-157 ~]# cat /fstab
#
# /etc/fstab
# Created by anaconda on Thu Jun 10 05:04:06 2021
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more inf
#
#/dev/mapper/centos-root / xfs defaults 0 0
UUID=1ebf2de9-d896-401d-9d33-1e74eee806da / xfs defaults 0 0
UUID=af5925a2-c99f-4f03-892b-edafd53060ee /boot xfs defaults 0 0
/dev/mapper/centos-swap swap swap defaults 0 0
[root@c7-157 ~]# base64 -d <fstab.cipher
ڜɶ8Yf{ɚ.枓d;8W:ºɢ:x/E.榣ݑ±𐺍§¦°fGᒥb`s0¢.vj')dݒµUꂯ@鐬WA٤D¤¦ΫAOIk¦c_+
SWO·גFV8𐌍´Me۫Y癧˝vR`zU䋾⣇*V¥`ɉĨjISvd a䫙W
tͯ)aŖ*O¬9⥛r̡`ԩv`wػ_Z¸° t
ov
2Ε[Pe£z˖�ͻɺ¹ծ>CAgvzgBZ$v¸¬¡%^y/j½§·(ī¦麐x5µsYou have new mail in /var/spool/mail/root
[root@c7-157 ~]# Xshell^C
解密
openssl enc -d -des3 -a -salt -in testfile.cipher -out testfile
[root@c7-157 ~]# openssl enc -d -des3 -a -salt -in fstab.cipher -out fstab.2
enter des-ede3-cbc decryption password:
You have new mail in /var/spool/mail/root
[root@c7-157 ~]# cat fstab.2
# /etc/fstab
# Created by anaconda on Thu Jun 10 05:04:06 2021
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#/dev/mapper/centos-root / xfs defaults 0 0
UUID=1ebf2de9-d896-401d-9d33-1e74eee806da / xfs defaults 0 0
UUID=af5925a2-c99f-4f03-892b-edafd53060ee /boot xfs defaults 0 0
/dev/mapper/centos-swap swap swap defaults 0
4. openssl命令单向哈希加密
工具:openssl dgst
算法:md5sum, sha1sum, sha224sum,sha256sum…
dgst命令:帮助:man dgst
openssl dgst -md5 [-hex默认] /PATH/SOMEFILE
openssl dgst -md5 testfile
md5sum /PATH/TO/SOMEFILE
[root@c7-157 mail]# openssl dgst /fstab
MD5(/fstab)= d7b5287b412cbf163a94ef80e2ebc2af
[root@c7-157 mail]# openssl md5 /fstab
MD5(/fstab)= d7b5287b412cbf163a94ef80e2ebc2af
[root@c7-157 mail]# sha512sum /fstab
868088f52409556a1a4711d02beb4a2b826b1fb08c592120c0c2ef305ce0ff165f837ac8c105a8b8ab14b16e063d46bbd8b07009ae08792817608aa669faaf71 /fstab
[root@c7-157 mail]# openssl sha512 /fstab
SHA512(/fstab)= 868088f52409556a1a4711d02beb4a2b826b1fb08c592120c0c2ef305ce0ff165f837ac8c105a8b8ab14b16e063d46bbd8b07009ae08792817608aa669faaf71
5. openssl命令生成用户米玛
passwd命令:帮助:man sslpasswd
[root@centos8 ~]#openssl passwd --help
Usage: passwd [options]
Valid options are:
-help Display this summary
-in infile Read passwords from file
-noverify Never verify when reading password from terminal
-quiet No warnings
-table Format output as table
-reverse Switch table columns
-salt val Use provided salt
-stdin Read passwords from stdin
-6 SHA512-based password algorithm
-5 SHA256-based password algorithm
-apr1 MD5-based password algorithm, Apache variant
-1 MD5-based password algorithm
-aixmd5 AIX MD5-based password algorithm
-crypt Standard Unix password algorithm (default)
-rand val Load the file(s) into the random number generator
-writerand outfile Write random data to the specified file
#centos 7的
[root@c7-147 /]#openssl passwd -1
Password:
Verifying - Password:
$1$UJelP6Y2$W/wJHROK/OhYn1EickOeg1
6. 创建新用户同时指定密Ma,在都通用Ubuntu和CentOS
#通用centos8 和UBuntu
[root@C8-8 ~]# useradd -p `echo magedu | openssl passwd -6 -salt Y16DiwuVQtL6XCQK -stdin` zhang
#生成一段随机的口令
[root@C8-8 ~]# openssl passwd -6 --salt wrerg#@dfg wangge
$6$wrerg#@dfg$9u/QhajupVEZw/caSNakITlS9CvzaSepzRVQ14PMSmdUhpG2/Xh7cnFLVjr2.dAIc6om0Z99jQom3DAli5Or61
[root@C8-8 ~]#
7. openssl命令生成随机数
随机数生成器:伪随机数字,利用键盘和鼠标,块设备中断生成随机数
/dev/random:仅从熵池返回随机数;随机数用尽,阻塞
/dev/urandom:从熵池返回随机数;随机数用尽,会利用软件生成伪随机数,非阻塞
帮助:man sslrand
openssl rand -base64|-hex NUM
NUM: 表示字节数,使用-hex,每个字符为十六进制,相当于4位二进制,出现的字符数为NUM*2
[root@C8-8 ~]# echo 12*8/6 |bc
16
[root@C8-8 ~]# echo 12*6/8 |bc
9
[root@C8-8 ~]# openssl rand -base64 12 |head -c 10
q/yDD7TZ73[root@C8-8 ~]#
[root@C8-8 ~]# tr -dc '[:alnum:]' < /dev/urandom |head -c10
7NF9Ms7yvB[root@C8-8 ~]#
8. openssl命令实现 PKI
公钥加密:
算法:RSA, ELGamal
工具:gpg, openssl rsautl(man rsautl)
数字签名:
算法:RSA, DSA, ELGamal
密钥交换:
算法:dh
DSA:Digital Signature Algorithm
DSS:Digital Signature Standard
RSA:
openssl命令生成密钥对儿:man genrsa
生成私钥
openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE [-des3] [NUM_BITS,默认2048]
[root@C8-8 ~]# openssl genrsa -out /data/app.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.......+++++
...+++++
e is 65537 (0x010001)
[root@C8-8 ~]# cat /data/app.key
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDEhqXN/xiBBNhnbIIreGdw3L4Tn+VF6vEB0KoP9ja/r90C/QEg
KZh7sjzktEVQvuOS0GB7F/5TiAjJ6Whs7xrk8IjD9lJ6MTXus8F7CakfJ5NP4yR1
6qE3m9zjAsA2MBFLNthuy8MCbvekNvc060v2gYGjKryLzbU30ul4ZNZziwIDAQAB
AoGAdLKP2lbUMiiyaBei5DVHF1m89OJJvs7X9f/2PCw0Lnc7gf7CoFqS1UDtr9Ds
KBpyAEgEQpPozalFrsAO5kDFcoksU/h++12t7AJZMGkkyV2/0EEOgUE6BBUip02q
a+HoOIkR9p6Q0QPbJjOipSBZjtu21mbGDXcyMwpcmM267AECQQD4aZZdpFZXS1oC
Ar6cyll3zucrG3RAiEWbo03yw04+FPzISMeC8b+l+6WOtJR74JN4QbHl3OHA4N3f
kkm7u7kLAkEAyodYFiyaBNnO7GOYfhjvFjJAxRg6AKVeoHrctfxenXeepuhHKMWU
pANthbSi45L3ie+YPcQjonlmDQZGZ+2/gQJAOfSYajx/EFq6IyH0yqvC99rDwCDl
nHCunMMa2nqKdJ185FVmhrxUFCuD0ql6wvQAM9xP3usLmG5eFV0R6sS/RQJAObeq
ld8uIZXFD78udTk74dJ+fOzzkr2OIyQAhGigujWd5CksJmVwf/FuI/2fskVvAENk
2q1sDmCUgb+5DuNFgQJBANWcEMkbuAo05IX6oyZpj8bqY9NjPf8rbRXyHss1/EZj
ErB8qfe5v9eUh6kp+d3uobepBabi6biuBAm8/OgzyKE=
-----END RSA PRIVATE KEY-----
#生成对称秘钥加密的私钥,通过设置严格的权限实现安全,应用更广泛
[root@centos8 ~]#(umask 077; openssl genrsa –out app.key 2048) centos7的权限不严谨
[root@C8-8 ~]# openssl genrsa -out /data/app2.key -des3 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.+++++
.+++++
e is 65537 (0x010001)
Enter pass phrase for /data/app2.key:
Verifying - Enter pass phrase for /data/app2.key:
[root@C8-8 ~]# cat /data/app2.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,CB90F273C12D570F
wimdUTx/N1JDiTBcejQwNQx1CFLfcfmqrqLvZIFCcA44bXJs3KDDQW4J7zz5/al8
gGs+lOtpPP2m/WBIJ7bvGHR43p3M7Wf90mI0K64HJn7sy5RsCeNW57zH2lUx5gkQ
kTt0hPp1g1Uu2WPfKKKry/c3251hOnyej/oq77Yiw0oiTfl1hNDu3tXARRrCENYS
rXnXdXEXVJctl2GlTAkVCY3G9Z1BkF8PNY4EuhUxnboDnOzAqyZ450CcKqyA8OGK
YsEX6Ej/ft2yF7S4kSrRL5ArvzeQZQuD8gH+U0ZyQFGqEME1G/IMg3ePk+diBOj3
kNFfycPfau1Qx5W1Xu362ee4fQ7/7AxUITIKocgYDJgdqkgUDbtjyyCA9p8HP0rA
9lKFVqeJHK89HbmWjKHOw7vjuT17J2+TdY3JXaqxz0xdn+RkVPzSTDKCDFhoUe3S
yjzjp5lCd1WclJu97pX5mzxcRcsKX2hFdiO7BLPAAYTHmQp5pfK18SGa3VkMOcGj
CJw1MunBW2oXwt+QgpMlG+duw4aBwpr1btnJdeUddSW8wmj11vbS7LJNj60972je
Cn2p6TXRwcigzfc8WzsI+gGIG8I4QeQ6nnY7wB83RYoSF2GYyg7zqpihqmEzyt28
nh08efwF5jrvwpOaXtuEFlbzLiH8PxojQVS1z2N/9MhpL/4YBU8pbEqMdUcny/rF
tuHcEbGsL+CuKtI8GycKKaT+JOIe82/xBZovf8hOZDDZLmGXUxDu/nZ2lK6t+yBV
Tk3jeBQpjpYpvw0mZa/7DGmap+8Ljlotllns/jDdxECqRJh9R+nJyZqpsS/kP4HV
Z4m/QwPuqlDuOlOvo45//JdEK8S7nlYBi13qw/IXtrYjcgGn2gM9WihXiou4rNVw
F9KE2UXmqoMQQW16tYqejUmvWQqowPxX2LM+aU6AZXBiSBVFKhjCbyzD1qsefQVw
uuFPrH3C8tHWwAHYKYK/SUvJDpOiyiUrWoDvD+RB/fX/VkhhPWwHVRVL0h03CkBX
wT0j1V7R5sOQiq6c63Du7oxgpoPYAABDjLzIhn/D9zFd6BlTqHDLnnkHmxEbZOny
q2C6bHGl9NW/fur/qW2yWq1Yo0yYLVsYHd6xEsUJ9p/SxmEpZSWWccQrdT9RhAaI
yS53UAp5BZXyXFBQ7tw4WQollajPCv86lxCVeGbCNmxhty7S1Yosx+nFOoqQOBz3
bHAuFW4kXAxjms+iBQ+Bw56XkNnMv7G09GAtl+5K8coo1kKODgyQmRkNf2qonY6U
z82TdXwONSTYFA3EkxgfDMFxBwo89yHHNImjWsyqbNly9i0Rbg+I+UNKEzQqVLuU
ZO1R5f4rK+W/NudCYqpXGMRJDv34MmlKqm16OY2Rn2yQ3SuZomIVxJVytS4h+H4Y
bquVROwspIuFTfsgrRXt4b9bxDshYi0Oel1uKlNMY+y2gDMl8i/UaSAHZ47CVZ/K
bvNAv++hFX06hZ7qKTn0L5E6PqLxVAlnVieguWmTRXfCWpVwtQi4Nb7KLOVf4Yt7
Dyk3A0Pz3GSzwxK2j/TTF6YWurkxk45Zbhw3CctefC7oeCVS/eTd+g==
-----END RSA PRIVATE KEY-----
从私钥中提取出公钥
openssl rsa -in PRIVATEKEYFILE –pubout –out PUBLICKEYFILE 私钥未被加密
[root@C8-8 ~]# openssl rsa -in /data/app.key -pubout -out /data/app.pubkey
writing RSA key
[root@C8-8 ~]# cat /data/app.pubkey
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEhqXN/xiBBNhnbIIreGdw3L4T
n+VF6vEB0KoP9ja/r90C/QEgKZh7sjzktEVQvuOS0GB7F/5TiAjJ6Whs7xrk8IjD
9lJ6MTXus8F7CakfJ5NP4yR16qE3m9zjAsA2MBFLNthuy8MCbvekNvc060v2gYGj
KryLzbU30ul4ZNZziwIDAQAB
-----END PUBLIC KEY-----
加密后的私钥被解密导出
[root@C8-8 ~]# openssl rsa -in /data/app2.key -out /data/app2.key.pubkey
Enter pass phrase for /data/app2.key:
writing RSA key
[root@C8-8 ~]# ll /data/
total 16
-rw-------. 1 root root 1743 Dec 24 09:19 app2.key
-rw-------. 1 root root 1675 Dec 24 09:37 app2.key.pubkey
-rw-------. 1 root root 887 Dec 24 09:06 app.key
-rw-r--r--. 1 root root 272 Dec 24 09:27 app.pubkey
[root@C8-8 ~]# cat /data/app2.key.pubkey
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxA80ERL86IdTpzHGq2jlDizTEba78mAQmhvT5KwC9lGHu7tq
6LH5qWN18y4uw5JPqe8wJ6O355J92Ydj8Hqz7k3L3Ngnv0TKaP0SudpK7xHTOiw4
UmX8Vbtx6zpWvozZAzTVSYdabeDZ8S3xojw3UyVdP22iEV9Dxc2kezG4y2tI7G6l
F3J9XRpEZUGUib02byrDj+9Rn/KEyYlkAn3tn2aEwZ9Qc+Jt4ibM8z3axmJFrrtX
KKoClocJqHgcRypUzObJK654usiSgZdiyW1hG2EG46KKGw8DtzI1AllC2h3Bf3xM
F+3gM7HEf5AvYmM0+WtAxM1xm4VdbJdLxjs4owIDAQABAoIBAEvBgCHUz2pd1+Hz
pstWtaL7iPcAP7EQk3mopQBnwqFAsYzFhzKwikJ8TvgO8TzaTPPhmx7F8OqGvSAP
Y3tpPhsnbk1ALGOIhhl5KAIuKeQkZBTHP1//TjgmPIdivF/Wdof5oyxNI5DvX+cE
FKjWUZ5MArLefs/tmndU1WhQtxHKDXLn5eaYPxvaCOH5Xipx3D5nBoQR1Vu6wPwt
AWKP4Le6GA3i/Vo/hwWqQsK1oqkiFja1NDnDs/9IP+s1r5VX/whhjb++Y4jQ8Hgl
KMWsC9xAtHDpU+I28+UZ2OQ8723tcX4hUaxkS8xMAQ1DTwgRHPFA+7Xeku8W32Lt
fV3CztECgYEA+dU1odSjxBZ9V5UJuM+sfaeUC0TSdDz3DzlwJd9QM9Q4upf/KuO8
uBXnqqg+BBROuv1abGLmb37l3WzdGaf3U2FPZ2PIgwCfVrFx4GFfJ51pON/WCNIT
dFofBz0EF9QLiH48vaYyM3CewfvU1P+d3Xkr8Ds7h82nrsVG0fNu1RsCgYEAyOYt
tl/E+J7JHaltCtk7d6mU1IxVwY9XU3wfX5qWiXwiroN8yrKPlUD3fAOaVi/7L0vG
Z+gljqJbsvS7i1nc+yDghaVc/CeZul8jL2E5NE2MZUZ+KMrJ8SlG6zCGNkl2LhdP
EPMDIt0tvuFM+c6bMhevysBRzTKwVjqRpesEyxkCgYAcXaHeQvdpHyiSFiDpc+Lg
zXMYqHLAsd9XQi1Cj41apSDfxrw5EWxu9kW8cafA7NFXl8Z5ge0qAZ11u5OLAzAo
rmbGlWTBwwNUY4dLc6LLK6szwu5ZSAjfcBAP0VSyo+e/Up3w5nrSrlnIKqCqom85
IzXi68bBj48XX9y/n8UYuwKBgCGabrb8mePEG3u8pSKVZ18CnIRY3Nc9dKvgLRc+
skNY4iwyjiMRbvbWIQ87Qwt7hxZIJG2o5O9QtOngCaarZ00SGLwCBuWechY8Z5Q7
POhEuGEQQ3XrRY/zCYu5WBmoe/4FpBH/s9yXBlnRMaDvMAJW9+5/8K7T9a7WqRoJ
j4mxAoGBAMEAkYxuAhgr+O3TxbA2URmwwP6bCZEoK5p3UqTABP2lrYUvJoJlkm/M
XK7qif6u9m7FHZltBrGCRdBN4mSA6JhupQvmw+ZlfNpl+OUPRsa+o3U7RuCY8CV2
CYW6Le0+naLx8esvkLRH5ERrlLMMOmEi+lmHaQq0eFlHCClozKQi
-----END RSA PRIVATE KEY-----