OpenSSL Library


OpenSSL (http://www.openssl.org): free library providing cryptographic functions. It's not the only one; alternatives: Crypto++ and Cryptlib of Peter Gutmann. The important feature is the complete implementation of the protocols SSLv2, SSLv3 and TLSv1. Algorithms implemented: block ciphers: DES, 3DES, DESX, CAST, RC2, RC5, IDEA, Blowfish; stream cipher: RC4; hash: MD2, MD4, MD5, SHA-1, RIPEMD 160, MDC2; asymmetric cryptosystems: RSA, DSA, DH; MAC: HMAC.


Presentation Transcript

1. OpenSSL Library Daniele Mazzocchi

2. OpenSSL
  • free library providing cryptographic functions
  • it's not the only one; alternatives: Crypto++ and Cryptlib of Peter Gutmann
  • the important feature is the complete implementation of the protocols SSLv2, SSLv3 and TLSv1

3. Algorithms implemented
  • Block ciphers: DES, 3DES, DESX, CAST, RC2, RC5, IDEA, Blowfish
  • stream cipher: RC4
  • hash: MD2, MD4, MD5, SHA-1, RIPEMD 160, MDC2
  • asymmetric cryptosystems: RSA, DSA, DH
  • MAC: HMAC

4. Standards implemented
  • PKCS 1 (full), PKCS 7 (almost complete for the types actually used: Data, Signed and Enveloped), PKCS 8 (full), PKCS 10 (full) and PKCS 12
  • X509v3
  • ASN.1 with DER encoding (not complete)
  • SSLv3 and TLSv1 (practically identical)

5. STANDARD COMMANDS (1)
  • asn1parse: parse an ASN.1 sequence
  • ca: Certificate Authority (CA) management
  • ciphers: cipher suite description
  • crl: Certificate Revocation List (CRL) management
  • crl2pkcs7: CRL to PKCS#7 conversion

6. STANDARD COMMANDS (2)
  • dgst: message digest calculation
  • dh: Diffie-Hellman parameter management. Obsoleted by dhparam
  • dsa: DSA data management
  • dsaparam: DSA parameter generation
  • enc: encoding with ciphers

7. STANDARD COMMANDS (3)
  • errstr: error number to error string conversion
  • dhparam: generation and management of Diffie-Hellman parameters
  • gendh: generation of Diffie-Hellman parameters. Obsoleted by dhparam
  • gendsa: generation of DSA parameters

8. STANDARD COMMANDS (4)
  • genrsa: generation of RSA parameters
  • ocsp: Online Certificate Status Protocol utility
  • passwd: generation of hashed passwords
  • pkcs12: PKCS#12 data management
  • pkcs7: PKCS#7 data management

9. STANDARD COMMANDS (5)
  • rand: generate pseudo-random bytes
  • req: X.509 Certificate Signing Request (CSR) management
  • rsa: RSA data management
  • rsautl: RSA utility for signing, verification, encryption, and decryption

10. STANDARD COMMANDS (6)
  • s_server: a generic SSL/TLS server which accepts connections from remote clients speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality, but internally uses nearly all of the functionality of the OpenSSL ssl library. It provides both its own command-line-oriented protocol for testing SSL functions and a simple HTTP response facility to emulate an SSL/TLS-aware webserver.

11. STANDARD COMMANDS (7)
  • s_client: a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality, but internally uses nearly all of the functionality of the OpenSSL ssl library
  • s_time: SSL Connection Timer
  • sess_id: SSL session data management

12. STANDARD COMMANDS (8)
  • smime: S/MIME mail processing
  • speed: algorithm speed measurement
  • verify: X.509 certificate verification
  • version: OpenSSL version information
  • x509: X.509 certificate data management

13. Documentation
  • Situation is slowly improving
  • best source:, updated man page (sometimes too updated)
  • for the SSL stuff a book is available from Eric Rescorla (
  • good support with mailing list:
  • the code of the various demo applications !!!
  • the file openssl.txt in the directory doc

14. Version
  • current version 0.9.6b
  • next version 0.9.7:
    • new ASN.1 code (MAJOR CHANGE, one of the biggest improvements in the history of the library !!!!)
    • AES
    • elliptic curve
    • OCSP

15. Some remarks
  • if you're not an expert, ALWAYS call as the first function OpenSSL_add_all_algorithms();
  • it initializes an internal table
  • with no initialization, all the functions that make a lookup in the table fail (it's impossible to read an RSA private key if encrypted, for instance)
  • if you know exactly what you're doing, you can use only the algorithms that you really need

16. ASN.1 (current version)
  • every time you add a structure STR you have to provide four functions:
      STR_new()
      STR_free()
      i2d_STR (from internal to DER)
      d2i_STR (from DER to internal)
  • you are obliged to use some painful MACROs contained in asn1_mac.h (with no documentation)

17. ASN.1 (ctd)
  • luckily there's a compiler that can create the functions starting from an ASN.1 text file (of course you must know ASN.1)
  • the common problem:

    unsigned char *buf, *p;
    int len;
    len = i2d_PKCS7(p7, NULL);    /* (1) ask for the encoded length only */
    buf = OPENSSL_malloc(len);    /* (2) allocate the output buffer */
    i2d_PKCS7(p7, &buf);          /* (3) the DER encoding is now in some mysterious place in the memory !!! */
    p = buf; i2d_PKCS7(p7, &p);   /* (3bis) use this instead of (3): p is advanced, buf still points to the start */
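The pointer-advance pitfall from this slide, reproduced as an added example (not from the original presentation and not OpenSSL code). TOY and i2d_TOY are hypothetical stand-ins that follow the same calling convention as i2d_PKCS7, so the program builds without linking OpenSSL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an OpenSSL structure: one short OCTET STRING. */
typedef struct { unsigned char data[16]; int len; } TOY;

/* Same contract as i2d_STR(): return the DER length; if pp is non-NULL,
 * write the encoding at *pp and ADVANCE *pp past the bytes written. */
int i2d_TOY(const TOY *a, unsigned char **pp) {
    int total = 2 + a->len;              /* tag + short-form length + content */
    if (pp == NULL) return total;        /* length query only, nothing written */
    unsigned char *p = *pp;
    *p++ = 0x04;                         /* OCTET STRING tag */
    *p++ = (unsigned char)a->len;        /* short-form length, valid below 128 */
    memcpy(p, a->data, (size_t)a->len);
    *pp = p + a->len;                    /* caller's pointer now points past the end */
    return total;
}

/* Wrong, step (3): passes &buf itself. Returns how far buf drifted. */
long encode_wrong_drift(const TOY *a) {
    int len = i2d_TOY(a, NULL);
    unsigned char *buf = malloc((size_t)len), *start = buf;
    if (buf == NULL) return -1;
    i2d_TOY(a, &buf);                    /* buf no longer points at the DER data */
    long drift = (long)(buf - start);
    free(start);                         /* free(buf) here would be undefined behaviour */
    return drift;
}

/* Right, step (3bis): encode through a scratch pointer, buf keeps the start. */
unsigned char *encode_right(const TOY *a, int *len) {
    unsigned char *buf, *p;
    *len = i2d_TOY(a, NULL);
    if ((buf = malloc((size_t)*len)) == NULL) return NULL;
    p = buf;
    i2d_TOY(a, &p);
    return buf;                          /* caller frees */
}

int main(void) {
    TOY t = { "abc", 3 };                /* constructed sample value */
    int len;
    unsigned char *der = encode_right(&t, &len);
    printf("drift=%ld tag=0x%02x\n", encode_wrong_drift(&t), (unsigned)(der ? der[0] : 0));
    free(der);
    return 0;
}
```

With step (3) the drift equals the full encoded length, so reading, writing out or freeing buf afterwards touches memory past the allocation.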

18. Remarks
  • before becoming crazy, read the FAQ, which points out many common errors
  • every time you're not sure about a call (e.g., if you need to allocate a structure in advance), try to find an example in the applications in the apps directory
  • there is NO DOCUMENTATION for the PKCS7 functions, but the right file to look at is smime.c and NOT pkcs7.c

19. A closer look (1)
  • SYMMETRIC CIPHERS: blowfish, cast, des, idea, rc2, rc4(3), rc5
  • PUBLIC KEY CRYPTOGRAPHY: dsa, dh, rsa
  • CERTIFICATES: x509, x509v3
  • HASH FUNCTIONS: hmac, md2, md4, md5, mdc2, ripemd, sha

20. A closer look (2)
  • AUXILIARY FUNCTIONS: err, threads, rand
  • INPUT/OUTPUT, DATA ENCODING: asn1, bio, evp, pem, pkcs7, pkcs12
  • INTERNAL FUNCTIONS: bn, buffer, lhash, objects, stack, txt_db

21. EVP SEAL example

    int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek, int *ekl, unsigned char *iv, EVP_PKEY **pubk, int npubk);
    int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, unsigned char *in, int inl);
    int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);

  • EVP_des_ede3_cbc(void): example of an EVP_CIPHER
  • EVP_PKEY: a general wrapper for RSA private/public key, DSA key

22. BIO interface
  • A BIO is an I/O abstraction; it hides many of the underlying I/O details from an application. If an application uses a BIO for its I/O it can transparently handle SSL connections, unencrypted network connections and file I/O.

    #include <openssl/bio.h>

    /* memory BIO: reads and writes go to an in-memory buffer */
    BIO *mem = BIO_new(BIO_s_mem());

    /* file BIO attached to stdout; BIO_NOCLOSE leaves stdout open when the BIO is freed */
    BIO *bio_out;
    bio_out = BIO_new(BIO_s_file());
    if (bio_out == NULL) { /* Error ... */ }
    if (!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE)) { /* Error ... */ }
    BIO_printf(bio_out, "Hello World\n");

23. PKCS 7

    PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, int flags);
    int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags);
    PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, EVP_CIPHER *cipher, int flags);
    int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags);
