openssl - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

openssl

Description:

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2 ... (TLS v1) network protocols and related cryptography standards required by them. ... – PowerPoint PPT presentation

Number of Views:955
Avg rating:3.0/5.0
Slides: 18
Provided by: OnnoW2
Category:
Tags: crypto | openssl

less

Transcript and Presenter's Notes

Title: openssl


1
openssl
  • Onno W. Purbo
  • onno_at_indo.net.id

2
Reference
  • http//www.openssl.org
  • http//www.linuxdoc.org
  • http//www.redhat.com

3
OpenSSL
  • OpenSSL is a cryptography toolkit implementing
    the Secure Sockets Layer (SSL v2/v3) and
    Transport Layer Security (TLS v1) network
    protocols and related cryptography standards
    required by them.

4
OpenSSL
  • The openssl program is a command line tool for
    using the various cryptography functions of
    OpenSSL's crypto library from the shell. It can
    be used for
  • Creation of RSA, DH and DSA key parameters
  • Creation of X.509 certificates, CSRs and CRLs
  • Calculation of Message Digests
  • Encryption and Decryption with Ciphers
  • SSL/TLS Client and Server Tests
  • Handling of S/MIME signed or encrypted mail

5
Standard Commands
  • Asn1parse - Parse an ASN.1 sequence.
  • Ca - Certificate Authority (CA) Management.
  • Ciphers - Cipher Suite Description Determination.
  • Crl - Certificate Revocation List (CRL)
    Management.
  • Crl2pkcs7 - CRL to PKCS7 Conversion.
  • Dgst - Message Digest Calculation.
  • Dh - Diffie-Hellman Parameter Management.
    Obsoleted by dhparam.
  • Dsa - DSA Data Management.

6
Standard Commands
  • Dsaparam - DSA Parameter Generation.
  • Enc - Encoding with Ciphers.
  • Errstr - Error Number to Error String Conversion.
  • Dhparam - Generation and Management of
    Diffie-Hellman Parameters.
  • Gendh - Generation of Diffie-Hellman Parameters.
    Obsoleted by dhparam.
  • Gendsa - Generation of DSA Parameters.
  • Genrsa - Generation of RSA Parameters.

7
Standard Commands
  • Ocsp - Online Certificate Status Protocol
    utility.
  • Passwd - Generation of hashed passwords.
  • Pkcs7 - PKCS7 Data Management.
  • Rand - Generate pseudo-random bytes.
  • Req - X.509 Certificate Signing Request (CSR)
    Management.
  • Rsa - RSA Data Management.
  • Rsautl - RSA utility for signing, verification,
    encryption, and decryption.

8
Standard Commands
  • s_client - This implements a generic SSL/TLS
    client which can establish a transparent
    connection to a remote server speaking SSL/TLS.
    It's intended for testing purposes only and
    provides only rudimentary interface functionality
    but internally uses mostly all functionality of
    the OpenSSL ssl library.

9
Standard Commands
  • s_server - This implements a generic SSL/TLS
    server which accepts connections from remote
    clients speaking SSL/TLS. It's intended for
    testing purposes only and provides only
    rudimentary interface functionality but
    internally uses mostly all functionality of the
    OpenSSL ssl library. It provides both an own
    command line oriented protocol for testing SSL
    functions and a simple HTTP response facility to
    emulate an SSL/TLS-aware webserver.

10
Standard Commands
  • s_time - SSL Connection Timer.
  • sess_id - SSL Session Data Management.
  • Smime - S/MIME mail processing.
  • Speed - Algorithm Speed Measurement.
  • Verify - X.509 Certificate Verification.
  • Version - OpenSSL Version Information.
  • X509 - X.509 Certificate Data Management.

11
/etc/httpd/conf/
  • root_at_linux conf ls -l
  • total 68
  • lrwxrwxrwx 1 root root 37 May 2 0406
    Makefile -gt ../../../usr/share/ssl/certs/Makefile
  • -rw-r--r-- 1 root root 348 Aug 24 2000
    access.conf
  • -rw-r--r-- 1 root root 40561 Aug 24 2000
    httpd.conf
  • -rw-r--r-- 1 root root 357 Aug 24 2000
    srm.conf
  • drwx------ 2 root root 4096 May 2 0406
    ssl.crl
  • drwx------ 2 root root 4096 May 2 0406
    ssl.crt
  • drwx------ 2 root root 4096 May 2 0943
    ssl.csr
  • drwx------ 2 root root 4096 May 2 0406
    ssl.key
  • drwx------ 2 root root 4096 May 2 0406
    ssl.prm

12
make usage
  • root_at_linux conf make usage
  • This makefile allows you to create
  • o public/private key pairs
  • o SSL certificate signing requests (CSRs)
  • o self-signed SSL test certificates
  • To create a key pair, run "make SOMETHING.key".
  • To create a CSR, run "make SOMETHING.csr".
  • To create a test certificate, run "make
    SOMETHING.crt".
  • To create a key and a test certificate in one
    file, run "make SOMETHING.pem".
  • To create a key for use with Apache, run "make
    genkey".
  • To create a CSR for use with Apache, run "make
    certreq".
  • To create a test certificate for use with Apache,
    run "make testcert".

13
Private Key
14
make server.key
  • root_at_linux conf make server.key
  • umask 77 \
  • /usr/bin/openssl genrsa -des3 -rand 1024 gt
    server.key
  • 0 semi-random bytes loaded
  • Generating RSA private key, 512 bit long modulus
  • ...
  • ..
  • e is 65537 (0x10001)
  • Enter PEM pass phrase
  • Verifying password - Enter PEM pass phrase

15
More server.key
  • root_at_linux conf more server.key
  • -----BEGIN RSA PRIVATE KEY-----
  • Proc-Type 4,ENCRYPTED
  • DEK-Info DES-EDE3-CBC,317BF4C50E1C590B
  • X/V5VDJxPg702miehbOCsumLf2QS9vpO2YxI9BLsNrtBkPyN36
    3UEVQ9Hsrpct
  • mQhDa/BXuUFqKtZcGJJef2kIhwqe1L5oW0RBRk5XJvOtVWkxo
    bEuRq28f76j
  • 9gtNW9O12tTXEgnGR5KOWdUEOCtLyCgs2YMfUwloGYzc26l
    w9n77VI7g0RC
  • ViiNdZLGWlg2ywFBXGVBHeuo2a8NHXxOTuFdPdBP0UCodknzd
    Af761FZPJDg0
  • HEvFzHUpoEExn00NzBUj0YvkUMtOXi4Q9GNB1V7UUiAJNwUZXj
    bjRgbUXfSMcZ
  • ZY9LkHoc4cq5F4wIN8O4KLkTfzLENdbbFP04R2BJ5ASx4r7GA
    DaeCMaXUYuqU
  • DjP5gGDIG0lHXSnn31tPBZeVXAcYEmDU2Zbch5PxPs
  • -----END RSA PRIVATE KEY-----

16
Private Key
  • root_at_linux conf openssl rsa -noout -text -in
    server.key
  • read RSA key
  • Enter PEM pass phrase
  • Private-Key (512 bit)
  • modulus
  • 00a3f65cc53972548041946aa0ae0c
  • 7cebd8acf5
  • publicExponent 65537 (0x10001)
  • privateExponent
  • 1008c2afc2db6c6a127fba21b6839e
  • fae374e1
  • prime1
  • 00d3a3994f43bab397a3bc58e358ce
  • c69aad
  • prime2
  • 00c6547729cf8d8c6af076e561dbc3
  • 33ac69

17
Certificate Signing Request
18
make CSR
  • root_at_linux conf make server.csr
  • umask 77 \
  • /usr/bin/openssl req -new -key server.key -out
    server.csr
  • Using configuration from /usr/share/ssl/openssl.cn
    f
  • Enter PEM pass phrase
  • You are about to be asked to enter information
    that will be incorporated
  • into your certificate request.
  • What you are about to enter is what is called a
    Distinguished Name or a DN.
  • There are quite a few fields but you can leave
    some blank
  • For some fields there will be a default value,
  • If you enter '.', the field will be left blank.
  • -----

19
Make CSR ...
  • Country Name (2 letter code) AUID
  • State or Province Name (full name)
    Some-StateDKI
  • Locality Name (eg, city) Jakarta
  • Organization Name (eg, company) Internet Widgits
    Pty LtdFree Agent
  • Organizational Unit Name (eg, section) Owner
  • Common Name (eg, your name or your server's
    hostname) www.purbo.org
  • Email Address onno_at_indo.net.id
  • Please enter the following 'extra' attributes
  • to be sent with your certificate request
  • A challenge password apa kabar
  • An optional company name purbo.org
  • root_at_linux conf

20
Server.csr
  • This is the server certificate signing request
    for Apache/mod_ssl corresponding to the
    ../ssl.crt/server.crt file.
  • Then it contains the CSR which you can send to a
    public Certification Authority (CA) for
    requesting a real signed certificate (which then
    can replace the ../ssl.crt/server.crt file).

21
More server.csr
  • root_at_linux conf more server.csr
  • -----BEGIN CERTIFICATE REQUEST-----
  • MIIBezCCASUCAQAwgYsxCzAJBgNVBAYTAklEMQwwCgYDVQQIEw
    NES0kxEDAOBg
  • BAcTB0pha2FydGExEzARBgNVBAoTCkZyZWUgQWdlbnQxDjAMBg
    NVBAsTBU93bm
  • MRYwFAYDVQQDEw13d3cucHVyYm8ub3JnMR8wHQYJKoZIhvcNAQ
    kBFhBvbm5vQG
  • ZG8ubmV0LmlkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKP2XM
    U5clSAQZRqoK
  • aHiFnbiIcyt/vgx301kwmkH1DdRncuR74mIPAjSxA9Mik5cPUO
    UtCQmw7LCbfO
  • rPUCAwEAAaA0MBgGCSqGSIb3DQEJAjELEwlwdXJiby5vcmcwGA
    YJKoZIhvcNAQ
  • MQsTCWFwYSBrYWJhcjANBgkqhkiG9w0BAQQFAANBADnl/mBcXO
    kFv6I8PV5oWC
  • BH5Ppxx0T4bON2vaE2DPiEdneWdbt5QoJBw7AO1zWuGSxhQDEx
    4RaEx6sEfXX2
  • -----END CERTIFICATE REQUEST-----
  • root_at_linux conf

22
Server.csr
  • root_at_linux conf openssl req -noout -text -in
    server.csr
  • Using configuration from /usr/share/ssl/openssl.cn
    f
  • Certificate Request
  • Data
  • Version 0 (0x0)
  • Subject CID, STDKI, LJakarta, OFree
    Agent, OUOwner, CNwww.purbo.org/Emailonno_at_indo.
    net.id
  • Subject Public Key Info
  • Public Key Algorithm rsaEncryption
  • RSA Public Key (512 bit)
  • Modulus (512 bit)
  • 00a3f65cc5397254804194
    6aa0ae0c
  • 03d32293970f50e52d0909b0ecb09b
  • 7cebd8acf5
  • Exponent 65537 (0x10001)

23
Server.csr ..
  • Attributes
  • unstructuredName purbo.org
  • challengePassword apa kabar
  • Signature Algorithm md5WithRSAEncryption
  • 39e5fe605c5ce905bfa23c3d5e68
    582f9b04
  • 7e4fa71c744f86ce376bda1360cf
    88476779
  • 675bb79428241c3b00ed735ae192
    c6140313
  • 1e11684c7ab047d75f6d
  • root_at_linux conf

24
Digital Certificate (Self Signed)
25
Make CRT
  • root_at_linux conf
  • root_at_linux conf make server.crt
  • umask 77 \
  • /usr/bin/openssl req -new -key server.key -x509
    -days 365 -out server.crt
  • Using configuration from /usr/share/ssl/openssl.cn
    f
  • Enter PEM pass phrase
  • You are about to be asked to enter information
    that will be incorporated
  • into your certificate request.
  • What you are about to enter is what is called a
    Distinguished Name or a DN.
  • There are quite a few fields but you can leave
    some blank
  • For some fields there will be a default value,
  • If you enter '.', the field will be left blank.

26
Make CRT ..
  • -----
  • Country Name (2 letter code) AUID
  • State or Province Name (full name)
    Some-StateDKI
  • Locality Name (eg, city) Jakarta
  • Organization Name (eg, company) Internet Widgits
    Pty LtdFree Agent
  • Organizational Unit Name (eg, section) Owner
  • Common Name (eg, your name or your server's
    hostname) www.purbo.org
  • Email Address onno_at_indo.net.id
  • root_at_linux conf

27
/etc/httpd/conf/ssl.crt
  • The ssl.crt/ directory of Apache/mod_ssl where
    PEM-encoded X.509 Certificates for SSL are
    stored.
  • server.crt - is the server certificate for
    Apache/mod_ssl, configured with the
    SSLCertificateFile directive.

28
More server.crt
  • root_at_linux conf more server.crt
  • -----BEGIN CERTIFICATE-----
  • MIIC9TCCApgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBizELMA
    kGA1UEBhMCSU
  • DDAKBgNVBAgTA0RLSTEQMA4GA1UEBxMHSmFrYXJ0YTETMBEGA1
    UEChMKRnJlZS
  • Z2VudDEOMAwGA1UECxMFT3duZXIxFjAUBgNVBAMTDXd3dy5wdX
    Jiby5vcmcxHz
  • BgkqhkiG9w0BCQEWEG9ubm9AaW5kby5uZXQuaWQwHhcNMDEwNT
    AzMDE0MTE1Wh
  • MDIwNTAzMDE0MTE1WjCBizELMAkGA1UEBhMCSUQxDDAKBgNVBA
    gTA0RLSTEQMA
  • A1UEBxMHSmFrYXJ0YTETMBEGA1UEChMKRnJlZSBBZ2VudDEOMA
    wGA1UECxMFT3
  • ZXIxFjAUBgNVBAMTDXd3dy5wdXJiby5vcmcxHzAdBgkqhkiG9w
    0BCQEWEG9ubm
  • aW5kby5uZXQuaWQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAo/
    ZcxTlyVIBBlG
  • rgxoeIWduIhzK3DHfTWTCaQfUN1Gdy5HviYg8CNLED0yKTlw
    9Q5S0JCbDssJ
  • 69is9QIDAQABo4HrMIHoMB0GA1UdDgQWBBT995mg/pKwzq5yZS
    SK9jCpxRzbtT
  • uAYDVR0jBIGwMIGtgBT995mg/pKwzq5yZSSK9jCpxRzbtaGBka
    SBjjCBizELMA
  • A1UEBhMCSUQxDDAKBgNVBAgTA0RLSTEQMA4GA1UEBxMHSmFrYX
    J0YTETMBEGA1
  • ChMKRnJlZSBBZ2VudDEOMAwGA1UECxMFT3duZXIxFjAUBgNVBA
    MTDXd3dy5wdX
  • Qw4hIPMdJ5eer6qBUaiIl5G9yurxeAOPkSd58OVsmX1KwQIm2k
    LZtwY
  • -----END CERTIFICATE-----
  • root_at_linux conf

29
Server.crt
  • root_at_linux conf openssl x509 -noout -text -in
    server.crt
  • Certificate
  • Data
  • Version 3 (0x2)
  • Serial Number 0 (0x0)
  • Signature Algorithm md5WithRSAEncryption
  • Issuer CID, STDKI, LJakarta, OFree
    Agent, OUOwner, CNwww.purbo.or
  • g/Emailonno_at_indo.net.id
  • Validity
  • Not Before May 3 014115 2001 GMT
  • Not After May 3 014115 2002 GMT
  • Subject CID, STDKI, LJakarta, OFree
    Agent, OUOwner, CNwww.purbo.o
  • rg/Emailonno_at_indo.net.id
  • Subject Public Key Info

30
Server.crt ..
  • Public Key Algorithm rsaEncryption
  • RSA Public Key (512 bit)
  • Modulus (512 bit)
  • 00a3f65cc5397254804194
    6aa0ae0c
  • Exponent 65537 (0x10001)
  • X509v3 extensions
  • X509v3 Subject Key Identifier
  • FDF799A0FE92B0CEAE726524
    8AF630A9
  • X509v3 Authority Key Identifier
  • keyidFDF799A0FE92B0CEAE72
    65248A
  • DirName/CID/STDKI/LJakarta/OFr
    ee Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo
    .net.id
  • serial00
  • X509v3 Basic Constraints
  • CATRUE
  • Signature Algorithm md5WithRSAEncryption
  • 8daf9e12ee9042e40cfc40ddf7b0
    086f17d5
  • root_at_linux conf

31
Testing s_client
32
S_client
  • root_at_linux conf openssl s_client -host
    localhost -port 443
  • CONNECTED(00000003)
  • depth0 /CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno
  • _at_indo.net.id
  • verify errornum18self signed certificate
  • verify return1
  • depth0 /CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno
  • _at_indo.net.id
  • verify return1
  • ---
  • Certificate chain
  • 0 s/CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
    t.id
  • i/CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
    t.id

33
S_client
Command Line
  • root_at_linux conf openssl s_client -host
    localhost -port 443
  • CONNECTED(00000003)
  • depth0 /CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno
  • _at_indo.net.id
  • verify errornum18self signed certificate
  • verify return1
  • depth0 /CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno
  • _at_indo.net.id
  • verify return1
  • ---
  • Certificate chain
  • 0 s/CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
    t.id
  • i/CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
    t.id

34
S_client
  • root_at_linux conf openssl s_client -host
    localhost -port 443
  • CONNECTED(00000003)
  • depth0 /CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno
  • _at_indo.net.id
  • verify errornum18self signed certificate
  • verify return1
  • depth0 /CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno
  • _at_indo.net.id
  • verify return1
  • ---
  • Certificate chain
  • 0 s/CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
    t.id
  • i/CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
    t.id

Self Sign Cerificate
35
S_client ..
  • ---
  • Server certificate
  • -----BEGIN CERTIFICATE-----
  • MIIC9TCCApgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBizELMA
    kGA1UEBhMCSU
  • DDAKBgNVBAgTA0RLSTEQMA4GA1UEBxMHSmFrYXJ0YTETMBEGA1
    UEChMKRnJlZS
  • Qw4hIPMdJ5eer6qBUaiIl5G9yurxeAOPkSd58OVsmX1KwQIm2k
    LZtwY
  • -----END CERTIFICATE-----
  • subject/CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
    t.id
  • issuer/CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
    t.id

36
S_client ..
  • ---
  • Server certificate
  • -----BEGIN CERTIFICATE-----
  • MIIC9TCCApgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBizELMA
    kGA1UEBhMCSU
  • DDAKBgNVBAgTA0RLSTEQMA4GA1UEBxMHSmFrYXJ0YTETMBEGA1
    UEChMKRnJlZS
  • Qw4hIPMdJ5eer6qBUaiIl5G9yurxeAOPkSd58OVsmX1KwQIm2k
    LZtwY
  • -----END CERTIFICATE-----
  • subject/CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
    t.id
  • issuer/CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
    t.id

Siapa Anda..
37
S_client ..
  • ---
  • Server certificate
  • -----BEGIN CERTIFICATE-----
  • MIIC9TCCApgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBizELMA
    kGA1UEBhMCSU
  • DDAKBgNVBAgTA0RLSTEQMA4GA1UEBxMHSmFrYXJ0YTETMBEGA1
    UEChMKRnJlZS
  • Qw4hIPMdJ5eer6qBUaiIl5G9yurxeAOPkSd58OVsmX1KwQIm2k
    LZtwY
  • -----END CERTIFICATE-----
  • subject/CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
    t.id
  • issuer/CID/STDKI/LJakarta/OFree
    Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
    t.id

Issuer / Cerificate Authority
38
S_client ..
  • ---
  • No client certificate CA names sent
  • ---
  • SSL handshake has read 1221 bytes and written 314
    bytes
  • ---
  • New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
  • Server public key is 512 bit
  • SSL-Session
  • Protocol TLSv1
  • Cipher EDH-RSA-DES-CBC3-SHA
  • Session-ID
  • Session-ID-ctx
  • Master-Key F597E6EEDB4B6C6FADFC7AEDDC0E66F474
    0E7EB8486F03
  • Key-Arg None
  • Start Time 988936497
  • Timeout 300 (sec)
  • Verify return code 0 (ok)

39
S_client ..
  • ---
  • No client certificate CA names sent
  • ---
  • SSL handshake has read 1221 bytes and written 314
    bytes
  • ---
  • New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
  • Server public key is 512 bit
  • SSL-Session
  • Protocol TLSv1
  • Cipher EDH-RSA-DES-CBC3-SHA
  • Session-ID
  • Session-ID-ctx
  • Master-Key F597E6EEDB4B6C6FADFC7AEDDC0E66F474
    0E7EB8486F03
  • Key-Arg None
  • Start Time 988936497
  • Timeout 300 (sec)
  • Verify return code 0 (ok)

Master Key
40
S_client ..
  • ---
  • GET /
  • lt!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2
    Final//EN"gt
  • ltHTMLgt
  • ltHEADgt
  • ltTITLEgtTest Page for the Apache Web Server on
    Red Hat Linuxlt/TITLEgt
  • lt/HEADgt
  • lt!-- Background white, links blue (unvisited),
    navy (visited), red (active) --gt ltBODY
    BGCOLOR"FFFFFF"gt
  • ltH1 ALIGN"CENTER"gtTest Pagelt/H1gt
  • This page is used to test the proper operation
    of the Apache Web server after it has been
    installed. If you can read this page, it means
    that the Apache Web server installed at this site
    is working properly.
  • lt/HTMLgt
  • closed
  • root_at_linux conf
Write a Comment
User Comments (0)
About PowerShow.com