OpenSSL学习笔记
OpenSSL支持的命令
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dh
dhparam dsa dsaparam ec
ecparam enc engine errstr
gendh gendsa genpkey genrsa
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand req
rsa rsautl s_client s_server
s_time sess_id smime speed
spkac ts verify version
x509
Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 rmd160
sha sha1
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx idea
idea-cbc idea-cfb idea-ecb idea-ofb
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb zlib
密钥
如何生成RSA密钥
openssl后面加上genrsa选项
// default 1024-bit key, sent to standard output
$ openssl genrsa
// 2048-bit key, saved to file named mykey.pem
$ openssl genrsa -out mykey.pem 2048
// same as above, but encrypted with a passphrase
$ openssl genrsa -des3 -out mykey.pem 2048
如何生成RSA公钥
使用rsa选项私钥对应的公钥
openssl rsa -in mykey.pem -pubout
密码哈希值
素数(Prime numbers)
当前加密技术高度依赖素数的产生和判断,所以OpenSSL包含一些处理素数的库是很正常的。
如何判断一个数是否为素数?
在prime选项后面跟上要判断的数。注意openssl返回值为16进制,而非十进制
$ openssl prime 25464796146996183438008816563973942229341454268524157846328581927885777969985222835143851073249573454107384461557193173304497244814071505790566593206419759
1E63554AE1C0CE000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012F is prime
也可以直接判断16进制数是否为素数
$ openssl prime -hex 1e63554ae1c0ce0000000000000000000000000000000000000000000000004167d57ab769100000000000000000000000000000000000000000000000000022b
1E63554AE1C0CE0000000000000000000000000000000000000000000000004167D57AB769100000000000000000000000000000000000000000000000000022B is prime
如何生成一组素数?
$ openssl prime -generate -bits 64
14876100342425215757
$ openssl prime -generate -bits 64 -hex
E7476F6284525409
二进制文件保护
使用base64打包二进制文件为文本文件
$ openssl base64 < filename.bin > filename.txt
从base64生成的文本文件再恢复为二进制文件
$ openssl base64 -d < filename.txt > filename.bin
对短字符串进行base64编码
$ echo "The Linux Journal" | openssl base64
对base64编码数据解码
$ echo "VGhlIExpbnV4IEpvdXJuYWwK" | openssl base64 -d
对文件完整性进行校验
$ openssl sha1 filename
$ openssl md5 filename
$ openssl sha256 filename
对文件进行快速加解密
加密
$ openssl enc -aes-128-cbc < filename > filename.aes-128-cbc
enter aes-128-cbc encryption password:
Verifying - enter aes-128-cbc encryption password:
shell脚本批量加密文件
#!/bin/bash
mkdir ../encrypted
for file in *;
do openssl enc -aes-128-cbc -k YOUR-PASSWORD -in $file > ../encrypted/$file;
done;
shell脚本加密文件,删除原文件,修改加密后的文件为只读权限
- 参数一为输入文件
- 参数二为密码
- 参数三为输出文件
#/bin/bash
echo "encrypte.sh #Input #Password #Output"
openssl enc -aes-256-cbc -k $2 < $1 > $3
rm $1
chmod 440 $3
解密
$ openssl enc -d -aes-128-cbc -in filename.aes-128-cbc > filename
enter aes-128-cbc decryption password:
shell脚本批量解密文件
#!/bin/bash
mkdir ../decrypted
for file in *;
do openssl enc -d -aes-128-cbc -k YOUR-PASSWORD -in $file > ../decrypted/$file;
done;
用OpenSSL生成非常强壮的随机密码
$ openssl rand 30 -base64
XpNqlIxTPk6Or2OvzYbA93O3GlntMnFNmKGcRXhs
尽管可以使用openssl rand快速生成密语,但是专业的密语生成器生成强壮的并容易记忆的密语,我强烈推荐使用它。