Open in app

Sign in

Write

Sign in

OpenSSL : SSL/TLS Toolkit [Basics]

0liverFlow
9 min readApr 15, 2023

--

OpenSSL

OpenSSL is a versatile and widely-used open-source cryptographic library that allows you to perform lots of interesting things like:

  • Encrypt and decrypt data.
  • Encode and decode a file.
  • Calculation of Message digests or Hashing (MD5, SHA).

In this article, you are going to learn all the points listed above with concrete and simple examples.

However, keep in mind that OpenSSL can be used for other purposes such as generating an SSL/TLS certificate, a digital signature and much more. We will discuss these topics in a next article.

For now, just make sure to open your terminal and let’s get started :)

Installing OpenSSL

Depending on your Linux distributions, you can install openssl as follows:

Debian based systems: sudo apt update && sudo apt install openssl

Red-Hat based systems: sudo yum update && sudo yum install openssl

Arch-Linux and Arch-based distributions: sudo pacman -Syu openssl

openSUSE: sudo zypper install openssl

Alpine Linux : apk add openssl

NOTES📝:

  • The results returned by openssl can vary from one user to another, depending on the version they use. In my case, i’m using the OpenSSL 3.0.8.7 version. You can check your openSSL version using the following command (openssl version ):
OpenSSL version
  • Feel free to take a look at openssl’s man page or the help menu if you face any misunderstanding.

Well, it’s time to explore openssl a bit. Let’s gooo!

OpenSSL: Usages

Syntax: openssl command [options ...] [parameters ...]

openssl list standard-commands | digest-commands | cipher-commands | digest-algorithms | mac-algorithms | public-key-algorithms

Let’s list openssl‘s standard commands:

OpenSSL standard commands

To get additional information concerning a standard-command (enc for example), you can use: openssl enc -h or man openssl enc .

OpenSSL: Encryption/Decryption

Encryption is the process of transforming a plain text (human readable text) into cipher text (unintelligible text) using a secret key.

On the other hand, decryption is the process of transforming a cipher text into a plain text using a secret key.

A key in cryptography is a piece of information, usually a string of numbers or letters that is used to encrypt and/or decrypt messages.

When the same secret key is used for both encryption and decryption, we talk about symmetric cryptography or symmetric key encryption.

However, when the key used for encryption is different from the key used for decryption, we talk about asymmetric cryptography or public key encryption.

Knowing that, this article is mainly focused on how openssl works, i will not go deeper on the cryptography aspects involved. For those of you, who want to learn more about the cryptography side, you can check this article.

Some of the well known encryption algorithms are: AES, RSA, DES, Blowfish and so on.

Let’s start by listing all openssl‘s supported encryption algorithms.

To do that, we can use: openssl list -cipher-commands

OpenSSL supported cipher commands

In our case, we are going to use aes-256-cbc which is one of the standard symmetric encryption algorithm considered secure.

To encrypt a file using this encryption algorithm, we need to use the following command:

Encryption using openssl and -aes-256-cbc

Let’s break the command above:

  • openssl enc : uses to encrypt/decrypt a file.
  • -aes-256-cbc : encryption algorithm used to encrypt our file.
  • -salt : uses to specify a salt (randomly generated or provided with -S option), when encrypting a file. This is used by openSSL by default. A salt is a random string added to the secret key in order to increase its protection against brute force attacks.
  • -in readers.txt: the input filename (here readers.txt), standard input by default.
  • -out readers.enc : the output filename (here readers.enc), standard output by default.
  • -S salt : use to specify a specific salt (the salt value must be in hexadecimal format).

After hitting enter, you will be prompted to enter a password (secret key) to encrypt the file. Make sure to use a strong password and keep it on a safe place because without it, you will not be able to recover your plain text file.

To decrypt the readers.enc encrypted file, you need to use the command:

Decryption using OpenSSL and -aes-256-cbc

The openssl command used in this example, is quite similar to the one we previously used. However, we specified the -d option in order to tell openssl that we want to decrypt the input data (readers.enc).

NOTES📝:

  • In the first command, you can see that, we got an error: ‘bad magic number’. This happened because, we omitted the salt value that we explicitly specified during the encryption phase.
  • While specifying the password in the command is not recommended, you can do it using the -pass pass:<password> option.

The same steps used to encrypt a file can be applied to a directory as well. To do that, you need first to compress the directory, then encrypts it. Here is an example of how to do it:

Encrypting a compressed directory using OpenSSL and aes-256-cbc encryption

Let’s break down the openssl enc -aes-256-cbc -a -salt -pbkdf2 -iter 10000 -in mydir.tar.gz -out mydir.tar.gz.enccommand above:

  • -a/-base64 : Uses to encode the content of mydir.tar.gz.enc in base64.
Base64 process the encrypted data
  • -salt : Use randomly generated salt when encrypting, this is used by default. We could omit it.
  • -pbkdf2 : Use PBKDF2 algorithm with default iteration count unless we specified it using the -iter option.
  • -iter 10000 : Use to specify a number of iterations (10000) on the password in deriving the encryption key. High values increase the time required to brute-force the resulting file. This option enables the use of PBKDF2 algorithm to derive the key.

What about the file command?

file is a command used to determine a file type.

Let’s now try to decrypt our encrypted compressed directory:

Decrypting a compressed directory using OpenSSL and aes-256-cbc encryption

The options are similar to those we previously used to decrypt our readers.enc file.

Hmmm, wondering if it’s necessary to mention the -pbkdf2 and -iter options to decrypt the encrypted compressed directory?

Yep, it is crucial here to specify the -pbkdf2 option with the right number of iterations -iter 10000 in the command, see that we used them during the encryption phase. If omitted, we won’t be able to successfully decrypt our archive (compressed directory).

Why you didn’t mention the -salt option too?

I didn’t mention the -salt option because OpenSSL will automatically determine it. This happens because OpenSSL generates a random salt by default during the encryption phase, which is then automatically use during the decryption process. However, if i had used a specific salt like i did for the readers.txt file, i would have specified it in the command using the -Soption.

OpenSSL: Hashing

A cryptographic hash function is an algorithm that takes data of arbitrary size as its input and returns a fixed size value, called message digest or checksum, as its output. Moreover, contrary to a cryptographic asymmetric or symmetric algorithm, it is not possible to retrieve the data that has been hashed from the checksum or message digest. Indeed a hash algorithm doesn’t use a secret key.

What’s the use of a hash?

A hash can be used in different situations. Here are some of them:

  1. A hash can be used to securely save passwords in a database. Indeed, it’s not recommended at all to save users’ passwords in plain text in a database, see that an attacker could easily get access to these credentials after compromising the server that stores them. Moreover, other security measures like salting and peppering can also be used in addition to hashing a password.
  2. A hash can also be used to assure the integrity of a file. Integrity is a condition where we can be sure that data has not been altered or tampered with in an unauthorized or unintended manner. In fact, knowing that, a hash is a unique value, any changes make to a message will automatically change the hash value and then violates its integrity.

Now that we have a better understanding of hash importance, let’s learn how to use hashes with OpenSSL by taking a look at its available hash algorithms:

OpenSSL supported hashes

We will be focusing on SHA256 which is considered secure.

To generate a hash using OpenSSL and SHA256 hash algorithm, we can use the following command:

Hashing a file using OpenSSL and sha256 hash algorithm

Let’s break down the command above:

  • openssl sha256 : Tells OpenSSL to use the sha256 hash algorithm. The number 256 represents the hash-length in bits (here 256 bits). However, the hash value is generally displayed in hexadecimal format. This means that when using sha256, we must normally get a hash of 64 hexadecimal characters long (64x4 = 256 bits).
  • > hash.txt : redirects the output to the hash.txt file.

Feel free to test this command, using different hash algorithms such as SHA512, MD5 or Whirlpool.

Let’s now take a quick look to openssl passwd [hash_algorithm] password command.

This command is used to generate hashed passwords.

The command takes the password as input and outputs the hashed password on the default output unless we redirect it. The hashed password can then be stored in a file or a database for future authentication purposes. For instance, this is used a lot during Capture The Flag competitions to create a new user on the target system.

Here is an illustration of how it works:

Generating hashed password using OpenSSL’s passwd standard command

Let’s break down the first command:

  • openssl passwd : command used to generate a hashed password.
  • -6 : optional option used to tells OpenSSL passwd to use SHA512 hash algorithm to hash the password.
  • -salt : optional option used to add a string to our password before hashing it (here i used “This_Is_My_Salt” as a salt).
  • iloveyou : the password to be hashed. Never use this password guys 😜!

That’s it. Feel free to use other hashing algorithms and have fun.

Let’s now see how to encode and decode a file using OpenSSL and base64 encoding.

Encoding/Decoding

In this section, we will learn how to encode and decode a file using the base64 encoding.

This can be very useful, especially if you are using a system on which base64 command is not installed by default.

Encoding and decoding a file using OpenSSL and base64 encoding

As you can see, this is intuitive enough. You only need to use the following options:

  • -in : the input file
  • -out : the output file
  • -base64 : tells OpenSSL that you want to use base64 encoding. You can also use -a instead. Indeed, they are both identical.
  • -d : In this specific case, this option tells OpenSSL that you want to decode a file encoded in base64. However, in an encryption scenario, it tells openSSL to decrypt the encrypted file.

Excellent guys! Now let’s sum up all the things, we’ve seen in this article.

Let’s recap!

To connect the dots, OpenSSL is a powerful tool that can allow you to realize lots of things. In this article, we learnt how to:

  • Encrypt and decrypt a file or archive using the openssl enc command.
  • Hash a file using the openssl [hash_algorithm] [file_to_hash] command.
  • Generate a hashed password using the openssl passwd command.
  • Encode and decode a file in base64 using the openssl -base64 command.

Hope you learnt something guys! My piece of advice to those of you who faced any difficulties is just to keep practicing the commands day after day until you become comfortable.

Do not forget to click on the little clap icon below if you enjoyed the content.

Furthermore, thanks for subscribing to my newsletter to keep up with my latest articles.

Openssl
Cryptography
Hashing
Encryption
Cybersecurity

--

--

0liverFlow

Written by 0liverFlow

122 Followers

Pentester | Enjoy breaking and building stuffs

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams