Securing Network with OpenSSL
What is SSL
- SSL stands for Secure Sockets Layer
- A network protocol which runs between the presentation layer and the transport layer
- SSL now has a successor called TLS, which stands for Transport Layer Security
Why We need SSL/TLS
- SSL/TLS is used to secure the connection between systems so that they can share important information and no one else can read or modify it.
- SSL/TLS uses encryption algorithms to encrypt that data and shares keys only with the systems that are communicating with each other.
How To Get SSL Certificate?
It's easy, as there are many companies which sell SSL certificate services.
Various Open-Source SSL certificate Service
- All of these come under an open-source license.
- Can be used commercially for free
- No hidden charges
What is OpenSSL
- It is an open-source cryptographic library.
- Written in C, Assembly and Perl
- It is used for data encryption
- It implements various encryption algorithms and provides many encryption tools
- SSL/TLS support is one of the tools provided by OpenSSL
History Of OpenSSL
- Released on 23 December 1998 by the OpenSSL Project Team
- As of 2019, OpenSSL is managed by the OpenSSL Management Committee
- The project's budget is around one million per year, which is funded primarily by donations
How OpenSSL Works
The OpenSSL architecture is divided into 4 parts:
- libcrypto
- libssl
- Engine
- Application Component
Libcrypto
- It is a general-purpose cryptographic library which contains all the cryptographic services used in OpenSSL
- It also provides the supporting services used by libssl, which handles SSL/TLS in OpenSSL
Libssl
- This library depends upon libcrypto
- It handles the TLS protocols and their execution
Engine
- They are dynamically loaded modules registered with libcrypto to help it run cryptographic algorithms
- They wrap hardware and software implementations used to run cryptographic algorithms
- Used as hardware accelerators for these algorithms
Application Component
“Applications are a set of command-line tools that use the underlying libcrypto and libssl components to provide cryptographic and other features like[1]
- Key and parameter generation and inspection
- Certificate generation and inspection
- SSL/TLS test tools
- ASN.1 Inspection”
OpenSSL Module
OpenSSL installation
On Windows
(Since a Windows package is not available on the OpenSSL website, I found a URL on a third-party website and checked that it is virus-free via https://www.virustotal.com/)
On Ubuntu
Type commands in Ubuntu Terminal:
$ sudo apt-get install openssl
$ sudo apt-get install libssl-dev
(libssl-dev is the OpenSSL development package, needed to compile programs against libcrypto and libssl)
Technical presentation on Ubuntu
OpenSSL Generating Keys & Encryption & Decryption in RSA algorithm
Generating private key:
/tmp/Alice$ openssl genrsa -out A_private.key 2048
/tmp/Bob$ openssl genrsa -out B_private.key 2048
Generating public key:
/tmp/Alice$ openssl rsa -in A_private.key -out A_public.key -pubout
/tmp/Bob$ openssl rsa -in B_private.key -out B_public.key -pubout
(A .pem extension may be used instead of .key; the file contents and the commands are the same)
(use $ openssl rsa -in A.key -text to print the RSA parameters: modulus, primes, exponents and coefficient)
Exchanging keys:
Simulated by copying the files, or linking them with ‘ln -s’, in the Ubuntu file system.
/tmp/Alice$ ln -s /tmp/Bob/B_public.key
/tmp/Bob$ ln -s /tmp/Alice/A_public.key
Typing a Message:
/tmp/Alice$ echo "Hi Bob! This is Alice." > A_msg
Scenario1:
Encryption:
/tmp/Alice$ openssl rsautl -encrypt -in A_msg -out ciphertext -inkey B_public.key -pubin
Message-passing:
/tmp/Bob$ ln -s /tmp/Alice/ciphertext
Decryption:
/tmp/Bob$ openssl rsautl -decrypt -inkey B_private.key -in ciphertext -out B_msg
Scenario2:
Sign:
/tmp/Alice$ openssl rsautl -inkey A_private.key -sign -in A_msg -out A_signed_msg
Message-passing:
/tmp/Bob$ ln -s /tmp/Alice/A_signed_msg
Verify:
/tmp/Bob$ openssl rsautl -verify -inkey A_public.key -in A_signed_msg -out B_verified_msg -pubin
Then Bob can recover the message only by using Alice’s public key. In this way Bob can verify that the message can only have come from Alice, which is non-repudiation.
Eve, who wants to eavesdrop on the messages, is not introduced here, because the RSA algorithm's security is guaranteed by the theory of mathematics and computer science. If the private key is long enough and well kept, Eve won’t be able to decipher the messages unless she revolutionizes mathematics or builds a working quantum computer.
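The two scenarios above, run end-to-end as an added example (not part of the original slides). It uses the non-deprecated replacements for rsautl: genpkey/pkey for keys, pkeyutl with OAEP padding for encryption, and dgst, which signs a SHA-256 hash of the message rather than the raw message. It also performs the checks a practitioner wants: the wrong private key cannot recover the message, and a tampered message fails verification. The directory names and message text are constructed for the demo.

```shell
#!/bin/sh
set -eu

rsa_demo() {
  work=$(mktemp -d)
  mkdir "$work/Alice" "$work/Bob"
  # Key generation (genpkey is the modern form of genrsa; pkey -pubout replaces rsa -pubout)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/Alice/A_private.key" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/Bob/B_private.key" 2>/dev/null
  openssl pkey -in "$work/Alice/A_private.key" -pubout -out "$work/Alice/A_public.key"
  openssl pkey -in "$work/Bob/B_private.key" -pubout -out "$work/Bob/B_public.key"
  printf 'Hi Bob! This is Alice.\n' > "$work/Alice/A_msg"   # constructed message

  # Scenario 1: Alice encrypts to Bob's public key; only Bob's private key decrypts
  openssl pkeyutl -encrypt -pubin -inkey "$work/Bob/B_public.key" -pkeyopt rsa_padding_mode:oaep \
    -in "$work/Alice/A_msg" -out "$work/Alice/ciphertext"
  openssl pkeyutl -decrypt -inkey "$work/Bob/B_private.key" -pkeyopt rsa_padding_mode:oaep \
    -in "$work/Alice/ciphertext" -out "$work/Bob/B_msg"
  cmp -s "$work/Alice/A_msg" "$work/Bob/B_msg" || { echo "decrypt-mismatch"; return 1; }
  # Alice's own private key must not recover the plaintext (wrong recipient key)
  if openssl pkeyutl -decrypt -inkey "$work/Alice/A_private.key" -pkeyopt rsa_padding_mode:oaep \
       -in "$work/Alice/ciphertext" -out "$work/Alice/wrong_msg" 2>/dev/null \
     && cmp -s "$work/Alice/A_msg" "$work/Alice/wrong_msg"; then
    echo "wrong-key-decrypted"; return 1
  fi

  # Scenario 2: Alice signs SHA-256(A_msg) with her private key; Bob verifies with her public key
  openssl dgst -sha256 -sign "$work/Alice/A_private.key" -out "$work/Alice/A_msg.sig" "$work/Alice/A_msg"
  openssl dgst -sha256 -verify "$work/Alice/A_public.key" -signature "$work/Alice/A_msg.sig" \
    "$work/Alice/A_msg" >/dev/null || { echo "verify-failed"; return 1; }
  # A modified message must fail verification against the original signature
  printf 'Hi Bob! This is Eve.\n' > "$work/Bob/tampered_msg"
  if openssl dgst -sha256 -verify "$work/Alice/A_public.key" -signature "$work/Alice/A_msg.sig" \
       "$work/Bob/tampered_msg" >/dev/null 2>&1; then
    echo "tamper-accepted"; return 1
  fi

  rm -rf "$work"
  echo ok
}

rsa_demo
```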
Thanks to the cryptographers who created such mighty algorithms, and thanks to the engineers who contributed to open-source communities like OpenSSL and made these algorithms accessible to everyone, thus keeping our privacy well protected. Without their fight, such algorithms might have remained exclusive to American government and military use for many more years. That’s another story, about Phil Zimmermann and the crypto wars.
OpenSSL CSR generating
(CSR is short for Certificate Signing Request, which a CA can sign to turn it into a certificate)
$ openssl req -out mydomain.csr -new -newkey rsa:2048 -nodes -keyout mydomain.key
Then fill in the information as requested.
(use $ openssl req -in mydomain.csr -text to check the details of the CSR file)
Apply OpenSSL on Windows
Tutorial of Encryption and Decryption in AES algorithm
Tutorial of generating RSA keys
References
OpenSSL documentation. https://www.openssl.org/docs
[1] OpenSSL Strategic Architecture. https://www.openssl.org/docs/OpenSSLStrategicArchitecture.html
Figure 1. OSI Layers and Protocols used. https://thecybersecuritymancom.files.wordpress.com/2017/11/84433547__web.png
Figure 2. SSL Client-Server communication. https://www.manageengine.com/key-manager/information-center/what-is-ssl-certificate-management.html
Layered architecture. https://www.sciencedirect.com/topics/engineering/layered-architecture
[2] https://www.youtube.com/watch?v=-nEh7X4dtuw&t=58s
[3] Generate CSR with OpenSSL. https://support.globalsign.com/ssl/ssl-certificates-installation/generate-csr-openssl
[4] OpenSSL Quick Reference Guide. https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm
[5] Crypto Wars. https://en.wikipedia.org/wiki/Crypto_Wars
[6] Phil Zimmermann. https://en.wikipedia.org/wiki/Phil_Zimmermann