OpenSSL enc encryption and decryption
2022-06-11 03:28:00 【ee230】
1、 Overview of symmetric encryption algorithm
The openssl cryptographic library provides a wide range of symmetric encryption algorithms. They can be used either through the symmetric encryption commands that openssl provides or by calling the API that openssl provides.
The symmetric encryption commands are mainly used to encrypt and decrypt data. openssl provides a command for essentially every symmetric encryption algorithm it supports, and the command name is basically the name of the algorithm combined with its size in bits, its encryption mode, or other attributes. For example, the DES algorithm in CBC mode corresponds to the command des-cbc. You can list the symmetric encryption algorithms supported by the current version of openssl with a command; for example, on Ubuntu 14.04 the openssl version supports the following symmetric encryption commands:
$ openssl enc -help
unknown option '-'
options are
...
Cipher Types
-aes-128-cbc -aes-128-cbc-hmac-sha1 -aes-128-cfb -aes-128-cfb1 -aes-128-cfb8 -aes-128-ctr -aes-128-ecb -aes-128-gcm -aes-128-ofb -aes-128-xts
-aes-192-cbc -aes-192-cfb -aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr -aes-192-ecb -aes-192-gcm -aes-192-ofb
-aes-256-cbc -aes-256-cbc-hmac-sha1 -aes-256-cfb -aes-256-cfb1 -aes-256-cfb8 -aes-256-ctr -aes-256-ecb -aes-256-gcm -aes-256-ofb -aes-256-xts
-aes128 -aes192 -aes256
-bf -bf-cbc -bf-cfb -bf-ecb -bf-ofb -blowfish
-camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1 -camellia-128-cfb8 -camellia-128-ecb -camellia-128-ofb
-camellia-192-cbc -camellia-192-cfb -camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ecb -camellia-192-ofb
-camellia-256-cbc -camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8 -camellia-256-ecb -camellia-256-ofb
-camellia128 -camellia192 -camellia256
-cast -cast-cbc -cast5-cbc -cast5-cfb -cast5-ecb -cast5-ofb
-des -des-cbc -des-cfb -des-cfb1 -des-cfb8 -des-ecb -des-ede -des-ede-cbc -des-ede-cfb -des-ede-ofb
-des-ede3 -des-ede3-cbc -des-ede3-cfb -des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ofb -des-ofb -des3 -desx -desx-cbc
-id-aes128-GCM -id-aes192-GCM -id-aes256-GCM
-rc2 -rc2-40-cbc -rc2-64-cbc -rc2-cbc -rc2-cfb -rc2-ecb -rc2-ofb
-rc4 -rc4-40 -rc4-hmac-md5
-seed -seed-cbc -seed-cfb -seed-ecb -seed-ofb
As you can see, the command we ran above is enc -help. What is enc? It turns out that openssl offers two ways to invoke a symmetric encryption algorithm.
One is to call the symmetric encryption command directly, for example:
openssl des-cbc -in plain.txt -out encrypt.txt -pass pass:12345678
The other is to go through enc, passing the symmetric encryption command as a parameter of the enc command, for example:
openssl enc -des-cbc -in plain.txt -out encrypt.txt -pass pass:12345678
The two commands above do the same thing and take the same parameters. So what is enc for? Simply put, it saves trouble.
openssl provides a large number of symmetric encryption commands, and enc gathers all of them into one command. Users only need to call enc and specify the encryption algorithm to perform the operation that the separate algorithm command would perform. Moreover, some of the algorithms that can be specified in enc may not exist as separate commands. The author therefore recommends using enc.
Of course, although the symmetric encryption commands that openssl provides are powerful, they are not complete: for example, they do not support functions such as 76-bit RC2 encryption and decryption or 84-bit RC4 encryption and decryption. To use these algorithms and modes flexibly, you need to learn the API that openssl provides.
2、 Symmetric encryption algorithm instruction parameters
The detailed usage of enc is described in its man page, and enc -help prints a summary of the main parameters, as follows:
$ openssl enc -help
unknown option '-help'
options are
-in <file>     input file
-out <file>    output file
-pass <arg>    pass phrase source
-e             encrypt
-d             decrypt
-a/-base64     base64 encode/decode, depending on encryption flag
-k             passphrase is the next argument
-kfile         passphrase is the first line of the file argument
-md            the next argument is the md to use to create a key
                 from a passphrase.  One of md2, md5, sha or sha1
-S             salt in hex is the next argument
-K/-iv         key/iv in hex is the next argument
-[pP]          print the iv/key (then exit if -P)
-bufsize <n>   buffer size
-nopad         disable standard block padding
-engine e      use engine e, possibly a hardware device.
Cipher Types
...
[in/out]
These two parameters specify the input file and the output file. When encrypting, the input file is plaintext and the output file is ciphertext; when decrypting, the input file is ciphertext and the output file is plaintext.
[pass]
Specifies how the password is supplied. There are five ways: on the command line (pass), from a file (file), from an environment variable (env), from a file descriptor (fd), and from standard input (stdin). The default is standard input, that is, typed at the keyboard.
[e/d]
e: encrypt, d: decrypt. The default is encryption.
[-a/-base64]
Because the encrypted file is binary and inconvenient to view, this parameter base64-encodes the encrypted content to make it readable. Likewise, when decrypting, the input is base64-decoded first and then decrypted.
[-k/-kfile]
Kept for compatibility with earlier versions. They specify how the password is supplied and have been replaced by the pass parameter.
[md]
Specifies the digest algorithm used for key generation. The password entered by the user cannot be used directly as the file encryption key; it is first transformed by a digest algorithm, which this parameter selects. The default is md5.
[-S]
To improve security, a salt is used when converting the user password into an encryption key, and by default the salt is generated randomly. With this parameter the salt value is specified by the user. -nosalt can also be used to disable the salt, but this reduces security and is not recommended.
[K/IV]
By default the Key and IV used to encrypt the file are derived from the password entered by the user, but the Key/IV values can also be specified by the user, in which case the pass parameter has no effect.
[pP]
With the p parameter, the file Key and IV values are printed. With the P parameter, the Key and IV values are also printed, but no actual encryption or decryption is performed.
[bufsize]
The I/O buffer size for reading and writing files. In general it does not need to be specified.
[-nopad]
Disables padding, which requires the length of the input data to be a multiple of the block size of the encryption algorithm in use.
[engine]
Specifies a third-party encryption device. No such environment is available, so this has not been tried for now.
3、 Example of symmetric encryption algorithm
1、 Base64-encode a file only, without encryption or decryption
# Base64-encode the file
openssl enc -base64 -in plain.txt -out base64.txt
# Decode the base64 file
openssl enc -base64 -d -in base64.txt -out plain2.txt
# diff shows that the plaintext is the same before encoding and after decoding
diff plain.txt plain2.txt
2、 Different ways of supplying the password
# On the command line, password 123456
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass pass:123456
# From a file, password 123456
echo 123456 > passwd.txt
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass file:passwd.txt
# From an environment variable, password 123456
passwd=123456
export passwd
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass env:passwd
# From a file descriptor
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass fd:1
# From standard input
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass stdin
3、 Encrypting with a fixed salt value
$ openssl enc -aes-128-cbc -in plain.txt -out encrypt.txt -pass pass:123456 -P
salt=32F5C360F21FC12D
key=D7E1499A578490DF940D99CAE2E29EB1
iv =78EEB538897CAF045F807A97F3CFF498
$ openssl enc -aes-128-cbc -in plain.txt -out encrypt.txt -pass pass:123456 -P
salt=DAA482697BECAB46
key=9FF8A41E4AC011FA84032F14B5B88BAE
iv =202E38A43573F752CCD294EB8A0583E7
$ openssl enc -aes-128-cbc -in plain.txt -out encrypt.txt -pass pass:123456 -P -S 123
salt=1230000000000000
key=50E1723DC328D98F133E321FC2908B78
iv =1528E9AD498FF118AB7ECB3025AD0DC6
$ openssl enc -aes-128-cbc -in plain.txt -out encrypt.txt -pass pass:123456 -P -S 123
salt=1230000000000000
key=50E1723DC328D98F133E321FC2908B78
iv =1528E9AD498FF118AB7ECB3025AD0DC6
As you can see, when the -S parameter is not used the salt is generated randomly and the key and iv values keep changing; when the salt value is fixed, the key and iv values are fixed as well.
4、 Base64 encoding after encryption and base64 decoding before decryption
# With -a, the output is base64-encoded after encryption
$ openssl enc -aes-128-cbc -in plain.txt -a -out encrypt.txt -pass pass:123456
# With -a, the input is base64-decoded before decryption
$ openssl enc -aes-128-cbc -in encrypt.txt -d -a -out plain1.txt -pass pass:123456
# Compare the decrypted file with the original
$ diff plain.txt plain1.txt
# The encrypted file is base64-encoded
$ cat encrypt.txt
U2FsdGVkX19KbCj9GMI1TBOQjP8JJcefIUH1tHwf/Z4=
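The key derivation behind examples 3 and 4, as an added example that is not part of the original article: it recomputes the key and iv that -P printed in example 3 from the password and salt, and reads the salt back out of the base64 output of example 4. It assumes the single-iteration EVP_BytesToKey derivation with MD5 (the default digest named in section 2); the function names are hypothetical.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # 8-byte marker that enc writes in front of the salt


def evp_bytes_to_key(password, salt, key_len, iv_len, md="md5"):
    """Single-iteration EVP_BytesToKey: D_i = H(D_{i-1} || password || salt).
    Assumption: MD5 with one iteration, the default stated in section 2."""
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def parse_salted(b64_text):
    """Split the output of 'enc -a' into (salt, ciphertext)."""
    raw = base64.b64decode(b64_text)
    if len(raw) < 16 or not raw.startswith(MAGIC):
        raise ValueError("no Salted__ header, e.g. output made with -nosalt")
    return raw[8:16], raw[16:]


# (salt, key, iv) copied from the -P output in example 3, password 123456
PAGE_RUNS = [
    ("32F5C360F21FC12D", "D7E1499A578490DF940D99CAE2E29EB1", "78EEB538897CAF045F807A97F3CFF498"),
    ("DAA482697BECAB46", "9FF8A41E4AC011FA84032F14B5B88BAE", "202E38A43573F752CCD294EB8A0583E7"),
    ("1230000000000000", "50E1723DC328D98F133E321FC2908B78", "1528E9AD498FF118AB7ECB3025AD0DC6"),
]


def reproduce_page_runs(password=b"123456"):
    """Return one bool per run: does the derivation match what -P printed?"""
    results = []
    for salt_hex, key_hex, iv_hex in PAGE_RUNS:
        key, iv = evp_bytes_to_key(password, bytes.fromhex(salt_hex), 16, 16)
        results.append((key.hex().upper(), iv.hex().upper()) == (key_hex, iv_hex))
    return results


if __name__ == "__main__":
    print("matches -P output:", reproduce_page_runs())
    # Base64 ciphertext shown by 'cat encrypt.txt' in example 4
    salt, ct = parse_salted("U2FsdGVkX19KbCj9GMI1TBOQjP8JJcefIUH1tHwf/Z4=")
    key, iv = evp_bytes_to_key(b"123456", salt, 16, 16)
    print("salt", salt.hex(), "key", key.hex(), "iv", iv.hex(), "ct bytes", len(ct))
```

Because a single digest pass over password and salt yields the key, the strength of the encrypted file rests entirely on the password. OpenSSL 1.1.0 changed the default digest to SHA-256 and 1.1.1 added the -pbkdf2 and -iter options, so files made as shown here need -md md5 when decrypted with a newer version.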
5、 Specifying the Key and IV values manually
# Specify the key and iv values manually; the salt is fixed
$ openssl enc -aes-128-cbc -in plain.txt -out encrypt.txt -K 1223 -iv f123 -p
salt=0B00000000000000
key=12230000000000000000000000000000
iv =F1230000000000000000000000000000
# Specifying a pass password has no effect; note that the Key and IV values are hexadecimal
$ openssl enc -aes-128-cbc -in plain.txt -out encrypt.txt -K 1223 -iv f123 -p -pass pass:123456
salt=F502F4B8DE62E0E5
key=12230000000000000000000000000000
iv =F1230000000000000000000000000000