openssl

openssl Onno W. Purbo onno@indo.net.id

Reference • http://www.openssl.org • http://www.linuxdoc.org • http://www.redhat.com

OpenSSL • OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.

Private Key

make server.key [root@linux conf]# make server.key umask 77 ; \ /usr/bin/openssl genrsa -des3 -rand 1024 > server.key 0 semi-random bytes loaded Generating RSA private key, 512 bit long modulus ...++++++++++++ ..++++++++++++ e is 65537 (0x10001) Enter PEM pass phrase: Verifying password - Enter PEM pass phrase:

More server.key [root@linux conf]# more server.key -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,317BF4C50E1C590B X/V5VDJxPg702miehbOCsumLf2QS9vpO2YxI9BLsNrtBkPyN363UEVQ9Hsrpct mQhDa+/BXuUFqKtZcGJJef2kIhwqe1L5oW0RBRk5XJvOtVWkxobEuRq28f76+j 9+gtNW9O12tTXEg+nGR5KOWd+UEOCtLyCgs2YMfUwloGYzc26lw9n77VI7g0RC ViiNdZLGWlg2ywFBXGVBHeuo2a8NHXxOTuFdPdBP0UCodknzd+Af761FZPJDg0 HEvFzHUpoEExn00NzBUj0YvkUMtOXi4Q9GNB1V7UUiAJNwUZXjbjRgbUXfSMcZ ZY9LkHoc4cq5F4w+IN8O4KLkTfzLENdbbFP04R2BJ5ASx4r7GADaeCMaXUYuqU DjP5gGDIG0lHXSnn31tPBZeVX+AcYEmDU2Zbch5PxPs= -----END RSA PRIVATE KEY-----

Private Key [root@linux conf]# openssl rsa -noout -text -in server.key read RSA key Enter PEM pass phrase: Private-Key: (512 bit) modulus: 00:a3:f6:5c:c5:39:72:54:80:41:94:6a:a0:ae:0c: 7c:eb:d8:ac:f5 publicExponent: 65537 (0x10001) privateExponent: 10:08:c2:af:c2:db:6c:6a:12:7f:ba:21:b6:83:9e: fa:e3:74:e1 prime1: 00:d3:a3:99:4f:43:ba:b3:97:a3:bc:58:e3:58:ce: c6:9a:ad prime2: 00:c6:54:77:29:cf:8d:8c:6a:f0:76:e5:61:db:c3: 33:ac:69

Testing s_client

S_client [root@linux conf]# openssl s_client -host localhost -port 443 CONNECTED(00000003) depth=0 /C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno @indo.net.id verify error:num=18:self signed certificate verify return:1 depth=0 /C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno @indo.net.id verify return:1 --- Certificate chain 0 s:/C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno@indo.net.id i:/C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno@indo.net.id

S_client Command Line [root@linux conf]# openssl s_client -host localhost -port 443 CONNECTED(00000003) depth=0 /C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno @indo.net.id verify error:num=18:self signed certificate verify return:1 depth=0 /C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno @indo.net.id verify return:1 --- Certificate chain 0 s:/C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno@indo.net.id i:/C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno@indo.net.id

S_client [root@linux conf]# openssl s_client -host localhost -port 443 CONNECTED(00000003) depth=0 /C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno @indo.net.id verify error:num=18:self signed certificate verify return:1 depth=0 /C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno @indo.net.id verify return:1 --- Certificate chain 0 s:/C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno@indo.net.id i:/C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno@indo.net.id Self Sign Cerificate

S_client .. --- Server certificate -----BEGIN CERTIFICATE----- MIIC9TCCAp+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBizELMAkGA1UEBhMCSU DDAKBgNVBAgTA0RLSTEQMA4GA1UEBxMHSmFrYXJ0YTETMBEGA1UEChMKRnJlZS Qw4hIPMdJ5eer6qBUaiIl5G9yurxeAOPkSd58OVsmX1KwQIm2kLZtwY= -----END CERTIFICATE----- subject=/C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno@indo.net.id issuer=/C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno@indo.net.id

S_client .. --- Server certificate -----BEGIN CERTIFICATE----- MIIC9TCCAp+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBizELMAkGA1UEBhMCSU DDAKBgNVBAgTA0RLSTEQMA4GA1UEBxMHSmFrYXJ0YTETMBEGA1UEChMKRnJlZS Qw4hIPMdJ5eer6qBUaiIl5G9yurxeAOPkSd58OVsmX1KwQIm2kLZtwY= -----END CERTIFICATE----- subject=/C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno@indo.net.id issuer=/C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno@indo.net.id Siapa Anda..

S_client .. --- Server certificate -----BEGIN CERTIFICATE----- MIIC9TCCAp+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBizELMAkGA1UEBhMCSU DDAKBgNVBAgTA0RLSTEQMA4GA1UEBxMHSmFrYXJ0YTETMBEGA1UEChMKRnJlZS Qw4hIPMdJ5eer6qBUaiIl5G9yurxeAOPkSd58OVsmX1KwQIm2kLZtwY= -----END CERTIFICATE----- subject=/C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno@indo.net.id issuer=/C=ID/ST=DKI/L=Jakarta/O=Free Agent/OU=Owner/CN=www.purbo.org/Email=onno@indo.net.id Issuer / Cerificate Authority

S_client .. --- No client certificate CA names sent --- SSL handshake has read 1221 bytes and written 314 bytes --- New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA Server public key is 512 bit SSL-Session: Protocol : TLSv1 Cipher : EDH-RSA-DES-CBC3-SHA Session-ID: Session-ID-ctx: Master-Key: F597E6EEDB4B6C6FADFC7AEDDC0E66F4740E7EB8486F03 Key-Arg : None Start Time: 988936497 Timeout : 300 (sec) Verify return code: 0 (ok)

S_client .. --- No client certificate CA names sent --- SSL handshake has read 1221 bytes and written 314 bytes --- New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA Server public key is 512 bit SSL-Session: Protocol : TLSv1 Cipher : EDH-RSA-DES-CBC3-SHA Session-ID: Session-ID-ctx: Master-Key: F597E6EEDB4B6C6FADFC7AEDDC0E66F4740E7EB8486F03 Key-Arg : None Start Time: 988936497 Timeout : 300 (sec) Verify return code: 0 (ok) Master Key

S_client .. --- GET / <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <TITLE>Test Page for the Apache Web Server on Red Hat Linux</TITLE> </HEAD>  <BODY BGCOLOR="#FFFFFF"> <H1 ALIGN="CENTER">Test Page</H1> This page is used to test the proper operation of the Apache Web server after it has been installed. If you can read this page, it means that the Apache Web server installed at this site is working properly. </HTML> closed [root@linux conf]#

openssl

openssl

Presentation Transcript

Investigations into BIND Dynamic Update with OpenSSL

Torturing OpenSSL

OpenSSL and Java 7 vs. 512-bit proxy keys

PKI Processing with OpenSSL

openssl

Introduction to OpenSSL

Investigations into BIND Dynamic Update with OpenSSL

Side-Channel Attack on OpenSSL ECDSA

Running OpenSSL Crypto Algorithms in Simplescalar

Extending Kryptos with OpenSSL