Encryption,Decryption using OpenSSL and Generating a Self-Signed Certification Authority and create a certificate from your CA.

   ∗ ∗ ∗MD5 value, SHA1 value and SHA256 ∗ ∗ ∗

md5sum is a computer program that calculates and verifies 128-bit MD5 hashes, as described in RFC 1321. The MD5 hash (or checksum) functions as a compact digital fingerprint of a file. As with all such hashing algorithms, there is theoretically an unlimited number of files that will have any given MD5 hash. However, it is very unlikely that any two non-identical files in the real world will have the same MD5 hash, unless they have been specifically created to have the same hash.

The underlying MD5 algorithm is no longer deemed secure, thus while md5sum is well-suited for identifying known files in situations that are not security related, it should not be relied on if there is a chance that files have been purposefully and maliciously tampered. In the latter case, the use of a newer hashing tool such as sha256sum is highly recommended.

Virtually any non-malicious change to a file will cause its MD5 hash to change; therefore md5sum is used to verify the integrity of files. Most commonly, md5sum is used to verify that a file has not changed as a result of a faulty file transfer, a disk error or non-malicious meddling. The md5sum program is installed by default in most Unix, Linux, and Unix-like operating systems or compatibility layers. Other operating systems, including Microsoft Windows and BSD variants — such as Mac OS X – have similar utilities (see external links). On FreeBSD this utility is called ‘md5’ and contains additional features.

sha1sum is a computer program that calculates and verifies SHA-1 hashes. It is commonly used to verify the integrity of files. It (or a variant) is installed by default in most Unix-like operating systems. Variants include shasum (which permits SHA-1 through SHA-512 hash functions to be selected manually) and sha224sumsha256sumsha384sum andsha512sum, which use a specific SHA-2 hash function. Versions for Microsoft Windows also exist, and the ActivePerl distribution includes a perl implementation of shasum. On FreeBSD this utility is called ‘sha512’ and contains additional features.

The SHA-1 variants are considered vulnerable to collision attacks, and users should use for example a SHA-2 variant such as sha256sum instead if used for the purpose of preventing tampering by an adversary.

The program sha256sum is designed to verify data integrity using the SHA-256 (SHA-2 family with a digest length of 256 bits). SHA-256 hashes used properly can confirm both file integrity and authenticity. SHA-256 serves a similar purpose to a prior algorithm recommended by Ubuntu, MD5, but is less vulnerable to attack.

Comparing hashes makes it possible to detect changes in files that would cause errors. The possibility of changes (errors) is proportional to the size of the file; the possibility of errors increase as the file becomes larger. It is a very good idea to run an SHA-256 hash comparison check when you have a file like an operating system install CD that has to be 100% correct.

In terms of security, cryptographic hashes such as SHA-256 allow for authentication of data obtained from insecure mirrors. The SHA-256 hash must be signed or come from a secure source (such as a HTTPS page or a GPG-signed file) of an organization you trust. See the SHA-256 checksum file for the release you’re using under http://releases.ubuntu.com.

Using a pass phrase to generate the key to encrypt & decrypt.

Step 1: Choose an appropriate algorithm that would suite your requirement

Step 2: Use the following format to encrypt or decrypt a file

$ openssl enc -<cipher algorithm>­ ­e/d ­-in <input file name> -­out ­<output file name> md [md5/sha/sha1]

12

3

  • OpenSSL result could be used to encrypt/decrypt files using private keys and public keys

Generating key pairs – [public key / private key]

Generating a RSA key pair

  •   This key can be used for signing and encryption

$ openssl genrsa -­out <private_key>  .pem <Key_length>

45

  •  If you would like to protect the private key with a password you should use an additional parameter

$ openssl genrsa -<cipher algorithm> ­-­out <private_key>.pem<key_length> 

67

  •  Now we have a private key. We derive public key from the private key.

$ openssl rsa ­-in <private_key>.pem -­pubout -­out <public_key>.pem

89

Generating a DSA key pair

  •   This key can only be used for signing

generating key without protected by a pass phrase

$ openssl gendsa ­-out <private_key>.pem <dsa_param_file>.pem

1011

generating key with password protected

$ openssl gendsa ­-des3 -­out <private_key>.pem <dsa_param_file>.pem

1213

The whole thing could be done in a single step also. Then you will only be able to generate a single key from the parameters generated.

$ openssl dsaparam ­-noout -­out <private_key>.pem -­genkey <key_length>

1415

  • Now we have a private key. We derive public key from the private key.

$ openssl dsa -­in <private_key>.pem -­pubout ­-out <public_key>.pem

16

  • Removing pass phrase encryption of your private key

$ openssl <algorithm> -­in <private_key_ecrypted>.pem -­out <private_key_plain>.pem

1718

Decryption

$ openssl rsautl ­-decrypt -­inkey <private_key>. <­keyformat> -ketform <keyformat> -in <file_encrypyted>­ -out <file_decrypted>

19

Signing RSA/DSA

$ openssl rsautl -­sign -­inkey <private_key>.<keyformat> -­keyform <keyformat> -­in <fil_to_sign> -­out <file_singed>

20

Verifying RSA/DSA

$ openssl rsautl ­-verify -­pubin -­inkey <public_key>.<keyformat> -­keyform ­-in <file_signed>

21

♥♥ Generating a Self-Signed Certification Authority and create a certificate from your CA 

1.       Create a Self-Signed Certification Authority.

22

2.     Analyze the generated Certificate and list down the usage of each and every parameter in the certificate.

  •  Country Name (2 letter code) [AU]:US
  •  State or Province Name (full name) [Some-State]:New York
  •  Locality Name (eg, city) []:Brooklyn
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Brooklyn Company
  •  Organizational Unit Name (eg, section) []:Technology Division
  •  Common Name (e.g. server FQDN or YOUR name) []:examplebrooklyn.comEmail
  •  Address []: example@email.com

3.       Generate a Private Key which can be used by a Server

23

4.       Create a CSR for the generated private key

2425

5.       Sign the CSR using the previously created Certification Authority.

2627

6.       Analyze the generated Certificate and list down the usage of each and every parameter in the certificate.

*Country Name (2 letter code) [AU]:US
*State or Province Name (full name) [Some-State]:New York
*Locality Name (eg, city) []:Brooklyn
*Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Brooklyn Company
*Organizational Unit Name (eg, section) []:Technology Division
*Common Name (e.g. server FQDN or YOUR name) []:examplebrooklyn.comEmail
*Address []: example@email.com

TinyCA

TinyCA is a simple graphical userinterface written in Perl/Gtk to manage a small CA (Certification Authority).
TinyCA works as a frontend for openssl

Features:
Currently TinyCA supports the following features:

Unlimited CAs possible
Support for creating and managing SubCAs
Creation and Revocation of x509 – S/MIME certificates
PKCS#10 Requests can be imported and signed
RSA and DSA keys can be generated and used
ServerCertificatesCertificates can be exported as: PEM, DER, TXT and PKCS#12
Certificates may be used with e.g. Apache, Postfix, OpenLDAP, Cyrus, FreeS/WAN, OpenVPN, OpenSWAN, FreeRadius
ClientCertificates
Certificates can be exported as: PEM, DER, TXT and PKCS#12
Certificates may be used with e.g. Netscape, Konqueror, Opera, Internet Explorer, Outlook (Express) and FreeS/WAN
Certificate Revocation List
CRLs can be exported as: PEM, DER and TXT
Language Support:
English
German
Czech (Thanks to Robert Wolf )
Swedish (Thanks to Daniel Nylander )
Spanish (Thanks to Ramon Pons Vivanco )
French (Thanks to Thibault Le Meur )

You won’t find TinyCA in your distribution’s repositories. You can either add the necessary repository to your /etc/apt/sources.list file or you can install from one of the binaries found on the main page. Let’s use Ubuntu and Debian as an example for installation.

If you want to install using apt-get you will need to first add the repository file to your sources.list file.  So open up the /etc/apt/sources.list file with your favorite editor and add the following line:
deb http://ftp.de.debian.org/debian sid main

NOTE: Replace “sid” with the version you are using. If you are using Ubuntu 9.04 the example above will work.

Now run the command:

sudo apt-get update

You will notice that apt-get complains about the lack of a gpg key. That’s okay because we are going to install using the command line.

Now issue the command:

sudo apt-get install tinyca

This should install TinyCA without complaint. You might have to okay the installation of some dependencies.

To run TinyCA issue the command tinyca2 and the main window will open. Upon your first run you will be greeted by the Create CA window. When you already have CAs this window will not open automatically. In this window you will create a new CA.

1.       Create a Certification Authority using Tiny CA

2829303132

2.       Create another private key using OpenSSL.

33

3.       Create a CSR for the generated private key44

34

4.      Generate a CRL from TinyCA.

35

36

S.H.M Lahiru Prabath Balasuriya.

Reference

  1. http://www.ghacks.net/2009/09/16/create-your-own-certificate-authority-with-tinyca/
  2. http://stackoverflow.com/questions/16056135/how-to-use-openssl-to-encrypt-decrypt-files
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s