Is IIS using OpenSSL?
As a cryptography-based security development toolkit, OpenSSL provides powerful and comprehensive functionality: the major cryptographic algorithms, commonly used key and certificate encapsulation and management functions, the SSL protocol, and a rich set of applications for testing and other purposes.

1. Symmetric encryption algorithms

OpenSSL provides eight symmetric encryption algorithms: seven block ciphers and one stream cipher, RC4. The seven block ciphers are AES, DES, Blowfish, CAST, IDEA, RC2 and RC5, and all of them support the four commonly used block cipher modes of operation: electronic codebook (ECB), cipher block chaining (CBC), cipher feedback (CFB) and output feedback (OFB). In CFB and OFB mode the block size used by AES is 128 bits, while the other algorithms use 64 bits. The DES implementation covers not only plain DES but also 3DES with two keys and with three keys.

2. Asymmetric encryption algorithms

OpenSSL implements four asymmetric algorithms: DH, RSA, DSA and elliptic curve cryptography (EC). DH is generally used for key exchange. RSA can be used both for key exchange and for digital signatures and, if you can tolerate its slow speed, for data encryption as well. DSA is generally used only for digital signatures.

3. Message digest algorithms

OpenSSL implements five message digest algorithms: MD2, MD5, MDC2, SHA (SHA-1) and RIPEMD. The SHA family here covers both the SHA and SHA-1 digests. In addition, OpenSSL implements the two digest variants DSS and DSS1 specified in the DSS standard.
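Sections 2 and 3 together describe the three operations a practitioner combines most often: hashing a message, signing the hash with an asymmetric key, and agreeing on a shared secret. The script below is an added example, not code from the original article; it uses the `openssl dgst`, `genpkey`, `pkey` and `pkeyutl` applications, generates throwaway keys in a scratch directory, and works on constructed messages. The key agreement step uses an elliptic curve (ECDH on P-256) rather than classic finite-field DH, which is the same exchange the article attributes to DH.

```shell
#!/bin/sh
# Added example (not from the original article): message digests,
# RSA signatures and Diffie-Hellman style key agreement via the OpenSSL
# applications. All keys are generated on the fly in a scratch directory.
set -e
WORK=$(mktemp -d)

tohex() { od -An -tx1 | tr -d ' \n'; }

# SHA-256 of a string as lowercase hex; awk drops the "SHA256(stdin)= " label.
sha256_hex() { printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'; }

# Generate a 2048-bit RSA key pair once; the private key never leaves $WORK.
rsa_keygen() {
  [ -f "$WORK/rsa.pem" ] && return 0
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/rsa.pem" 2>/dev/null
  openssl pkey -in "$WORK/rsa.pem" -pubout -out "$WORK/rsa.pub"
}

# Sign a message: hash it with SHA-256, then RSA-sign the hash.
rsa_sign() {
  rsa_keygen
  printf '%s' "$1" > "$WORK/msg"
  openssl dgst -sha256 -sign "$WORK/rsa.pem" -out "$WORK/msg.sig" "$WORK/msg"
}

# Verify a message against the signature from rsa_sign using only the
# public key; exit 0 on success, non-zero if the message was altered.
rsa_verify() {
  printf '%s' "$1" > "$WORK/check"
  openssl dgst -sha256 -verify "$WORK/rsa.pub" -signature "$WORK/msg.sig" \
    "$WORK/check" >/dev/null 2>&1
}

# Key agreement on P-256: each side derives the shared secret from its own
# private key and the peer's public key; both results must be identical.
ecdh_shared_secrets_match() {
  for side in alice bob; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$WORK/$side.pem" 2>/dev/null
    openssl pkey -in "$WORK/$side.pem" -pubout -out "$WORK/$side.pub"
  done
  a=$(openssl pkeyutl -derive -inkey "$WORK/alice.pem" -peerkey "$WORK/bob.pub" | tohex)
  b=$(openssl pkeyutl -derive -inkey "$WORK/bob.pem" -peerkey "$WORK/alice.pub" | tohex)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage when run directly:
echo "sha256('abc') = $(sha256_hex abc)"
rsa_sign 'constructed message'
rsa_verify 'constructed message' && echo "signature ok"
rsa_verify 'constructed message (tampered)' || echo "tampered message rejected"
ecdh_shared_secrets_match && echo "ECDH shared secrets agree"
```

The raw shared secret from `pkeyutl -derive` is not itself a usable key; in a real protocol it is fed through a key derivation function before use.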

4. Key and certificate management

Key and certificate management is an important part of a PKI, and OpenSSL provides rich functionality for it and supports the relevant standards.

First of all, OpenSSL implements the ASN.1 standards for certificates and keys and provides DER, PEM and BASE64 encoding and decoding for certificates, public keys, private keys, certificate requests, CRLs and other data objects. OpenSSL provides methods, functions and applications for generating all kinds of public key pairs and symmetric keys, provides DER encoding and decoding for public and private keys, and implements PKCS#12 and PKCS#8 encoding and decoding for private keys. OpenSSL also provides the encryption protection for private keys defined in those standards, so that keys can be stored and distributed safely.

On this basis, OpenSSL implements encoding and decoding for the X.509 standard, the PKCS#12 format and PKCS#7. A text database is provided that supports certificate management, including key generation, request generation, certificate issuance, revocation and verification.

In fact, the CA application provided by OpenSSL is a small certificate authority (CA) that implements the whole process of certificate issuance and most mechanisms of certificate management.
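The issuance and verification process described in this section can be reproduced end to end with the `req`, `x509`, `verify` and `pkcs12` applications. The script below is an added example, not code from the original article and not the `openssl ca` text-database workflow itself; the subject names, validity periods and scratch directory are constructed for the demo. It creates a throwaway root CA, issues a certificate from a PKCS#10 request, verifies the chain, shows that a certificate the CA never issued is rejected, and round-trips the certificate through DER and PKCS#12.

```shell
#!/bin/sh
# Added example (not from the original article): a throwaway certificate
# authority built from the OpenSSL applications. Names, validity and the
# scratch directory are constructed for the demo.
set -e
WORK=$(mktemp -d)

# Root CA: RSA key plus self-signed X.509 certificate in one step.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj '/CN=Demo Root CA' -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# End entity: key + certificate request (CSR), then the CA signs the request.
issue_cert() {
  name=$1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$name.pem" 2>/dev/null
}

# Chain verification against the CA certificate: prints "OK" or "FAIL".
verify_status() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Format conversion: PEM -> DER -> PEM must preserve the certificate,
# which the SHA-256 fingerprint confirms.
fingerprint_survives_der() {
  openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.der"
  openssl x509 -in "$WORK/$1.der" -inform DER -out "$WORK/$1.roundtrip.pem"
  f1=$(openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256)
  f2=$(openssl x509 -in "$WORK/$1.roundtrip.pem" -noout -fingerprint -sha256)
  [ "$f1" = "$f2" ]
}

# Bundle key and certificate as PKCS#12 and read the certificate back.
pkcs12_roundtrip_ok() {
  openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" \
    -passout pass:demo-export -out "$WORK/$1.p12"
  openssl pkcs12 -in "$WORK/$1.p12" -passin pass:demo-export -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | grep -q "CN *= *$1"
}

# A self-signed certificate the CA never issued must fail verification.
rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj '/CN=rogue' -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
}

# Usage when run directly:
make_ca
issue_cert server.example.test
echo "issued cert: $(verify_status server.example.test)"
rogue_cert
echo "rogue cert:  $(verify_status rogue)"
```

`openssl verify` here checks only the signature chain and validity period; hostname matching and revocation checking are separate steps (`-verify_hostname`, CRL or OCSP input) that a deployment must add on top.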

5. SSL and TLS protocols

OpenSSL implements SSLv2 and SSLv3 of the SSL protocol and supports most of their features. OpenSSL also implements TLSv1.0, the standardized version of SSLv3; although the two differ little overall, they differ in many details.

Although much other software implements the same functions as OpenSSL, the SSL implementation in OpenSSL gives us a clearer understanding of the SSL protocol, for at least two reasons. First, OpenSSL's SSL implementation is open source, so we can examine every detail of how the protocol is implemented. Second, it is a pure SSL implementation, not combined with other protocols (such as HTTP), which shows the SSL protocol in its true form.
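Beyond reading the implementation, the protocol library is also what the `openssl ciphers` application consults, which makes it a convenient offline tool for auditing a TLS cipher-suite string before it goes into a server configuration. The script below is an added example, not code from the original article; the cipher strings it inspects are constructed for the demo, and the "weak" criteria (no forward secrecy from static RSA key exchange, anonymous or null authentication, 3DES/RC4/NULL encryption) are this example's own choice.

```shell
#!/bin/sh
# Added example (not from the original article): auditing a TLS cipher
# string with `openssl ciphers -v` before it is deployed.
set -e

# Expand a cipher string into OpenSSL's verbose suite list, one per line:
#   NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...
expand_ciphers() { openssl ciphers -v "$1"; }

# Print the suites a defender would not want enabled: static RSA key
# exchange (no forward secrecy), anonymous/null authentication, or a
# legacy cipher. TLS 1.3 suites report Kx=any / Au=any and pass through.
weak_suites() {
  expand_ciphers "$1" | awk '
    $3 == "Kx=RSA" ||
    $4 == "Au=None" ||
    $5 ~ /^Enc=(3DES|RC4|None)/ { print $1 }'
}

# Number of weak suites in the string (0 means the string is clean).
weak_count() { weak_suites "$1" | awk 'END { print NR }'; }

# Usage when run directly (both strings are constructed demo inputs):
LEGACY='ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:AES256-GCM-SHA384:DES-CBC3-SHA'
HARDENED='ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!kRSA'
echo "legacy string flags $(weak_count "$LEGACY") weak suite(s):"
weak_suites "$LEGACY"
echo "hardened string flags $(weak_count "$HARDENED") weak suite(s)"
```

Suite names that the local build does not support are silently dropped by `openssl ciphers`, so a string that looks strict on paper should always be expanded on the machine that will actually run it.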

6. Applications

The OpenSSL applications have become an important part of OpenSSL, and their importance was probably not foreseen by the OpenSSL developers at first. Nowadays many uses of OpenSSL are built on the OpenSSL applications rather than on its API; OpenCA, for example, is implemented entirely on top of the OpenSSL applications. The applications are written against OpenSSL's cryptographic algorithm library and SSL protocol library, so they are also very good examples of how to use the OpenSSL API. After reading through all of them you will have a comprehensive understanding of the API, although doing so is also an exercise in willpower.

The OpenSSL applications provide fairly comprehensive functionality. In the eyes of quite a few people OpenSSL has already done everything for them and no further development work is needed, so they also treat these applications as the instructions for OpenSSL itself. The applications mainly cover key generation, certificate management, format conversion, data encryption and signing, SSL testing and other auxiliary configuration functions.

7. Engine mechanism

The Engine mechanism appeared in OpenSSL version 0.9.6. At first the normal version was separate from the version supporting Engine; by OpenSSL version 0.9.7 the Engine mechanism was integrated into the core of OpenSSL and became an indispensable part of it. The purpose of the Engine mechanism is to let OpenSSL transparently use a third-party software cryptographic library or hardware cryptographic device for its cryptography. OpenSSL's Engine mechanism has achieved this goal: OpenSSL is not only a cryptographic library but also provides a universal cryptographic interface that can work together with most cryptographic libraries or devices. Of course, to make a specific library or device work smoothly with OpenSSL, a small amount of interface code needs to be written; the workload is not large, although some knowledge of cryptography is still needed. The function of the Engine mechanism is essentially the same as that of the CSP provided by Windows. At present, OpenSSL version 0.9.7 supports eight kinds of built-in third-party cryptographic devices, namely CryptoSwift, nCipher, Atalla, Nuron, UBSEC, Aep, SureWare and the IBM 4758 CCA hardware. There is now also an Engine interface supporting the PKCS#11 interface, and an interface supporting Microsoft CryptoAPI has been developed as well. Of course, the support provided by all of the above Engine interfaces may not be comprehensive; for example, only one or two public key algorithms may be supported.

8. Auxiliary functions

The BIO mechanism is a high-level I/O abstraction provided by OpenSSL that encapsulates almost every type of I/O, such as memory access, file access and sockets. This greatly improves code reusability and reduces the complexity of the API that OpenSSL exposes.

OpenSSL also provides a set of solutions and supporting API functions for generating and managing random numbers. The quality of the random numbers is an important prerequisite for whether a key is secure at all.

OpenSSL also provides other auxiliary functions, such as an API for deriving keys from passwords and the configuration file mechanism used in certificate issuance and management. With enough patience you will gradually discover many such small functions as you use OpenSSL in depth, and they will keep surprising you.
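The random number generator and the password-to-key derivation mentioned in the last two paragraphs are both reachable from the command line. The script below is an added example, not code from the original article; it uses `openssl rand` for fresh salts and `openssl enc -pbkdf2 -P` to print the PBKDF2-derived key for a passphrase without encrypting anything. The passphrases and salts are constructed demo values.

```shell
#!/bin/sh
# Added example (not from the original article): OpenSSL's random number
# generator and password-based key derivation via `openssl rand` and
# `openssl enc`. Passphrases and salts are constructed demo values.
set -e

# n random bytes from OpenSSL's CSPRNG, as hex (for keys, IVs and salts).
random_hex() { openssl rand -hex "$1"; }

# Derive an AES-256 key from a passphrase and an 8-byte hex salt with PBKDF2
# (`openssl enc -pbkdf2` uses 10000 iterations by default). `-P` prints the
# derived salt/key/iv instead of encrypting; awk keeps only the key line.
derive_key_hex() {
  pass=$1; salt=$2
  openssl enc -aes-256-cbc -pbkdf2 -md sha256 -S "$salt" -pass "pass:$pass" -P \
    | awk -F= '$1 == "key" { print tolower($2) }'
}

# Same passphrase + same salt must give the same key (deterministic), while a
# fresh random salt must give a different key: the salt is what stops one
# precomputed table from covering every user of the same passphrase.
salt_changes_key() {
  s1=$(random_hex 8); s2=$(random_hex 8)
  k1=$(derive_key_hex "$1" "$s1"); k1again=$(derive_key_hex "$1" "$s1")
  k2=$(derive_key_hex "$1" "$s2")
  [ "$k1" = "$k1again" ] && [ "$k1" != "$k2" ] && [ ${#k1} -eq 64 ]
}

# Usage when run directly:
SALT=$(random_hex 8)
echo "salt=$SALT"
echo "key=$(derive_key_hex 'constructed-passphrase' "$SALT")"
salt_changes_key 'constructed-passphrase' && echo "salt separates keys: yes"
```

The salt is not secret and is normally stored next to the ciphertext (`openssl enc -salt` writes it into the output header); what must stay secret is the passphrase, and what makes brute force expensive is the iteration count.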