As a security development kit based on cryptography, OpenSSL provides quite powerful and comprehensive functionality, including the major cryptographic algorithms, commonly used key and certificate encapsulation and management functions, and the SSL protocols, and it ships a wealth of applications for testing and other purposes.
1. Symmetric encryption algorithm
OpenSSL provides 8 symmetric encryption algorithms, 7 of which are block ciphers; the only stream cipher is RC4. The seven block ciphers are AES, DES, Blowfish, CAST, IDEA, RC2, and RC5. All of them support the four commonly used block cipher modes: electronic codebook (ECB), cipher block chaining (CBC), cipher feedback (CFB), and output feedback (OFB). In CFB and OFB mode the block (feedback) length used by AES is 128 bits, while the other algorithms use 64 bits. Note that "DES" here covers not only the commonly used single DES algorithm but also the three-key and two-key 3DES variants.
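The four modes named above, as an added illustration that is not OpenSSL code: ECB, CBC, CFB and OFB are written over a pluggable block function so that the chaining structure, the padding requirement of ECB/CBC, and the full-block feedback width of CFB/OFB (16 bytes standing in for AES's 128-bit block, 8 bytes for the 64-bit block of the other ciphers) are visible. `toy_block`, the keys and IVs are constructed stand-ins for this demo; the block function is invertible but has no security value.

```python
# Added example (not OpenSSL code): the four block cipher modes named in the
# text, written over a pluggable block function so the chaining structure and
# the feedback width are visible. toy_block() is a constructed stand-in for a
# real cipher; it is invertible but has no security at all.

def toy_block(key: bytes, block: bytes) -> bytes:
    """Stand-in block function: XOR with the key, then rotate bytes left by key[0] % n.
    Block size equals len(key): 16 bytes mimics a 128-bit block (AES-like),
    8 bytes mimics a 64-bit block (DES-like)."""
    n = len(block)
    x = bytes(b ^ k for b, k in zip(block, key))
    r = key[0] % n
    return x[r:] + x[:r]

def toy_block_inv(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block: rotate right, then XOR with the key."""
    n = len(block)
    r = key[0] % n
    x = block[n - r:] + block[:n - r]
    return bytes(b ^ k for b, k in zip(x, key))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad(data: bytes, bs: int) -> bytes:
    """PKCS#7 padding: ECB and CBC only work on whole blocks."""
    n = bs - len(data) % bs
    return data + bytes([n]) * n

def unpad(data: bytes, bs: int) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= bs or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data: bytes, bs: int) -> list:
    return [data[i:i + bs] for i in range(0, len(data), bs)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # Every block is encrypted independently, so equal plaintext blocks give equal ciphertext blocks
    return b"".join(toy_block(key, b) for b in blocks(pad(pt, len(key)), len(key)))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(toy_block_inv(key, b) for b in blocks(ct, len(key))), len(key))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    prev, out = iv, []
    for b in blocks(pad(pt, len(key)), len(key)):
        prev = toy_block(key, xor(b, prev))   # each block is chained to the previous ciphertext block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    prev, out = iv, []
    for b in blocks(ct, len(key)):
        out.append(xor(toy_block_inv(key, b), prev))
        prev = b
    return unpad(b"".join(out), len(key))

def cfb_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Full-width CFB: the feedback register is one whole block (128 bits for a
    16-byte block, 64 bits for an 8-byte one). No padding is needed, and the block
    function only ever runs in the forward direction, even when decrypting."""
    prev, out = iv, []
    for b in blocks(data, len(key)):
        o = xor(b, toy_block(key, prev))
        out.append(o)
        prev = b if decrypt else o           # the ciphertext block is what gets fed back
    return b"".join(out)

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB: keystream = block function iterated on the IV; the same call encrypts and decrypts."""
    state, out = iv, []
    for b in blocks(data, len(key)):
        state = toy_block(key, state)
        out.append(xor(b, state))
    return b"".join(out)

def repeated_blocks(ct: bytes, bs: int) -> int:
    """Number of ciphertext blocks that duplicate an earlier one (the pattern leak of ECB)."""
    bl = blocks(ct, bs)
    return len(bl) - len(set(bl))

# Constructed demo values, not real keys
KEY16, IV16 = bytes(range(1, 17)), bytes(16)   # 128-bit block stand-in
KEY8, IV8 = bytes(range(1, 9)), bytes(8)       # 64-bit block stand-in

if __name__ == "__main__":
    msg = b"A" * 48                              # three identical plaintext blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY16, msg), 16))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY16, IV16, msg), 16))
    odd = b"seventeen bytes!!"
    print("CFB keeps length:", len(cfb_crypt(KEY16, IV16, odd)) == len(odd))
    print("OFB/64-bit keeps length:", len(ofb_crypt(KEY8, IV8, odd)) == len(odd))
```

Swapping `toy_block` for a real block cipher does not change any of the mode code, which is the point: the modes are a layer above the cipher, and a 17-byte message shows which modes need padding and which do not.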
2. Asymmetric encryption algorithm
OpenSSL implements 4 asymmetric encryption algorithms: DH, RSA, DSA and elliptic curve (EC). The DH algorithm is generally used for key exchange. The RSA algorithm can be used for both key exchange and digital signatures and, if you can tolerate its slow speed, for data encryption as well. The DSA algorithm is generally used only for digital signatures.
3. Message digest algorithm
OpenSSL implements 5 message digest algorithms: MD2, MD5, MDC2, SHA (SHA1) and RIPEMD. The SHA entry actually covers two digest algorithms, SHA and SHA1. In addition, OpenSSL implements the two digest algorithms DSS and DSS1 specified in the DSS standard.
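An added example, not from the page: Python's `hashlib` is a binding to OpenSSL's digest implementations, so it can report which of the names listed above the linked OpenSSL build still exposes (several of them have since been dropped or moved to the legacy provider), and compute and verify digests with the ones that remain. The tuple `PAGE_DIGESTS` is the list from the text in OpenSSL's naming and is an assumption about that naming; the comparison uses `hmac.compare_digest` so a verification check runs in constant time.

```python
# Added example (not from the page): hashlib binds to OpenSSL's digests, so it
# can show which of the listed digest names this build still offers, and hash
# and verify data with the ones that remain.
import hashlib
import hmac

# OpenSSL names for the digests the text lists; which ones exist varies by build
PAGE_DIGESTS = ("md2", "md5", "mdc2", "sha", "sha1", "ripemd160", "dss1")

def available_page_digests() -> dict:
    """Map each listed digest name to whether this OpenSSL build still offers it."""
    have = {name.lower() for name in hashlib.algorithms_available}
    return {name: name in have for name in PAGE_DIGESTS}

def digest_hex(name: str, data: bytes, chunk: int = 1 << 16) -> str:
    """Hash data incrementally, the way a file is streamed, and return hex."""
    h = hashlib.new(name)
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()

def verify_digest(name: str, data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison, so a mismatch does not leak how many bytes matched."""
    return hmac.compare_digest(digest_hex(name, data), expected_hex.lower())

if __name__ == "__main__":
    print("OpenSSL behind hashlib:", hashlib.algorithms_available >= {"sha1"})
    for name, ok in available_page_digests().items():
        print(f"{name:10s} {'available' if ok else 'not in this build'}")
    print("sha256(abc) =", digest_hex("sha256", b"abc"))
```

Running it on a current OpenSSL 3 build typically shows MD2, MDC2, SHA (SHA-0) and DSS1 missing, which is a useful reminder that the list above describes an old release.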
4. Key and certificate management
Key and certificate management is an important part of PKI. OpenSSL provides rich functions and supports multiple standards.
First of all, OpenSSL implements the ASN.1 standards for certificates and keys and provides DER, PEM and BASE64 encoding and decoding functions for certificates, public keys, private keys, certificate requests, CRLs and other data objects. OpenSSL provides methods, functions and applications for generating all kinds of public key pairs and symmetric keys, DER encoding and decoding functions for public and private keys, and PKCS#12 and PKCS#8 encoding and decoding of private keys. OpenSSL provides standard encryption protection for private keys, so that keys can be stored and distributed securely.
On this basis, OpenSSL implements the X.509 standard encoding and decoding of certificates, the encoding and decoding of PKCS#12 format, and the encoding and decoding of PKCS#7. It also provides a text database that supports certificate management functions, including certificate key generation, request generation, certificate issuance, revocation, and verification.
In fact, the CA application provided by OpenSSL is a small certificate authority (CA), which implements the entire certificate issuance process and most of the mechanisms of certificate management.
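The PEM and DER encodings described above, as an added example in plain Python that is not OpenSSL code: PEM is the Base64 of the DER bytes wrapped at 64 columns between BEGIN/END lines, and DER is ASN.1 tag-length-value with a single permitted (shortest) length encoding, which `read_tlv` enforces. The two sample objects and the label "TEST OBJECT" are constructed for the demo.

```python
# Added example, not OpenSSL code: PEM armour and the outer ASN.1 DER structure
# in plain Python. Samples are constructed: a SEQUENCE of two INTEGERs and a
# SEQUENCE holding a 60-byte OCTET STRING; the label "TEST OBJECT" is made up.
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_to_pem(label: str, der: bytes) -> str:
    """PEM = Base64 of the DER bytes, wrapped at 64 columns, between BEGIN/END lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_to_der(pem: str) -> list:
    """Return [(label, der_bytes)] for every PEM block; rejects non-Base64 bodies."""
    out = []
    for m in PEM_RE.finditer(pem):
        body = "".join(m.group(2).split())
        out.append((m.group(1), base64.b64decode(body, validate=True)))
    return out

def read_tlv(buf: bytes, pos: int = 0):
    """Parse one DER tag-length-value at pos. Returns (tag, value, next_pos).
    Enforces the DER rules: definite length only, shortest possible length encoding."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2                      # short form: one length byte
    else:
        n = first & 0x7F                            # long form: n following length bytes
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        lb = buf[pos + 2:pos + 2 + n]
        if len(lb) != n or lb[0] == 0 or (n == 1 and lb[0] < 0x80):
            raise ValueError("non-minimal length encoding is not DER")
        length, hdr = int.from_bytes(lb, "big"), 2 + n
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[start:start + length], start + length

def der_children(der: bytes) -> list:
    """Split a constructed DER object (e.g. SEQUENCE) into its (tag, value) elements."""
    tag, value, end = read_tlv(der)
    if end != len(der):
        raise ValueError("trailing bytes after DER object")
    if not tag & 0x20:                              # bit 6 set = constructed type
        raise ValueError("not a constructed type")
    out, pos = [], 0
    while pos < len(value):
        t, v, pos = read_tlv(value, pos)
        out.append((t, v))
    return out

# Constructed samples
SAMPLE_DER = bytes.fromhex("3006020101020102")      # SEQUENCE { INTEGER 1, INTEGER 2 }
LONG_DER = b"\x30\x3e\x04\x3c" + bytes(range(60))   # SEQUENCE { OCTET STRING (60 bytes) }

if __name__ == "__main__":
    pem = der_to_pem("TEST OBJECT", LONG_DER)
    print(pem)
    print("round trip ok:", pem_to_der(pem) == [("TEST OBJECT", LONG_DER)])
    print("children of SAMPLE_DER:", der_children(SAMPLE_DER))
```

The strict length check matters in practice: BER allows several encodings of the same length, DER allows exactly one, and a decoder that accepts the non-minimal forms can be made to see a different structure than the one that was signed.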
5. SSL and TLS protocols
OpenSSL implements SSLv2 and SSLv3 of the SSL protocol and supports most of the associated algorithms. OpenSSL also implements TLSv1.0. TLS is the standardized version of SSLv3; although the differences are small, many details differ.
Although many other software packages implement the same functionality as OpenSSL, the SSL implementation in OpenSSL gives us a clearer understanding of the SSL protocol, for at least two reasons: first, OpenSSL's SSL implementation is open source, so we can examine every detail of how the protocol is implemented; second, OpenSSL implements the SSL protocol in pure form, not combined with other protocols (such as HTTP), which reveals the true nature of the SSL protocol.
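An added example that is not from the page: Python's `ssl` module is a binding to OpenSSL's libssl, and the protocol versions named above have aged badly since this overview was written (SSLv2 was removed from OpenSSL in 1.1.0, and SSLv2 and SSLv3 are prohibited by RFC 6176 and RFC 7568). A client context built with OpenSSL today therefore pins TLS 1.2 as its floor and verifies the peer; `audit_context` reports whether a context does so before it is used, and `weak_client_context` is a constructed counter-example for comparison.

```python
# Added example (not from the page): the ssl module binds OpenSSL's libssl.
# hardened_client_context() pins TLS >= 1.2 and peer verification;
# audit_context() reports those settings so a context can be checked before use.
import ssl

def hardened_client_context() -> ssl.SSLContext:
    """Default context: CERT_REQUIRED, hostname check, system CA store; then pin TLS >= 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> dict:
    """The settings that decide whether a client-side context is safe to use."""
    return {
        "min_version": ctx.minimum_version.name,
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }

def is_acceptable(ctx: ssl.SSLContext) -> bool:
    report = audit_context(ctx)
    return report["min_tls12"] and report["verifies_peer"] and report["checks_hostname"]

def weak_client_context() -> ssl.SSLContext:
    """Constructed counter-example: no peer verification. (check_hostname has to be
    switched off first; assigning CERT_NONE while it is on raises ValueError.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    print("linked library:", ssl.OPENSSL_VERSION)
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(name, audit_context(ctx), "-> acceptable" if is_acceptable(ctx) else "-> rejected")
```

The audit deliberately reads `minimum_version` rather than the legacy `OP_NO_SSLv2`/`OP_NO_SSLv3` option bits, because on OpenSSL 1.1.0 and later `OP_NO_SSLv2` is defined as zero and cannot be tested for.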
6. Application
OpenSSL's applications have become an important part of OpenSSL, an importance that its developers may not have anticipated at first. Many current OpenSSL-based projects are built on the OpenSSL applications rather than on its API; for example, OpenCA is implemented entirely using OpenSSL applications. The OpenSSL applications are written on top of the OpenSSL cryptographic algorithm library and SSL protocol library, so they are also very good examples of OpenSSL API usage. After reading all of them you will have a more comprehensive understanding of OpenSSL API usage; of course, doing so is also a test of your willpower.
The OpenSSL applications provide fairly comprehensive functionality. In the eyes of many people, OpenSSL has already done everything for them and no further development work is needed, so they also refer to these applications as OpenSSL commands. The OpenSSL applications mainly cover key generation, certificate management, format conversion, data encryption and signing, SSL testing, and other auxiliary configuration functions.
7. Engine mechanism
The Engine mechanism appeared in OpenSSL version 0.9.6. At first, the normal version was separate from the version that supported Engine; by OpenSSL version 0.9.7 the Engine mechanism was integrated into the core of OpenSSL and became an indispensable part of it. The purpose of the Engine mechanism is to let OpenSSL transparently use software encryption libraries or hardware encryption devices provided by third parties. OpenSSL's Engine mechanism achieves this goal, which makes OpenSSL not just an encryption library but a universal encryption interface that can work with most encryption libraries or devices. Of course, to make a specific encryption library or device work with OpenSSL you need to write a small amount of interface code, but the workload is not large, although it does require a little knowledge of cryptography. The function of the Engine mechanism is basically the same as that of the CSP provided by Windows. Currently OpenSSL version 0.9.7 supports eight types of embedded third-party encryption devices: CryptoSwift, nCipher, Atalla, Nuron, UBSEC, Aep, SureWare, and the IBM 4758 CCA hardware encryption device. There is now an Engine interface that supports the PKCS#11 interface, and someone is also developing an interface that supports Microsoft CryptoAPI. Of course, support in all of the above Engine interfaces may not be comprehensive; for example, an Engine may support only one or two public key algorithms.
8. Auxiliary functions
The BIO mechanism is a high-level I/O interface provided by OpenSSL. It encapsulates almost all types of I/O, such as memory access, file access and sockets, which greatly improves code reusability and reduces the complexity of the API OpenSSL exposes.
OpenSSL also provides a complete set of solutions and supporting API functions for generating and managing random numbers. The quality of the random numbers is an important prerequisite for the security of any key.
OpenSSL also provides other auxiliary functions, such as APIs for deriving keys from passwords and the configuration file mechanism for certificate issuance and management. If you are patient enough, you will gradually discover many such small features as you use OpenSSL in depth, and they will keep surprising you.