Documente Academic
Documente Profesional
Documente Cultură
AKHIL
KHANDELWAL
Acknowledgements
I would like to give my sincere acknowledgements to all those who helped me during my
training at CMC LTD.
I would like to acknowledge my mentor Mr. Pravesh Sharma, from CMC LTD., who
gave me well guided assistance when needed throughout the period of training till the end
and without whom it would have been rather difficult to present the project report in
present form.
Further I would like to thank Mr. Thomas Hruska from Shining Light products for
enlightening my concepts of OpenSSL and providing timely help to complete my work
Technologies used:
§ Win32Openssl0.9.7g
§ C-Free 3.5 ( MinGW compiler)
Development Environment:
o Windows 2000
o MS DOS
OPEN SSL project
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim
J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which
basically means that you are free to get and use it for commercial and non-commercial
purposes subject to some simple license conditions. The SSL library provides an
implementation of all versions of SSL protocols. The cryptography library provides the
most popular algorithm for symmetric and public key cryptography, hash algorithms, and
message digest. It also provides pseudorandom number generator, and support for
manipulating common certificate format and managing key material. Additionally
OpenSSL supports most common cryptography acceleration hardware.
OpenSSL is the only free, full featured SSL implementation currently available for use
with C and C++ programming languages. It works across every major platform including
all Unix OSs and all common versions of Microsoft Windows.
Installations on Unix and Windows platform have similar requirements i.e. they both
require Perl and C compiler. On Windows system Borland C++, Visual C++, GNU C and
MinGW C compilers are supported.
Win32OpenSSL
Win32OpenSSL provides the Windows version of the OpenSSL. This project is designed
to make it easy for Windows developers to get OpenSSL binaries (DLLs) installed.
The Win32 OpenSSL Installation Project is dedicated to providing a simple installation
of OpenSSL. It is easy to set up and easy to use through the simple, effective installer. No
need to compile anything or jump through any hoops, just click a few times and it is
installed, leaving you to doing real work I have used Win32OpenSSL0.9.7g version for
implementation.
Some OpenSSL commands
How do I find out what OpenSSL version I'm running?
# list only high encryption ciphers (keys larger than 128 bits)
OPENSSL>ciphers -v 'HIGH'
The OpenSSL developers have built a benchmarking suite directly into the openssl
binary. It's accessible via the speed option. It tests how many operations it can perform
in a given time, rather than how long it takes to perform a given number of operations..
OPENSSL>speed
There are two sets of results. The first reports how many bytes per second can be
processed for each algorithm, the second the times needed for sign/verify cycles. Here are
the results on an 866MHz Pentium III.
Certificates
How do I generate a self-signed certificate?
first of all it is tobe decided whether or not encryption of key is required .Doing so means
that the key is protected by a passphrase.On the plus side, adding a passphrase to a key
makes it more secure, so the key is less likely to be useful to someone who steals it. The
downside, however, is that you'll have to either store the passphrase in a file or type it
manually every time you want to start your web .
This example will produce a file called mycert.pem which will contain both the private
key and the public certificate based on it. The certificate will be valid for 365 days, and
the key is unencrypted(nodes option).
OPENSSL> req \
-x509 -nodes -days 365 \
-newkey rsa:1024 -keyout mycert.pem -out mycert.pem
Using this command-line invocation, you'll have to answer a lot of questions: Country
Name, State, City, and so on. The tricky question is “Common Name.” We want to
answer with the hostname or CNAME by which people will address the server. This is
very important. If your web server's real hostname is mybox.mydomain.com but people
will be using www.mydomain.com to address the box, then use the latter name to answer
the “Common Name” question.
Once you're comfortable with the answers you provide to those questions, you can script
the whole thing by adding the -subj option. I've included some information about
location into the example that follows, but the only thing you really need to include for
the certificate to be useful is the hostname (CN).
openssl req \
-x509 -nodes -days 365 \
-subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
-newkey rsa:1024 -keyout mycert.pem -out mycert.pem
Using the -text option will give you the full breadth of information.
Certificate Verification
Applications linked against the OpenSSL libraries can verify certificates signed by a
recognized certificate authority (CA).
If your local OpenSSL installation recognizes the certificate or its signing authority and
everything else (dates, signing chain, etc.) checks out, you'll get a simple OK message.
If anything is amiss, you'll see some error messages with short descriptions of the
problem, e.g.,
Within that directory and a subdirectory called certs, you're likely to find one or more of
three different kinds of files.
Generating digests with the dgst option is one of the more straightforward tasks you can
accomplish with the openssl binary. Producing digests is done so often, as a matter of
fact, that you can find special-use binaries for doing the same thing.
# SHA1 digest
OPENSSL> dgst -sha1 filename
The MD5 digests are indentical to those created with the widely available md5sum
command, though the output formats differ.
The same is true for SHA1 digests and the output of the sha1sum application.
After you choose a cipher, you'll also have to decide if you want to base64-encode the
data. Doing so will mean the encrypted data can be, say, pasted into an email message.
Otherwise, the output will be a binary file.
# the same, only the output is base64 encoded for, e.g., e-mail
OPENSSL> enc -aes-256-cbc -a -salt -in file.txt -out file.enc
To decrypt file.enc you or the file's recipient will need to remember the cipher and the
passphrase.
Keys
If you're only going to build a single DSA key, you can do so in just one step using the
dsaparam subcommand.
If, on the other hand, you'll be creating several DSA keys, you'll probably want to build a
shared parameter file before generating the keys. It can take a while to build the
parameters, but once built, key generation is done quickly.
Decrypt key, removing the passphrase requirement, using the rsa or dsa option,
depending on the signature algorithm you chose when creating your private key.
If you created an RSA key and it is stored in a standalone file called key.pem, then here's
how to output a decrypted version of the same key to a file called newkey.pem.
Often, you'll have your private key and public certificate stored in the same file. If they
are stored in a file called mycert.pem, you can construct a decrypted version called
newcert.pem in two steps.
Bob
(Bob's private key)
Bob has been given two keys. One of Bob's keys is called a Public Key, the other is
called a Private Key.
Bob's Co-workers:
Bob's Public key is available to anyone who needs it, but he keeps his Private Key to
himself. Keys are used to encrypt information. Encrypting information means
"scrambling it up", so that only a person with the appropriate key can make it readable
again. Either one of Bob's two keys can encrypt data, and the other key can decrypt that
data.
Susan (shown below) can encrypt a message using Bob's Public Key. Bob uses his
Private Key to decrypt the message. Any of Bob's coworkers might have access to the
message Susan encrypted, but without Bob's Private Key, the data is worthless.
"Hey Bob, HNFmsEm6Un
how about BejhhyCGKOK
lunch at Taco JUxhiygSBCEiC
Bell. I hear 0QYIh/Hn3xgiK
they have free BcyLK1UcYiY
refills!" lxx2lCFHDC/A
HNFmsEm6Un "Hey Bob,
BejhhyCGKOK how about
JUxhiygSBCEiC lunch at Taco
0QYIh/Hn3xgiK Bell. I hear
BcyLK1UcYiY they have free
lxx2lCFHDC/A refills!"
With his private key and the right software, Bob can put digital signatures on documents
and other data. A digital signature is a "stamp" Bob places on the data which is unique to
Bob, and is very difficult to forge. In addition, the signature assures that any changes
made to the data that has been signed can not go undetected.
To sign a document, Bob's software will crunch down the data into just a few
lines by a process called "hashing". These few lines are called a message
digest. (It is not possible to change a message digest back into the original
data from which it was created.)
Bob's software then encrypts the message digest with his private key. The result is the
digital signature.
Finally, Bob's software appends the digital signature to document. All of the data that
was hashed has been signed.
First, Pat's software decrypts the signature (using Bob's public key) changing
it back into a message digest. If this worked, then it proves that Bob signed
the document, because only Bob has his private key. Pat's software then
hashes the document data into a message digest. If the message digest is the
same as the message digest created when the signature was decrypted, then
Pat knows that the signed data has not been changed.
/* signv.c - Application using OpenSSL to sign and verify data */
#include <stdio.h>
#include <stdlib.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/pem.h>
int main ()
{
int i=0;
char *data=NULL;
unsigned int sig_len;
int err;
EVP_MD_CTX md_ctx;
EVP_PKEY *pkey;
const EVP_MD *digest;
FILE *fp;
FILE *fp1;
FILE *fp2;
char *sig_buf;
char ch;
X509 *x509;
/* set up library */
OpenSSL_add_all_algorithms ();
ERR_load_crypto_strings ();
seed_prng ();
/* signing data */
EVP_SignInit (&md_ctx, digest);
EVP_SignUpdate (&md_ctx, data, strlen(data));
sig_len = sizeof(sig_buf);
err = EVP_SignFinal (&md_ctx, sig_buf, &sig_len, pkey);
if(err!=1)
{
if (x509 == NULL)
{
printf("error reading piblic key");
ERR_print_errors_fp (stderr);
exit (-1);
if (err != 1)
{
printf("error verification");
ERR_print_errors_fp (stderr);
exit (-1);
}
}
/* creating basic connection with OpenSSL*/
Below I have shown two programs for generating OpenSSL connection with remote
server. One shows an unsecured connection to http://www.verisign.com/, while the other
shows a secured SSL connection to https://www.verisign.com/. Both connect to the
server and download the home page.
/* unsecured connection */
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <stdio.h>
#include <string.h>
int main()
{
BIO * bio;
int p;
ERR_load_BIO_strings();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
bio = BIO_new_connect("www.verisign.com:80");
if(bio == NULL)
{ printf("BIO is null\n"); return; }
if(BIO_do_connect(bio) <= 0)
{
ERR_print_errors_fp(stderr);
BIO_free_all(bio);
return;
}
for(;;)
{
p = BIO_read(bio, r, 1023);
if(p <= 0) break;
r[p] = 0;
printf("%s", r);
}
BIO_free_all(bio);
return 0;
}
/* secured connection */
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <stdio.h>
#include <string.h>
int main()
{
BIO * bio;
SSL * ssl;
SSL_CTX * ctx;
int p;
ERR_load_BIO_strings();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
ctx = SSL_CTX_new(SSLv23_client_method());
bio = BIO_new_ssl_connect(ctx);
BIO_set_conn_hostname(bio, "www.verisign.com:https");
if(BIO_do_connect(bio) <= 0)
{
fprintf(stderr, "Error attempting to connect\n");
ERR_print_errors_fp(stderr);
BIO_free_all(bio);
SSL_CTX_free(ctx);
return 0;
}
if(SSL_get_verify_result(ssl) != X509_V_OK)
{
fprintf(stderr, "Certificate verification error: %i\n", SSL_get_verify_result(ssl));
BIO_free_all(bio);
SSL_CTX_free(ctx);
return 0;
}
for(;;)
{
p = BIO_read(bio, r, 1023);
if(p <= 0) break;
r[p] = 0;
printf("%s", r);
}
BIO_free_all(bio);
SSL_CTX_free(ctx);
return 0;
}
Bibliography and References
Following websites were really helpful towards completing my project: