Openssl Hash Crypto Sign Verify

Random

openssl rand -base64 32
==>

In Java, a salt is usually produced with java.security.SecureRandom:
SecureRandom random = new SecureRandom(); // import java.security.SecureRandom
byte[] salt = new byte[32];               // 32 random bytes, like openssl rand 32
random.nextBytes(salt);

Other ways

date +%s | sha256sum | base64 | head -c 32 ; echo
date | md5sum
tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1

Reference
https://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/

Hash

Encoding with hex (hexdump or xxd) / base64 and openssl base64

echo -n AP0PZxpsbyyrznZzeMkkEAPn726JmkgzwZrE5qwHKNY=|base64 -d > salt.txt
==>
echo -n AP0PZxpsbyyrznZzeMkkEAPn726JmkgzwZrE5qwHKNY=|openssl base64 -d > salt.txt

cat salt.txt|base64
==>
cat salt.txt|openssl base64    # displays the string "AP0PZxpsbyyrznZzeMkkEAPn726JmkgzwZrE5qwHKNY="

hexdump -C salt.txt OR cat salt.txt |hexdump -C OR xxd salt.txt
==>

JAVA code (java.util.Base64 is used instead of the internal sun.misc.BASE64Decoder, which is not available on Java 9+)
byte[] salt = java.util.Base64.getDecoder().decode("AP0PZxpsbyyrznZzeMkkEAPn726JmkgzwZrE5qwHKNY=");
for (byte b : salt) {
    System.out.printf("%02x", b); // same output as xxd -p
}

To decode a hexadecimal string, use echo -n '0: 50617373776f72643031' | xxd -r => Password01 OR echo -n 50617373776f72643031 | xxd -r -p (the -p form takes plain hex without the offset prefix)

Message Digest or Hash: md5sum, sha1sum, sha256sum and openssl md5, sha1, sha256, sha512

md5sum salt.txt == cat salt.txt |openssl md5 == openssl dgst -md5 -hex salt.txt == openssl md5 < salt.txt
sha1sum salt.txt == cat salt.txt |openssl sha1 == openssl dgst -sha1 -hex salt.txt == openssl sha1 < salt.txt
sha256sum salt.txt == cat salt.txt |openssl sha256 == openssl dgst -sha256 -hex salt.txt == openssl sha256 < salt.txt
sha512sum salt.txt == cat salt.txt |openssl sha512 == openssl dgst -sha512 -hex salt.txt == openssl sha512 < salt.txt

Hash password with salt [sha512(salt+password)]

echo Password01 > pass.txt                  # or echo -n / printf, so that no trailing \n is written
cat salt.txt pass.txt > combined.txt
tr -d '\n' < combined.txt > combined2.txt   # remove the \n added by echo (note: this also strips any 0x0a byte inside the binary salt, so prefer echo -n and skip this step)
sha512sum combined2.txt

==>

JAVA code (imports: java.security.MessageDigest, java.util.Base64, java.io.ByteArrayOutputStream, java.nio.charset.StandardCharsets)
MessageDigest md = MessageDigest.getInstance("SHA-512");
byte[] salt = Base64.getDecoder().decode("AP0PZxpsbyyrznZzeMkkEAPn726JmkgzwZrE5qwHKNY=");
byte[] password = "Password01".getBytes(StandardCharsets.UTF_8);

ByteArrayOutputStream array = new ByteArrayOutputStream();
array.write(salt);     // salt
array.write(password); // password

/* Same as below
md.update(salt);     // salt
md.update(password); // password
*/

for (byte b : md.digest(array.toByteArray())) {
    System.out.printf("%02x", b); // matches sha512sum combined2.txt
}
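The salted hash above is computed two ways in the following added example (it is not code from the original post): once from files, as in the cat/tr recipe, and once on a single pipe, which is the shell equivalent of the two md.update() calls in the Java snippet. It assumes openssl, od and mktemp are in PATH; the salt and password are the values used on this page.

```shell
#!/bin/sh
# Added example (not from the original post): salted SHA-512 password hash
# computed two ways with openssl, showing that the file-based pipeline and
# a direct stream give the same digest. Salt and password are the page's values.
SALT_B64='AP0PZxpsbyyrznZzeMkkEAPn726JmkgzwZrE5qwHKNY='
PASSWORD='Password01'

# Decode base64 and print the bytes as lowercase hex (od is POSIX; xxd -p would do the same).
b64_to_hex() {
    printf '%s\n' "$1" | openssl base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# sha512(salt || password) built from files, like the cat/tr recipe on the page, but the
# password is written with printf so no newline has to be stripped afterwards
# (tr -d '\n' would also delete a 0x0a byte that happens to occur inside the binary salt).
salted_sha512_files() {
    dir=$(mktemp -d)
    printf '%s\n' "$1" | openssl base64 -d > "$dir/salt.bin"
    printf '%s' "$2" > "$dir/pass.bin"
    cat "$dir/salt.bin" "$dir/pass.bin" > "$dir/combined.bin"
    # openssl prints "SHA512(file)= <hex>" (or "SHA2-512(...)" on OpenSSL 3); keep the hex only
    digest=$(openssl dgst -sha512 -hex "$dir/combined.bin" | sed 's/^.*= //')
    rm -rf "$dir"
    printf '%s\n' "$digest"
}

# Same digest without temp files: salt bytes followed by the password on one pipe,
# the equivalent of md.update(salt); md.update(password) in the Java code.
salted_sha512_stream() {
    { printf '%s\n' "$1" | openssl base64 -d; printf '%s' "$2"; } \
        | openssl dgst -sha512 | sed 's/^.*= //'
}

# Usage
printf 'salt (hex): %s\n' "$(b64_to_hex "$SALT_B64")"
printf 'files     : %s\n' "$(salted_sha512_files "$SALT_B64" "$PASSWORD")"
printf 'stream    : %s\n' "$(salted_sha512_stream "$SALT_B64" "$PASSWORD")"
```

Both functions print the same 128 hex digits; the decoded salt starts with the bytes 00 fd 0f, which is what the Java loop above prints for the same base64 string.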

Encrypt/Decrypt

Symmetric crypto with AES

Encrypt using salt

echo "randomphrase" | openssl aes-128-cbc -out message.enc          # default: salted ("Salted__" header); key and IV are derived from the password openssl prompts for
echo "randomphrase" | openssl aes-128-cbc -nosalt -out nosalt.enc   # without salt

Reference: http://stackoverflow.com/questions/7303103/java-aes-encryption-with-salt

Encryption by openssl and java

echo -n qkjll5@2md3gs5Q@|xxd -p ==> 716b6a6c6c3540326d64336773355140    # 16 bytes = 32 hex digits; a trailing 0a means echo added a newline, so -n is required

echo -n secret | openssl enc -aes-128-ecb -K 716b6a6c6c3540326d64336773355140 -a

=>

import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class CipherTest {

    // ECB is used here only to match "openssl enc -aes-128-ecb" above: it has no IV and
    // encrypts equal blocks to equal ciphertext, so prefer CBC/GCM with a random IV in real code.
    private static final String ALGORITHM = "AES/ECB/PKCS5Padding";
    private static byte[] keyValue = "qkjll5@2md3gs5Q@".getBytes(StandardCharsets.UTF_8); // key length must be 16 bytes for AES-128

    public static String encrypt(String valueToEnc) throws Exception {
        Key key = generateKey();
        Cipher c = Cipher.getInstance(ALGORITHM);
        c.init(Cipher.ENCRYPT_MODE, key);
        byte[] encValue = c.doFinal(valueToEnc.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(encValue); // same encoding as openssl enc -a
    }

    public static String decrypt(String encryptedValue) throws Exception {
        Key key = generateKey();
        Cipher c = Cipher.getInstance(ALGORITHM);
        c.init(Cipher.DECRYPT_MODE, key);
        byte[] decodedValue = Base64.getDecoder().decode(encryptedValue);
        byte[] decValue = c.doFinal(decodedValue);
        return new String(decValue, StandardCharsets.UTF_8);
    }

    private static Key generateKey() throws Exception {
        Key key = new SecretKeySpec(keyValue, "AES");
        // SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(ALGORITHM);
        // key = keyFactory.generateSecret(new DESKeySpec(keyValue));
        return key;
    }

    public static void main(String[] args) throws Exception {
        String password = "secret";
        String passwordEnc = CipherTest.encrypt(password);
        String passwordDec = CipherTest.decrypt(passwordEnc);

        System.out.println("Plain Text : " + password);
        System.out.println("Encrypted : " + passwordEnc);
        System.out.println("Decrypted : " + passwordDec);
    }
}

For CBC or CFB mode an IV must be provided (-iv for openssl enc); in Java the IV is passed to Cipher.init() as an IvParameterSpec.

Openssl encryption sample

echo '0: 63616e746765747468697332776f726b' | xxd -r | openssl enc -aes-128-ecb -a -K 00000000000000000000000000000000
=>
N2+bVLU8fIS7ucFW1Qr/xwFD22PuZrDN/59pkXaAFR4= (base64 encoded with option -a)

echo '0: 63616e746765747468697332776f726b' | xxd -r | openssl enc -aes-128-ecb -nopad -K 00000000000000000000000000000000|xxd -p
=>
376f9b54b53c7c84bbb9c156d50affc7 (hex encoded with options -nopad, and xxd -p)

echo '0: 63616e746765747468697332776f726b' | xxd -r | openssl enc -aes-128-ecb -nopad -K 00000000000000000000000000000000|xxd |cut -c10-50
=>
376f 9b54 b53c 7c84 bbb9 c156 d50a ffc7 (hex encoded with cut -c10-50)

echo -n '63616e746765747468697332776f726b' | xxd -r -p | openssl enc -aes-128-ecb -nopad -K 00000000000000000000000000000000|xxd |cut -c10-50
=>
376f 9b54 b53c 7c84 bbb9 c156 d50a ffc7 (xxd -r -p and hex encoded with cut -c10-50)

Reference: http://stackoverflow.com/questions/38082644/how-to-generate-the-output-in-hexadecimal-in-openssl
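The following added example (not from the original post) wraps the openssl enc commands above into functions, reproduces the one-block answer and the base64 form shown on this page, and then encrypts two identical blocks in ECB and in CBC to show why the IV matters. It assumes openssl and od are in PATH; the all-zero key, the all-zero IV and the 16-byte block "cantgetthis2work" are the constructed inputs.

```shell
#!/bin/sh
# Added example (not from the original post): AES-128 with openssl enc, reproducing the
# known answer on this page and showing why CBC/CFB need an IV. Constructed inputs:
# the all-zero key, an all-zero IV and the 16-byte block "cantgetthis2work".
ZERO_KEY='00000000000000000000000000000000'   # 16 zero bytes in hex (openssl -K takes hex)
ZERO_IV='00000000000000000000000000000000'    # 16-byte IV in hex (openssl -iv takes hex)
BLOCK='cantgetthis2work'                      # exactly one AES block: hex 63616e74...726b

to_hex() { od -An -v -tx1 | tr -d ' \n'; }   # portable stand-in for "xxd -p"

# AES-128-ECB without padding; input must be a multiple of 16 bytes. Prints hex.
aes128_ecb_hex() {
    printf '%s' "$2" | openssl enc -aes-128-ecb -nopad -K "$1" | to_hex
}

# AES-128-ECB with default PKCS#7 padding, base64 output like "openssl enc -a" on the page.
aes128_ecb_b64() {
    printf '%s' "$2" | openssl enc -aes-128-ecb -K "$1" -a
}

# Inverse of aes128_ecb_b64: decode base64 and decrypt (the trailing newline helps -a -d).
aes128_ecb_decrypt_b64() {
    printf '%s\n' "$2" | openssl enc -d -aes-128-ecb -K "$1" -a
}

# AES-128-CBC without padding: -iv is mandatory once -K is given (the same IV the Java
# side would pass as an IvParameterSpec). Prints hex.
aes128_cbc_hex() {
    printf '%s' "$3" | openssl enc -aes-128-cbc -nopad -K "$1" -iv "$2" | to_hex
}

# Usage: the one-block answer from the page, then two identical blocks in ECB vs CBC.
printf 'ECB one block   : %s\n' "$(aes128_ecb_hex "$ZERO_KEY" "$BLOCK")"
printf 'ECB padded, b64 : %s\n' "$(aes128_ecb_b64 "$ZERO_KEY" "$BLOCK")"
printf 'ECB two blocks  : %s\n' "$(aes128_ecb_hex "$ZERO_KEY" "$BLOCK$BLOCK")"             # same 16 bytes twice
printf 'CBC two blocks  : %s\n' "$(aes128_cbc_hex "$ZERO_KEY" "$ZERO_IV" "$BLOCK$BLOCK")"  # second block differs
```

With the zero IV the first CBC block equals the ECB block (the IV XORs in nothing), while the second block is chained to the first and no longer repeats; that repetition in ECB output is the pattern leak a practitioner should look for when reviewing code that uses AES/ECB. Note that printf is used rather than echo: an extra newline byte would change the padding and therefore the ciphertext.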

Asymmetric crypto with RSA

Generate key, publicKey

openssl genrsa -out key.pem
openssl rsa -in key.pem -pubout > key-pub.pem

openssl rsautl -encrypt -in pass.txt -pubin -inkey key-pub.pem -out pass.encrypted
openssl rsautl -decrypt -in pass.encrypted -inkey key.pem

Encrypt/decrypt with base64/hex encode/decode (Interesting)

echo -n test | openssl rsautl -encrypt -pubin -inkey key-pub.pem | base64 | base64 -d|openssl rsautl -decrypt -inkey key.pem => test

echo -n test | openssl rsautl -encrypt -pubin -inkey key-pub.pem | xxd -p | xxd -r -p |openssl rsautl -decrypt -inkey key.pem => test

Java: https://javadigest.wordpress.com/2012/08/26/rsa-encryption-example/

Sign/Verify

Generate key, publicKey

openssl genrsa -out key.pem
openssl rsa -in key.pem -pubout > key-pub.pem

Sign/Verify a file with openssl dgst

openssl dgst -sha256 -sign key.pem -out pass.sign pass.txt
openssl dgst -sha256 -verify key-pub.pem -signature pass.sign pass.txt

Sign/Verify a file with openssl rsautl

openssl rsautl -sign -inkey key.pem -out pass.rsa -in pass.txt    # raw PKCS#1 v1.5 signature over the file bytes themselves (no hashing, so the file must fit in one RSA block)
openssl rsautl -verify -inkey key-pub.pem -in pass.rsa -pubin      # recovers the signed bytes, i.e. prints the content of pass.txt
openssl rsautl -verify -inkey key-pub.pem -in pass.sign -pubin     # for a signature made by dgst -sign this recovers the DER DigestInfo (the SHA-256 hash), not the file
(openssl rsautl is deprecated since OpenSSL 3.0; openssl pkeyutl -sign / -verifyrecover is the replacement)
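The "Asymmetric crypto with RSA" and "Sign/Verify" sections above share the same key generation step, so the following added example (not from the original post) does both in one script: it creates the key pair, encrypts and decrypts a short message, signs pass.txt with SHA-256, verifies it, and then shows that the same signature fails against a tampered copy. It uses openssl pkeyutl, the current replacement for the deprecated rsautl, and assumes openssl and mktemp are in PATH; file names follow the page (key.pem, key-pub.pem, pass.txt, pass.sign).

```shell
#!/bin/sh
# Added example (not from the original post): RSA key pair, encrypt/decrypt and
# sign/verify with openssl, including the check that a modified file fails to verify.
# "openssl pkeyutl" replaces the deprecated "openssl rsautl" used on the page.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a 2048-bit private key and derive the public key, as on the page.
make_keys() {
    openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/key.pem" -pubout -out "$WORK/key-pub.pem" 2>/dev/null
}

# Encrypt with the public key, decrypt with the private key; prints the recovered text.
# PKCS#1 v1.5 padding is the default, the same as rsautl -encrypt.
rsa_roundtrip() {
    printf '%s' "$1" > "$WORK/pass.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/key-pub.pem" \
        -in "$WORK/pass.txt" -out "$WORK/pass.encrypted"
    openssl pkeyutl -decrypt -inkey "$WORK/key.pem" -in "$WORK/pass.encrypted"
}

# SHA-256 + RSA signature of a file with the private key (same as dgst -sign on the page).
sign_file() {
    openssl dgst -sha256 -sign "$WORK/key.pem" -out "$2" "$1"
}

# Verify a signature with the public key; prints "ok" or "bad" based on dgst's exit status.
verify_file() {
    if openssl dgst -sha256 -verify "$WORK/key-pub.pem" -signature "$2" "$1" >/dev/null 2>&1
    then printf 'ok\n'; else printf 'bad\n'; fi
}

# Sign pass.txt, verify it, then verify the same signature against a tampered copy.
# Prints "ok bad": the signature is bound to the exact bytes that were signed.
sign_verify_demo() {
    printf 'Password01' > "$WORK/pass.txt"
    sign_file "$WORK/pass.txt" "$WORK/pass.sign"
    good=$(verify_file "$WORK/pass.txt" "$WORK/pass.sign")
    printf 'Password02' > "$WORK/tampered.txt"          # one byte changed
    bad=$(verify_file "$WORK/tampered.txt" "$WORK/pass.sign")
    printf '%s %s\n' "$good" "$bad"
}

make_keys
printf 'decrypted: %s\n' "$(rsa_roundtrip test)"
printf 'verify   : %s\n' "$(sign_verify_demo)"
```

verify_file deliberately relies on the exit status rather than on the "Verified OK" text, which is the right thing to check in scripts.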

GPG

Convert keys between GnuPG, OpenSsh and OpenSSL
http://sysmic.org/dotclear/index.php?post/2010/03/24/Convert-keys-betweens-GnuPG%2C-OpenSsh-and-OpenSSL

Other openssl command

ssh public key stored in .ssh folder:
ssh-keygen -f koding -y > koding_id_rsa.pub    # print the public key of the private key file "koding" (an RSA key, e.g. one created with openssl genrsa -out key.pem)

show public key from the private key
openssl rsa -in koding -pubout > koding-pub.pem

show -modulus from the private key
openssl rsa -in key.pem -noout -modulus

p12 file (usually with .pfx extension) contains certificate, public key, private key
openssl x509 - for certificate
openssl x509 -inform der -in certificate.cer -out certificate.pem    # with -pubkey -noout to print the public key only

openssl pkcs12 - for p12 file
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes -passin pass:"3228474250821687"                              # write certificate and unencrypted key to certificate.cer
openssl pkcs12 -in certificate.pfx -nodes -passin pass:"3228474250821687" | openssl x509 -noout -subject                    # print the subject (without -out the PEM goes to stdout, so the pipe gets data)
keytool -list -v -keystore P_DS_WONGTWOMANA1136227_Valid785781e3_123.p12 -storepass 123 -storetype pkcs12

openssl rsa - for private key
openssl rsa -in koding -out koding2    # remove a passphrase from a private key

openssl req - for private key and csr related
openssl req -out koding.csr -key koding -new


scratch domain csr
openssl req -new -sha256 -key scratch.key -subj "/CN=www.scratch.hk" > scratch.csr
openssl req -new -sha256 -key scratch.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:scratch.hk,DNS:www.scratch.hk")) > scratch.csr    # bash process substitution; CSR with an empty subject and the names in the SAN extension
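The SAN trick above depends on bash process substitution and on the location of openssl.cnf. The following added example (not from the original post) writes the same [SAN] section to a small config file instead, generates the key and CSR, and then reads the CSR back with openssl req -text to confirm the subject, the SAN names and the self-signature, which is the check to do before sending a CSR to a CA. It assumes openssl and mktemp are in PATH; the key is generated on the fly and the scratch.hk names are reused from the page.

```shell
#!/bin/sh
# Added example (not from the original post): CSR with a subjectAltName extension from a
# config file (portable form of the process-substitution trick above), checked by dumping
# the CSR. Key and domain names are constructed here, reusing the page's scratch.hk names.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config: req needs a distinguished_name section even when -subj supplies the DN.
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[SAN]
subjectAltName = DNS:scratch.hk,DNS:www.scratch.hk
EOF

# Private key plus a SHA-256 signed CSR whose extensions come from the [SAN] section.
make_csr() {
    openssl genrsa -out "$WORK/scratch.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/scratch.key" -subj "/CN=www.scratch.hk" \
        -reqexts SAN -config "$WORK/san.cnf" -out "$WORK/scratch.csr"
}

# Dump the CSR and return the subjectAltName line (what the CA will see).
csr_san() {
    openssl req -in "$WORK/scratch.csr" -noout -text | grep 'DNS:' | sed 's/^ *//'
}

# Return the CSR subject line.
csr_subject() {
    openssl req -in "$WORK/scratch.csr" -noout -subject
}

# Check the CSR's self-signature; prints "ok" or "bad" based on the exit status.
csr_verify() {
    if openssl req -in "$WORK/scratch.csr" -noout -verify >/dev/null 2>&1
    then printf 'ok\n'; else printf 'bad\n'; fi
}

make_csr
csr_subject
csr_san
printf 'signature: %s\n' "$(csr_verify)"
```

On OpenSSL 1.1.1 and later the same result can be had with -addext "subjectAltName=DNS:scratch.hk,DNS:www.scratch.hk" and no config file; the config-file route also works on older releases.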

protocol: ssh, ssl
symmetric cryptographic algorithm : aes, des, 3des
asymmetric cryptographic algorithm: rsa, dsa
hash : crc32, md5, sha1, sha256, sha512
AES/DES encrypt quickly and suit large amounts of data; DES is easy to break, so triple DES is generally used, and later the faster and more secure AES appeared.
RSA is public-key encryption: it is slow and can only handle small amounts of data, but its advantage is that the public key stays secure even when published on an untrusted network.
The common case is that the two parties negotiate a key with RSA and then encrypt the data with AES/3DES.

=========
Using a car analogy:

PGP is a car
OpenPGP is the design for the PGP car
GnuPG is another car using the same design
RSA is a diesel engine, and other engines are available
SSH isn't a car at all. But it uses engines.

https://program-think.blogspot.com/2010/06/howto-prevent-hacker-attack-3.html

Golang

encoding/json, csv, xml, hex, base64
crypto/aes, des, rsa, dsa, md5, sha1, sha256, sha512, x509

New command to learn

tr, xxd