Perhaps it’s the shock of the passing of SysAdmin Magazine or maybe the onset of football season, but regardless which catalyst sparked it we need education. What is a better way of educating our beloved nerds who religiously follow each trite blog posting outlining a series of software updates? Why sharing some tips I’ve picked up along the way of course! Hopefully I can keep the flow of information coming to provide interesting content ad infinitum. An important disclaimer: most of these tip topics require shell access.
Actually, I’m not sure what this has to do with football season now that I think about it. Wait, I know! It leads into a very important discussion of using OpenSSL to encrypt sensitive data, like your pre-draft player rankings in football. Sometimes we foolishly join cutthroat leagues where first place is everything. Your opponents? They want to know your planned rosters, but with a little help from the openssl tool you can keep your personal data encrypted on the server and keep those preying eyes away from the number one pick.
openssl is the Swiss Army knife of OpenSSL used for all things encryption. Let’s first look at some of the commands offered:
Standard commands asn1parse ca ciphers crl crl2pkcs7 dgst dh dhparam dsa dsaparam enc engine errstr gendh gendsa genrsa nseq ocsp passwd pkcs12 pkcs7 pkcs8 rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac verify version x509
Message Digest commands (see the `dgst' command for more details) md2 md4 md5 rmd160 sha sha1
Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40
That’s a lot of stuff. We just need to know about enc to encrypt our plaintext file. There are a few other interesting commands to play around with. Usage instructions for all of the commands may be invoked by running
openssl <command name> help [aside: an invalid third parameter will bring up usage information, so you could replace “help” with “dsfjkhfdjk” if you like]
- s_client: used to emulate an SSL HTTP request. Handy for verifying a SSL certificate on a Web site. Also provides a raw interface for sending arbitrary HTTP protocol commands like GET / HTTP/1.1 … Host: www.apisnetworks.com … *blank line*
openssl s_client -quiet -showcerts -CAfile /usr/share/ssl/certs/ca-bundle.crt -connect apisnetworks.com:443
- genrsa/req/x509: generate a SSL key (genrsa), certificate signing request (req), and optionally self-sign the certificate (x509). CSRs are unnecessary if you intend on using a self-signed certificate. Self-signed certificates will display warning messages prior to accessing the site, because the certificates are not signed by a trusted authority like Verisign or Thawte.
openssl req -newkey rsa:1024 -keyout server.key -out server.crt -x509 -nodes -days 365
- dgst: creates one-way hashes of data. Supports MD5/SHA-1 checksums of text and files. Think of this as a much more complex solution to using the md5sum/sha1sum commands for MD5 and SHA-1 checksums respectively.
openssl dgst -md5 /dev/null
Finally we’ve reached the meat and potatoes, enc. enc will encode/decode data using a specified cipher and special key. Note that the cipher chosen and key used are important. Forgetting either parameter will render your file useless. Avoid the more exotic choices like “-aes-128-ecb”, “-cast5-ecb”, and so on. Stick with simple ciphers like “-rc4”, “-aes256”, and “-des”. Let’s say our text file contains the top 3 picks [note: if you’re scoping this entry out for recon on my potential picks, then this list is 100% accurate and you should draft these players ahead of me].
1. Joey Harrington
2. Ronnie Brown
3. LaMont Jordan
openssl -in /players.txt -out /players.enc -e -k mysecret -bf
Verify the command worked right:
[santa /]# cat players.enc
Salted__N©©‡ü†“+< V[bzM¦¯§GÕ¦TÝ± ®†äåiá–ÍÀÁŒèêÒÎewâCY¶èL3mÕÐÛXz™¯-ž7K
Success, now your picks are safe! If you omit a cipher (-bf in this example), then the data is passed through unencrypted. To decrypt your data, replace -e with -d:
[santa /]# openssl enc -in /players.enc -d -k mysecret -bf
1. Joey Harrington
2. Ronnie Brown
3. LaMont Jordan
Because the data in the file may represent non-representable text characters, it’s a good idea to encode the encrypted output in Base64 — or quadrosexagesimal as I like to call it — to ensure data won’t become corrupted (or corrupt your terminal screen) if viewed as if it were a plaintext document. Add -a to the list of parameters to the openssl command to enable Base64 encoding/decoding (depending upon whether encryption (-e) or decryption (-d) is used).
Finally, specifying the secret key on the commandline bears the problem of it appearing in your history. Not very furtive if someone has access to your account or your ~/.bash_history file, but there is an easy workaround. You can create a temporary file to house your secret key. Change -k <key> to -kfile <file> to instruct openssl to read the first line from the named file <file> as the encryption key.
Pretty neat, huh? Well, if not then stay tuned next week as we explore using multiple servers for distributed computing to calculate optimal roster arrangements to guarantee first place in an ultra-competitive fantasy football league… Or how to use ImageMagick’s set of utilities to decipher ultrasound maps of Giants Stadium to ensure that police won’t find the buried remains of the dearly missed first place coach.
If you would like to poke my brain and become the topic of discussion for one of these installments, then drop me an e-mail at email@example.com.