Perhaps it’s the shock of the passing of SysAdmin Magazine or maybe the onset of football season, but regardless which catalyst sparked it we need education. What is a better way of educating our beloved nerds who religiously follow each trite blog posting outlining a series of software updates? Why sharing some tips I’ve picked up along the way of course! Hopefully I can keep the flow of information coming to provide interesting content ad infinitum. An important disclaimer: most of these tip topics require shell access.

Actually, I’m not sure what this has to do with football season now that I think about it. Wait, I know! It leads into a very important discussion of using OpenSSL to encrypt sensitive data, like your pre-draft player rankings in football. Sometimes we foolishly join cutthroat leagues where first place is everything. Your opponents? They want to know your planned rosters, but with a little help from the openssl tool you can keep your personal data encrypted on the server and keep those preying eyes away from the number one pick.

openssl is the Swiss Army knife of OpenSSL used for all things encryption. Let’s first look at some of the commands offered:

Standard commands
asn1parse      ca             ciphers        crl            crl2pkcs7
dgst           dh             dhparam        dsa            dsaparam
enc            engine         errstr         gendh          gendsa
genrsa         nseq           ocsp           passwd         pkcs12
pkcs7          pkcs8          rand           req            rsa
rsautl         s_client       s_server       s_time         sess_id
smime          speed          spkac          verify         version
x509
Message Digest commands (see the `dgst' command for more details)
md2            md4            md5            rmd160         sha
sha1
Cipher commands (see the `enc' command for more details)
aes-128-cbc    aes-128-ecb    aes-192-cbc    aes-192-ecb    aes-256-cbc
aes-256-ecb    base64         bf             bf-cbc         bf-cfb
bf-ecb         bf-ofb         cast           cast-cbc       cast5-cbc
cast5-cfb      cast5-ecb      cast5-ofb      des            des-cbc
des-cfb        des-ecb        des-ede        des-ede-cbc    des-ede-cfb
des-ede-ofb    des-ede3       des-ede3-cbc   des-ede3-cfb   des-ede3-ofb
des-ofb        des3           desx           rc2            rc2-40-cbc
rc2-64-cbc     rc2-cbc        rc2-cfb        rc2-ecb        rc2-ofb
rc4            rc4-40

That’s a lot of stuff. We just need to know about enc to encrypt our plaintext file. There are a few other interesting commands to play around with. Usage instructions for all of the commands may be invoked by running openssl <command name> help [aside: an invalid third parameter will bring up usage information, so you could replace “help” with “dsfjkhfdjk” if you like]

  • s_client: used to emulate an SSL HTTP request. Handy for verifying a SSL certificate on a Web site. Also provides a raw interface for sending arbitrary HTTP protocol commands like GET / HTTP/1.1 … Host: www.apisnetworks.com … *blank line*
    • Example: openssl s_client -quiet -showcerts -CAfile /usr/share/ssl/certs/ca-bundle.crt -connect apisnetworks.com:443
  • genrsa/req/x509: generate a SSL key (genrsa), certificate signing request (req), and optionally self-sign the certificate (x509). CSRs are unnecessary if you intend on using a self-signed certificate. Self-signed certificates will display warning messages prior to accessing the site, because the certificates are not signed by a trusted authority like Verisign or Thawte.
    • Example: openssl req -newkey rsa:1024 -keyout server.key -out server.crt -x509 -nodes -days 365
  • dgst: creates one-way hashes of data. Supports MD5/SHA-1 checksums of text and files. Think of this as a much more complex solution to using the md5sum/sha1sum commands for MD5 and SHA-1 checksums respectively.
    • Example: openssl dgst -md5 /dev/null

Finally we’ve reached the meat and potatoes, enc. enc will encode/decode data using a specified cipher and special key. Note that the cipher chosen and key used are important. Forgetting either parameter will render your file useless. Avoid the more exotic choices like “-aes-128-ecb”, “-cast5-ecb”, and so on. Stick with simple ciphers like “-rc4”, “-aes256”, and “-des”. Let’s say our text file contains the top 3 picks [note: if you’re scoping this entry out for recon on my potential picks, then this list is 100% accurate and you should draft these players ahead of me].

1. Joey Harrington
2. Ronnie Brown
3. LaMont Jordan

openssl -in /players.txt -out /players.enc -e -k mysecret -bf

Verify the command worked right:
[santa /]# cat players.enc
Salted__N©©‡ü†“+< V[bzM¦¯§GÕ¦Tݱ ®†äåiá–ÍÀÁŒèêÒÎewâCY¶èL3mÕÐÛXz™¯-ž7K

Success, now your picks are safe! If you omit a cipher (-bf in this example), then the data is passed through unencrypted. To decrypt your data, replace -e with -d:

[santa /]# openssl enc -in /players.enc -d -k mysecret -bf
1. Joey Harrington
2. Ronnie Brown
3. LaMont Jordan

Because the data in the file may represent non-representable text characters, it’s a good idea to encode the encrypted output in Base64 — or quadrosexagesimal as I like to call it — to ensure data won’t become corrupted (or corrupt your terminal screen) if viewed as if it were a plaintext document. Add -a to the list of parameters to the openssl command to enable Base64 encoding/decoding (depending upon whether encryption (-e) or decryption (-d) is used).

Finally, specifying the secret key on the commandline bears the problem of it appearing in your history. Not very furtive if someone has access to your account or your ~/.bash_history file, but there is an easy workaround. You can create a temporary file to house your secret key. Change -k <key> to -kfile <file> to instruct openssl to read the first line from the named file <file> as the encryption key.

Pretty neat, huh? Well, if not then stay tuned next week as we explore using multiple servers for distributed computing to calculate optimal roster arrangements to guarantee first place in an ultra-competitive fantasy football league… Or how to use ImageMagick’s set of utilities to decipher ultrasound maps of Giants Stadium to ensure that police won’t find the buried remains of the dearly missed first place coach.

If you would like to poke my brain and become the topic of discussion for one of these installments, then drop me an e-mail at msaladna@apisnetworks.com.

Weekly Tip #1: Encrypting sensitive data with OpenSSL

One thought on “Weekly Tip #1: Encrypting sensitive data with OpenSSL

  • September 3, 2007 at 5:13 pm UTC
    Permalink

    Everyone knows that Jimmy Hoffa is buried in Giants Stadium, not some coach …

Comments are closed.