Book Image

Demystifying Cryptography with OpenSSL 3.0

By : Alexei Khlebnikov
Book Image

Demystifying Cryptography with OpenSSL 3.0

By: Alexei Khlebnikov

Overview of this book

Security and networking are essential features of software today. The modern internet is full of worms, Trojan horses, men-in-the-middle, and other threats. This is why maintaining security is more important than ever. OpenSSL is one of the most widely used and essential open source projects on the internet for this purpose. If you are a software developer, system administrator, network security engineer, or DevOps specialist, you’ve probably stumbled upon this toolset in the past – but how do you make the most out of it? With the help of this book, you will learn the most important features of OpenSSL, and gain insight into its full potential. This book contains step-by-step explanations of essential cryptography and network security concepts, as well as practical examples illustrating the usage of those concepts. You’ll start by learning the basics, such as how to perform symmetric encryption and calculate message digests. Next, you will discover more about cryptography: MAC and HMAC, public and private keys, and digital signatures. As you progress, you will explore best practices for using X.509 certificates, public key infrastructure, and TLS connections. By the end of this book, you’ll be able to use the most popular features of OpenSSL, allowing you to implement cryptography and TLS in your applications and network infrastructure.
Table of Contents (20 chapters)
Part 1: Introduction
Part 2: Symmetric Cryptography
Part 3: Asymmetric Cryptography and Certificates
Part 4: TLS Connections and Secure Communication
Part 5: Running a Mini-CA

What’s new in OpenSSL 3.0?

One major change in OpenSSL 3.0 is its license. A software project does not change its license very often during its lifetime. The OpenSSL project used its BSD-style open source license until version 3.0. Since version 3.0, it uses Apache License 2.0.

OpenSSL 3.0 is a release with big changes in the internal architecture of the library. The architectural changes are not finished and will be continued in OpenSSL 4.0. The concept of OpenSSL operation implementation providers was introduced. A provider is a unit of code that provides the implementation of cryptographic algorithms. The existing OpenSSL cryptography code will mostly be available via Default and Legacy providers. Engines are still supported in OpenSSL 3.0 but have been deprecated in favor of providers. Support for ENGINE API may be removed in OpenSSL 4.0. There is also support for third-party providers that allow independent developers to plug their cryptographic algorithms into OpenSSL.

Another interesting feature of OpenSSL 3.0 is Kernel TLS (KTLS). When using KTLS, an application can create a special TLS socket, similar to a TCP socket. OpenSSL then performs a TLS handshake and hands the negotiated encryption key and other data to the operating system kernel in the form of TLS socket options. Then, the actual data transmission in the TLS protocol is handled by the KTLS code. Such TLS offloading to the kernel can speed up data transmission on high-load systems where performance is important, especially when the kernel can use hardware acceleration for Advanced Encryption Standard (AES) and thus offload the main CPU. Of course, KTLS support is needed both in the TLS library and in the operating system kernel. At the time of writing, only the Linux and FreeBSD kernels support KTLS.

Some other notable changes in OpenSSL 3.0 include the following:

  • Support for the Certificate Management Protocol.
  • A simple HTTP/HTTPS client.
  • Advanced Encryption Standard Galois/Counter Mode with Synthetic Initialization Vector (AES-GCM-SIV) encryption.
  • New Message Authentication Code (MAC) algorithms, such as GMAC and KMAC.
  • New Key Derivation Function (KDF) algorithms, such as SSKDF and SSHKDF.
  • New high-level APIs, such as EVP_MAC, EVP_KDF, and EVP_RAND.
  • Low-level APIs deprecated in favor of newer higher-level APIs.
  • Code cleanup.
  • Error handling reworked.
  • Old insecure algorithms are no longer available at the default security level.
  • Interactive mode has been removed from the openssl command-line tool.

OpenSSL is a solid mature software toolkit, so the most important features are already implemented in it. As a result, the latest changes don’t contain that much new functionality for a lot of users. The latest release focuses on architectural improvements to the library.

While OpenSSL is the most popular crypto/TLS library, it’s not the only one. We’ll compare OpenSSL to its competitors in the following sections.