Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Demystifying Cryptography with OpenSSL 3.0
  • Table Of Contents Toc
Demystifying Cryptography with OpenSSL 3.0

Demystifying Cryptography with OpenSSL 3.0

By : Alexei Khlebnikov
4.8 (4)
Buy this Book
close
close
Demystifying Cryptography with OpenSSL 3.0

Demystifying Cryptography with OpenSSL 3.0

4.8 (4)
By: Alexei Khlebnikov
Buy this Book

Overview of this book

Security and networking are essential features of software today. The modern internet is full of worms, Trojan horses, men-in-the-middle, and other threats. This is why maintaining security is more important than ever. OpenSSL is one of the most widely used and essential open source projects on the internet for this purpose. If you are a software developer, system administrator, network security engineer, or DevOps specialist, you’ve probably stumbled upon this toolset in the past – but how do you make the most out of it? With the help of this book, you will learn the most important features of OpenSSL, and gain insight into its full potential. This book contains step-by-step explanations of essential cryptography and network security concepts, as well as practical examples illustrating the usage of those concepts. You’ll start by learning the basics, such as how to perform symmetric encryption and calculate message digests. Next, you will discover more about cryptography: MAC and HMAC, public and private keys, and digital signatures. As you progress, you will explore best practices for using X.509 certificates, public key infrastructure, and TLS connections. By the end of this book, you’ll be able to use the most popular features of OpenSSL, allowing you to implement cryptography and TLS in your applications and network infrastructure.
Table of Contents (20 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Download the example code files
Icon
Download the color images
Icon
Conventions used
Icon
Get in touch
Icon
Share Your Thoughts
1
Part 1: Introduction
Icon
Part 1: Introduction
Lock Free Chapter
2
Chapter 1: OpenSSL and Other SSL/TLS Libraries
chevron up
Icon
Chapter 1: OpenSSL and Other SSL/TLS Libraries
Icon
What is OpenSSL?
Icon
The history of OpenSSL
Icon
What’s new in OpenSSL 3.0?
Icon
Comparing OpenSSL with GnuTLS
Icon
Comparing OpenSSL with NSS
Icon
Comparing OpenSSL with Botan
Icon
Comparing OpenSSL with lightweight TLS libraries
Icon
Comparing OpenSSL with LibreSSL
Icon
Comparing OpenSSL with BoringSSL
Icon
Summary
3
Part 2: Symmetric Cryptography
Icon
Part 2: Symmetric Cryptography
4
Chapter 2: Symmetric Encryption and Decryption
Icon
Chapter 2: Symmetric Encryption and Decryption
Icon
Technical requirements
Icon
Understanding symmetric encryption
Icon
An overview of the symmetric ciphers supported by OpenSSL
Icon
Block cipher modes of operation
Icon
Padding for block ciphers
Icon
How to generate a symmetric encryption key
Icon
Downloading and installing OpenSSL
Icon
How to encrypt and decrypt with AES on the command line
Icon
Initializing and uninitializing OpenSSL library
Icon
How to compile and link with OpenSSL
Icon
How to encrypt with AES programmatically
Icon
How to decrypt with AES programmatically
Icon
Summary
5
Chapter 3: Message Digests
Icon
Chapter 3: Message Digests
Icon
Technical requirements
Icon
What are message digests and cryptographic hash functions?
Icon
Why are message digests needed?
Icon
Assessing the security of cryptographic hash functions
Icon
Overview of the cryptographic hash functions supported by OpenSSL
Icon
How to calculate a message digest on the command line
Icon
How to calculate the message digest programmatically
Icon
Summary
6
Chapter 4: MAC and HMAC
Icon
Chapter 4: MAC and HMAC
Icon
Technical requirements
Icon
What is a MAC?
Icon
Understanding MAC function security
Icon
HMAC – a hash-based MAC
Icon
MAC, encryption, and the Cryptographic Doom Principle
Icon
How to calculate HMAC on the command line
Icon
How to calculate HMAC programmatically
Icon
Summary
7
Chapter 5: Derivation of an Encryption Key from a Password
Icon
Chapter 5: Derivation of an Encryption Key from a Password
Icon
Technical requirements
Icon
Understanding the differences between a password and an encryption key
Icon
What is a key derivation function?
Icon
Overview of key derivation functions supported by OpenSSL
Icon
Deriving a key from a password on the command line
Icon
Deriving a key from a password programmatically
Icon
Summary
8
Part 3: Asymmetric Cryptography and Certificates
Icon
Part 3: Asymmetric Cryptography and Certificates
9
Chapter 6: Asymmetric Encryption and Decryption
Icon
Chapter 6: Asymmetric Encryption and Decryption
Icon
Technical requirements
Icon
Understanding asymmetric encryption
Icon
Understanding a Man in the Middle attack
Icon
What kind of asymmetric encryption is available in OpenSSL?
Icon
Understanding a session key
Icon
Understanding RSA security
Icon
How to generate an RSA keypair
Icon
How to encrypt and decrypt with RSA on the command line
Icon
How to encrypt with RSA programmatically
Icon
Understanding the OpenSSL error queue
Icon
How to decrypt with RSA programmatically
Icon
Summary
10
Chapter 7: Digital Signatures and Their Verification
Icon
Chapter 7: Digital Signatures and Their Verification
Icon
Technical requirements
Icon
Understanding digital signatures
Icon
Overview of digital signature algorithms supported by OpenSSL
Icon
How to generate an elliptic curve keypair
Icon
How to sign and verify a signature on the command line
Icon
How to sign programmatically
Icon
How to verify a signature programmatically
Icon
Summary
11
Chapter 8: X.509 Certificates and PKI
Icon
Chapter 8: X.509 Certificates and PKI
Icon
Technical requirements
Icon
What is an X.509 certificate?
Icon
Understanding certificate signing chains
Icon
How are X.509 certificates issued?
Icon
What are X509v3 extensions?
Icon
Understanding X.509 Public Key Infrastructure
Icon
How to generate a self-signed certificate
Icon
How to generate a non-self-signed certificate
Icon
How to verify a certificate on the command line
Icon
How to verify a certificate programmatically
Icon
Summary
12
Part 4: TLS Connections and Secure Communication
Icon
Part 4: TLS Connections and Secure Communication
13
Chapter 9: Establishing TLS Connections and Sending Data over Them
Icon
Chapter 9: Establishing TLS Connections and Sending Data over Them
Icon
Technical requirements
Icon
Understanding the TLS protocol
Icon
The history of the TLS protocol
Icon
Establishing a TLS client connection on the command line
Icon
Preparing certificates for a TLS server connection
Icon
Accepting a TLS server connection on the command line
Icon
Understanding OpenSSL BIOs
Icon
Establishing a TLS client connection programmatically
Icon
Accepting a TLS server connection programmatically
Icon
Summary
14
Chapter 10: Using X.509 Certificates in TLS
Icon
Chapter 10: Using X.509 Certificates in TLS
Icon
Technical requirements
Icon
Custom verification of peer certificates in C programs
Icon
Using Certificate Revocation Lists in C programs
Icon
Using the Online Certificate Status Protocol
Icon
Using TLS client certificates
Icon
Summary
15
Chapter 11: Special Usages of TLS
Icon
Chapter 11: Special Usages of TLS
Icon
Technical requirements
Icon
Understanding TLS certificate pinning
Icon
Using TLS certificate pinning
Icon
Understanding blocking and non-blocking sockets
Icon
Using TLS on non-blocking sockets
Icon
Understanding TLS on non-standard sockets
Icon
Using TLS on non-standard sockets
Icon
Summary
16
Part 5: Running a Mini-CA
Icon
Part 5: Running a Mini-CA
17
Chapter 12: Running a Mini-CA
Icon
Chapter 12: Running a Mini-CA
Icon
Technical requirements
Icon
Understanding the openssl ca subcommand
Icon
Generating a root CA certificate
Icon
Generating an intermediate CA certificate
Icon
Generating a certificate for a web server
Icon
Generating a certificate for a web and email client
Icon
Revoking certificates and generating CRLs
Icon
Providing certificate revocation status via OCSP
Icon
Summary
18
Index
Icon
Index
Icon
Why subscribe?
19
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Packt is searching for authors like you

Comparing OpenSSL with LibreSSL

LibreSSL is a fork (derived code) of OpenSSL that was created in 2014 by the OpenBSD Project as a response to the infamous Heartbleed vulnerability that was found in OpenSSL. LibreSSL was founded to increase the security and maintainability of the library by removing old, unpopular, and no longer secure cryptographic algorithms and other features.

OpenBSD is a Unix operating system, one of the BSD systems family aimed at security. OpenBSD developers do not only develop the operating system kernel and utilities. Another famous software project is OpenSSH. Other software projects started as applications for OpenBSD, such as OpenNTPD, OpenSMTPD, and others. This now includes LibreSSL.

After forking, the LibreSSL developers removed a lot of the original OpenSSL code that they considered old or insecure. They claimed that they removed approximately half of the OpenSSL code within the first week. They also added a few new cryptographic algorithms such as Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) and ChaCha-Poly1305. In addition to adding and removing code, some existing code was reworked and hardened in some places.

Despite LibreSSL’s aim to increase security, there were some vulnerabilities in LibreSSL that did not affect OpenSSL, such as CVE-2017-8301.

In the last few years, OpenSSL also did some work on improving the security and maintainability of the library and deprecated/removed some code – though not as much code was removed as in LibreSSL. However, more code and new features were added.

OpenSSL has much more development resources than LibreSSL, which means it advances much faster. For example, from the end of 2018 until the beginning of 2021, LibreSSL has merged approximately 1,500 patches from 36 developers. During the same time, OpenSSL has merged more than 5,000 patches from 276 developers. Apart from the core OpenSSL development team, OpenSSL receives code contributions from big companies such as Oracle, Red Hat, IBM, and others.

While the focus of LibreSSL is providing a TLS library for the OpenBSD project, it also aims to support other platforms and remain API-compatible with OpenSSL. At the time of writing, the LibreSSL API is compatible with OpenSSL 1.0.1, but does not include all the newest APIs from OpenSSL 1.0.2 and later.

Since its fork from OpenSSL, LibreSSL became the default TLS library on OpenBSD, but on most other operating systems, the adoption has been low. Most Linux distributions continued using OpenSSL, and some decided to try LibreSSL as a system-wide option but decided to drop such support later. Most commercial application vendors that used OpenSSL also decided to stick with it.

In the competition between OpenSSL and LibreSSL, OpenSSL is winning. I recommend that you choose OpenSSL unless you are developing software specifically for the OpenBSD community, in which case you should consider LibreSSL.

Another fork of OpenSSL has been created by the mighty Google corporation, as we’ll explore in the next section.

Visually different images
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Demystifying Cryptography with OpenSSL 3.0
End of Section 2
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist download Download options
font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon