Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Demystifying Cryptography with OpenSSL 3.0
  • Table Of Contents Toc
Demystifying Cryptography with OpenSSL 3.0

Demystifying Cryptography with OpenSSL 3.0

By : Alexei Khlebnikov
4.8 (4)
Buy this Book
close
close
Demystifying Cryptography with OpenSSL 3.0

Demystifying Cryptography with OpenSSL 3.0

4.8 (4)
By: Alexei Khlebnikov
Buy this Book

Overview of this book

Security and networking are essential features of software today. The modern internet is full of worms, Trojan horses, men-in-the-middle, and other threats. This is why maintaining security is more important than ever. OpenSSL is one of the most widely used and essential open source projects on the internet for this purpose. If you are a software developer, system administrator, network security engineer, or DevOps specialist, you’ve probably stumbled upon this toolset in the past – but how do you make the most out of it? With the help of this book, you will learn the most important features of OpenSSL, and gain insight into its full potential. This book contains step-by-step explanations of essential cryptography and network security concepts, as well as practical examples illustrating the usage of those concepts. You’ll start by learning the basics, such as how to perform symmetric encryption and calculate message digests. Next, you will discover more about cryptography: MAC and HMAC, public and private keys, and digital signatures. As you progress, you will explore best practices for using X.509 certificates, public key infrastructure, and TLS connections. By the end of this book, you’ll be able to use the most popular features of OpenSSL, allowing you to implement cryptography and TLS in your applications and network infrastructure.
Table of Contents (20 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Download the example code files
Icon
Download the color images
Icon
Conventions used
Icon
Get in touch
Icon
Share Your Thoughts
1
Part 1: Introduction
Icon
Part 1: Introduction
Lock Free Chapter
2
Chapter 1: OpenSSL and Other SSL/TLS Libraries
chevron up
Icon
Chapter 1: OpenSSL and Other SSL/TLS Libraries
Icon
What is OpenSSL?
Icon
The history of OpenSSL
Icon
What’s new in OpenSSL 3.0?
Icon
Comparing OpenSSL with GnuTLS
Icon
Comparing OpenSSL with NSS
Icon
Comparing OpenSSL with Botan
Icon
Comparing OpenSSL with lightweight TLS libraries
Icon
Comparing OpenSSL with LibreSSL
Icon
Comparing OpenSSL with BoringSSL
Icon
Summary
3
Part 2: Symmetric Cryptography
Icon
Part 2: Symmetric Cryptography
4
Chapter 2: Symmetric Encryption and Decryption
Icon
Chapter 2: Symmetric Encryption and Decryption
Icon
Technical requirements
Icon
Understanding symmetric encryption
Icon
An overview of the symmetric ciphers supported by OpenSSL
Icon
Block cipher modes of operation
Icon
Padding for block ciphers
Icon
How to generate a symmetric encryption key
Icon
Downloading and installing OpenSSL
Icon
How to encrypt and decrypt with AES on the command line
Icon
Initializing and uninitializing OpenSSL library
Icon
How to compile and link with OpenSSL
Icon
How to encrypt with AES programmatically
Icon
How to decrypt with AES programmatically
Icon
Summary
5
Chapter 3: Message Digests
Icon
Chapter 3: Message Digests
Icon
Technical requirements
Icon
What are message digests and cryptographic hash functions?
Icon
Why are message digests needed?
Icon
Assessing the security of cryptographic hash functions
Icon
Overview of the cryptographic hash functions supported by OpenSSL
Icon
How to calculate a message digest on the command line
Icon
How to calculate the message digest programmatically
Icon
Summary
6
Chapter 4: MAC and HMAC
Icon
Chapter 4: MAC and HMAC
Icon
Technical requirements
Icon
What is a MAC?
Icon
Understanding MAC function security
Icon
HMAC – a hash-based MAC
Icon
MAC, encryption, and the Cryptographic Doom Principle
Icon
How to calculate HMAC on the command line
Icon
How to calculate HMAC programmatically
Icon
Summary
7
Chapter 5: Derivation of an Encryption Key from a Password
Icon
Chapter 5: Derivation of an Encryption Key from a Password
Icon
Technical requirements
Icon
Understanding the differences between a password and an encryption key
Icon
What is a key derivation function?
Icon
Overview of key derivation functions supported by OpenSSL
Icon
Deriving a key from a password on the command line
Icon
Deriving a key from a password programmatically
Icon
Summary
8
Part 3: Asymmetric Cryptography and Certificates
Icon
Part 3: Asymmetric Cryptography and Certificates
9
Chapter 6: Asymmetric Encryption and Decryption
Icon
Chapter 6: Asymmetric Encryption and Decryption
Icon
Technical requirements
Icon
Understanding asymmetric encryption
Icon
Understanding a Man in the Middle attack
Icon
What kind of asymmetric encryption is available in OpenSSL?
Icon
Understanding a session key
Icon
Understanding RSA security
Icon
How to generate an RSA keypair
Icon
How to encrypt and decrypt with RSA on the command line
Icon
How to encrypt with RSA programmatically
Icon
Understanding the OpenSSL error queue
Icon
How to decrypt with RSA programmatically
Icon
Summary
10
Chapter 7: Digital Signatures and Their Verification
Icon
Chapter 7: Digital Signatures and Their Verification
Icon
Technical requirements
Icon
Understanding digital signatures
Icon
Overview of digital signature algorithms supported by OpenSSL
Icon
How to generate an elliptic curve keypair
Icon
How to sign and verify a signature on the command line
Icon
How to sign programmatically
Icon
How to verify a signature programmatically
Icon
Summary
11
Chapter 8: X.509 Certificates and PKI
Icon
Chapter 8: X.509 Certificates and PKI
Icon
Technical requirements
Icon
What is an X.509 certificate?
Icon
Understanding certificate signing chains
Icon
How are X.509 certificates issued?
Icon
What are X509v3 extensions?
Icon
Understanding X.509 Public Key Infrastructure
Icon
How to generate a self-signed certificate
Icon
How to generate a non-self-signed certificate
Icon
How to verify a certificate on the command line
Icon
How to verify a certificate programmatically
Icon
Summary
12
Part 4: TLS Connections and Secure Communication
Icon
Part 4: TLS Connections and Secure Communication
13
Chapter 9: Establishing TLS Connections and Sending Data over Them
Icon
Chapter 9: Establishing TLS Connections and Sending Data over Them
Icon
Technical requirements
Icon
Understanding the TLS protocol
Icon
The history of the TLS protocol
Icon
Establishing a TLS client connection on the command line
Icon
Preparing certificates for a TLS server connection
Icon
Accepting a TLS server connection on the command line
Icon
Understanding OpenSSL BIOs
Icon
Establishing a TLS client connection programmatically
Icon
Accepting a TLS server connection programmatically
Icon
Summary
14
Chapter 10: Using X.509 Certificates in TLS
Icon
Chapter 10: Using X.509 Certificates in TLS
Icon
Technical requirements
Icon
Custom verification of peer certificates in C programs
Icon
Using Certificate Revocation Lists in C programs
Icon
Using the Online Certificate Status Protocol
Icon
Using TLS client certificates
Icon
Summary
15
Chapter 11: Special Usages of TLS
Icon
Chapter 11: Special Usages of TLS
Icon
Technical requirements
Icon
Understanding TLS certificate pinning
Icon
Using TLS certificate pinning
Icon
Understanding blocking and non-blocking sockets
Icon
Using TLS on non-blocking sockets
Icon
Understanding TLS on non-standard sockets
Icon
Using TLS on non-standard sockets
Icon
Summary
16
Part 5: Running a Mini-CA
Icon
Part 5: Running a Mini-CA
17
Chapter 12: Running a Mini-CA
Icon
Chapter 12: Running a Mini-CA
Icon
Technical requirements
Icon
Understanding the openssl ca subcommand
Icon
Generating a root CA certificate
Icon
Generating an intermediate CA certificate
Icon
Generating a certificate for a web server
Icon
Generating a certificate for a web and email client
Icon
Revoking certificates and generating CRLs
Icon
Providing certificate revocation status via OCSP
Icon
Summary
18
Index
Icon
Index
Icon
Why subscribe?
19
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Packt is searching for authors like you

Comparing OpenSSL with BoringSSL

BoringSSL is another fork of OpenSSL that was made public in 2014. BoringSSL was made for the needs of the Google corporation. For years, Google maintained its own patches for OpenSSL for use in various Google products, such as Chrome, Android, and the server’s infrastructure. Finally, they decided to fork OpenSSL and maintain their fork as a separate library.

Like LibreSSL, in BoringSSL, Google removed a lot of the original OpenSSL code, which was responsible for supporting old and unpopular algorithms and features. Google also added some functionality that does not exist in OpenSSL. For example, the CRYPTO_BUFFER functionality allows you to deduplicate X.509 certificates in memory, thus reducing memory usage. It also allows you to remove OpenSSL’s X.509 and ASN.1 code from the application if OpenSSL is linked statically to the application. The X.509 code is a sizeable part of OpenSSL.

Unlike LibreSSL, BoringSSL does not aim for API compatibility with OpenSSL, or even with former versions of BoringSSL. Google wants to change the library API at will. It makes sense because Google controls both BoringSSL and the major software projects that use the library, which makes it possible to synchronize the API changes in BoringSSL and those projects. If the API is not kept stable, it is possible to free up development resources that would otherwise be spent on maintaining the old APIs.

But this also means that if someone outside Google wants to use BoringSSL, they should be ready for breaking changes in the library API, at the least suitable times. This is very inconvenient for developers who use the library. Google understands this and states that although BoringSSL is an open source project, it is not for general use.

My opinion is that BoringSSL was made open source mostly for third-party contributors to Google projects, such as Chrome and Android.

I do not recommend using BoringSSL in your applications due to its API instability. Furthermore, OpenSSL has more features, better documentation, and a much larger community.

With that, we have reviewed several competitors of OpenSSL. You should now understand the main differences between the popular TLS libraries and which library should be used in which case.

Let’s proceed to the summary.

CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Demystifying Cryptography with OpenSSL 3.0
End of Section 2
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist download Download options
font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon