Table of Contents

Prefacexv

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Get in touch

Share Your Thoughts

Part 1: Introduction

1

OpenSSL and Other SSL/TLS Libraries3

What is OpenSSL?

The history of OpenSSL

What’s new in OpenSSL 3.0?

Comparing OpenSSL with GnuTLS

Comparing OpenSSL with NSS

Comparing OpenSSL with Botan

Comparing OpenSSL with lightweight TLS libraries

Comparing OpenSSL with LibreSSL

Comparing OpenSSL with BoringSSL

Summary

Part 2: Symmetric Cryptography

2

Symmetric Encryption and Decryption15

Technical requirements

Understanding symmetric encryption

An overview of the symmetric ciphers supported by OpenSSL

Comparing block ciphers and stream ciphers

Understanding symmetric cipher security

How many bits of security is enough?

Reviewing the AES cipher

Reviewing DES and 3DES ciphers

Reviewing the RC4 cipher

Reviewing the ChaCha20 cipher

Reviewing other symmetric ciphers supported by OpenSSL

Block cipher modes of operation

Reviewing the Electronic Code Book mode

Reviewing CBC mode

Reviewing CTR mode

Reviewing GCM

Reviewing AES-GCM-SIV

Other block cipher operation modes

Choosing the block cipher operation mode

Padding for block ciphers

How to generate a symmetric encryption key

Downloading and installing OpenSSL

How to encrypt and decrypt with AES on the command line

Initializing and uninitializing OpenSSL library

How to compile and link with OpenSSL

How to encrypt with AES programmatically

Implementing the encryption program

Running the encrypt program

How to decrypt with AES programmatically

Implementing the decrypt program

Running the decrypt program

Summary

3

Message Digests55

Technical requirements

What are message digests and cryptographic hash functions?

Why are message digests needed?

Data integrity verification

Basis for HMAC

Digital signatures

Network protocols

Password verification

Content identifier

Blockchain and cryptocurrencies

Proof-of-work

Assessing the security of cryptographic hash functions

Overview of the cryptographic hash functions supported by OpenSSL

Reviewing the SHA-2 family of hash functions

Reviewing the SHA-3 family of hash functions

Reviewing the SHA-1 and SHA-0 hash functions

Reviewing the MD family of hash functions

Reviewing the BLAKE2 family of hash functions

Reviewing less popular hash functions supported by OpenSSL

Which cryptographic hash function should you choose?

How to calculate a message digest on the command line

How to calculate the message digest programmatically

Implementing the digest program

Running the digest program

Summary

4

MAC and HMAC71

Technical requirements

What is a MAC?

Understanding MAC function security

HMAC – a hash-based MAC

MAC, encryption, and the Cryptographic Doom Principle

How to calculate HMAC on the command line

How to calculate HMAC programmatically

Implementing the hmac program

Running the hmac program

Summary

5

Derivation of an Encryption Key from a Password83

Technical requirements

Understanding the differences between a password and an encryption key

What is a key derivation function?

Overview of key derivation functions supported by OpenSSL

Deriving a key from a password on the command line

Deriving a key from a password programmatically

Implementing the kdf program

Running the kdf program

Summary

Part 3: Asymmetric Cryptography and Certificates

6

Asymmetric Encryption and Decryption95

Technical requirements

Understanding asymmetric encryption

Understanding a Man in the Middle attack

Meeting in person

Verifying a key fingerprint over the phone

Key splitting

Signing the key by a trusted third party

What kind of asymmetric encryption is available in OpenSSL?

Understanding a session key

Understanding RSA security

How to generate an RSA keypair

How to encrypt and decrypt with RSA on the command line

How to encrypt with RSA programmatically

Implementing the rsa-encrypt program

Running the rsa-encrypt program

Understanding the OpenSSL error queue

How to decrypt with RSA programmatically

Implementing the rsa-decrypt program

Running the rsa-decrypt program

Summary

7

Digital Signatures and Their Verification119

Technical requirements

Understanding digital signatures

Difference between digital signatures and MACs

Overview of digital signature algorithms supported by OpenSSL

Reviewing RSA

Reviewing DSA

Reviewing ECDSA

Reviewing EdDSA

Reviewing SM2

Which digital signature algorithm should you choose?

How to generate an elliptic curve keypair

How to sign and verify a signature on the command line

How to sign programmatically

Implementing the ec-sign program

Running the ec-sign program

How to verify a signature programmatically

Implementing the ec-verify program

Running the ec-verify program

Summary

8

X.509 Certificates and PKI137

Technical requirements

What is an X.509 certificate?

Understanding certificate signing chains

How are X.509 certificates issued?

What are X509v3 extensions?

Understanding X.509 Public Key Infrastructure

How to generate a self-signed certificate

How to generate a non-self-signed certificate

How to verify a certificate on the command line

How to verify a certificate programmatically

Implementing the x509-verify program

Running the x509-verify program

Summary

Part 4: TLS Connections and Secure Communication

9

Establishing TLS Connections and Sending Data over Them163

Technical requirements

Understanding the TLS protocol

Understanding a TLS handshake

What happens after the TLS handshake?

The history of the TLS protocol

Establishing a TLS client connection on the command line

Preparing certificates for a TLS server connection

Accepting a TLS server connection on the command line

Understanding OpenSSL BIOs

Establishing a TLS client connection programmatically

Implementing the tls-client program

Running the tls-client program

Accepting a TLS server connection programmatically

Implementing the tls-server program

Running the tls-server program

Summary

10

Using X.509 Certificates in TLS193

Technical requirements

Custom verification of peer certificates in C programs

Registering the verification callback

Implementing the verification callback

Running the program

Using Certificate Revocation Lists in C programs

Registering the CRL lookup callback

Implementing the CRL lookup callback

Implementing the function for downloading a CRL from a distribution point

Implementing the function for downloading a CRL from an HTTP URL

Running the program

Using the Online Certificate Status Protocol

Understanding the Online Certificate Status Protocol

Using OCSP on the command line

Using OCSP in C programs

Using TLS client certificates

Generating TLS client certificates

Packaging client certificates into PKCS #12 container files

Requesting and verifying a TLS client certificate on the server side programmatically

Establishing a TLS client connection with a client certificate programmatically

Summary

11

Special Usages of TLS243

Technical requirements

Understanding TLS certificate pinning

Using TLS certificate pinning

Changing the run_tls_client() function

Implementing the cert_verify_callback() function

Running the tls-cert-pinning program

Understanding blocking and non-blocking sockets

Using TLS on non-blocking sockets

Changing the run_tls_client() function

Running the tls-client-non-blocking program

Understanding TLS on non-standard sockets

Using TLS on non-standard sockets

Implementing the service_bios() function

Reimplementing the run_tls_client() function

Running the tls-client-memory-bio program

Summary

Part 5: Running a Mini-CA

12

Running a Mini-CA279

Technical requirements

Understanding the openssl ca subcommand

Generating a root CA certificate

Generating an intermediate CA certificate

Generating a certificate for a web server

Generating a certificate for a web and email client

Revoking certificates and generating CRLs

Providing certificate revocation status via OCSP

Summary

Index305

Other Books You May Enjoy318