# Lab 1-1 (1-3 class hours)

## I. OpenSSL

```bash
openssl version
```

```
$ echo 123 | openssl sm3
SM3(stdin)= e95001aed4b6f7de59169913997dace404f05091ed49c37133a9950a69405a9c
$ echo "123" | openssl sm3
SM3(stdin)= e95001aed4b6f7de59169913997dace404f05091ed49c37133a9950a69405a9c
$ echo 123 | od -tx1 -tc
0000000  31  32  33  0a
          1   2   3  \n
0000004
$ echo -n 123 | od -tx1 -tc
0000000  31  32  33
          1   2   3
$ echo 123 | openssl sm3
SM3(stdin)= e95001aed4b6f7de59169913997dace404f05091ed49c37133a9950a69405a9c
$ echo -n 123 | openssl sm3
SM3(stdin)= 6e0f9e14344c5406a0cf5a3b4dfb665f87f4a771a31f7edbb5c72874a32b2957
$ echo 123 > 123.txt
$ openssl sm3 123.txt
SM3(123.txt)= e95001aed4b6f7de59169913997dace404f05091ed49c37133a9950a69405a9c
$ echo 123 | openssl sm3
SM3(stdin)= e95001aed4b6f7de59169913997dace404f05091ed49c37133a9950a69405a9c
$ echo "obase=16;123" | bc
7B
$ echo -n -e "\x7B" > 123.bin
$ od -tx1 123.bin
0000000 7b
0000001
$ openssl sm3 123.bin
SM3(123.bin)= 2ed59fea0dbe4e4f02de67ee657eb6be8e22a7db425103402d8a36d7b6f6d344
$ echo -ne "\x7B" | openssl sm3
SM3(stdin)= 2ed59fea0dbe4e4f02de67ee657eb6be8e22a7db425103402d8a36d7b6f6d344
```

### prime

```
$ openssl prime -help
```

#### Primality check

```
$ openssl prime 3
3 (3) is prime
$ openssl prime 33
21 (33) is not prime
$ openssl prime -checks 10 33
21 (33) is not prime
$ openssl prime -hex 4F
4F (4F) is prime
```

#### Prime generation

```
$ openssl prime -generate -bits 10
997
$ openssl prime 997
3E5 (997) is prime
$ openssl prime -generate -bits 10
821
$ openssl prime 821
335 (821) is prime
$ openssl prime -generate -bits 10 -hex
0377
$ openssl prime -hex 0377
377 (0377) is prime
```

### rand

#### help

```
$ openssl rand -help
Usage: rand [options] num

General options:
 -help               Display this summary
 -engine val         Use engine, possibly a hardware device

Output options:
 -out outfile        Output file
 -base64             Base64 encode output
 -hex                Hex encode output

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Parameters:
 num                 Number of bytes to generate
```

#### Random number generation

```
$ openssl rand 10
eb�!t�t��
$ openssl rand 10 | od -tx1
0000000 e0 97 c1 45 ae 31 47 04 6a 71
0000012
$ openssl rand 10 | xxd -p
b303d64a1838d08f1a81
$ openssl rand -hex 10
496bdfc8f1453fcb23cb
$ openssl rand -base64 10
O1YkLrtRJHMS+Q==
```

#### Random number files

```
$ openssl rand -out r1.bin 10
$ od -tx1 r1.bin
0000000 2d 61 d9 79 7b c9 48 02 62 a5
0000012
$ openssl rand 10 > r2.bin
$ cat r2.bin | xxd -p
bac2b83462b226ff380c
```

### base64

#### help

```
$ openssl base64 -help
Usage: base64 [options]

General options:
 -help               Display this summary
 -list               List ciphers
 -ciphers            Alias for -list
 -e                  Encrypt
 -d                  Decrypt
 -p                  Print the iv/key
 -P                  Print the iv/key and exit
 -engine val         Use engine, possibly a hardware device

Input options:
 -in infile          Input file
 -k val              Passphrase
 -kfile infile       Read passphrase from file

Output options:
 -out outfile        Output file
 -pass val           Passphrase source
 -v                  Verbose output
 -a                  Base64 encode/decode, depending on encryption flag
 -base64             Same as option -a
 -A                  Used with -[base64|a] to specify base64 buffer as a single line

Encryption options:
 -nopad              Disable standard block padding
 -salt               Use salt in the KDF (default)
 -nosalt             Do not use salt in the KDF
 -debug              Print debug info
 -bufsize val        Buffer size
 -K val              Raw key, in hex
 -S val              Salt, in hex
 -iv val             IV in hex
 -md val             Use specified digest to create a key from the passphrase
 -iter +int          Specify the iteration count and force the use of PBKDF2
                     Default: 10000
 -pbkdf2             Use password-based key derivation function 2 (PBKDF2)
                     Use -iter to change the iteration count from 10000
 -none               Don't encrypt
 -saltlen +int       Specify the PBKDF2 salt length (in bytes)
                     Default: 16
 -*                  Any supported cipher

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms
```

#### Encoding and decoding

```
$ echo ljp | openssl base64
bGpwCg==
$ echo ljp | openssl base64 -e
bGpwCg==
$ echo bGpwCg== | openssl base64 -d
ljp
$ echo -ne "\x11\x22\x33" | openssl base64
ESIz
$ echo ESIz | openssl base64 -d | xxd -p
112233
$ echo -ne "\x11\x22\x33\x44" | openssl base64
ESIzRA==
$ echo ESIzRA== | openssl base64 -d | xxd -p
11223344
```

#### Encoding and decoding files

```
$ echo ljp > ljp.txt
$ openssl base64 -in ljp.txt -out ljp.b64
$ cat ljp.b64
bGpwCg==
$ openssl base64 -d -in ljp.b64 -out ljp2.txt
$ diff ljp.txt ljp2.txt
$ cat ljp2.txt
ljp
```

### asn1parse

#### help

```
$ openssl asn1parse -help
Usage: asn1parse [options]

General options:
 -help               Display this summary
 -oid infile         file of extra oid definitions

I/O options:
 -inform parm        input format - one of DER PEM B64
 -in infile          input file
 -out outfile        output file (output format is always DER)
 -noout              do not produce any output
 -offset +int        offset into file
 -length +int        length of section in file
 -strparse +int      offset; a series of these can be used to 'dig'
 -genstr val         string to generate ASN1 structure from
                     into multiple ASN1 blob wrappings
 -genconf val        file to generate ASN1 structure from
 -strictpem          equivalent to '-inform pem' (obsolete)
 -item val           item to parse and print
                     (-inform will be ignored)

Formatting options:
 -i                  indents the output
 -dump               unknown data in hex form
 -dlimit +int        dump the first arg bytes of unknown data in hex form
```

### Formats in cryptographic engineering

```
$ openssl asn1parse -help
```

### Hash and HMAC: dgst

#### help

```
$ openssl dgst -help
Usage: dgst [options] [file...]

General options:
 -help               Display this summary
 -list               List digests
 -engine val         Use engine e, possibly a hardware device
 -engine_impl        Also use engine given by -engine for digest operations
 -passin val         Input file pass phrase source

Output options:
 -c                  Print the digest with separating colons
 -r                  Print the digest in coreutils format
 -out outfile        Output to filename rather than stdout
 -keyform format     Key file format (ENGINE, other values ignored)
 -hex                Print as hex dump
 -binary             Print in binary form
 -xoflen +int        Output length for XOF algorithms
 -d                  Print debug info
 -debug              Print debug info

Signing options:
 -sign val           Sign digest using private key
 -verify val         Verify a signature using public key
 -prverify val       Verify a signature using private key
 -sigopt val         Signature parameter in n:v form
 -signature infile   File with signature to verify
 -hmac val           Create hashed MAC with key
 -mac val            Create MAC (not necessarily HMAC)
 -macopt val         MAC algorithm parameters in n:v form or key
 -*                  Any supported digest
 -fips-fingerprint   Compute HMAC with the key used in OpenSSL-FIPS fingerprint

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Parameters:
 file                Files to digest (optional; default is stdin)
```

#### list

```
$ openssl dgst -list
Supported digests:
-blake2b512                -blake2s256                -md4
-md5                       -md5-sha1                  -ripemd
-ripemd160                 -rmd160                    -sha1
-sha224                    -sha256                    -sha3-224
-sha3-256                  -sha3-384                  -sha3-512
-sha384                    -sha512                    -sha512-224
-sha512-256                -shake128                  -shake256
-sm3                       -ssl3-md5                  -ssl3-sha1
-whirlpool
```

#### `openssl dgst -sm3` is equivalent to `openssl sm3`

```
$ echo ljp | openssl dgst -sm3
SM3(stdin)= a4f888920807c7502ca20d027486dfe20be6259bf9287713f7744b120f282589
$ echo ljp | openssl sm3
SM3(stdin)= a4f888920807c7502ca20d027486dfe20be6259bf9287713f7744b120f282589
$ echo ljp | openssl sm3 -hex
SM3(stdin)= a4f888920807c7502ca20d027486dfe20be6259bf9287713f7744b120f282589
$ echo ljp | openssl sm3 -binary
t���P,� �%��(w�tK(%�
$ echo ljp | openssl sm3 -binary | xxd -p
a4f888920807c7502ca20d027486dfe20be6259bf9287713f7744b120f282589
```

#### There is no `-in` option; pass the file name directly

```
$ echo ljp > ljp.txt
$ openssl sm3 ljp.txt
SM3(ljp.txt)= a4f888920807c7502ca20d027486dfe20be6259bf9287713f7744b120f282589
$ echo ljp | openssl sm3
SM3(stdin)= a4f888920807c7502ca20d027486dfe20be6259bf9287713f7744b120f282589
```

### Symmetric algorithms: enc

#### help

```
$ openssl enc -help
Usage: enc [options]

General options:
 -help               Display this summary
 -list               List ciphers
 -ciphers            Alias for -list
 -e                  Encrypt
 -d                  Decrypt
 -p                  Print the iv/key
 -P                  Print the iv/key and exit
 -engine val         Use engine, possibly a hardware device

Input options:
 -in infile          Input file
 -k val              Passphrase
 -kfile infile       Read passphrase from file

Output options:
 -out outfile        Output file
 -pass val           Passphrase source
 -v                  Verbose output
 -a                  Base64 encode/decode, depending on encryption flag
 -base64             Same as option -a
 -A                  Used with -[base64|a] to specify base64 buffer as a single line

Encryption options:
 -nopad              Disable standard block padding
 -salt               Use salt in the KDF (default)
 -nosalt             Do not use salt in the KDF
 -debug              Print debug info
 -bufsize val        Buffer size
 -K val              Raw key, in hex
 -S val              Salt, in hex
 -iv val             IV in hex
 -md val             Use specified digest to create a key from the passphrase
 -iter +int          Specify the iteration count and force use of PBKDF2
 -pbkdf2             Use password-based key derivation function 2
 -none               Don't encrypt
 -*                  Any supported cipher

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms
```

#### Encryption and decryption

```
$ openssl sm4-cbc -K "2851fa25211a48023794ae9515909603" -iv "da80e405a4998c351b0717093cbe86ab" -in ljp.txt -out ljp.enc
$ openssl sm4-cbc -d -K "2851fa25211a48023794ae9515909603" -iv "da80e405a4998c351b0717093cbe86ab" -in ljp.enc -out ljp2.txt
$ diff ljp.txt ljp2.txt
```

### Asymmetric algorithms

#### RSA (Rivest-Shamir-Adleman)

**Overview:** RSA is one of the most widely used asymmetric encryption algorithms. It is mainly used for data encryption and digital signatures.

**Related commands:**

Generate an RSA key:

```bash
openssl genpkey -algorithm RSA -out private_key.pem
```

Extract the public key from the private key:

```bash
openssl rsa -pubout -in private_key.pem -out public_key.pem
```

Encrypt and decrypt (`rsautl` is deprecated since OpenSSL 3.0 in favour of `pkeyutl`).

Encrypt:

```bash
openssl rsautl -encrypt -inkey public_key.pem -pubin -in plaintext.txt -out encrypted.bin
```

Decrypt:

```bash
openssl rsautl -decrypt -inkey private_key.pem -in encrypted.bin -out decrypted.txt
```

Sign and verify.

Sign:

```bash
openssl dgst -sha256 -sign private_key.pem -out signature.sig file.txt
```

Verify:

```bash
openssl dgst -sha256 -verify public_key.pem -signature signature.sig file.txt
```

#### SM2

SM2 is an elliptic-curve public-key cryptographic algorithm specified by China's State Cryptography Administration. It is mainly used for digital signatures, key exchange and public-key encryption, and is part of China's national cryptographic standards. The SM2 algorithm is based on elliptic-curve cryptography and provides secure public-key encryption and signature mechanisms.

OpenSSL has supported SM2 since version 1.1.1. The basic steps for working with SM2 in OpenSSL are:

1. Generate an SM2 key pair

   To generate an SM2 key pair (private key and public key):

   ```bash
   openssl ecparam -genkey -name SM2 -out private_key.pem
   ```

2. Extract the public key

   Extract the public key from the generated private key:

   ```bash
   openssl ec -in private_key.pem -pubout -out public_key.pem
   ```

3. Sign with SM2

   Sign a file with the generated SM2 private key:

   ```bash
   openssl pkeyutl -sign -inkey private_key.pem -in file.txt -rawin -digest sm3 -pkeyopt distid:1234567812345678 -out signature.sig
   ```

   In this example, the `distid` value passed with `-pkeyopt` specifies the SM2 distinguishing identifier string. It is optional when signing, but usually has to be supplied during verification. `-rawin -digest sm3` makes `pkeyutl` hash the file itself and requires OpenSSL 3.0 or later.

4. Verify an SM2 signature

   Verify the signature with the corresponding public key:

   ```bash
   openssl pkeyutl -verify -inkey public_key.pem -pubin -in file.txt -rawin -digest sm3 -pkeyopt distid:1234567812345678 -sigfile signature.sig
   ```

5. Encrypt with SM2

   Encrypt data with the public key:

   ```bash
   openssl pkeyutl -encrypt -pubin -inkey public_key.pem -in plaintext.txt -out encrypted.bin
   ```

6. Decrypt with SM2

   Decrypt data with the private key:

   ```bash
   openssl pkeyutl -decrypt -inkey private_key.pem -in encrypted.bin -out decrypted.txt
   ```

**Notes**

- **SM2 specification:** SM2 is a cryptographic algorithm standard designed specifically for the Chinese market. Make sure the environment and devices in use support SM2 and comply with the relevant standards.
- **Version support:** Make sure the OpenSSL version is 1.1.1 or later; only those versions support SM2 natively.
- **SM2 ID:** During signing and verification, `-pkeyopt distid:` specifies the string that identifies the signer (it can be thought of as a kind of context data). Some application scenarios require it.

With these commands you can use OpenSSL for SM2 encryption and signing tasks. Each time, make sure the keys are kept secure and the environment is securely configured, to prevent potential security risks.

### Other signature algorithms

#### DSA (Digital Signature Algorithm)

**Overview:** DSA is used only for digital signatures, not for data encryption.

**Related commands:**

Generate DSA parameters and a key:

```bash
openssl dsaparam -genkey -out private_dsa.pem 2048
```

Extract the public key from the private key:

```bash
openssl dsa -pubout -in private_dsa.pem -out public_dsa.pem
```

Sign:

```bash
openssl dgst -sha256 -sign private_dsa.pem -out signature.dss file.txt
```

Verify:

```bash
openssl dgst -sha256 -verify public_dsa.pem -signature signature.dss file.txt
```

#### ECDSA (Elliptic Curve Digital Signature Algorithm)

**Overview:** ECDSA is an elliptic-curve signature algorithm that provides security comparable to RSA with shorter keys.

**Related commands:**

Generate an ECDSA private key:

```bash
openssl ecparam -genkey -name secp256r1 -out private_ecdsa.pem
```

Extract the public key from the private key:

```bash
openssl ec -pubout -in private_ecdsa.pem -out public_ecdsa.pem
```

Sign:

```bash
openssl dgst -sha256 -sign private_ecdsa.pem -out signature.ecdsa file.txt
```

Verify:

```bash
openssl dgst -sha256 -verify public_ecdsa.pem -signature signature.ecdsa file.txt
```

#### EdDSA (Edwards-curve Digital Signature Algorithm)

**Overview:** EdDSA is a modern, efficient digital signature algorithm that supports curves such as Ed25519.

**Related commands:**

Generate an EdDSA key:

```bash
openssl genpkey -algorithm ed25519 -out private_eddsa.pem
```

Extract the public key from the private key:

```bash
openssl pkey -pubout -in private_eddsa.pem -out public_eddsa.pem
```

Sign:

```bash
openssl pkeyutl -sign -inkey private_eddsa.pem -out signature.eddsa -rawin -in file.txt
```

Verify:

```bash
openssl pkeyutl -verify -pubin -inkey public_eddsa.pem -sigfile signature.eddsa -rawin -in file.txt
```

These commands cover key generation, encryption, decryption, signing and verification, which together form the basic workflow for asymmetric cryptography with OpenSSL. From a security standpoint, storing and managing keys securely is essential.

### Other commands

```
$ openssl list -commands
asn1parse         ca                ciphers           cmp
cms               crl               crl2pkcs7         dgst
dhparam           dsa               dsaparam          ec
ecparam           enc               engine            errstr
fipsinstall       gendsa            genpkey           genrsa
help              info              kdf               list
mac               nseq              ocsp              passwd
pkcs12            pkcs7             pkcs8             pkey
pkeyparam         pkeyutl           prime             rand
rehash            req               rsa               rsautl
s_client          s_server          s_time            sess_id
smime             speed             spkac             srp
storeutl          ts                verify            version
x509
```