Rodney Thayer 2
Contents
• Standards
• Protocols
• OpenSSL as a Tool
• OpenSSL as PKI Tool
• OpenSSL as PKI Subsystem
Introduction
• Open source OpenSSL (formerly SSLeay)
• Implements IETF TLS and Netscape's SSL 2 and 3
• Processes public-key certificates (for PKI)
Standards
• Algorithms: RSA, DSA, MD5, SHA-1
• RFC 2459 (PKIX); X.509
• DER and PEM
• PKI standard features: roots, CRLs, OCSP
• PKCS #7, #1, #10
Protocols
• TLS and SSL, using certificates
• S/MIME
• IPsec for VPNs
OpenSSL as a Tool
‘openssl’ - the program
• apps/ directory
• commands for TLS tests
• commands for crypto
• commands for cert processing
• uses simple keystore
• uses DER and PEM format certificates
Standard commands
asn1parse ca ciphers crl crl2pkcs7 dgst dh dhparam dsa dsaparam enc errstr gendh gendsa genrsa nseq passwd pkcs12 pkcs7 pkcs8 rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac verify version x509
Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 mdc2 rmd160 sha sha1
Cipher commands (see the `enc' command for more details)
base64 bf bf-cbc bf-cfb bf-ecb bf-ofb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb
OpenSSL as a PKI Tool
‘openssl’ commands
• asn1parse
• ca
• crl
• crl2pkcs7
• dsaparam
‘openssl’ commands (cont.)
• pkcs7
• req
• x509
OpenSSL as a Subsystem
• Builds to a library
• API for certificate processing
• API for underlying crypto operations
• Used by TLS/SSL and by the ‘openssl’ application
Subsystem Uses
• TLS and SSL
• S/MIME
• OpenSSH
• GPKCS
• Embedded systems
API Calls for Cert Request
• See apps/req.c
• 1. Make key pair
• 2. Configure certificate request
• 3. Sign certificate request
• 4. Output as DER or PEM
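The four steps above, carried out with the ‘openssl’ tool rather than through the library calls in apps/req.c, as an added example that is not part of the slides or of OpenSSL itself. The scratch-directory layout, the config-file layout and the name "example.test" are constructed for the demonstration; a check that a CA would run before accepting the request is included.

```shell
#!/bin/sh
# Added example, not from the slides or from OpenSSL: the four steps of a
# certificate request done with the `openssl` tool. Directory layout and the
# subject name are assumptions; "example.test" is a constructed value.

make_csr() {
    dir="$1"   # scratch directory, created by the caller
    cn="$2"    # subject CommonName, also used as the DNS SAN

    # 1. Make key pair (2048-bit RSA, stored unencrypted for the demo).
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null

    # 2. Configure the request: prompt=no takes the DN fields as given;
    #    the extension section asks for a subjectAltName in the PKCS#10.
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
req_extensions = ext
[ dn ]
CN = $cn
O = Constructed Example
[ ext ]
subjectAltName = DNS:$cn
EOF

    # 3. Sign the request with the private key (proof of possession).
    openssl req -new -config "$dir/req.cnf" -key "$dir/key.pem" \
        -out "$dir/req.pem" 2>/dev/null

    # 4. Output as DER or PEM: PEM is above, write the DER form as well.
    openssl req -in "$dir/req.pem" -outform DER -out "$dir/req.der" 2>/dev/null
}

# CA-side check before accepting a request: the self-signature must verify
# and the public key inside must be the one belonging to key.pem.
verify_csr() {
    dir="$1"
    openssl req -in "$dir/req.der" -inform DER -verify -noout 2>/dev/null || return 1
    key_pub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null)
    req_pub=$(openssl req -in "$dir/req.pem" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$req_pub" ]
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
    make_csr "$tmp" "example.test"
    verify_csr "$tmp" && echo "request OK"
    openssl req -in "$tmp/req.pem" -noout -subject -text | head -n 12
fi
```

Run with `--demo` to see the subject and the start of the decoded request; the same PEM and DER files can be fed to `openssl asn1parse` to follow the PKCS #10 structure field by field.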
Architecture (diagram): the Application sits on top of OpenSSL, which provides Certificate Processing and Cryptographic Processing, backed by a Certificate Store, a Key Store and optional Hardware Acceleration.
Conclusion
• General purpose cryptographic tool
• Provides PKI processing
• Out of the box support for standards
• Published API
• Definitely product-grade solution
Contact Info
Rodney Thayer
The Tillerman Group
http://www.pkiclue.com/presentations