Userland Cryptography on OpenSolaris
Posted on October 27, 2007
OpenSSL is the old standby solution for all things encryption, but did you know that Solaris provides an excellent array of userland tools to solve your cryptographic cypherpunk needs?
There are 3 we’ll look at which provide the most basic cryptographic needs:
- encrypt & decrypt: This pair of tools encrypt and decrypt a stream or file
- mac: Calculate cryptographic Message Authentication Codes (MACs) for a stream or file
- digest: Calculate digests (“checksums”) of a stream of file
Encrypt & Decrypt
The encrypt and decrypt tools do what the name suggests. Run them with the -l flag to list the available ciphers:
benr@aeon ~$ encrypt -l Algorithm Keysize: Min Max (bits) ------------------------------------------ aes 128 256 arcfour 8 2048 des 64 64 3des 192 192
Give it a file or a stream and a key (remember, a password is a key, no magic here) and your off:
benr@aeon tmp$ encrypt -a aes -i testfile -o testfile.encrypted Enter key: <-- entered "this is my key" benr@aeon tmp$ cat testfile.encrypted èk»¯mÞ©¦p'T ÕWp³#÷d¯HÇø7ìâtìtÆ@ßÒÉÇnwu¾VUuÈÓW benr@aeon tmp$ decrypt -a aes -i testfile.encrypted Enter key: <-- entered "this is my key" This is a plaintext file.
Easy as that, if you do not supply in or out files standard in/out are used. Need to exchange some super secret files to a friend? Why not tar them up, encrypt them, send them via email and then call your buddy with the string you used for the key. The longer and more whacky the string/key the better.
If your wondering what ARCFOUR is, its more commonly known as RC4, a good algorithm but not recommended for sensitive data encryption. Read up on Wikipedia for more on RC4.
MAC's are used for integrity checking. They are cryptographic checksums that validate that the data was in fact sent by the person you think it was. This is done by using a key just like encryption or decryption:
benr@aeon tmp$ mac -l Algorithm Keysize: Min Max (bits) ------------------------------------------ des_mac 64 64 sha1_hmac 8 512 md5_hmac 8 512 sha256_hmac 8 512 sha384_hmac 8 1024 sha512_hmac 8 1024 benr@aeon tmp$ mac -a sha256_hmac testfile Enter key: <--- Entered "this is my mac key" b49ddab17cb32eca448eb1abf977b7cacdf9e3435e558883a5a6300cd7205307 benr@aeon tmp$ mac -a sha256_hmac testfile Enter key: <--- Entered "this is not my mac key" 1bbcd4b28aa38097b6b6f8adb49aa111be0aebf109b6d5568de6fa64e98f2822 benr@aeon tmp$ mac -a sha256_hmac testfile Enter key: <--- Entered "this is my mac key" b49ddab17cb32eca448eb1abf977b7cacdf9e3435e558883a5a6300cd7205307
So above you can see the list of MAC's available and an example of how to use the tool, notice that if you insert the wrong password/key you get a different checksum, this is the power of MACs.
Everyone should be familiar with digests, namely MD5 Checksums commonly used to verify downloaded files. On Linux or other platforms the md5sum tool is commonly used, elsewhere OpenSSL is used (openssl digest ...), but Solaris provides a tool with a verity of handy digest algorithms:
benr@aeon tmp$ digest -l sha1 md5 sha256 sha384 sha512 benr@aeon tmp$ digest -a sha256 testfile 88b84e9fc0ddaed0f41a7010a59662c75dd65b6c100ead82a14415d0e78c2ca2
Quick, easy to use, and a verity of algorithms easier to use than OpenSSL's syntax I think.
Handy huh? With these tools you can have lots of fun.. secure those IRS return PDF's, hide that ummmm "sensitive" data, or combine with other tools to add encryption capability like we will in my next post!