Thanks Dave, Eric and jeffrey. I would truly be lost without your help!
:confused:
Im not sure how I would be able to encode/decode files before transmission
Dave. Would it be possible to encode them using OAEP before transmission?
I am an novice and Im not 2 sure how I can utilise your advice you have
given me correctly. So below is my step by step process I would personally
use to create a key and certificate file for use in apache2. How could these
steps be modified to include encryption using more secure padding (OAEP if
possible)? I want to if possible encrypt the connection without the hassle
of encrypting files then transmitting them. PS I am using Linux/Ubuntu as my
operating system
If this is not a feasible solution then I shall stand corrected. If so I
would need help to know how to encrypt selected files.
Again thanks in advance for any feedback I receive from you.
******************************************************************************************************************************************
// Build Self CA key
1.
sudo openssl genrsa -des3 -out ca.key 1024
// Build Self CA certificate . Note [x] is the duration of days you wish
your CA certificate to last.
2.
sudo openssl req -new -x509 -days [x] -key ca.key -out ca.crt
// One Key file = ca.key | One certificate file = ca.crt
* Enter Country Code
* Enter Region
* Enter City
* Enter Organisation Name
* Enter Section
* Enter Common Name + "CA"
* Enter Email Address
* Enter Passphrase
// Build SSL Server key
3.
sudo openssl genrsa -des3 -out server.key 1024
// Build SSL Server certificate. Note - IT IS IMPORTANT YOU REMEMBER YOUR
PASSPHRASE CREATED IN STEPS 2 AND 4.
4.
sudo openssl req -new -key server.key -out server.csr
// One Key file = server.key | One certificate file = server.crt
* Enter Country Code
* Enter Region
* Enter City
* Enter Organisation Name
* Enter Section
* Enter Common Name + "CA"
* Enter Email Address
* Enter Passphrase
* Enter Organisation Name
//
5.
sudo openssl x509 -req -days [x] -in server.csr -CA ca.crt -CAkey ca.key
-set_serial 01 -out server.crt
// Enable SSL Module
6.
sudo a2enmod ssl
******************************************************************************************************************************************
Eric S. Eberhard-2 wrote:
>
> I would point out in that last approach -- encrypting and sending un
> secure (which is a good idea in many cases) does have a few
> considerations. If the data is sensitive (like magnetic strip data
> from a credit card) this is completely NOT ALLOWED. PCI and PA-DSS
> won't allow it to hit the disk. If you do hit the disk and you care
> about security on either end, you also need a secure delete
> program. Simply deleting a file does not remove the data from the
> disk. It takes about 5 lines of C to make a secure delete which if
> anyone likes I can give them.
>
> Eric
>
>
> At 08:44 PM 6/6/2011, Dave Thompson wrote:
>> > From: [email protected] On Behalf Of greenelephant
>> > Sent: Sunday, 05 June, 2011 05:20
>>
>> > Thanks for the reply Dave. I am grateful for your advice. I
>> > am a novice as you have probably gathered.
>> > If I am not wrong in my judgement you seem to have some expertise on
>> > cryptology.
>>
>>Some, not a whole lot.
>>
>> > I have stated SSL in my first post that I would like help
>> > with as you know.
>> > But with your expertise is there a better solution to use
>> > except SSL in
>> > terms of security using openssl?
>>
>>SSL/TLS (preferably the newest version supported, today
>>usually TLS 1.1 or maybe 1.2) is a good general solution
>>for security of Internet endpoint communication
>>(particularly, but not only, web traffic using HTTPS).
>>OpenSSL is a good implementation of SSL/TLS, plus some
>>related (crypto) functionality, but not the only one;
>>any other conforming and well-tested implementation
>>available to you should be fine. For examples, Java
>>includes its own SSL/TLS implementation (for Java),
>>and I understand dot-NET does (for C#, VB, etc.)
>>
>>There are other protocols that may be better in specific
>>situations (e.g. SSH as below) or necessary (e.g. IPsec
>>and DNSsec are done at a level below where SSL can work).
>>
>> > Also is SSL an ideal security solution for secured FTP
>> > transmissions using
>> > the openssl module to enable me to subvert any efforts to
>> > sabotage or breach
>> > security perpetrated by intruders or hackers using the
>> > methods of attacks
>> > (side channeling for instance) previously mentioned?
>>
>>FTP over SSL (FTPS) is a secure means of file transfer,
>>if supported by both your server(s) and your client(s),
>>which in my experience is not very common. When it is
>>supported, the server and client code determines what
>>module is used; it might be OpenSSL or something else.
>>
>>Another good and in my experience more common method
>>of securing file transfer is SFTP, part of the SSH
>>protocol suite. The crypto used in SSH is generally
>>similar (though not identical) to SSL/TLS, and in fact
>>the most widespread implementation OpenSSH uses libcrypto
>>from OpenSSL, but the trust model is different (simpler).
>>Instead of creating and verifying certificates, SSH
>>requires you to manually verify a key fingerprint on
>>the first connection between a given client and server
>>(or else manually pre-transfer the encoded publickey).
>>This isn't very good for communications with strangers
>>(like sites you found on Google), but works okay for
>>people that already have some contact (like your friends,
>>customers of your company, etc).
>>
>>Another approach is to secure the files themselves,
>>rather than just the transfer. That is, encrypt and
>>perhaps sign the files when (or before) they are
>>placed on the sending system(s), transfer them
>>using plain FTP or HTTP or other, and decrypt and
>>perhaps verify them on the receiving system(s).
>>
>>
>>
>>______________________________________________________________________
>>OpenSSL Project http://www.openssl.org
>>User Support Mailing List [email protected]
>>Automated List Manager [email protected]
>
>
> Eric S. Eberhard
> (928) 567-3727 Voice
> (928) 567-6122 Fax
> (928) 301-7537 Cell
>
> Vertical Integrated Computer Systems, LLC
> Metropolis Support, LLC
>
> For Metropolis support and VICS MBA Support!!!! http://www.vicsmba.com
>
> Pictures of Snake in Spring
>
> http://www.facebook.com/album.php?aid=115547&id=1409661701&l=1c375e1f49
>
> Pictures of Camp Verde
>
> http://www.facebook.com/album.php?aid=12771&id=1409661701&l=fc0e0a2bcf
>
> Pictures of Land Cruiser in Sedona
>
> http://www.facebook.com/album.php?aid=50953&id=1409661701
>
> Pictures of Flagstaff area near our cabin
>
> http://www.facebook.com/album.php?aid=12750&id=1409661701
>
> Pictures of Cheryl in a Horse Show
>
> http://www.facebook.com/album.php?aid=32484&id=1409661701
>
>
> Pictures of the AZ Desert
>
> http://www.facebook.com/album.php?aid=58827&id=1409661701
>
> (You can see why we love this state :-) )
>
>
>
>
>
>
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [email protected]
> Automated List Manager [email protected]
>
>
--
View this message in context:
http://old.nabble.com/Using-PCKS-Padding-in-OpenSSL-tp31728673p31829449.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
