Mastering Encryption: From Basics to OpenSSL PKI Implementation

This article explains the fundamentals of encryption, symmetric and asymmetric cryptography, digital certificates, PKI, and provides step‑by‑step guidance on using OpenSSL to generate keys, create a private CA, issue and revoke certificates for secure data transmission.

MaGe Linux Operations

Introduction

The rapid growth of the Internet has excited both enterprises and consumers, but the security of transmitting confidential information remains a major concern. Encryption technology, long used in warfare, commerce, and data exchange, is now essential for modern e‑commerce and network communications.

Basic Concepts

Encryption converts readable text (plaintext) into unreadable ciphertext using an algorithm and a key, protecting data from unauthorized access.

Decryption restores ciphertext to its original plaintext.

Most cryptographic systems are either symmetric (the same key encrypts and decrypts) or asymmetric (a public key encrypts, a private key decrypts). Common symmetric algorithms include DES, 3DES, AES, and DH. Asymmetric algorithms include RSA, DSA, and ElGamal, which rely on a key pair (public and private keys).

Encryption Transmission Principles

Secure email requires both parties to possess a public‑private key pair. The sender encrypts the message with the recipient’s public key, ensuring confidentiality, and signs the message with their private key to guarantee authenticity.

Digital certificates, issued by a Certificate Authority (CA), bind a public key to an identity, enabling verification of the sender’s authenticity and ensuring data integrity, confidentiality, and non‑repudiation.

Public Key Infrastructure (PKI)

PKI provides the framework for managing digital certificates and keys. The CA issues certificates, maintains a Certificate Revocation List (CRL), and validates identities. Digital certificates are widely used in secure email, e‑commerce, online banking, and other internet services.

OpenSSL Basic Usage

OpenSSL is a powerful cryptographic library used for SSL/TLS, SSH, and certificate management. Its components include a cryptographic algorithm library, SSL/TLS protocol library, and various utilities.

Common commands:

Check the installation:

# rpm -ql openssl

Encrypt a file:

# openssl enc -e -des3 -salt -in messages -out messages.enc

Decrypt a file:

# openssl enc -d -des3 -in messages.enc -out messages.dec

Generate a password hash:

# openssl passwd -1 -salt mysalt mypassword

Generate random data:

# openssl rand -base64 4

Generate a private key:

# openssl genrsa -out private.key 2048
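The encrypt/decrypt round trip above, written as shell functions so it can be checked rather than eyeballed; this is an added example, not the article's commands. The article's des3 invocation sits beside a hardened form (AES-256-CBC with PBKDF2 key derivation), and the passphrase is read from a file whose path is passed as the third argument instead of being typed at a prompt; file names, the sample message and the iteration count are constructed for the example.

```sh
# Added example (not the article's commands): the enc round trip above as functions, the article's
# des3 form beside a hardened one. Passphrase comes from a file ($3) so it stays out of ps and history.
set -eu

# Article's form: 3DES, key derived from the passphrase with the old single-pass EVP_BytesToKey
# scheme (OpenSSL >= 1.1.1 prints "deprecated key derivation used" on stderr for this)
enc_legacy() { openssl enc -e -des3 -salt -pass "file:$3" -in "$1" -out "$2" 2>/dev/null; }
dec_legacy() { openssl enc -d -des3 -pass "file:$3" -in "$1" -out "$2" 2>/dev/null; }

# Hardened form: AES-256-CBC with PBKDF2 (200000 iterations); the salt is stored in the output
# header, so decryption only needs the same passphrase and iteration count
enc_modern() { openssl enc -e -aes-256-cbc -salt -pbkdf2 -iter 200000 -pass "file:$3" -in "$1" -out "$2"; }
dec_modern() { openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$3" -in "$1" -out "$2"; }

# Encrypt, decrypt and return 0 only if the plaintext came back byte-for-byte.
# $1 = encrypt function, $2 = decrypt function, $3 = passphrase file
# CBC with PKCS#7 padding authenticates nothing: about 1 wrong passphrase in 256 decrypts to
# garbage with exit status 0, so the content comparison is what actually proves the round trip.
roundtrip() {
  work=$(mktemp -d)
  printf 'constructed sample message\n' > "$work/messages"
  "$1" "$work/messages" "$work/messages.enc" "$3"
  "$2" "$work/messages.enc" "$work/messages.dec" "$3"
  cmp -s "$work/messages" "$work/messages.dec"
}
```

Call `roundtrip enc_legacy dec_legacy /path/to/passfile` or `roundtrip enc_modern dec_modern /path/to/passfile`; both return 0 on success, and the legacy pair is only there to show what the article's command does under the hood.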

Building a Private CA

1. Create a private key for the CA:

# openssl genrsa -out /etc/pki/CA/private/ca.key 2048

2. Generate a self‑signed CA certificate:

# openssl req -new -x509 -key /etc/pki/CA/private/ca.key -out /etc/pki/CA/certs/ca.crt -days 3650

3. Prepare the CA directory structure (create index.txt and serial files):

# touch /etc/pki/CA/{index.txt,serial}
# echo "01" > /etc/pki/CA/serial

4. Issue a certificate for an HTTP server:

# openssl genrsa -out server.key 2048    # the server's own private key; generated on the server and never leaves it
# openssl req -new -key server.key -out server.csr
# openssl ca -in server.csr -out server.crt -days 365

5. Verify the issued certificate:

# openssl x509 -in server.crt -noout -subject
# openssl x509 -in server.crt -noout -serial

Revoking Certificates

1. Create the CRL number file if it does not exist:

# touch /etc/pki/CA/crlnumber
# echo "01" > /etc/pki/CA/crlnumber

2. Revoke a certificate:

# openssl ca -revoke /etc/pki/CA/newcerts/01.pem

3. Generate an updated CRL:

# cd /etc/pki/CA/crl
# openssl ca -gencrl -out thisca.crl

4. View revocation information (index.txt will show status changes from V to R).
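The two procedures above (building the CA and issuing a certificate, then revoking it and publishing a CRL) run end to end, as an added example that is not part of the original article. It works in a throwaway directory with its own minimal openssl.cnf instead of /etc/pki/CA and the system config, so nothing on the machine is modified; the CA:TRUE constraint is added with `req -addext` rather than a config `x509_extensions` section, and the "Demo Root CA" subject, file names and hostname argument are constructed for the example.

```sh
# Added example (not the article's commands): the CA lifecycle above in a throwaway directory
# instead of /etc/pki/CA. File names and the "Demo Root CA" subject are constructed; hostname is $1.
set -eu

demo_ca_setup() {
  CADIR=$(mktemp -d) && cd "$CADIR"
  mkdir -p private newcerts crl && chmod 700 private    # nobody else may read the CA key
  touch index.txt && echo 01 > serial && echo 01 > crlnumber
  # Minimal config standing in for the [ CA_default ] section of the system openssl.cnf
  cat > openssl.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/private/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl genrsa -out private/ca.key 2048 2>/dev/null
  openssl req -new -x509 -config openssl.cnf -key private/ca.key -subj "/CN=Demo Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" -days 3650 -out ca.crt
}

# Issue a certificate for hostname $1; -batch answers the "Sign the certificate?" prompts
demo_issue() {
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -config openssl.cnf -key server.key -subj "/CN=$1" -out server.csr
  openssl ca -config openssl.cnf -batch -notext -in server.csr -out server.crt 2>/dev/null
}
# Revoke the issued certificate and publish a fresh CRL (the index.txt entry flips V -> R)
demo_revoke() {
  openssl ca -config openssl.cnf -revoke server.crt 2>/dev/null
  openssl ca -config openssl.cnf -gencrl -out crl/ca.crl 2>/dev/null
}
# A plain chain check still passes after revocation; only -crl_check consults the CRL
demo_verify()     { openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1; }
demo_verify_crl() { openssl verify -CAfile ca.crt -CRLfile crl/ca.crl -crl_check server.crt >/dev/null 2>&1; }
demo_status()     { cut -c1 index.txt; }    # V = valid, R = revoked
```

Call `demo_ca_setup`, `demo_issue www.example.test`, `demo_verify`, `demo_revoke` and `demo_verify_crl` in that order: the last one exits non-zero with "certificate revoked" while `demo_verify` still succeeds, which is the operational point of step 4 above: a relying party that never fetches the CRL never learns of the revocation.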

Conclusion

The above steps outline the fundamentals of encryption, the role of PKI, and practical OpenSSL commands for creating a private CA, issuing certificates, and managing revocation, providing a solid foundation for secure communications.
