Welcome!

Microservices Expo Authors: Pat Romanski, Christoph Schell, Elizabeth White, Matt Brickey, Liz McMillan

Related Topics: Cloud Security, Linux Containers, Open Source Cloud

Cloud Security: Tutorial

Tutorial: OpenSSL Command

A solution to many of your security requirements

The OpenSSL is based on SSLeay library developed by Eric A. Young and Tim J. Hudson and licensed under an Apache-style license. OpenSSL has lots of features but I will cover encoding, checksums, encryption, passwords and pass phrases.

Many Linux distributions have OpenSSL as part of the bundled packages and is most likely located in /usr/bin. To find it on your system type:

$ which openssl
/usr/bin/openssl
$ openssl version

OpenSSL 1.0.0a 1 Jun 2010

Versions may vary and currently openssl-1.0.0d Feb 8 is the current version. Most of the examples that are found in this document should work on most versions.

Base64 encoding and decoding can be performed alone or used in conjunction with encryption and decryption. Below we are encoding a file with base64:

$ openssl base64 -in text.txt -out text.3634

Now we are decoding it:

$ openssl base64 -d -in text.3634 -out text.txt

File name extensions are not relevant to OpenSSL and you can drop them.

Encryptions
Encrypt a file with any of the available ciphers:

$ openssl list-cipher-commands

This will list a number of ciphers to use. Now let's encrypt the file using triple DES in CBC “Cipher Block Chaining” mode using a prompted password:

$ openssl des3 -salt -in recept.pdf -out recept.des3

prompted for a password enter it twice. To decrypt the file using the supplied password

$ openssl des3 -d -salt -in recept.des3 -out recept.pdf -k password

enter des-ede3-cbc encryption password:

Verifying – enter des-ede3-cbc encryption password:

You can encrypt a file then base64 encode it using Blowfish in CBC mode using the following comamnd:

$ openssl bf -a -salt -in recept.pdf -out recept.bf

enter bf-cbc encryption password:

Verifying – enter bf-cbc encryption password:

Again the file extensions are not relevant and if you open the file with a gedit it will be a bunch of characters. OpenSSL won't manage the files and file extensions for you, you must specify where you want the outgoing data written. The reason to encrypt then encode and not the other way around is you want to have random data to encrypt and when you encode you are left with no random data. To decrypt us the following command:

$ openssl bf -d -salt -a -in recept001.bf -out recept001.pdf

enter bf-cbc decryption password:

Have strong password is important but like many discover its also difficult to maintain password different for many devices. The goal with password is to make a secret that you can remember but someone else wont know and cant guess. You can generate pass phrases with OpenSSL using this command:

$ openssl rand 20 -base64

This generates a random character that is 20 binary bytes with base64 encoding for a total of 28 characters.

Shadow-style password hash
OpenSSL has the ability for creating encrypted Linux passwords exactly like those make by /bin/passwd. Just enter in the following command:

$ openssl passwd -1 enter-in-text
$1$Av0HxLID$WLFyqVyjJOtqnYfVufpCw0

Every time you enter the above it will produce a different hash, your hash will be different except for the $1$ in front. You can make a hash of your password that you choose without outputting the result to the screen like so:

$ openssl passwd -1

Password:

Verifying – Password

Checksums
A checksum is a way of ensuring that data has not been corrupted, either accidentally or maliciously. OpenSSL uses md5 but the MD5 algorithm suffers from vulnerabilities and should not be used anymore. Instead use the more secure sha1sum (see Figure 1).

Figure 1

Notice the difference in hash output lengths.

OpenSSL is FIPS 140-2 Level 1 validation and is available for government cryptography. The FIPS 140-2 User Guide is available here updated November 21, 2009. This tool is available for use in the enterprise and with a little administration can provide a solution to many of your security requirements.

Let pbnetworks get your pen-test on target

Visit us and learn how http://pbnetworks.net

How secure is your network?

More Stories By David Dodd

David J. Dodd is currently in the United States and holds a current 'Top Secret' DoD Clearance and is available for consulting on various Information Assurance projects. A former U.S. Marine with Avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference and SDISSA, is a member of InfraGard, and contributes to Secure our eCity http://securingourecity.org. He works for Xerox as Information Security Officer City of San Diego & pbnetworks Inc. http://pbnetworks.net a Service Disabled Veteran Owned Small Business (SDVOSB) located in San Diego, CA and can be contacted by emailing: dave at pbnetworks.net.

@MicroservicesExpo Stories
"At the keynote this morning we spoke about the value proposition of Nutanix, of having a DevOps culture and a mindset, and the business outcomes of achieving agility and scale, which everybody here is trying to accomplish," noted Mark Lavi, DevOps Solution Architect at Nutanix, in this SYS-CON.tv interview at @DevOpsSummit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
If you read a lot of business and technology publications, you might think public clouds are universally preferred over all other cloud options. To be sure, the numbers posted by Amazon Web Services (AWS) and Microsoft’s Azure platform are nothing short of impressive. Statistics reveal that public clouds are growing faster than private clouds and analysts at IDC predict that public cloud growth will be 3 times that of private clouds by 2019.
"Outscale was founded in 2010, is based in France, is a strategic partner to Dassault Systémes and has done quite a bit of work with divisions of Dassault," explained Jackie Funk, Digital Marketing exec at Outscale, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
From personal care products to groceries and movies on demand, cloud-based subscriptions are fulfilling the needs of consumers across an array of market sectors. Nowhere is this shift to subscription services more evident than in the technology sector. By adopting an Everything-as-a-Service (XaaS) delivery model, companies are able to tailor their computing environments to shape the experiences they want for customers as well as their workforce.
"We focus on SAP workloads because they are among the most powerful but somewhat challenging workloads out there to take into public cloud," explained Swen Conrad, CEO of Ocean9, Inc., in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"DivvyCloud as a company set out to help customers automate solutions to the most common cloud problems," noted Jeremy Snyder, VP of Business Development at DivvyCloud, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I think DevOps is now a rambunctious teenager – it’s starting to get a mind of its own, wanting to get its own things but it still needs some adult supervision," explained Thomas Hooker, VP of marketing at CollabNet, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, provided a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services with...
There is a huge demand for responsive, real-time mobile and web experiences, but current architectural patterns do not easily accommodate applications that respond to events in real time. Common solutions using message queues or HTTP long-polling quickly lead to resiliency, scalability and development velocity challenges. In his session at 21st Cloud Expo, Ryland Degnan, a Senior Software Engineer on the Netflix Edge Platform team, will discuss how by leveraging a reactive stream-based protocol,...
DevOps at Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to w...
For over a decade, Application Programming Interface or APIs have been used to exchange data between multiple platforms. From social media to news and media sites, most websites depend on APIs to provide a dynamic and real-time digital experience. APIs have made its way into almost every device and service available today and it continues to spur innovations in every field of technology. There are multiple programming languages used to build and run applications in the online world. And just li...
If you are thinking about moving applications off a mainframe and over to open systems and the cloud, consider these guidelines to prioritize what to move and what to eliminate. On the surface, mainframe architecture seems relatively simple: A centrally located computer processes data through an input/output subsystem and stores its computations in memory. At the other end of the mainframe are printers and terminals that communicate with the mainframe through protocols. For all of its appare...
"Peak 10 is a hybrid infrastructure provider across the nation. We are in the thick of things when it comes to hybrid IT," explained Michael Fuhrman, Chief Technology Officer at Peak 10, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Data reduction delivers compelling cost reduction that substantially improves the business case in every cloud deployment model. No matter which cloud approach you choose, the cost savings benefits from data reduction should not be ignored and must be a component of your cloud strategy. IT professionals are finding that the future of IT infrastructure lies in the cloud. Data reduction technologies enable clouds — public, private, and hybrid — to deliver business agility and elasticity at the lo...
"As we've gone out into the public cloud we've seen that over time we may have lost a few things - we've lost control, we've given up cost to a certain extent, and then security, flexibility," explained Steve Conner, VP of Sales at Cloudistics,in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I will be talking about ChatOps and ChatOps as a way to solve some problems in the DevOps space," explained Himanshu Chhetri, CTO of Addteq, in this SYS-CON.tv interview at @DevOpsSummit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In their Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, and Mark Lav...
"NetApp's vision is how we help organizations manage data - delivering the right data in the right place, in the right time, to the people who need it, and doing it agnostic to what the platform is," explained Josh Atwell, Developer Advocate for NetApp, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Five years ago development was seen as a dead-end career, now it’s anything but – with an explosion in mobile and IoT initiatives increasing the demand for skilled engineers. But apart from having a ready supply of great coders, what constitutes true ‘DevOps Royalty’? It’ll be the ability to craft resilient architectures, supportability, security everywhere across the software lifecycle. In his keynote at @DevOpsSummit at 20th Cloud Expo, Jeffrey Scheaffer, GM and SVP, Continuous Delivery Busine...
"We do one of the best file systems in the world. We learned how to deal with Big Data many years ago and we implemented this knowledge into our software," explained Jakub Ratajczak, Business Development Manager at MooseFS, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.