openssl ssl encryption


Question


I want to discuss the openssl write and read methods.
Assume I have a data structure like the one below:


/-----------------------------------------------------\
|  my_header   |  PAYLOAD                             |
\-----------------------------------------------------/
       |                              |
      \ /                            \ /
 not encrypted                      encrypted

I think the proper algorithm would be like this:
   SEND:
   build my_header with my own header.
   encrypt PAYLOAD with encryption function
   attach my_header and PAYLOAD (encrypted) to one buffer
   send it using common POSIX function just like send or sendto
   RECV:
   using common POSIX function just like recv or recvfrom.
   extract my_header and PAYLOAD(encrypted)
   decrypt PAYLOAD with decryption function
   at last I got my_header and PAYLOAD (decrypted).


What is your approach if you face a problem like the one above, since openssl encrypts all of the data that is sent to the SSL_write function (CMIIW)?

Thanks.


Maybe the appropriate question is: what are the encryption and decryption functions that can be used to encrypt/decrypt PAYLOAD in openssl?

Recommended answer


OpenSSL comes with a libcrypto library which is commonly used to perform standalone encryption outside of an SSL context.

http://www.openssl.org/docs/crypto/evp.html


Alternatively, the bio portion of the library may be even closer to what you want: http://www.openssl.org/docs/crypto/bio.html


But if you really intend to send this over the network, then I would question the safety of leaving the header unencrypted. Encryption is about more than privacy, it is also about ensuring the data has not been modified in transit. If someone is in a position to monitor your traffic, then they are usually in a position to tamper with it too.


If you want the header unencrypted so you can read it in wireshark for debugging, then I suggest making a flag in your application to fully enable/disable encryption for use in a debugging environment.
