What’s new in OpenSSL 3.0?
One major change in OpenSSL 3.0 is its license. A software project does not change its license very often during its lifetime. Until version 3.0, the OpenSSL project used its own dual OpenSSL/SSLeay license, a BSD-style open source license whose advertising clause made it incompatible with the GPL. Since version 3.0, it uses Apache License 2.0.
OpenSSL 3.0 is a release with big changes in the internal architecture of the library. The architectural changes are not finished and will continue in OpenSSL 4.0. The concept of providers was introduced. A provider is a unit of code that supplies the implementations of cryptographic algorithms; the library core itself only routes calls such as EVP_MD_fetch() or EVP_CIPHER_fetch() to whichever loaded provider implements the requested algorithm. Most of the existing OpenSSL cryptography code is available through the default provider, while old or weak algorithms such as MD4, RC4 and single DES have been moved to a separate legacy provider that is not loaded unless the application or the configuration file activates it, so code that used those algorithms with 1.1.1 fails with an "unsupported" error under 3.0 until it does so. The FIPS-validated subset of the algorithms ships as a separate FIPS provider. Engines are still supported in OpenSSL 3.0 but have been deprecated in favor of providers, and the ENGINE API may be removed in OpenSSL 4.0. There is also support for third-party providers, which allow independent developers to plug their own algorithm implementations into OpenSSL.
Another interesting feature of OpenSSL 3.0 is Kernel TLS (KTLS). With KTLS, the application keeps using an ordinary TCP socket, and OpenSSL still performs the TLS handshake in user space. Once the handshake completes, OpenSSL hands the negotiated keys, IVs and record sequence numbers to the operating system kernel through TLS socket options (on Linux, by attaching the tls upper-layer protocol to the socket with setsockopt() and then setting TLS_TX and TLS_RX), and from then on the kernel encrypts and decrypts the TLS records itself. Offloading the record layer to the kernel can speed up data transmission on high-load systems where performance matters, especially when the kernel can use hardware acceleration for Advanced Encryption Standard (AES), or a NIC with TLS offload, and so relieve the main CPU; it also lets a server send files over a TLS connection with sendfile() without copying them through user space. Of course, KTLS support is needed both in the TLS library and in the operating system kernel: OpenSSL must be built with the enable-ktls configure option, the application must set the SSL_OP_ENABLE_KTLS option on its SSL_CTX or SSL object, and the kernel only takes over for the cipher suites it implements (AES-GCM and, on newer Linux kernels, ChaCha20-Poly1305). When any of these conditions is not met, OpenSSL silently falls back to its own user-space record layer, so an application that cares should check BIO_get_ktls_send() on the connection's write BIO rather than assume the offload happened. At the time of writing, only the Linux and FreeBSD kernels support KTLS.
Some other notable changes in OpenSSL 3.0 include the following:
- Support for the Certificate Management Protocol.
- A simple HTTP/HTTPS client.
- Advanced Encryption Standard Galois/Counter Mode with Synthetic Initialization Vector (AES-GCM-SIV) encryption.
- New Message Authentication Code (MAC) algorithms, such as GMAC and KMAC.
- New Key Derivation Function (KDF) algorithms, such as SSKDF and SSHKDF.
- New high-level APIs, such as EVP_MAC, EVP_KDF, and EVP_RAND.
- Low-level APIs deprecated in favor of newer higher-level APIs.
- Code cleanup.
- Error handling reworked.
- Old insecure algorithms are no longer available at the default security level.
- Interactive mode has been removed from the openssl command-line tool.
OpenSSL is a solid, mature software toolkit, so the most important features were implemented long ago. As a result, the latest changes don't bring that much new functionality for most users; the release focuses on architectural improvements to the library.
While OpenSSL is the most popular crypto/TLS library, it’s not the only one. We’ll compare OpenSSL to its competitors in the following sections.