<p>Inf's Lair</p>
<h1>The Untold Story - Anecdotes from the OpenSSL China tour</h1>
<p>Paul Yang, 2018-02-26</p>
<h2 id="table-of-contents">Table of Contents</h2>
<ol>
<li><a href="#why-this-article-is-here">Why this article is here?</a></li>
<li><a href="#the-pick-up-adventure">The Pick-up Adventure</a></li>
<li><a href="#do-you-have-wechat-dude">Do you have WeChat, Dude?</a></li>
<li><a href="#whats-your-feeling-back-in-alibaba">What’s Your Feeling back in Alibaba</a></li>
<li><a href="#the-twins">The “Twins”</a></li>
<li><a href="#liger-or-tigon">Liger or Tigon?</a></li>
<li><a href="#damn-the-boarding-pass-is-lost">Damn, the Boarding Pass is Lost</a></li>
<li><a href="#did-we-fuck-up-the-opensource-event">Did We Fuck up the OpenSource Event?</a></li>
<li><a href="#worm-dinner">Worm Dinner</a></li>
<li><a href="#drunk-as-a-lord">Drunk as a Lord</a></li>
<li><a href="#the-final-haul-ass">The Final “Haul Ass”</a></li>
</ol>
<h2 id="why-this-article-is-here">Why this article is here?</h2>
<p>As most people already know, OpenSSL was in China for several days in September, from the 17th to the 25th specifically. The stories describing the very formal activities we experienced during those days have been reported in some media articles after the tour, so many people know what we did in China, in particular the business part. But from my perspective, there were also things which have not been disclosed yet, but should be told. I consider them ‘anecdotes’: things that made this China tour much more vivid and enjoyable. And this is why I decided to write these words. I would like to record the moments and memories we had together in those nine days in China.</p>
<p>Before I tell you the amazing and funny stories, I would like to thank again the following <a href="https://www.baishancloud.com">BaishanCloud</a> staff who put huge effort into this tour (in order of appearance in the stories): Jane, Sean, Jedo, Paul (me, absolutely), Shirley, Alan. And also the people who didn’t show up in the stories: Jenna, Amy, Mr. Wei An, our CTO Mr. Jian Tong and my boss Terence and Mel :-). Thank you all very much for supporting our ‘operation’. I would also like to thank the guys from OpenSSL for their patience in suffering a lot from our poor spoken English ;-).</p>
<h2 id="the-pick-up-adventure">The Pick-up Adventure</h2>
<p>The pick-up at the airport for the guys of OpenSSL was more scared than hurt. The original plan was: “Jane and Sean go to Shanghai Pudong airport to pick up Matt in the morning, and then Jane accompanies Matt back to the hotel while Sean stays at the airport waiting for Steve, who will arrive at noon. Meanwhile, Jedo goes to Shanghai Hongqiao airport to pick up Richard”.</p>
<p>After Matt and Jane arrived at the hotel, we took this photo, and this was also the first photo in the China tour:</p>
<p><span id="2-1"><img src="/images/anecdotes/2-1.jpg" alt="first photo in China" /></span></p>
<p><em>Lunch with Matt</em></p>
<p>Everything ran smoothly until the afternoon. Sean called to tell me that Steve hadn’t shown up at the airport although the plane had already landed almost 2 hours earlier. We didn’t have any way to contact Steve, since Steve had bought himself a SIM card in the US but that card didn’t work in his phone before he left his country. So we asked the airline, and they told us Steve hadn’t boarded. That was very confusing for us, so we contacted Beijing to check Steve’s flight information. Finally we found that someone in BaishanCloud had got the flight wrong and Steve’s true arrival time should be in the evening. So Sean had to continue to wait at the airport to pick up Steve. That was a tough day for him anyway…</p>
<p>At last in the evening, around 7 o’clock, we picked up Steve, Tim and Rich. On the way back to the hotel, Rich teased me that I also needed to handle the problem with jetlag. And he was correct about this, since I usually slept at 3:00AM and woke up at 9:00 ~ 10:00AM in the same day, but during the tour I needed to adjust that life style.</p>
<h2 id="do-you-have-wechat-dude">Do you have WeChat, Dude?</h2>
<p>When I met Matt, I gave him a Chinese local SIM card so that he could use the mobile network in China. We also prepared one SIM card for Richard, and both of the cards worked well with their cell phones. As mentioned before, Steve used a Chinese local SIM card bought by himself. Tim and Rich just used their own numbers ‘internationally’. So the result was that, except for Steve (he used a 2G GSM phone), all the other guys had 3G/4G access, and it was time to move to a more Chinese style of communication.</p>
<p>I first helped Matt set up a WeChat account, and by the next day all the guys had their WeChat accounts; we even created a chat group there. Richard seemed to be interested in the WeChat app and played with the funny features for some time. That chat group helped a lot to coordinate schedules during the 8-day tour.</p>
<p>All guys kept using their WeChat even after they left China, for instance Tim and I chatted a lot by WeChat.</p>
<h2 id="whats-your-feeling-back-in-alibaba">What’s Your Feeling back in Alibaba</h2>
<p>On 18th September, we went to Alibaba HQ, the Xixi campus in Hangzhou. Rich and I had met here back in 2015, two days before that year’s Tmall double eleven festival. I resigned from Alibaba in June 2016, and this was the first time I came back here since then.</p>
<p><span id="4-1"><img src="/images/anecdotes/4-1.jpg" alt="met with Rich in 2015" /></span></p>
<p><em>First met with Rich in 2015</em></p>
<p>After the meeting we took a walk in the campus, and Rich asked me what I felt coming back here again. Well, it’s a little complicated. The first time I worked on OpenSSL (as well as other SSL/TLS and cryptography stuff) was at Alibaba, in 2014. The most important thing I got in this company was the opportunity to widen my vision during the last two years. That meant a lot to me. Back to the feelings, I was very happy to meet some old buddies there and cherished a little the memory of those days and nights when we fought together.</p>
<p><span id="4-2"><img src="/images/anecdotes/4-2.jpg" alt="sculpture in Ali HQ" /></span></p>
<p><em>Sculpture in Alibaba</em></p>
<h2 id="the-twins">The “Twins”</h2>
<p>After hanging out in Alibaba HQ, we departed for Shenzhen the next day. It was Shirley who picked us up at the airport, and we planned to visit Tencent and Huawei.</p>
<p><span id="5-1"><img src="/images/anecdotes/5-1.jpg" alt="depart for Shenzhen" /></span></p>
<p><em>Depart for Shenzhen</em></p>
<p>It was very interesting when we took a tour of Huawei’s exhibition center - a place showing the company’s most advanced techniques. One of the most interesting things was a VR game section where two persons could play together to experience Huawei’s 5G tech. To play the VR game, a special device was needed and it would be convenient if the player didn’t wear glasses. Since Matt and Rich were the only two guys who didn’t wear glasses, they went on the stage.</p>
<p><span id="5-2"><img src="/images/anecdotes/5-2.jpg" alt="twins" /></span></p>
<p><em>The “Twins”</em></p>
<p>This is funny and it reminded people of a 1988 movie with the name ‘Twins’. The game was about shooting zombies and it was very entertaining for the audience even just to watch the players shooting into the air.</p>
<h2 id="liger-or-tigon">Liger or Tigon?</h2>
<p>Having finished the visit to Huawei in the morning, we went to the zoo in the afternoon. This was a very educational trip in which I learned two new English words - Liger and Tigon.</p>
<p><span id="6-1"><img src="/images/anecdotes/6-1.jpg" alt="photographer" /></span></p>
<p><em>Richard was photographing</em></p>
<p>A Liger is the hybrid cross of a lion father and a tiger mother, apparently the word Liger itself indicates this already. To the contrary, a Tigon comes from a tiger father and a lion mother. I have seen them in the zoo in Shenzhen, but to be honest, I still can not distinguish them accurately as I always considered no matter which one is the father, the children should seem very similar but only the names are different. It could be interesting if I dig into this topic deeper in the future.</p>
<p>And we also had the chance to feed the big cats in a well ‘armoured’ bus, which was exciting.</p>
<p><span id="6-2"><img src="/images/anecdotes/6-2.jpg" alt="armoured bus" /></span></p>
<p><em>The bus we were in</em></p>
<p>The driver drove the bus into the ‘free-ranging’ area. Everyone in the bus had a fork and a piece of chicken leg - which was used to feed the tigon/liger/tigers.</p>
<p><span id="6-3"><img src="/images/anecdotes/6-3.jpg" alt="park gate" /></span></p>
<p><em>The portal to the wild, Jurassic Park?</em></p>
<p>Actually it was a little tricky to feed the big cats - the best method was to ‘seduce’ the big cats with the chicken and not put it too close to them, so that the big cats would cling to the safety nets of the bus and people inside could have more time to watch them.</p>
<p><span id="6-4"><img src="/images/anecdotes/6-4.jpg" alt="Liger or Tigon" /></span></p>
<p><em>I think this should be a Tigon</em></p>
<p>If you put the chicken too close to them, they would take the chicken and keep far from the bus - but in practice, it was hard to achieve this so we ran out of chicken quickly.</p>
<p><span id="6-5"><img src="/images/anecdotes/6-5.jpg" alt="Tiger" /></span></p>
<p><em>This is a real tiger</em></p>
<h2 id="damn-the-boarding-pass-is-lost">Damn, the Boarding Pass is Lost</h2>
<p>On 21 September, we left Shenzhen and headed to Beijing. An adventure happened in the airport - I lost my boarding pass just before the boarding gate was closed.</p>
<p><span id="7-1"><img src="/images/anecdotes/7-1.jpg" alt="at the airport" /></span></p>
<p><em>Moment that I still had my boarding pass</em></p>
<p>I went to the boarding gate to ask if I could use my ID card for boarding. The answer was negative and I had to go to the counter of Shenzhen Airlines to reprint the boarding pass - the counter was located several hundred meters away from the gate and it was only 15 minutes before the gate closed.</p>
<p>Sean and I rushed madly back to the counter of the airline and meanwhile Rich and Jedo stayed at the boarding gate trying their best to prevent the gate from closing. I have not run at that pace for a decade I guess. Eventually we made it and boarded the plane.</p>
<p>It felt good to see the night of Beijing with all other guys! It was more scared than hurt anyway!</p>
<p><span id="7-2"><img src="/images/anecdotes/7-2.jpg" alt="Arrival in beijing" /></span></p>
<p><em>Arrival in Beijing</em></p>
<p>Postscript: Several days later when I got home and cleared up my backpack, I found the ‘lost’ boarding pass at the bottom of my backpack. Damn it, I should be more careful.</p>
<h2 id="did-we-fuck-up-the-opensource-event">Did We Fuck up the OpenSource Event?</h2>
<p>In Beijing we had lots of work. And the most important agenda would be the open source event on 23 September. Everyone was going to give a speech in that afternoon.</p>
<p><span id="8-1"><img src="/images/anecdotes/8-1.jpg" alt="Meeting with BaishanCloud" /></span></p>
<p><em>Meeting in BaishanCloud office</em></p>
<p>We actually didn’t know whether what we had prepared would interest the audience or not. And we didn’t know if the simultaneous interpretation service in the salon was good or not. It was not easy for the audience to have a mostly-English open source event.</p>
<p><span id="8-2"><img src="/images/anecdotes/8-2.jpg" alt="Preparing" /></span></p>
<p><em>Preparing</em></p>
<p>No one knew if we would mess up the presentations or not. If no one liked to ask questions or understood the speeches well, that would be a catastrophe. Lots of media people were waiting there to write reports, and I hoped the atmosphere could be ‘hot’.</p>
<p><span id="8-3"><img src="/images/anecdotes/8-3.jpg" alt="matt-tls13" /></span></p>
<p><em>Matt’s talking about TLS13</em></p>
<p>After I had done my presentation, Steve, Tim and I were grabbed to another room to have an interview, so I wasn’t really aware of how it was going outside. And I missed all the presentations after mine, which should be Rich, Richard and Tim. Some topics in their slides also interested me a lot, but I had no chance to listen to the speeches live.</p>
<p>The result was excellent, according to the feedback from the staff of BaishanCloud.</p>
<p><span id="8-4"><img src="/images/anecdotes/8-4.jpg" alt="group photo" /></span></p>
<p><em>Group photo with some audience</em></p>
<p>According to Tim, they were asked questions after the event was over. And many Chinese technical guys were very interested in TLS 1.3, Post-Quantum Cryptography and also other topics we have talked about.</p>
<p>This was the first time BaishanCloud held such an event and it was also the first time OpenSSL presented in China. It was not easy, but we conquered it. We had done a great job and what was left was just to have a relaxing time in China!</p>
<h2 id="worm-dinner">Worm Dinner</h2>
<p>Our CTO Mr. Jian Tong, on behalf of BaishanCloud, held a small banquet for our guests in the evening of 23 September. The dinner was in a very decent Spanish restaurant and I was lucky again that night…</p>
<p>I ordered fish, fried if I recall correctly. Along with the fish, there was salad in the dish. After I had eaten half of the fish, I found something wriggling in the dish. The light was poor so I didn’t see it clearly at first. And then that thing kept moving. I took a close look and I found it was like a ‘thread’ there, alive. I panicked. Then I called the waiter and they panicked.</p>
<p>Very quickly, the manager, a foreigner whose nationality I couldn’t figure out, came to me and apologized very sincerely for the disaster, in English. I was curious why he didn’t talk in Chinese, since Tim heard him talking in Chinese to the waiters. But anyway, I pardoned this tragedy because I was in a very good mood that night. After all we had done a tough job in the afternoon.</p>
<p>Finally they supplied new food for me, for free of course. By the way, the wine was good in that restaurant ignoring the ‘worm’ ;-)</p>
<p>We took a walk in the shops nearby after finishing the dinner, waiting for the bus to pick us up back to the hotel. Guys were happy and played around.</p>
<p><span id="9-1"><img src="/images/anecdotes/9-1.jpg" alt="Rich" /></span></p>
<p><em>Rich with cool glasses</em></p>
<h2 id="drunk-as-a-lord">Drunk as a Lord</h2>
<p>Tim, Rich and I went to a bar at night to celebrate. We drank several ‘cannon’s beer that night. For me, I might need some alcohol to reduce the effect of ‘worm’.</p>
<p>We talked about a lot of interesting stuff such as the culture difference, the history of the OpenSSL project, the Tao of open source etc. Some friends of mine joined the party and thus it was more diverse for understanding different Chinese attitudes toward open source.</p>
<p>We got back at around 4 AM in the morning and I went to bed in my boots, literally. And I woke up at around 6, because we had a schedule to take a tour in Beijing.</p>
<p>When I was in the bus, I was something like this:</p>
<p><span id="10-1"><img src="/images/anecdotes/10-1.jpg" alt="Paul" /></span></p>
<p><em>Photographed by Tim. Good capture!</em></p>
<h2 id="the-final-haul-ass">The Final ‘Haul Ass’</h2>
<p>The last part was the touring in several places in Beijing city, including the Forbidden City and Shichahai. This was described in Tim’s blog post on OpenSSL website, so I will skip this part in this article since here comes only the ‘untold’ parts.</p>
<p>The phrase ‘Haul Ass’ and its synonyms were frequently used by me during the whole journey when I needed to call for a move. I didn’t notice it had comedy effect at first, but it seemed so.</p>
<p>Tim was the first person who departed, on 24 September. And then the other guys on 25th. I made my final ‘Haul Ass’ at the airport to bid them farewell.</p>
<p>Rich, on behalf of OpenSSL, has sent me a party hat after he got back to USA and I like that very much, thanks!</p>
<p><span id="11-1"><img src="/images/anecdotes/11-1.jpg" alt="Beer hat" /></span></p>
<p><em>Party hat with two beer slots</em></p>
<p>It was not a long trip in China, but as I mentioned earlier, this was the first time members of OpenSSL were here, so it’s important. I hope this trip was a start to make a channel of communication between China and the international open source community, which can help more Chinese developers to understand how to participate in the community. The community can also benefit from intelligence in China, to help the software be more widely used in the Chinese market.</p>
<p>All things are difficult before they are easy. And the first step is always the hardest. But fortunately, we got this done and I am optimistic about the future.</p>
<p>Hope to meet you guys again!</p>
<p><span id="11-2"><img src="/images/anecdotes/11-2.jpg" alt="haul ass" /></span></p>
<p>Chapter 01 - A Brief History of OpenSSL (Paul Yang, 2017-01-10)</p>
<h1 id="a-brief-history-of-openssl">A Brief History of OpenSSL</h1>
<h2 id="ssl-protocol">SSL Protocol</h2>
<p>When people talk about the history of the Internet, a famous legacy name will always be mentioned: Netscape. This company, whose headquarters were located in California, made a huge contribution to the technical evolution of humanity, including JavaScript, Gecko, Project Mozilla and of course the SSL protocol. Back in 1995, Netscape released the first production-ready version of SSL, SSL 2.0. In 1996, Netscape released the SSL 3.0 specification. At that point the era of encrypted Web traffic had begun. Taher Elgamal, who worked for Netscape as ‘Chief Scientist’ at that time, is recognized as the ‘father of SSL’.</p>
<blockquote>
<p>Taher Elgamal
Dr. Taher Elgamal is the creator of the famous ElGamal asymmetric key encryption and signature algorithm. The widely used DSA algorithm is a variant of the ElGamal signature algorithm. Dr. Taher Elgamal’s doctoral advisor was Martin Hellman, the ‘H’ in the DH algorithm, and the ElGamal algorithm is based on the DH key exchange algorithm. Dr. Taher Elgamal serves as CTO of Security at Salesforce.com.</p>
</blockquote>
<p>Netscape supported the SSL protocol in its own product line, including Netscape Navigator, and FastTrack, Enterprise web server etc. on the server side. But since Netscape was a U.S.-based company, due to limits on the export of cryptography from the U.S., Netscape’s products could not be used outside the U.S. with strong encryption. For instance, at that time, Netscape’s products were separated into a ‘domestic version’ and an ‘international version’. For those ‘international’ products, symmetric key length was limited to 40-bit and the RSA private key was limited to 512-bit, and all of the above keys were easy to break even back in those days. Along with the rise of the Internet and open source software, many great cryptographic systems are now widely used. Nowadays the effect of the cryptographic export limitations is greatly reduced, but those limits were indeed a problem back in the 1990s.</p>
<h2 id="ssleay">SSLeay</h2>
<p>In 1995 Tim Hudson, who worked for Bond University in Australia, had several projects which needed to use SSL. But, due to the export limits for cryptography from the U.S., the only way he could obtain SSL was to use the export version of Netscape products and purchase their license. According to Tim Hudson, that would have had some issues:</p>
<ol>
<li>First, it required a patent license from RSA Data Security (now RSA Security LLC).</li>
<li>Second, it was expensive, USD 30,000 at that time.</li>
<li>Last, Netscape didn’t offer strong encryption except weakened 40-bit export form.</li>
</ol>
<p>From Tim Hudson’s point of view, even if he used the expensive Netscape products, all he would get was weakened cryptography, which would not resolve the problems he met in his project, so at last he decided to implement a new SSL library from scratch and make it useful in his projects. Then Tim asked Eric Young, who was working on his Ph.D. at Bond University, to implement a new SSL library with him. Both Eric and Tim are alumni of the University of Queensland. Since Eric had already implemented the DES cipher and had more spare time, they decided Eric would implement the new SSL library itself and Tim would deal with application-side compatibility, documentation and user issues. The new SSL library was named after Eric’s full name ‘Eric Andrew Young’: SSLeay, read as S-S-L-E-A-Y. SSLeay supported SSLv2, SSLv3 and TLSv1, and most of its APIs are almost the same as today’s OpenSSL. You can see some old documentation about SSLeay at http://www.umich.edu/~x509/ssleay/</p>
<p>In August 1998, Eric and Tim joined RSA Data Security, and developed SSL-C for RSA Data Security. SSL-C is an SSL SDK used in the BSAFE product of RSA Data Security. At the same time, SSLeay development stopped with no future releases. In 2007, Tim left RSA Data Security and returned to operate a company called Cryptsoft, which was started by Tim and Eric before they joined RSA Data Security. In 2012, Tim became a partner of the OpenSSL Foundation and a member of the core development team in 2014.</p>
<p>Previous to working for RSA Data Security, Eric and Tim worked at a company called C2Net for around one and a half years, developing SSLeay. This work experience led to the birth of OpenSSL.</p>
<h2 id="c2net">C2Net</h2>
<p>C2Net was a company based in California that provided cryptographic software, founded in 1994. The products the company developed, including web browser, web server and proxy server software, etc., included full support for encryption to protect users’ data. In 1997, C2Net opened a branch in Europe, C2Net Europe Ltd, with Mark J. Cox as the Managing Director. He was in charge of development of international products for C2Net. At the same time, Eric and Tim also joined C2Net in 1997, to develop SSLeay, which was used in those international products of C2Net to provide SSL and cryptographic functionality.</p>
<p>At that time, the primary product that C2Net offered was a web server named Stronghold, which supported the SSL/TLS protocol and strong encryption algorithms and competed with the Netscape web server software. Stronghold was the only one among commercial web server software products that provided strong encryption globally. That was because Stronghold was developed outside the United States (in Europe and Australia). Anyway, C2Net needed to pay for the RSA patent until it expired in 2000.</p>
<p>In 1998, Tim and Eric left C2Net, and joined RSA Data Security. In 2000, C2Net was acquired by Red Hat and Mark Cox has worked as Senior Director of Product Security for Red Hat till now.</p>
<blockquote>
<p>C2Net
C2Net played a very important role in the history of Internet security, read more at: https://awe.com/mark/history/c2net.html and more info about Stronghold at: https://awe.com/mark/history/stronghold.html</p>
</blockquote>
<h2 id="openssl">OpenSSL</h2>
<p>When Tim and Eric left C2Net in 1998, Mark decided to launch a new open source project to succeed SSLeay, OpenSSL. OpenSSL then replaced SSLeay in the C2Net products and was widely used as a successful open source software product.</p>
<p>From the first release 0.9.1c in 1998, to the latest 1.1.0 branch, the OpenSSL project has experienced ups and downs. The most significant event that ever influenced the project was the ‘Heartbleed’ vulnerability in 2014.</p>
<blockquote>
<p>Heartbleed
http://heartbleed.com/. The impact is that an attacker could read memory in HTTPS servers and eventually recover a lot of important information, including private keys, user passwords etc.</p>
</blockquote>
<p>After Heartbleed was disclosed, the Linux Foundation initiated a project named CII (Core Infrastructure Initiative), which aimed to help improve the quality of Internet infrastructure software. The CII project collaborated with companies including IBM, Microsoft, Intel, AWS, etc. to fund some key open source projects to help them be better and more secure. OpenSSL was undoubtedly among the first projects funded by CII, and this ended the ‘underfunded’ status of OpenSSL, which until then was receiving only about USD 2,000 per year in donations. CII sponsored two full-time OpenSSL core developers with the goal of a well-developed OpenSSL.</p>
<p>At the time Heartbleed was disclosed, OpenSSL was independently forked by OpenBSD and Google, each pursuing their own SSL/TLS library. Their libraries were called LibreSSL (OpenBSD fork) and BoringSSL (Google fork). LibreSSL was forked from OpenSSL by OpenBSD in April 2014, with the goal of refactoring OpenSSL and enhancing security. The first release of LibreSSL was in July 2014 with the version 2.0.0. In LibreSSL, plenty of legacy and useless code was removed and some new features were introduced, such as ChaCha and Poly1305. In June 2014, Google forked OpenSSL as BoringSSL. BoringSSL didn’t aim to replace OpenSSL as a generic SSL library; instead, it was more like a Google-customized SSL library to support Google’s own requirements, and was primarily used in Chrome and Android.</p>
<p>According to Mark Cox, “OpenSSL is likely to be the most useful library for general purpose needs, and the changes post Heartbleed (having dedicated team members, responding to security issues, published policies, obtaining CII badging) should change the brand impression to one which is positive”. For LibreSSL and BoringSSL, OpenSSL likes to maintain good relationships with both teams and collaborates on security issues with them.</p>
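<h1>RSA Padding</h1>
<p>Paul Yang, 2016-11-28</p>
<p>An interesting question: if a piece of data is encrypted with an RSA private key, and the resulting ciphertext is then decrypted with a public key that does not match that private key, will the decryption produce meaningless content, or will it fail?</p>
<p>The answer: it depends!</p>
<p>First, two concepts need to be understood: the cryptographic primitive and the cryptographic scheme.</p>
<h2 id="primitive">Primitive</h2>
<p>A cryptographic primitive is a mathematical computation that applies some cryptographic processing to data. In RSA, for example, there are an encryption primitive and a decryption primitive; as the names suggest, these two primitives define RSA's encryption and decryption algorithms respectively.</p>
<p>For example, the RSA public-key encryption process can be expressed as:</p>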
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>c = RSAEP((n, e), m)
</code></pre></div></div>
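<p>where:</p>
<ul>
<li>c is the ciphertext</li>
<li>m is the plaintext</li>
<li>(n, e) is the public key, where n is the modulus and e is the RSA public exponent</li>
<li>RSAEP stands for RSA Encryption Primitive</li>
</ul>
<p>What RSAEP actually does is the RSA encryption algorithm itself, that is, the "mathematical layer":</p>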
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>c = m^e mod n
</code></pre></div></div>
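<p>Correspondingly there is RSADP, the decryption primitive. Depending on how the private key is represented, the decryption primitive can either perform an exponentiation similar to the encryption primitive, or use the Chinese Remainder Theorem and compute with the separate primes instead of the modulus n, which avoids the costly exponentiation modulo n and so optimizes performance. This is also the underlying principle of multi-prime RSA. See section 5.1.2 of RFC 3447 for details, which are not repeated here.</p>
<p>So, back to the original question: if the public key (or private key) used for decryption does not pair with the private key (or public key) used for encryption, the computation still yields a number, but that number is not the original plaintext. In this sense, the decryption algorithm does not "fail".</p>
<h2 id="scheme">Scheme</h2>
<p>In real life, however, primitives are almost never used directly. We can use openssl to encrypt a piece of data and then decrypt it with a mismatched key.</p>
<p>First generate two public/private key pairs, pair A and pair B:</p>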
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ ./openssl genpkey -algorithm RSA -out priv_A.key -pkeyopt rsa_keygen_bits:2048
...................+++
......................+++
$ ./openssl genpkey -algorithm RSA -out priv_B.key -pkeyopt rsa_keygen_bits:2048
...................+++
......................+++
</code></pre></div></div>
<p>Export the public keys from the private keys:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ ./openssl rsa -pubout -in priv_A.key -out pub_A.key
$ ./openssl rsa -pubout -in priv_B.key -out pub_B.key
</code></pre></div></div>
<p>Now we have two key pairs:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-rw-------. 1 paul paul 1704 Nov 28 17:50 priv_A.key
-rw-------. 1 paul paul 1704 Nov 28 17:50 priv_B.key
-rw-rw-r--. 1 paul paul 451 Nov 28 17:54 pub_A.key
-rw-rw-r--. 1 paul paul 451 Nov 28 17:55 pub_B.key
</code></pre></div></div>
<p>OK, next test normal encryption and decryption: encrypt with pub_A and decrypt with priv_A:</p>
<p><span id="rsa_good"><img src="/images/rsa_good.png" alt="rsa_good" /></span></p>
<p>The original text decrypts correctly. Next, try decrypting with the wrong private key, priv_B:</p>
<p><span id="rsa_bad"><img src="/images/rsa_bad.png" alt="rsa_bad" /></span></p>
<p>No meaningless content appears; instead, openssl reports an error directly:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error
rsa routines:rsa_ossl_private_decrypt:padding check failed
</code></pre></div></div>
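<p>This is because, in practice, data is generally not processed with the primitives directly, since computing with the primitives directly causes many security problems; see <a href="https://en.wikipedia.org/wiki/RSA_%28cryptosystem%29#Attacks_against_plain_RSA">here</a>.</p>
<p>For this reason, RSA in practice pads the data with random data before encrypting, which diversifies the ciphertext. The method that specifies how to pad is the scheme.</p>
<p>The main RSA padding schemes are:</p>
<ul>
<li>Encryption:
<ul>
<li>RSAES-PKCS1-v1_5: the old method specified in PKCS #1, in use since PKCS #1 version 1.5</li>
<li>RSAES-OAEP: the new method, see <a href="https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding">OAEP</a> (with diagram)</li>
</ul>
</li>
<li>Signature:
<ul>
<li>RSASSA-PKCS1-v1_5: the old method</li>
<li>RSASSA-PSS: the new method</li>
</ul>
</li>
</ul>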
<p>The openssl command accepts options that select which padding scheme to use; the default is the old PKCS #1 method:</p>
<p><span id="rsa_padding"><img src="/images/rsa_padding.png" alt="rsa_padding" /></span></p>
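<p>Of course, you can also use no padding at all, which is no different from using the primitive directly.</p>
<p>Now, based on the PKCS padding method, let's see why openssl can detect that decryption failed rather than returning data. First we need to understand the padding method itself. Per step 2.b of section 7.2.1 of RFC 3447:</p>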
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>EM = 0x00 || 0x02 || PS || 0x00 || M.
</code></pre></div></div>
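<ul>
<li>PS: the padding string, random data</li>
<li>M: the plaintext</li>
</ul>
<p>The padding embeds random data in a fixed pattern, and the result is prepended to the plaintext before the encryption primitive is applied.</p>
<p>For decryption, the decrypted data, which still carries the padding, is decoded to finally obtain the plaintext M. Per step 3 of section 7.2.2 of RFC 3447:</p>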
<p><span id="rsa_padding_failed"><img src="/images/rsa_padding_failed.png" alt="rsa_padding_failed" /></span></p>
<p>The padding is found to be wrong, so the decryption is judged to have failed right away.</p>
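<p>The primitive-versus-scheme behaviour described in this post, as an added example that is not part of the original post: a toy RSA with the EM = 0x00 || 0x02 || PS || 0x00 || M encoding and the decoding checks of RFC 3447 section 7.2.2 step 3. The 512-bit keys, the fixed-seed generator and all function names are assumptions made for illustration and are not secure.</p>

```python
# Added example: RSA primitives vs. the RSAES-PKCS1-v1_5 scheme (toy keys, not secure).
import random

E = 65537
_rng = random.Random(2016)  # fixed seed so the run is reproducible; never do this for real keys


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        # Top two bits set so that p*q has exactly 2*bits bits; low bit set so p is odd.
        p = _rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if p % E != 1 and _is_probable_prime(p):  # p % E != 1 keeps gcd(E, p-1) == 1
            return p


def gen_keypair(bits=512):
    p = _gen_prime(bits // 2)
    q = _gen_prime(bits // 2)
    while q == p:
        q = _gen_prime(bits // 2)
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1)), "k": (n.bit_length() + 7) // 8}


def rsaep(n, e, m):
    """Encryption primitive: c = m^e mod n."""
    if not 0 <= m < n:
        raise ValueError("message representative out of range")
    return pow(m, e, n)


def rsadp(n, d, c):
    """Decryption primitive: m = c^d mod n. Pure arithmetic; it cannot tell a wrong key."""
    if not 0 <= c < n:
        raise ValueError("ciphertext representative out of range")
    return pow(c, d, n)


def pkcs1_v15_encode(msg, k):
    """EM = 0x00 || 0x02 || PS || 0x00 || M, with PS made of non-zero random bytes."""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = bytes(_rng.randrange(1, 256) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_decode(em):
    """RFC 3447 7.2.2 step 3: check the 0x00 0x02 header, the separator and len(PS) >= 8."""
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]


def encrypt(pub, msg):
    em = pkcs1_v15_encode(msg, pub["k"])
    return rsaep(pub["n"], pub["e"], int.from_bytes(em, "big"))


def decrypt(priv, c):
    m = rsadp(priv["n"], priv["d"], c)
    return pkcs1_v15_decode(m.to_bytes(priv["k"], "big"))


# Two unrelated pairs. The one with the smaller modulus is called A, so a ciphertext
# made for A is always in range for B and only the padding check can reject it.
KEY_A, KEY_B = sorted((gen_keypair(), gen_keypair()), key=lambda kp: kp["n"])


def demo():
    msg = b"hello rsa padding"  # constructed sample plaintext
    c = encrypt(KEY_A, msg)
    good = decrypt(KEY_A, c)
    raw_wrong = rsadp(KEY_B["n"], KEY_B["d"], c)  # primitive with the wrong key: just a number
    try:
        scheme_wrong = decrypt(KEY_B, c)  # scheme with the wrong key: the decode step rejects it
    except ValueError as exc:
        scheme_wrong = str(exc)
    return good, raw_wrong, scheme_wrong


if __name__ == "__main__":
    good, raw_wrong, scheme_wrong = demo()
    print("matching key :", good)
    print("wrong key, primitive only:", hex(raw_wrong)[:34], "...")
    print("wrong key, with padding  :", scheme_wrong)
```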
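<p>"The OpenSSL Evil-Warding Sword Manual", First Form (Paul Yang, 2016-10-14)</p>
<h1 id="openssl前世今生">OpenSSL: Past and Present</h1>
<h2 id="ssl协议">SSL Protocol</h2>
<p>When talking about the history of the Internet, one old and resounding name has to be mentioned: Netscape. This company, headquartered in California, USA, contributed and left behind many meaningful things, such as JavaScript, Gecko, the Mozilla project, and of course the SSL protocol. As early as 1995, Netscape put forward the first usable version of SSL, SSL 2.0; in 1996, Netscape released the SSL 3.0 protocol specification, which opened the era of modern Web traffic encryption. Dr. Taher Elgamal, then chief scientist at Netscape, is recognized as the "father of SSL".</p>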
<blockquote>
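<p>Taher Elgamal
Dr. Taher Elgamal is the inventor of the famous ElGamal asymmetric encryption and signature algorithm; the widely used DSA signature algorithm is a variant of the ElGamal algorithm. Dr. Taher Elgamal studied under the cryptography master Martin Hellman, the 'H' in the DH algorithm, and the ElGamal algorithm is based on the DH algorithm. Dr. Taher Elgamal currently serves as CTO for security at Salesforce.com.</p>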
</blockquote>
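<p>Netscape implemented support for the SSL protocol across its whole product line, including the Netscape Navigator browser and, on the server side, FastTrack and Enterprise web server. But because Netscape was a U.S. company and subject to the U.S. export restrictions on cryptography at the time, Netscape's SSL-capable products could not use high-strength encryption outside the United States. For example, Netscape's products at the time were split into a "U.S. domestic version" and an "international version"; in the international version, symmetric key length was limited to 40-bit and RSA private key length to 512-bit, both of which could be broken very easily. Today, with the rise of the Internet and open source software, excellent cryptographic systems are widely used and the practical effect of cryptographic export restrictions has been greatly reduced, but at the time these restrictions were indeed a problem.</p>
<h2 id="ssleay">SSLeay</h2>
<p>In 1995, Tim Hudson, then working at Bond University in Australia, had several projects that needed SSL. But because of the U.S. cryptography export restrictions of the time, the only way he could obtain SSL technology was to use Netscape's export products. According to Tim Hudson, using Netscape's products had many problems:</p>
<ol>
<li>First, a patent license had to be obtained from RSA Data Security (now RSA Security LLC)</li>
<li>Second, Netscape's license fee was expensive, USD 30,000 at the time</li>
<li>Finally, Netscape, being subject to the cryptography export controls, could only provide low-security encryption, such as 40-bit symmetric encryption</li>
</ol>
<p>Tim Hudson reasoned that even after paying the high cost he would only get low-strength encryption algorithms, which could not solve the problems in his projects, so he decided to develop an SSL library himself to support his several research projects outside the United States. Tim approached Eric Young, who was also at Bond University studying for a PhD, to implement a new SSL library together. Eric was a close friend and classmate of Tim's from their time at the University of Queensland. Because Eric had more free time and had already developed an implementation of the DES encryption algorithm, Eric took primary responsibility for developing the SSL library itself, while Tim was mainly responsible for application-side integration, writing documentation and handling user issues. The SSL library was named after the initials of Eric's full name (Eric Andrew Young), hence SSLeay, pronounced S-S-L-E-A-Y, letter by letter. SSLeay supported SSL 2, SSL 3 and TLS 1, and most of its APIs differ little from today's OpenSSL. Documentation for SSLeay from those days can be found here: http://www.umich.edu/~x509/ssleay/</p>
<p>In August 1998, Eric and Tim joined RSA Data Security, where, based on SSLeay, they developed SSL-C for RSA, an SSL SDK used in RSA's BSAFE product, while SSLeay development stopped and no new versions were released. In 2007, Tim left RSA and went on to run Cryptsoft, a company Eric and Tim had founded before joining RSA, while Eric has stayed at RSA. Starting in 2012, Tim became a partner of the OpenSSL Foundation, and in 2014 he became a member of the OpenSSL development team.</p>
<p>Before Eric and Tim joined RSA, they worked for a company named C2Net for about a year and a half, mainly responsible for SSLeay development; this work experience foreshadowed the later birth of OpenSSL.</p>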
<h2 id="c2net">C2Net</h2>
<p>C2Net是一家位于美国加州提供隐私加密服务的公司,成立于1994年,主要提供包括浏览器、服务器以及代理软件等多种产品,并在其产品中提供完善的加密手段保护用户的隐私安全。在1997年,C2Net成立了欧洲公司,由Mark J. Cox担任欧洲公司的总经理,负责C2Net全球化产品的开发,于此同时,Eric和Tim于1997年也加入了C2Net公司,负责SSLeay的开发,而C2Net的全球化产品中使用的就是SSLeay来提供SSL功能。</p>
<p>当时C2Net的拳头产品是一款名为Stronghold的Web服务器软件,全面支持SSL/TLS协议以及高强度的密码学算法。该产品的主要竞争对手是Netscape的Web服务器软件。当时Stronghold也是唯一一款在全球范围销售的提供强加密算法的同类产品,这主要得益于Stronghold是在美国之外开发的(英格兰和澳大利亚),当然C2Net依然要为RSA的专利买单,直到RSA专利过期。</p>
<p>在1998年的时候,Tim和Eric离开了C2Net,加入了RSA Security,而C2Net则在2000年的时候被Red Hat收购,Mark Cox也成为了Red Hat的员工,目前负责Red Hat的安全方向。</p>
<blockquote>
<p>C2Net
C2Net was a highly influential company in Internet security. For details see: https://awe.com/mark/history/c2net.html and, for information about Stronghold: https://awe.com/mark/history/stronghold.html</p>
</blockquote>
<h2 id="openssl">OpenSSL</h2>
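<p>After Tim and Eric left C2Net in 1998, Mark decided to start a new open-source project to succeed SSLeay: OpenSSL. OpenSSL replaced SSLeay in supporting C2Net’s products and, as a successful open-source project, came to be widely used.</p>
<p>From its first release, 0.9.1c, in 1998 to the latest version, 1.1.0b, OpenSSL has been through many twists and turns; the one with the greatest impact on the project was the Heartbleed vulnerability disclosed in 2014.</p>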
<blockquote>
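<p>Heartbleed
http://heartbleed.com/. Its main impact is that an attacker can exploit the vulnerability to read server memory and thereby obtain keys, usernames/passwords and other information.</p>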
</blockquote>
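<p>After Heartbleed was disclosed, the Linux Foundation, in order to improve the software quality of Internet infrastructure, launched a project called the Core Infrastructure Initiative (CII). It brought together a number of commercial companies, including IBM, Microsoft, Intel and AWS, with the aim of funding critical open-source projects and helping them become more complete and higher in quality. OpenSSL naturally became the first open-source project CII funded. Before that, OpenSSL was short of resources, relying on donations for only about 2,000 US dollars a year. CII funded developers to work full-time on OpenSSL, hoping this would improve OpenSSL’s security, among other goals.</p>
<p>After Heartbleed was made public, OpenBSD and Google each forked OpenSSL and began developing their own SSL/TLS libraries, named LibreSSL and BoringSSL respectively. LibreSSL was forked from OpenSSL by the OpenBSD community in April 2014, mainly to refactor OpenSSL’s code and strengthen security. Its first release came out in July 2014 as version 2.0.0. LibreSSL removed a large amount of useless and legacy code left in OpenSSL and added some new features, such as the ChaCha and Poly1305 algorithms. In June 2014, Google also forked its own version from OpenSSL: BoringSSL. BoringSSL does not aim to replace OpenSSL as a general-purpose SSL library; it is developed independently, mainly for Google’s own needs, and is used primarily in Chrome and Android.</p>
<p>According to Mark J. Cox, OpenSSL hopes to become the most widely used general-purpose SSL library in the future and, through the measures taken after Heartbleed, expects to make the OpenSSL brand more positive and lessen the negative impact. Regarding LibreSSL and BoringSSL, Mark said OpenSSL will keep in communication with them on security issues and maintain a good cooperative relationship.</p>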
Use CDN to provide HTTPS abilityPaul Yang2016-08-04T22:00:00-07:00tag:infohunter.github.io,2016-08-04:/2016/08/04/depoly-cdn<p>GitHub Pages does not support HTTPS for custom domains, which means you cannot use your domain’s certificate, and this results in a ‘common name’ mismatch problem in browsers.</p>
<p>I decided to use a CDN to do the SSL offload job to solve this problem:</p>
<ol>
<li>Find a CDN provider that supports HTTPS</li>
<li>Get an SSL certificate for yourself; some vendors provide FREE certificates, for instance Alibaba Cloud and Let’s Encrypt.</li>
<li>Upload the certificate and private key to your CDN provider</li>
<li>Set username.github.io as the origin of your domain</li>
</ol>
<p>Everything is fine, except that the CDN service might cost you a little money.</p>
<p>I asked GitHub when it would support HTTPS for custom domains; their staff answered ‘no recent plans’. That’s sad…</p>
NirvanaPaul Yang2016-08-02T16:22:00-07:00tag:infohunter.github.io,2016-08-02:/2016/08/02/nirvana<p>Yeah, yeah, eventually I decided to use a free hosting system instead of the old one (which was deployed in a virtual machine on Alibaba Cloud).</p>
<p>The main reason for this has nothing to do with the cost; I just do not want to maintain such a BIG system for a personal weblog.</p>
<p>OK, and now I have embraced <a href="https://github.io">Github Pages</a> and <a href="http://github.com/mojombo/jekyll">Jekyll</a>, and I copied this site from Andrew Carter’s <a href="https://github.com/ascarter/ascarter.github.io">Coding in the Rain</a>; he is an experienced software engineer. What an awesome blog style, I like it!</p>
<p>Later I will port my old articles here (although I don’t have many).</p>
<p>Well, let’s test some Chinese characters:</p>
<p>涅槃</p>
<p>终于我决定使用一个免费的主机托管系统,然后放弃掉原来在阿里云上的那个虚拟机。主要不是因为开销问题,而是不希望为了个人博客而维护一个重量级的系统。我现在投入了<a href="https://github.io">Github Pages</a>和<a href="http://github.com/mojombo/jekyll">Jekyll</a>的怀抱,我从Andrew Carter那里抄了一个博客的模板过来,Andrew是一个非常资深的软件工程师。blog的风格很牛逼!后续我会将原paulyang.cn上的内容迁移过来。</p>
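Getting Free Certificates with Let’s EncryptPaul Yang2015-12-29T22:00:00-07:00tag:infohunter.github.io,2015-12-29:/2015/12/29/lets-encrypt<h1 id="什么是lets-encrypt">What is Let’s Encrypt</h1>
<p>Let’s Encrypt is a free CA service provided by ISRG. ISRG, the Internet Security Research Group, is a non-profit public-benefit organization funded jointly by multiple organizations and companies with the aim of improving the security of Internet communications. Put simply, Let’s Encrypt provides an automated certificate management service based on the ACME protocol, covering certificate issuance, renewal, revocation and so on, and all of it is free.</p>
<h1 id="什么是acme">What is ACME</h1>
<p>ACME stands for Automated Certificate Management Environment. It is a network protocol between a certificate applicant and a CA that automatically validates domain names and performs operations such as issuing and revoking DV-level certificates. ACME messages are formatted as JSON and exchanged between client and server entirely over HTTPS. The protocol is in the process of being standardized and is not yet very complete; the latest draft can be viewed at: <a href="https://github.com/ietf-wg-acme/acme">https://github.com/ietf-wg-acme/acme</a></p>
<p>The ACME protocol is fairly self-contained and is not used only by Let’s Encrypt; it could also be tightly integrated with a web server. Integrated with tengine, for example, the server itself could initiate new issuance and renewal on expiry fully automatically, that is, apply an issued certificate to tengine dynamically as soon as it is obtained. No such feature exists at present, of course; perhaps I will get the chance to implement it in tengine later.</p>
<h1 id="lets-encrypt的使用方法">How to use Let’s Encrypt</h1>
<p>It is very simple to use. First download the letsencrypt client:</p>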
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git clone https://github.com/letsencrypt/letsencrypt.git
</code></pre></div></div>
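<p>Then run the letsencrypt-auto command in the source directory. How exactly you run it is up to you; taking this site as an example, I requested a certificate for two domain names, www.paulyang.cn and paulyang.cn, using the method of specifying the web server’s html directory.</p>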
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./letsencrypt-auto certonly -a webroot \
--webroot-path /path/to/my/html/root \
-d paulyang.cn -d www.paulyang.cn
</code></pre></div></div>
<p>After it runs successfully, look in the following directory (域名 stands for your domain name):</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/etc/letsencrypt/live/域名/
</code></pre></div></div>
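<p>There you will find links to the issued certificate and the private key; there are normally four files:</p>
<ol>
<li>The domain certificate file</li>
<li>The certificate chain file for the chain that issued the domain certificate</li>
<li>The domain certificate plus certificate chain file</li>
<li>The private key file</li>
</ol>
<p>All files are in PEM format.</p>
<p>For this site, for example, it looks like this:</p>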
<p><span id="img1"><img src="/images/certs_x.png" alt="certs" width="867" height="128" /></span></p>
<p>N name, and multiple domain names are added via the X509v3 SAN extension; this site, for example, has two:</p>
<p><span id="img2"><img src="/images/san_x.png" alt="san" width="749" height="559" /></span></p>
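<p>What we need in practice are files 3 and 4; configure them in the corresponding web server. I use tengine, for example, so I only need to reference the certificate and private key in the tengine configuration file:</p>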
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssl_certificate /etc/letsencrypt/live/paulyang.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/paulyang.cn/privkey.pem;
</code></pre></div></div>
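<p>Other uses of letsencrypt-auto can be viewed with -h or -h [topic]; the main modes are:</p>
<ul>
<li>Use the apache plugin to issue and install certificates automatically</li>
<li>Use the nginx plugin to issue and install certificates automatically; this is currently experimental and rather unstable</li>
<li>Use standalone mode, in which the letsencrypt client starts its own web server to complete validation</li>
<li>Specify the html root directory to complete validation</li>
</ul>
<p>letsencrypt is currently still in beta and may be unstable, but since issuing certificates is not something done very frequently, it is still usable. Issued certificates are valid for 3 months.</p>
<p>DNS issues in China</p>
<p>Depending on the DNS provider in China, the Let’s Encrypt servers may be unable to resolve the site’s domain name when certain DNS servers are used. As far as I know, DNSPod works but Wanwang (万网) does not.</p>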
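<h1 id="lets-encrypt的原理">How Let’s Encrypt works</h1>
<p>As for how it works: Let’s Encrypt only verifies that the claim to the domain is valid and does not care whether a real-world entity exists, so in essence it is an automated process for proving control of a domain.</p>
<p>The flow is roughly as follows:</p>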
<ol>
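<li>The letsencrypt client first generates a public/private key pair on the web server that the domain to be certified points to</li>
<li>The letsencrypt client connects to the Let’s Encrypt server, that is, to the CA, and asks to begin validation</li>
<li>
<p>The Let’s Encrypt server sends the letsencrypt client some “tasks” to complete in order to prove that it controls the domain, roughly like this:
<span id="img3"><img src="/images/Screenshot-from-2016-01-10-001136.png" alt="s1" width="649" height="149" /></span>
There are two requirements: first, sign a piece of server-specified data (9cf0b331 in the figure above) with the private key the client generated; second, place server-specified content at a specified location on the web server.</p>
</li>
<li>Once the client has completed these tasks as the server requires, it notifies the server to start checking, as shown below:
<span id="img4"><img src="/images/Screenshot-from-2016-01-10-001151.png" alt="s2" width="648" height="347" /></span>
The server first uses the public key generated by the letsencrypt client to check that the signature is valid, then tries to download the content at the specified location under the domain being certified and checks it; if everything is in order, it tells the client that validation passed</li>
<li>Then comes certificate issuance: the letsencrypt client sends the server a CSR, and the server issues the certificate and sends it back to the client; this part is the same as with an ordinary CA</li>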
</ol>
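<p>The “place server-specified content at a specified location” step, as an added Python example that is not from the original post or from the letsencrypt client. It follows the http-01 challenge as later standardized in RFC 8555 (a file under /.well-known/acme-challenge/ named after the token, containing the token joined to the RFC 7638 thumbprint of the account key) rather than the beta-era exchange in the screenshots; the key, the token and all function names are constructed, and a local file read stands in for the CA’s HTTP fetch.</p>

```python
import base64, hashlib, hmac, json, re, tempfile
from pathlib import Path

# Constructed sample values (not real keys or tokens).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtZm9yLWRlbW8", "alg": "RS256"}
OTHER_JWK = dict(ACCOUNT_JWK, n="YW5vdGhlci1hY2NvdW50LWtleQ")
TOKEN = "constructed_token_0123456789-ABCDEF"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: hash only the required members, sorted by name, no whitespace.
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    # The token becomes a file name, so refuse anything outside base64url.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token must use the base64url alphabet only")
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def client_provision(webroot: Path, token: str, account_jwk: dict) -> Path:
    # Client side: put the CA-chosen content at the CA-chosen path under the webroot.
    body = key_authorization(token, account_jwk)
    path = webroot / ".well-known" / "acme-challenge" / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)
    return path

def ca_validate(fetched_body: str, token: str, account_jwk: dict) -> bool:
    # CA side: the served body must match what *this* account key implies.
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(fetched_body.rstrip().encode(), expected.encode())

def run_exchange(account_jwk: dict, claimed_jwk: dict) -> bool:
    # A local file read stands in for the CA's HTTP GET to the domain.
    with tempfile.TemporaryDirectory() as webroot:
        served = client_provision(Path(webroot), TOKEN, account_jwk).read_text()
        return ca_validate(served, TOKEN, claimed_jwk)

if __name__ == "__main__":
    print("same account key:", run_exchange(ACCOUNT_JWK, ACCOUNT_JWK))
    print("different account key:", run_exchange(ACCOUNT_JWK, OTHER_JWK))
```

<p>Because the file content is bound to the account key’s thumbprint, a challenge file written for one account does not validate for another, which is the same binding the signature check in step 4 provides.</p>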
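<p>The Let’s Encrypt website is: <a href="https://letsencrypt.org">https://letsencrypt.org</a>
The code is hosted on GitHub: <a href="https://github.com/letsencrypt/letsencrypt">https://github.com/letsencrypt/letsencrypt</a></p>
OpenSSL Evil-Warding Sword ManualPaul Yang2015-12-26T22:00:00-07:00tag:infohunter.github.io,2015-12-26:/2015/12/26/openssl-bible<p>The art of OpenSSL is broad and profound; none but those with deep inner strength can fathom its essence. Its documentation is incomplete, its code style is unlike anyone else’s, and cryptography itself is obscure and hard to understand. So although it is widely used, most people only scratch its surface and have little grasp of its essence.</p>
<p>Through Alibaba’s site-wide HTTPS project I came to this art midway in my career and had the good fortune to encounter OpenSSL. I record here my shallow insights from practicing it, as the “Thirty-Six Forms of the OpenSSL Evil-Warding Sword Manual”. Which thirty-six forms?</p>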
<ul>
<li>Form 1: The Past and Present of OpenSSL</li>
<li>Form 2: The OpenSSL build system</li>
<li>Form 3: app and the OpenSSL command line</li>
<li>Form 4: BIO</li>
<li>Form 5: BN</li>
<li>Form 6: Buffer</li>
<li>Form 7: EVP</li>
<li>Form 8: LHASH</li>
<li>Form 9: Objects</li>
<li>Form 10: Stack</li>
<li>Form 11: Store (mem)</li>
<li>Form 12: Sec mem</li>
<li>Form 13: PEM</li>
<li>Form 14: ASN.1</li>
<li>Form 15: PKCS#12/PKCS#7</li>
<li>Form 16: Rand</li>
<li>Form 17: SHA/HMAC</li>
<li>Form 18: AES</li>
<li>Form 19: DES</li>
<li>Form 20: ChaCha</li>
<li>Form 21: Modes</li>
<li>Form 22: RSA</li>
<li>Form 23: DSA</li>
<li>Form 24: DH</li>
<li>Form 25: ECC</li>
<li>Form 26: X509</li>
<li>Form 27: OCSP</li>
<li>Form 28: DSO/Engine</li>
<li>Form 29: SSL/TLS Record</li>
<li>Form 30: SSL/TLS state machine</li>
<li>Form 31: SSL lib</li>
<li>Form 32: SSL Session</li>
<li>Form 33: SSL Cert</li>
<li>Form 34: Test framework</li>
<li>Form 35: Debug</li>
<li>Form 36: Error handling</li>
</ul>
<p>Though my ability is limited, I hope this brick will draw out jade and this sword manual will pass on the inner method, so that we may eventually reach the goal of a cleaner Internet. Let us encourage one another.</p>
<p><span id="bible"><img src="/images/Photo_1230_1d.jpg" alt="bible" width="50%" /></span></p>