
3. Encryption algorithms and the use of openssl

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

3.1. Classification of encryption algorithms

Encryption transforms the original data with a special algorithm so that even if unauthorized users obtain the encrypted information, they still cannot understand its content because they do not know how to decrypt it. Encrypting data on the Internet mainly serves three goals for the content: confidentiality, integrity and authentication.

There are two types of encryption: symmetric encryption and asymmetric encryption.

Symmetric encryption: both sides use a common algorithm. Common algorithms include DES, 3DES, AES and so on.

Features: encryption and decryption use the same key; the original data is divided into blocks of fixed size that are encrypted one by one.

Drawbacks: too many keys, and the keys have to be distributed.

Asymmetric encryption: keys come in pairs. Common algorithms include RSA, DSA, ElGamal and so on.

Public key (pubkey): open to everyone. Private key (secret key): must be kept private.

Data encrypted with a public key can only be decrypted with the private key paired with it.

Main applications:

Digital signature: mainly lets the receiver confirm the identity of the sender.

Key exchange: the sender encrypts a symmetric key with the other party's public key and sends it to the other party.

Data encryption: encrypting the data itself.

One-way encryption: algorithms include MD5, SHA1 and so on.

Can only encrypt, not decrypt; extracts a fingerprint of the data.

Features: fixed-length output, and the avalanche effect (a small change in the original data completely changes the resulting fingerprint).

To ensure the confidentiality and integrity of the data and to confirm the identity of the other party, data exchanged on the Internet goes through a combination of these algorithms:

1. Use a one-way encryption algorithm to extract a digest from the data to be sent, then encrypt the digest with A's private key; this digitally signed digest is placed after the plaintext.

2. Then use A's private encryption to turn it into ciphertext.

3. Then encrypt the password used for the symmetric encryption with B's public key, completing the confidentiality of the data (the envelope).
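The three steps above, carried through with the openssl command-line tool and followed by the receiver's side, as an added example that is not part of the original article. It uses SHA-256, AES-256-CBC and pkeyutl in place of the MD5, des3 and rsautl commands shown later on this page; the file names, key sizes and sample message are assumptions.

```shell
#!/bin/sh
# Added example: sender A signs, encrypts and "envelopes" a message for receiver B.
# File names, key sizes and the sample message are assumptions for this demo.
envelope_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        umask 077
        printf 'transfer 100 to account 42\n' > msg.txt      # constructed sample data

        # Key pairs: A signs with a.key, B decrypts with b.key.
        for who in a b; do
            openssl genrsa -out "$who.key" 2048 2>/dev/null
            openssl rsa -in "$who.key" -pubout -out "$who.pub" 2>/dev/null
        done

        # Step 1: digest the data and sign the digest with A's private key;
        # the signature travels together with the plaintext.
        openssl dgst -sha256 -sign a.key -out msg.sig msg.txt
        tar -cf bundle.tar msg.txt msg.sig
        # Step 2: encrypt plaintext + signature with a one-time symmetric password.
        openssl rand -hex 32 > pass.txt
        openssl enc -aes-256-cbc -pbkdf2 -salt -in bundle.tar -out bundle.enc -pass file:pass.txt
        # Step 3: encrypt the symmetric password with B's public key.
        openssl pkeyutl -encrypt -pubin -inkey b.pub -in pass.txt -out pass.enc
        rm -f pass.txt bundle.tar msg.sig      # only bundle.enc and pass.enc are sent

        # Receiver B: recover the password, decrypt, then check A's signature.
        mkdir rx
        openssl pkeyutl -decrypt -inkey b.key -in pass.enc -out rx/pass.txt
        openssl enc -d -aes-256-cbc -pbkdf2 -in bundle.enc -pass file:rx/pass.txt | tar -xf - -C rx
        openssl dgst -sha256 -verify a.pub -signature rx/msg.sig rx/msg.txt >/dev/null || exit 2
        cmp -s msg.txt rx/msg.txt || exit 3

        # A modified message must fail verification against the same signature.
        printf 'transfer 900 to account 42\n' > rx/tampered.txt
        if openssl dgst -sha256 -verify a.pub -signature rx/msg.sig rx/tampered.txt >/dev/null 2>&1
        then exit 4; fi
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

envelope_demo && echo "envelope round trip verified"
```

A non-zero return code identifies the failing stage: 2 for signature verification, 3 for a plaintext mismatch, 4 if a tampered message was accepted.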

3.2. SSL Protocol and openssl

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide security and data integrity for network communication. TLS and SSL encrypt the network connection at the transport layer. The main services provided are: authenticating users and servers, so that data is sent to the correct client and server; encrypting data, so that it cannot be stolen in transit; and maintaining data integrity, so that data is not changed in the process of transmission.

OpenSSL is a secure socket layer cryptographic library that includes major cryptographic algorithms, commonly used key and certificate encapsulation management functions, and the SSL protocol, and provides rich applications for testing or other purposes.

OpenSSL consists of three parts:

libcrypto: encryption library

libssl: TLS/SSL library; implements session-based authentication, data confidentiality and session integrity

openssl: a multipurpose command-line tool that implements encryption.

Usage of the openssl command

    openssl command [ command_opts ] [ command_args ]

    openssl [ list-standard-commands | list-message-digest-commands | list-cipher-commands | list-cipher-algorithms | list-message-digest-algorithms | list-public-key-algorithms ]

STANDARD COMMANDS

    asn1parse ca ciphers cms crl crl2pkcs7 dgst dh dhparam dsa dsaparam
    ec ecparam enc engine errstr gendh gendsa
    genpkey genrsa nseq ocsp passwd pkcs12 pkcs7
    pkey pkeyparam pkeyutl rand req rsa rsautl
    s_client s_server s_time sess_id smime speed spkac
    ts verify x509

MESSAGE DIGEST COMMANDS

    md2 md5 mdc2 rmd160 sha sha1 sha224
    sha256 sha384 sha512

ENCODING AND CIPHER COMMANDS

    base64    Base64 Encoding
    bf bf-cbc bf-cfb bf-ecb bf-ofb
    cast cast-cbc
    cast5-cbc cast5-cfb cast5-ecb cast5-ofb
    des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb
    des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
    idea idea-cbc idea-cfb idea-ecb idea-ofb
    rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb
    rc4 rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb

Symmetric encryption

    openssl enc -des3 -a -salt -in /path/to/input_file -out cipher_file    # encryption

    openssl enc -d -des3 -a -salt -in /path/to/cipher_file -out clear_file    # decryption

    [root@mylinux home]# cat test.py    # view file content
    #!/usr/bin/python3
    def add(num1, num2):
        '''
        >>> add(12, 23)
        35
        '''
        return num1+num2
    if __name__ == '__main__':
        import doctest
        doctest.testmod()
    [root@mylinux home]# openssl enc -des3 -a -salt -in test.py -out cipher.py    # encrypt the file
    enter des-ede3-cbc encryption password:
    Verifying - enter des-ede3-cbc encryption password:
    [root@mylinux home]# cat cipher.py    # encrypted document
    (Base64-encoded ciphertext)

Decrypting cipher.py with the same password returns the original content of test.py.

One-way encryption

    openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-out filename] somefile

    [root@mylinux home]# ls
    date  loganalyzer-3.6.6  python_web  shell  wswp-code
    dow.zip  __pycache__  samba  test.py
    [root@mylinux home]# openssl md5 test.py    # extract the MD5 fingerprint of test.py
    MD5(test.py)= cafc9ca93649c2b9d67f33075402ce24

Public key encryption (usually not used to encrypt data): data is encrypted with the public key and decrypted with the private key

Key exchange: obtain the other party's public key. Data encryption: use the other party's public key. Identity authentication: use your own private key.

    openssl genrsa -out /PATH/TO/KEYFILENAME NUMBITS    # generate an RSA private key

    openssl rsa -in /PATH/TO/KEYFILENAME -pubout    # extract the public key

    [root@mylinux home]# openssl genrsa -out private.pem 2048    # generate private key
    Generating RSA private key, 2048 bit long modulus
    ...+++
    ...+++
    e is 65537 (0x10001)
    [root@mylinux home]# openssl rsa -in private.pem -pubout -out pub.pem    # extract public key
    writing RSA key
    [root@mylinux home]# ls
    cipher.py  dow.zip  private.pem  __pycache__  samba  test.py
    date  loganalyzer-3.6.6  pub.pem  python_web  shell  wswp-code
    [root@mylinux home]# cat date
    ls -l
    date
    [root@mylinux home]# openssl rsautl -encrypt -in date -inkey pub.pem -pubin -out date.en    # encrypt the date file with the public key
    [root@mylinux home]# cat date.en    # encrypted file
    (unreadable binary ciphertext)
    [root@mylinux home]# openssl rsautl -decrypt -in date.en -inkey private.pem -out date.de    # use the private key to decrypt the file
    [root@mylinux home]# cat date.de    # decrypted file
    ls -l
    date

3.3. Issuing certificates and CA

When communicating on the Internet, it is usually necessary to encrypt the data. A website owner who uses SSL must generate a CSR (Certificate Signing Request). A CSR is a digital file that contains a public key and a company name. The certificate must be issued by a trusted source called a CA (Certificate Authority).

Generation of CA server:

1. Determine the working directory of CA

    [root@promote CA]# vim /etc/pki/tls/openssl.cnf
    ...
    [ CA_default ]
    dir = /etc/pki/CA                # Where everything is kept (working directory)
    ...
    certificate = $dir/cacert.pem    # The CA certificate
    serial = $dir/serial             # The current serial number
    crlnumber = $dir/crlnumber       # the current crl number
                                     # must be commented out to leave a V1 CRL
    ...

2. Self-signed certificate

    [root@promote ~]# cd /etc/pki/CA/
    [root@promote CA]# ls
    certs  crl  newcerts  private
    [root@promote CA]# umask 077
    [root@promote CA]# openssl genrsa -out private/cakey.pem 2048    # generate private key
    Generating RSA private key, 2048 bit long modulus
    ...+++
    ...+++
    e is 65537 (0x10001)
    [root@promote CA]# openssl rsa -in private/cakey.pem -text -noout    # can be used to view the public key
    Private-Key: (2048 bit)
    modulus:
    ...
    [root@promote CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 365    # generate the certificate
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CH
    State or Province Name (full name) []:AH
    Locality Name (eg, city) [Default City]:AQ
    Organization Name (eg, company) [Default Company Ltd]:UJS
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:

3. Create the required files:

    [root@promote CA]# touch index.txt serial crlnumber
    [root@promote CA]# echo 01 > serial
    [root@promote CA]# ls
    cacert.pem  certs  crl  crlnumber  index.txt  newcerts  private  serial

Certificate applicant:

1. Generate a key for a service:

    [root@promote CA]# cd /etc/ssh/
    [root@promote ssh]# ls
    moduli       ssh_host_dsa_key      ssh_host_key.pub
    ssh_config   ssh_host_dsa_key.pub  ssh_host_rsa_key
    sshd_config  ssh_host_key          ssh_host_rsa_key.pub
    [root@promote ssh]# mkdir ssh
    [root@promote ssh]# cd ssh
    [root@promote ssh]# umask 077
    [root@promote ssh]# openssl genrsa 1024 > ssh.key    # generate key
    Generating RSA private key, 1024 bit long modulus
    .+
    .+
    e is 65537 (0x10001)
    [root@promote ssh]# openssl req -new -key ssh.key -out ssh.csr    # generate certificate signing request
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CA
    State or Province Name (full name) []:AH
    Locality Name (eg, city) [Default City]:AQ
    Organization Name (eg, company) [Default Company Ltd]:UJS
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:www.mylinux.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    An optional company name []:mylinux

2. Pass this request to the CA server in some way

# scp ssh.csr USERNAME@HOST:/path/to/somewhere (copy to CA server)

3. CA signs the certificate (operates on the CA server), and then sends it to the applicant

    [root@promote ssh]# openssl ca -in ssh.csr -out ssh.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: May 16 20:22:46 2017 GMT
                Not After : May 16 20:22:46 2018 GMT
            Subject:
                countryName               = CA
                stateOrProvinceName       = AH
                organizationName          = UJS
                commonName                = www.mylinux.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    02:46:26:FF:10:D9:7F:8A:70:68:41:52:E1:6F:35:46:7C:FF:A6:BB
                X509v3 Authority Key Identifier:
                    keyid:0A:04:7A:44:C6:8B:69:FD:7E:B0:F3:E4:5A:90:F4:DE:83:9B:A1:95

    Certificate is to be certified until May 16 20:22:46 2018 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@promote ssh]# ls
    ssh.crt  ssh.csr  ssh.key

    # scp vsftpd.crt USERNAME@HOST:/path/to/somewhere    (copy to applicant)
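The CA and applicant steps above end once the certificate is issued; the following added example (not from the original article) repeats them non-interactively and then runs the checks an applicant or relying party would perform on the result. The subject names and file names are assumptions, `openssl x509 -req` stands in for `openssl ca` so that no CA working directory is needed, and the applicant key is 2048-bit RSA rather than the 1024 bits used above.

```shell
#!/bin/sh
# Added example: private CA, CSR, signing, and the checks to run on the result.
# Subject names and file names are assumptions; "openssl x509 -req" stands in
# for "openssl ca" so that no openssl.cnf working directory is needed.
ca_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        umask 077                                   # keys readable by owner only
        # CA side: private key and self-signed certificate.
        openssl genrsa -out cakey.pem 2048 2>/dev/null
        openssl req -x509 -new -key cakey.pem -out cacert.pem -days 365 \
            -subj "/C=CN/ST=AH/O=UJS/CN=Demo Root CA" 2>/dev/null

        # Applicant side: key and CSR (2048-bit RSA, not 1024).
        openssl genrsa -out ssh.key 2048 2>/dev/null
        openssl req -new -key ssh.key -out ssh.csr \
            -subj "/C=CN/ST=AH/O=UJS/CN=www.mylinux.com" 2>/dev/null

        # CA side: check the CSR's self-signature, then issue the certificate.
        openssl req -in ssh.csr -noout -verify >/dev/null 2>&1 || exit 2
        openssl x509 -req -in ssh.csr -CA cacert.pem -CAkey cakey.pem \
            -set_serial 01 -days 365 -out ssh.crt 2>/dev/null

        # Check 1: the issued certificate chains to the CA certificate.
        openssl verify -CAfile cacert.pem ssh.crt >/dev/null 2>&1 || exit 3
        # Check 2: the certificate carries the applicant's public key.
        cert_pub=$(openssl x509 -in ssh.crt -noout -pubkey | openssl sha256)
        key_pub=$(openssl pkey -in ssh.key -pubout | openssl sha256)
        [ "$cert_pub" = "$key_pub" ] || exit 4
        # Check 3: a certificate with the same subject that the CA did not sign is rejected.
        openssl req -x509 -new -key ssh.key -out unsigned.crt -days 1 \
            -subj "/C=CN/ST=AH/O=UJS/CN=www.mylinux.com" 2>/dev/null
        if openssl verify -CAfile cacert.pem unsigned.crt >/dev/null 2>&1
        then exit 5; fi
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

ca_demo && echo "CA-issued certificate verified"
```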

The meaning of file suffixes used with openssl

.key: private key

.crt: certificate file, short for certificate

.csr: certificate signing request (certificate request file), contains public key information, short for Certificate Signing Request

.crl: certificate revocation list, short for Certificate Revocation List

.pem: the format used for exporting and importing certificates, with lines marking the beginning and end of the certificate
