2025-01-26 Update From: SLTechnology News&Howtos shulou (Network Security)
Shulou(Shulou.com)06/01 Report--
In Internet communication (QQ, MSN and the like), if the content of a conversation is not encrypted, anyone on the path can read it immediately, which is not acceptable; so we encrypt the content of the communication, after which it is relatively safe to talk.
Data travels over the Internet in two ways: in plaintext or encrypted. Plaintext protocols include ftp, http, smtp and telnet. Later, to protect the integrity and confidentiality of data, encryption and related mechanisms were introduced to guarantee the security and integrity of the data.
Encryption types: principle, commonly used algorithms, advantages and disadvantages

Symmetric encryption
  Principle: both sides use the same algorithm (and the same key) to encrypt and decrypt the data
  Algorithms: DES, 3DES, AES
  Advantages: fast; suitable for encrypting large amounts of data; guarantees the confidentiality of the data
  Disadvantages: because both sides share the same key, the integrity of the data cannot be guaranteed; when there are many parties to encrypt for, the keys cannot be managed effectively

Asymmetric encryption
  Principle: for authentication, encrypt with the private key and decrypt with the public key; for data transmission, encrypt with the public key and decrypt with the private key
  Algorithms: RSA, DSS
  Advantages: can guarantee the availability of the data
  Disadvantages: slow; the keys used are quite long

One-way encryption (hashing)
  Principle: applies the algorithm directly to the data; the result can only be computed, never decrypted
  Algorithms: md5, sha1, sha256, sha512
  Advantages: guarantees the integrity of the data
  Disadvantages: cannot be decrypted
So what does sending a complete piece of data look like?
Sender:
1. The sender computes a signature (digest) of the original data with the chosen one-way algorithm.
2. The sender encrypts the digest with its own private key and appends the result to the original data.
3. The sender generates a one-time symmetric key and uses it to encrypt the data (original data + encrypted digest).
4. The sender encrypts the one-time symmetric key with the receiver's public key and appends it to the encrypted data.
5. Send.
Receiver:
1. The receiver decrypts the encrypted one-time symmetric key with its own private key.
2. The receiver decrypts the data with the symmetric key and obtains the encrypted digest and the original data.
3. The receiver decrypts the encrypted digest with the sender's public key.
4. The receiver recomputes the digest of the data with the same one-way algorithm the sender used and compares it with the decrypted digest.
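The sender/receiver procedure above, worked through in Go as an added example (this code is not from the article): SHA-256 is the one-way algorithm, an RSA PKCS#1 v1.5 signature plays the role of "encrypting the digest with the sender's private key", AES-256-GCM is the one-time symmetric cipher, and RSA-OAEP wraps the one-time key for the receiver. These concrete algorithm choices and the function names are mine, not the article's. RoundTrip also exercises the failure case receiver step 4 exists for: the same envelope verified against a public key that is not the sender's is rejected.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what goes on the wire in step 5: the wrapped one-time AES key, the GCM nonce,
// and AES-GCM(original data || signature).
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// Send performs the article's four sender steps.
func Send(data []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(data) // step 1: one-way digest of the original data
	// Step 2: "encrypt the digest with the sender's private key" is an RSA signature.
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	// Append the signature to the data; it is exactly one RSA modulus long, so the receiver can split it off.
	payload := append(append([]byte{}, data...), sig...)
	// Step 3: a fresh one-time symmetric key (AES-256-GCM here) encrypts data + signature.
	buf := make([]byte, 32+12) // AES-256 key followed by a standard 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // only fails for non-128-bit block ciphers, which AES never is
	// Step 4: wrap the one-time key with the receiver's public key and send it alongside.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Receive performs the four receiver steps and returns the data only if the
// recomputed digest matches the one recovered from the signature.
func Receive(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	// Step 1: unwrap the one-time key with the receiver's private key.
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	// Step 2: decrypt data + signature; GCM also rejects a tampered ciphertext here.
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("symmetric decryption failed: %w", err)
	}
	n := len(payload) - senderPub.Size()
	if n < 0 {
		return nil, fmt.Errorf("payload shorter than a signature")
	}
	data, sig := payload[:n], payload[n:]
	// Steps 3 and 4: recover the digest with the sender's public key and compare it
	// with a freshly computed one; rsa.VerifyPKCS1v15 does both at once.
	digest := sha256.Sum256(data)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return data, nil
}

// RoundTrip generates throw-away 2048-bit key pairs, sends msg and returns what the receiver
// recovered; wrongKeyRejected reports whether the envelope is refused under a non-sender key.
func RoundTrip(msg []byte) (recovered []byte, wrongKeyRejected bool, err error) {
	keys := make([]*rsa.PrivateKey, 3) // sender, receiver, impostor
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return nil, false, err
		}
	}
	env, err := Send(msg, keys[0], &keys[1].PublicKey)
	if err != nil {
		return nil, false, err
	}
	if recovered, err = Receive(env, keys[1], &keys[0].PublicKey); err != nil {
		return nil, false, err
	}
	_, badErr := Receive(env, keys[1], &keys[2].PublicKey)
	return recovered, badErr != nil, nil
}
```

RoundTrip([]byte("...")) returns the original bytes, true and a nil error. Note that GCM already rejects a modified ciphertext in receiver step 2, before the signature is looked at; what the signature adds is the binding of the message to the sender's key, which is why verifying it under the wrong public key fails.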
For asymmetric encryption, obtaining the other party's public key is very important. The simplest approach is to set up your own site and publish your public key there; but when someone else fetches it, how can they be sure that the public key really belongs to the publisher?
A simple public key distribution mechanism therefore cannot guarantee that the public key comes from a legitimate source, which is why a distributed distribution mechanism exists; the most common form is the digital certificate.
Digital certificates
Why do we need digital certificates? Imagine we want to communicate: how can we be sure the other party is really the one we want to talk to? Use a digital signature? Then how do we make sure that the digital signature is legitimate? At this point we need a third-party organization that everyone trusts (e.g. ××) to distribute digital certificates. When we see the other party's digital certificate, can we then determine their identity?
Format of a digital certificate: x.509v3 (the commonly used version)
  Version number (version)
  Serial number: uniquely identifies the certificate within the CA
  Signature algorithm identifier: lets the consumer determine which algorithm to use to verify the validity of the certificate
  Issuer name
  Validity period
  Certificate subject name (an organization, a host, or an individual)
  Certificate subject public key information
  Issuer unique identifier
  Subject unique identifier
  Extensions
  Signature
PKI (Public Key Infrastructure) is a specification that defines the mechanisms a CA must have.
Components:
  End entity (the applicant)
  Registration Authority (RA)
  Certification Authority (CA)
  Certificate Revocation List (CRL) issuer
  Certificate repository
So how do we apply for a certificate? If certificates only need to be issued to employees inside the company, applying to a third-party organization costs money; in that case it is much better to set up our own CA and issue the certificates ourselves.
To build our own CA we need a tool: OpenSSL.
OpenSSL consists of three parts:
  libcrypto: the library that implements encryption and decryption; many programs that need cryptography call this library
  libssl: implements the SSL functionality
  openssl: the OpenSSL command line tool
Introduction to several commonly used openssl commands:
version: show the openssl version number
enc: encrypt or decrypt
  -des3: use the des3 algorithm
  -in: the file to encrypt / decrypt
  -e: encrypt
  -d: decrypt
  -out: where to write the encrypted or decrypted file
For example, to encrypt a file:
  openssl enc -des3 -in /path/to/somefile -e -out /path/to/somefile.des3
To decrypt the encrypted file:
  openssl enc -des3 -in /path/to/somefile.des3 -d -out /path/to/somefile
dgst: compute a message digest (signature) of a file
  -hex: display the computed digest in hexadecimal
  -out: file to save the result to
Example: compute the md5 digest of a file:
  openssl dgst -md5 -hex /path/to/somefile
speed: speed test tool
  Without any arguments it tests every algorithm; if you name an algorithm, only that algorithm is tested.
Generate a private key:
  openssl genrsa num
num is the number of bits of the key to generate; the default is 512 bits, and it must be 2^n (a power of two).
For example (replace 2^n with the bit length, e.g. 2048):
  openssl genrsa 2^n > /path/to/keyfile
  openssl genrsa -out /path/to/keyfile 2^n
The private key can also be encrypted:
  -des3: encrypt the key with des3
  -out: where to save it
Example: openssl genrsa -des3 2048
Note: even though the private key is encrypted, it still must not be readable by just anyone, so change the permissions of the private key file so that only we ourselves can read it.
Generate the public key
Note: the public key is extracted from the private key:
rsa
  -in: where the private key is stored
  -pubout: output the public key
Example: extract the public key from the private key:
  openssl rsa -in /path/to/keyfile -pubout
Then how do we apply for a certificate?
The command used is req:
  -in: which file to read from
  -key: where the private key file is
  -new: create a new certificate request
  -days: how long the certificate is expected to be used
  -out: the file in which to save the certificate request
For example, to make a certificate request:
  openssl req -new -key /path/to/private_key -out /path/to/certificate.csr
Now let's go through building a CA, making a certificate request and issuing a certificate ourselves:
Self-built CA:
# cd /etc/pki/CA/
1. Generate a private key for the CA:
[root@www CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..+++
.+++
e is 65537 (0x10001)
2. Generate the self-signed certificate:
[root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                            // specify the country code
State or Province Name (full name) []:Henan                     // specify the province
Locality Name (eg, city) [Default City]:Zhengzhou               // specify the city
Organization Name (eg, company) [Default Company Ltd]:magedu    // specify the organization name
Organizational Unit Name (eg, section) []:Tech                  // specify the department
Common Name (eg, your name or your server's hostname) []:www.magelinux.org   // specify the hostname
Email Address []:                                               // email
[root@www CA]#
[root@www CA]# touch index.txt serial          // provide the index and serial number files
[root@www CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@www CA]# echo 01 > serial
Note: you must add -x509 when generating the self-signed certificate. If it is not specified, the output is a certificate request instead.
In this way our own CA is created and its self-signed certificate is ready, so we can start working with certificates.
3. Sign a certificate:
# openssl ca -in /path/to/certreq.csr -out /path/to/certfile.crt -days 365
(certificate files all end in .crt)
This is a digital signing process.
Client
Generate a private key:
[root@www ~]# mkdir /key
[root@www ~]# (umask 077; openssl genrsa -out /key/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
....+++
..+++
e is 65537 (0x10001)
Make a certificate request:
[root@www ~]# openssl req -new -key /key/httpd.key -out /key/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:Zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:www.magelinux.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the certificate:
[root@www ~]# openssl ca -in /key/httpd.csr -out /key/httpd1.csr -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 27 06:15:30 2013 GMT
            Not After : Aug 27 06:15:30 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Henan
            organizationName          = magedu
            organizationalUnitName    = Tech
            commonName                = www.magelinux.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:B0:1A:A0:BB:FB:AE:36:18:D0:72:1B:C5:A7:7C:8E:D5:F5:01:1F
            X509v3 Authority Key Identifier:
                keyid:7E:76:06:55:50:E5:CB:EE:F0:A7:F0:2E:DB:4D:CD:2B:54:C6:AF:39
Certificate is to be certified until Aug 27 06:15:30 2014 GMT (365 days)
Sign the certificate? [y/n]:
Dedicated client testing tool:
# openssl s_client -connect HOST:PORT -CAfile /path/to/cacertfile | -CApath /path/to/cacertfiles_dir/ -ssl2 | -ssl3 | -tls1
  -connect: which host and port to connect to for the check
  -CAfile: which CA certificate to use for the check
  -CApath: the directory holding the CA certificates; use either this or -CAfile
  -ssl2 / -ssl3 / -tls1: the protocol to use
  -state: display the handshake state
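The self-built CA flow above (CA key and self-signed certificate, client request, issuance with openssl ca, and the s_client -CAfile check) expressed with Go's standard crypto/x509 package, as an added example that is not part of the article. The subject fields are copied from the sessions above; everything else (function names, the 3650/365-day lifetimes as parameters, the serial number) is my choice. One difference from the openssl ca session above: the certificate issued there carries no Subject Alternative Name, and Go's hostname check ignores the Common Name, so SignCSR copies the CN into a SAN.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Subject fields copied from the article's interactive "openssl req" session.
var subject = pkix.Name{Country: []string{"CN"}, Province: []string{"Henan"}, Locality: []string{"Zhengzhou"},
	Organization: []string{"magedu"}, OrganizationalUnit: []string{"Tech"}, CommonName: "www.magelinux.org"}

// BuildCA does what "(umask 077; openssl genrsa -out private/cakey.pem 2048)" followed by
// "openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days N" does: a key pair plus a self-signed CA certificate.
func BuildCA(days int) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: subject,
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 0, days),
		IsCA: true, BasicConstraintsValid: true, // X509v3 Basic Constraints: CA:TRUE
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Using the template as its own parent is exactly what -x509 does: the certificate is self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// MakeCSR is the client side, "openssl genrsa -out /key/httpd.key 2048" then "openssl req -new -key
// /key/httpd.key -out /key/httpd.csr": a request carrying subject and public key, signed with the matching private key.
func MakeCSR() (*rsa.PrivateKey, *x509.CertificateRequest, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return key, csr, err
}

// SignCSR is "openssl ca -in httpd.csr -out httpd.crt -days 365": check that the request matches its
// signature, copy subject and public key into a CA:FALSE certificate with the next serial, sign with the CA key.
func SignCSR(caKey *rsa.PrivateKey, caCert *x509.Certificate, csr *x509.CertificateRequest, serial int64, days int) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil { // "Check that the request matches the signature"
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 0, days), BasicConstraintsValid: true, // CA:FALSE
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames: []string{csr.Subject.CommonName}, // SAN: Go matches the hostname here, not against the CN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWithCA is the check "openssl s_client -CAfile cacert.pem" performs: chain the server
// certificate up to the trusted CA and match the hostname.
func VerifyWithCA(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Demo runs the whole flow: self-built CA, client request, issuance, then the client-side
// check against the issuing CA and against a second CA the client was never told to trust.
func Demo() (verified, unrelatedCARejected bool, err error) {
	caKey, caCert, err1 := BuildCA(3650)
	_, otherCA, err2 := BuildCA(3650)
	_, csr, err3 := MakeCSR()
	for _, e := range []error{err1, err2, err3} {
		if e != nil {
			return false, false, e
		}
	}
	leaf, err := SignCSR(caKey, caCert, csr, 1, 365)
	if err != nil {
		return false, false, err
	}
	verified = VerifyWithCA(leaf, caCert, subject.CommonName) == nil
	unrelatedCARejected = VerifyWithCA(leaf, otherCA, subject.CommonName) != nil
	return verified, unrelatedCARejected, nil
}
```

Demo() returns (true, true, nil): the leaf verifies against the CA that issued it and fails against a second CA that even carries an identical subject name, because the chain check is a signature check, not a name check. That is what the -CAfile / -CApath option of s_client decides, and why a client must only be given the cacert.pem of the CA it actually trusts.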
File suffixes used with openssl:
  .key: private key
  .crt: certificate file (short for certificate)
  .csr: certificate signing request, containing the public key information (short for certificate signing request)
  .crl: certificate revocation list (short for Certificate Revocation List)
  .pem: the format used to export and import certificates, with the BEGIN and END markers of the certificate
© 2024 shulou.com SLNews company. All rights reserved.