2025-04-02 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article is a set of OpenSSL study notes: the cryptographic concepts behind it, the main openssl subcommands, and how to set up a private CA with it. The content is concise and easy to follow, and the worked sessions should make each step clear.
Properties a secure transmission must provide: integrity, confidentiality, authentication
1. Encryption algorithms
1) Symmetric encryption
2) Public-key encryption (asymmetric encryption)
Public key: anyone may see it.
Private key: only the owner may see it.
3) IKE: key exchange protocol
4) PKI: public key infrastructure
Symmetric encryption:
Both sides use the same key
Algorithms: DES, 3DES
AES192, AES256, AES512
One-way encryption (hashing):
Algorithms: MD5, SHA1, CRC-32, SHA192
Public-key encryption: identity authentication, data encryption
Algorithms: RSA (encryption and signing), DSA (signing), ElGamal
OpenSSL: open-source implementation of SSL/TLS
libcrypto: general-purpose cryptography library
libssl: implementation of TLS/SSL
A session-based TLS/SSL library that provides authentication, data confidentiality and session integrity
openssl: the command-line tool
It can also issue private certificates (run a private CA)
[root@192 ~]# rpm -q openssl
openssl-1.0.2k-12.el7.x86_64
[root@192 ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[root@192 ~]#
Openssl official website: https://www.openssl.org/
Subcommands: openssl -? lists the available subcommands.
openssl speed: speed test tool
[root@192 ~]# openssl speed des
Doing des cbc for 3s on 16 size blocks: 11523085 des cbc's in 2.96s
Doing des cbc for 3s on 64 size blocks: 3017947 des cbc's in 2.98s
Doing des cbc for 3s on 256 size blocks: 767332 des cbc's in 2.98s
Doing des cbc for 3s on 1024 size blocks: 189100 des cbc's in 2.97s
Doing des cbc for 3s on 8192 size blocks: 23942 des cbc's in 2.97s
Doing des ede3 for 3s on 16 size blocks: ^
openssl enc: encrypt and decrypt files
[root@192 demo]# openssl enc -des3 -salt -in /tmp/demo/1.txt -out 1.txt.des3
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@192 demo]# ll
total 8
-rw-r--r-- 1 root root 10 Oct 21 22:01 1.txt
-rw-r--r-- 1 root root 32 Nov 24 23:47 1.txt.des3
[root@192 demo]# cat 1.txt
[root@192 demo]# cat 1.txt.des3
[root@192 demo]#
openssl dgst: compute message digests (and sign or verify them)
[root@192 demo]# md5sum 1.txt
c7fd8dfd6902d5503d5d1f41940174bf  1.txt
[root@192 demo]# sha1sum 1.txt
7eac1643c87e8a425c3e361c7e0a2a48e8bba9b8  1.txt
[root@192 demo]# md5sum 1.txt.2
c7fd8dfd6902d5503d5d1f41940174bf  1.txt.2
[root@192 demo]# openssl dgst -md5 1.txt
MD5(1.txt)= c7fd8dfd6902d5503d5d1f41940174bf
[root@192 demo]#
openssl passwd -1: generate a password hash (the MD5-crypt $1$ format)
[root@192 demo]# openssl passwd -1
Password:
Verifying - Password:
$1$93NfzJP4$vIiNiNwVPt.kqR232B6KJ.
[root@192 demo]#
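The dgst subcommand does more than print a hash: with a private key it produces a signature over the digest, and with the matching public key it verifies one, which is the "integrity plus authentication" pair from the top of these notes. The script below is an added example, not part of the original article; it assumes the openssl binary is on PATH and uses a constructed sample file and a freshly generated key. It uses SHA-256 rather than the MD5/SHA1 shown above, since those two are no longer collision-resistant, and it shows that changing a single byte of the file makes the old signature fail.

```shell
#!/bin/sh
# Added example (not from the original article): sign a file with "openssl dgst",
# verify the signature, and show that a modified file fails verification.
# Everything lives in a temporary directory that is removed on exit.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 2048-bit RSA key pair: private key for signing, extracted public key for verifying.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/sign.key" 2>/dev/null
openssl pkey -in "$WORK/sign.key" -pubout -out "$WORK/sign.pub"

# Constructed sample input standing in for a release artifact.
printf 'release-1.0 payload\n' > "$WORK/release.bin"

# sign_file FILE KEY SIG : SHA-256 digest of FILE, signed with KEY, written to SIG
sign_file() {
    openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# verify_file FILE PUB SIG : prints "ok" if SIG is a valid signature of FILE under PUB, else "bad"
verify_file() {
    if openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

sign_file "$WORK/release.bin" "$WORK/sign.key" "$WORK/release.sig"

# Untouched file: the signature verifies.
GOOD=$(verify_file "$WORK/release.bin" "$WORK/sign.pub" "$WORK/release.sig")

# One appended byte changes the digest, so the same signature no longer verifies.
cp "$WORK/release.bin" "$WORK/tampered.bin"
printf 'x' >> "$WORK/tampered.bin"
BAD=$(verify_file "$WORK/tampered.bin" "$WORK/sign.pub" "$WORK/release.sig")

echo "original: $GOOD, tampered: $BAD"
```

A plain md5sum only tells you the file matches some hash; the signature additionally binds that hash to whoever holds sign.key, and the verifier needs nothing but the public key.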
2. Certificate revocation list: CRL
3. CA: certificate authority
PKI: defines the trust relationships between CAs, and the revocation lists the CAs publish
PKI for TLS/SSL: X.509
PKI for OpenPGP
4. Certificate formats:
1) X.509 (TLS/SSL), containing:
the public key and expiry date
the rightful owner of the certificate
how the certificate may be used
CA information
the CA's signature (made with the CA's private key, verified with the CA's public key)
2) PKCS#12
5. TLS/SSL, OpenPGP
Four-layer model: link layer, network layer, transport layer, application layer
Seven-layer model: physical, data link, network, transport, session, presentation, application layers
TCP/IP, HTTP, SMTP, FTP
SSL: Secure Socket Layer
SSLv2, SSLv3
TLS: Transport Layer Security protocol
HTTP: runs over TCP
HTTPS: uses port 443
0) TCP three-way handshake
1) Establish an SSL session
2) The server sends its certificate to the client
3) The client verifies the certificate and generates a random symmetric key
4) The client encrypts that symmetric key with the server's public key and sends it to the server
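Steps 3 and 4 above are the key-transport step: the public key carried in the server's certificate protects a client-chosen symmetric key in transit, and from then on both sides encrypt with that key. The script below is an added example, not part of the original article, that performs exactly those two steps by hand with the openssl CLI (pkeyutl for the RSA step, enc for the symmetric traffic). It assumes openssl is on PATH; the "server" and "client" are two sets of files in one temporary directory, and the HTTP request is a constructed sample. Real TLS wraps this inside a handshake protocol (and TLS 1.3 uses Diffie-Hellman instead of RSA key transport), but the idea is the same.

```shell
#!/bin/sh
# Added example (not from the original article): RSA key transport of a
# symmetric session key, then symmetric encryption of the actual data.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Server: RSA key pair. The public half is what its certificate would carry (step 2).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub"

# Step 3, client: a random 256-bit symmetric key (hex), plus a random, non-secret IV.
openssl rand -hex 32 > "$WORK/client.sym"
IV=$(openssl rand -hex 16)

# Step 4, client: the symmetric key travels encrypted under the server's public key.
openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
    -in "$WORK/client.sym" -out "$WORK/sym.enc"

# Server: only the holder of server.key can recover the symmetric key.
openssl pkeyutl -decrypt -inkey "$WORK/server.key" \
    -in "$WORK/sym.enc" -out "$WORK/server.sym"

# keys_match : "yes" when both ends now hold the same symmetric key
keys_match() {
    if cmp -s "$WORK/client.sym" "$WORK/server.sym"; then echo yes; else echo no; fi
}

# From here the session is symmetric: the client encrypts a constructed request with
# AES-256-CBC under the shared key, and the server decrypts it with its own copy.
printf 'GET / HTTP/1.1\r\nHost: www.full.com\r\n\r\n' > "$WORK/request.txt"
openssl enc -aes-256-cbc -K "$(cat "$WORK/client.sym")" -iv "$IV" \
    -in "$WORK/request.txt" -out "$WORK/request.enc"
openssl enc -d -aes-256-cbc -K "$(cat "$WORK/server.sym")" -iv "$IV" \
    -in "$WORK/request.enc" -out "$WORK/request.dec"

# roundtrip_ok : "yes" when the server recovered exactly what the client sent
roundtrip_ok() {
    if cmp -s "$WORK/request.txt" "$WORK/request.dec"; then echo yes; else echo no; fi
}

# wrong_key_fails : "yes" when decrypting with an unrelated key does not yield the request
wrong_key_fails() {
    OTHER=$(openssl rand -hex 32)
    if openssl enc -d -aes-256-cbc -K "$OTHER" -iv "$IV" -in "$WORK/request.enc" \
           -out "$WORK/request.bad" 2>/dev/null \
       && cmp -s "$WORK/request.txt" "$WORK/request.bad"; then
        echo no
    else
        echo yes
    fi
}

echo "shared key: $(keys_match), roundtrip: $(roundtrip_ok), wrong key rejected: $(wrong_key_fails)"
```

The point of step 3 ("verifies the certificate") is what makes step 4 safe: if the client did not check that server.pub really belongs to the server, it would happily encrypt the session key to whoever supplied the public key.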
2. Using OpenSSL to run a private CA
2.1. Generate a key pair (the private key; note that with the default umask the file comes out world-readable, -rw-r--r--, whereas the CA steps later wrap genrsa in (umask 077; ...) so the key is created 0600)
[root@192 demo]# openssl genrsa 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...+++
...+++
e is 65537 (0x10001)
[root@192 demo]# ll
total 16
-rw-r--r-- 1 root root   10 Oct 21 22:01 1.txt
-rw-r--r-- 1 root root   10 Nov 24 23:49 1.txt.2
-rw-r--r-- 1 root root   32 Nov 24 23:47 1.txt.des3
-rw-r--r-- 1 root root 1675 Nov 25 00:15 server.key
2.2. Extract the public key (the output file is called client.key here, but it is simply the public half of server.key)
[root@192 demo]# openssl rsa -in server.key -pubout -out client.key
writing RSA key
[root@192 demo]# ll
total 20
-rw-r--r-- 1 root root   10 Oct 21 22:01 1.txt
-rw-r--r-- 1 root root   10 Nov 24 23:49 1.txt.2
-rw-r--r-- 1 root root   32 Nov 24 23:47 1.txt.des3
-rw-r--r-- 1 root root  451 Nov 25 00:20 client.key
-rw-r--r-- 1 root root 1675 Nov 25 00:15 server.key
2.3. Generate a self-signed certificate
[root@192 demo]# openssl req -new -x509 -key server.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:fullgoal
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:test
Email Address []:test@test.com
[root@192 demo]# ll
total 24
-rw-r--r-- 1 root root   10 Oct 21 22:01 1.txt
-rw-r--r-- 1 root root   10 Nov 24 23:49 1.txt.2
-rw-r--r-- 1 root root   32 Nov 24 23:47 1.txt.des3
-rw-r--r-- 1 root root  451 Nov 25 00:20 client.key
-rw-r--r-- 1 root root 1391 Nov 25 00:24 server.crt
-rw-r--r-- 1 root root 1675 Nov 25 00:15 server.key
[root@192 demo]#
2.4. Display the certificate contents (Issuer and Subject are identical and Basic Constraints says CA:TRUE, which is what a self-signed certificate looks like)
[root@192 demo]# openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: e4:15:8c:18:56:55:8c:4e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=shanghai, L=shanghai, O=fullgoal, OU=IT, CN=test/emailAddress=test@test.com
        Validity
            Not Before: Nov 24 16:24:04 2018 GMT
            Not After : Nov 24 16:24:04 2019 GMT
        Subject: C=CN, ST=shanghai, L=shanghai, O=fullgoal, OU=IT, CN=test/emailAddress=test@test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:ba:c2:13:78:d5:51:56:85:aa:99:6d:61:73:
                    8d:87:c4:57:a1:ca:90:2d:4c:d0:6c:61:15:98:82:
                    1d:c4:e5:4a:d9:57:e4:86:46:f5:f2:9b:84:f5:76:
                    69:d2:11:7a:7d:d5:c1:57:c2:35:8f:6f:46:51:fb:
                    d7:35:dc:21:cd:e9:f2:16:3c:00:dd:56:f1:6e:76:
                    58:a3:cd:52:31:6b:fa:04:51:e1:92:a9:f0:d9:2a:
                    57:20:aa:c1:88:df:b2:ca:45:14:cc:06:18:d1:2f:
                    62:da:5c:90:50:a4:ed:c8:42:49:2b:81:4c:ae:1f:
                    a3:3c:88:38:21:25:7a:9f:8b:c5:69:8e:69:2d:af:
                    23:65:03:0e:69:16:ab:b9:48:18:25:08:ff:4e:ce:
                    c0:10:39:a7:ed:94:9f:a1:a9:d3:cb:f3:4b:c2:24:
                    4d:fe:87:86:f9:91:80:a7:23:01:0f:ad:8c:f4:e1:
                    d3:ff:85:24:07:39:64:32:02:46:a8:df:5a:83:bf:
                    70:2e:d0:a3:7e:0c:d5:71:39:a7:21:fa:2d:5a:a3:
                    41:16:1a:06:38:7c:37:c4:12:59:fc:c2:83:c5:93:
                    0f:b8:de:f1:ca:57:64:ad:9f:5f:a7:2c:43:63:b2:
                    61:93:dd:fc:4a:bb:bf:d8:e2:e2:9e:a3:82:a8:1a:
                    27:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                59:88:62:54:A7:93:A7:7D:71:D2:97:45:29:6C:5A:63:0A:55:14:90
            X509v3 Authority Key Identifier:
                keyid:59:88:62:54:A7:93:A7:7D:71:D2:97:45:29:6C:5A:63:0A:55:14:90
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         8e:f7:ad:3a:04:7d:dd:41:67:df:b2:3b:d3:31:02:33:c2:e1:
         20:d0:29:0d:7e:98:c8:8c:87:e0:2b:62:70:3a:6e:fb:d3:9a:
         20:a6:89:ef:04:5d:d6:3f:ac:ae:12:91:ce:fb:a4:bf:b5:32:
         49:cb:09:e5:f1:09:71:a9:e8:4b:1c:84:de:cc:e7:70:7c:24:
         8d:66:38:05:63:7f:40:bd:1a:c7:1b:43:df:69:9b:0c:de:22:
         26:b0:26:00:b7:2b:61:12:a8:d4:18:7f:b8:24:59:f3:43:35:
         26:d4:90:23:db:80:8a:37:a4:63:74:aa:9f:50:bf:9c:a6:86:
         0c:a1:60:65:1d:80:20:8b:e2:0d:fb:32:a4:00:01:99:9a:df:
         e6:f8:6b:15:7a:3b:52:3c:92:0a:51:d6:9e:31:03:6e:65:90:
         af:ca:77:e7:37:69:ac:75:f7:3e:09:fa:64:b7:39:3b:a1:e3:
         c3:02:e7:5f:85:25:7f:78:cf:c6:37:1a:80:41:1b:a2:e3:7d:
         c0:fc:bc:e1:a8:70:3a:da:29:79:c2:83:2b:63:07:ce:8e:81:
         0b:1f:47:91:84:df:23:1f:bc:67:2d:5c:3a:3e:95:f2:b4:82:
         d5:99:0e:8e:b3:0e:cd:2a:74:98:37:50:b0:1c:e7:01:7e:4f:
         b8:6c:0f:7c
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIJAOQVjBhWVYxOMA0GCSqGSIb3DQEBCwUAMIGAMQswCQYDVQQGEwJDTjERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMREwDwYDVQQKDAhmdWxsZ29hbDELMAkGA1UECwwCSVQxDTALBgNVBAMMBHRlc3QxHDAaBgkqhkiG9w0BCQEWDXRlc3RAdGVzdC5jb20wHhcNMTgxMTI0MTYyNDA0WhcNMTkxMTI0MTYyNDA0WjCBgDELMAkGA1UEBhMCQ04xETAPBgNVBAgMCHNoYW5naGFpMREwDwYDVQQHDAhzaGFuZ2hhaTERMA8GA1UECgwIZnVsbGdvYWwxCzAJBgNVBAsMAklUMQ0wCwYDVQQDDAR0ZXN0MRwwGgYJKoZIhvcNAQkBFg10ZXN0QHRlc3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAybrCE3jVUVaFqpltYXONh8RXocqQLUzQbGEVmIIdxOVK2Vfkhkb18puE9XZp0hF6fdXBV8I1j29GUfvXNdwhzenyFjwA3VbxbnZYo81SMWv6BFHhkqnw2SpXIKrBiN+yykUUzAYY0S9i2lyQUKTtyEJJK4FMrh+jPIg4ISV6n4vFaY5pLa8jZQMOaRaruUgYJQj/Ts7AEDmn7ZSfoanTy/NLwiRN/oeG+ZGApyMBD62M9OHT/4UkBzlkMgJGqN9ag79wLtCjfgzVcTmnIfotWqNBFhoGOHw3xBJZ/MKDxZMPuN7xyldkrZ9fpyxDY7Jhk938Sru/2OLinqOCqBonxQIDAQABo1AwTjAdBgNVHQ4EFgQUWYhiVKeTp31x0pdFKWxaYwpVFJAwHwYDVR0jBBgwFoAUWYhiVKeTp31x0pdFKWxaYwpVFJAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAjvetOgR93UFn37I70zECM8LhINApDX6YyIyH4CticDpu+9OaIKaJ7wRd1j+srhKRzvukv7UyScsJ5fEJcanoSxyE3szncHwkjWY4BWN/QL0axxtD32mbDN4iJrAmALcrYRKo1Bh/uCRZ80M1JtSQI9uAijekY3Sqn1C/nKaGDKFgZR2AIIviDfsypAABmZrf5vhrFXo7UjySClHWnjEDbmWQr8p35zdprHX3Pgn6ZLc5O6HjwwLnX4Ulf3jPxjcagEEbouN9wPy84ahwOtopecKDK2MHzo6BCx9HkYTfIx+8Zy1cOj6V8rSC1ZkOjrMOzSp0mDdQsBznAX5PuGwPfA==
-----END CERTIFICATE-----
[root@192 demo]#
2.5. Create the CA (in /etc/pki/CA, the directory layout that openssl.cnf points at: private/cakey.pem, cacert.pem, index.txt and serial)
[root@192 demo]# cd /etc/pki/tls/
[root@192 tls]# vi openssl.cnf
[root@192 CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...+++
.+++
e is 65537 (0x10001)
[root@192 CA]# ll
total 0
drwxr-xr-x. 2 root root  6 Apr 11  2018 certs
drwxr-xr-x. 2 root root  6 Apr 11  2018 crl
drwxr-xr-x. 2 root root  6 Apr 11  2018 newcerts
drwx------. 2 root root 23 Nov 25 00:35 private
[root@192 CA]# ll private/
total 4
-rw------- 1 root root 1679 Nov 25 00:35 cakey.pem
[root@192 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:fullgoal
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:fullgoal
Email Address []:fullgoal@fullgoal.com
[root@192 CA]# ll
total 4
-rw-r--r--. 1 root root Nov 25 00:37 cacert.pem
drwxr-xr-x. 2 root root  6 Apr 11  2018 certs
drwxr-xr-x. 2 root root  6 Apr 11  2018 crl
drwxr-xr-x. 2 root root  6 Apr 11  2018 newcerts
drwx------. 2 root root 23 Nov 25 00:35 private
[root@192 CA]# touch index.txt
[root@192 CA]# echo 01 > serial
[root@192 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@192 CA]#
2.6. Apply for a certificate from the CA (note that the Locality entered in the CSR does not appear in the issued certificate: openssl ca keeps only the DN fields listed in the policy section of openssl.cnf and silently drops the rest)
[root@192 ~]# cd /tmp/demo/
[root@192 demo]# ls
1.txt  1.txt.2  1.txt.des3  client.key  server.crt  server.key
[root@192 demo]# mkdir ssl
[root@192 demo]# cd ssl/
[root@192 ssl]# pwd
/tmp/demo/ssl
[root@192 ssl]# (umask 077; openssl genrsa -out httpd.key)
Generating RSA private key, 2048 bit long modulus
..+++
...+++
e is 65537 (0x10001)
[root@192 ssl]# ls
httpd.key
[root@192 ssl]# cat httpd.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
[root@192 ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:fullgoal
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.full.com
Email Address []:full@full1.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@192 ssl]# ls
httpd.csr  httpd.key
[root@192 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 24 16:45:54 2018 GMT
            Not After : Nov 24 16:45:54 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanghai
            organizationName          = fullgoal
            organizationalUnitName    = IT
            commonName                = www.full.com
            emailAddress              = full@full1.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D8:67:DC:DA:25:5F:1C:FC:7C:CB:BC:4F:9B:85:20:2B:9D:47:A2:61
            X509v3 Authority Key Identifier:
                keyid:36:9F:EF:EF:DC:DF:CB:37:E7:69:EE:8C:EA:91:A0:30:A1:88:17:B8
Certificate is to be certified until Nov 24 16:45:54 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@192 ssl]# ls
httpd.crt  httpd.csr  httpd.key
[root@192 ssl]# cd /etc/pki/CA/
[root@192 CA]# cat index.txt
V	191124164554Z		01	unknown	/C=CN/ST=shanghai/O=fullgoal/OU=IT/CN=www.full.com/emailAddress=full@full1.com
[root@192 CA]#
Private certificate issuance process:
Create the CA: generate a private key -> generate a self-signed certificate -> place them at the paths openssl.cnf specifies
Apply for a certificate: generate a private key -> generate a certificate signing request (CSR) -> send it to the CA for signing
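The two-line summary above, run end to end as an added example (not the article's own session): it creates a CA, creates a server key and CSR, has the CA sign it, and then does the check the article never shows, namely verifying the issued certificate against the CA that signed it and against an unrelated CA. It assumes openssl is on PATH and uses constructed subject names. Instead of openssl ca, which needs the /etc/pki/CA layout plus index.txt and serial from openssl.cnf, it signs with openssl x509 -req -CA, so it runs in any temporary directory; it also adds CA:FALSE and a subjectAltName when signing, which openssl ca would take from the config's extension section.

```shell
#!/bin/sh
# Added example (not from the original article): private CA flow end to end,
# using "openssl x509 -req -CA ..." in place of "openssl ca".
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create the CA: private key created 0600 via umask, then a self-signed CA certificate.
(umask 077; openssl genrsa -out cakey.pem 2048 2>/dev/null)
openssl req -new -x509 -key cakey.pem -out cacert.pem -days 365 \
    -subj "/C=CN/ST=shanghai/O=fullgoal/OU=IT/CN=fullgoal private CA"

# Apply for a certificate: the server's private key and a signing request (CSR).
(umask 077; openssl genrsa -out httpd.key 2048 2>/dev/null)
openssl req -new -key httpd.key -out httpd.csr \
    -subj "/C=CN/ST=shanghai/O=fullgoal/OU=IT/CN=www.full.com"

# Extensions the CA attaches when signing: end-entity only (CA:FALSE, so the holder
# cannot issue further certificates) and a subjectAltName, which modern clients
# require for hostname matching.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.full.com\n' > httpd.ext
openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
    -extfile httpd.ext -out httpd.crt -days 365 2>/dev/null

# verify_against CERT CAFILE : "ok" when CERT chains to CAFILE, otherwise "fail"
# (checks the "<file>: OK" line so the result does not depend on the exit code
# conventions of a particular openssl version)
verify_against() {
    if openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'; then echo ok; else echo fail; fi
}

# is_end_entity CERT : "yes" when the certificate carries CA:FALSE
is_end_entity() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'; then echo yes; else echo no; fi
}

# A second, unrelated CA: trusting it must not make httpd.crt verify.
(umask 077; openssl genrsa -out other.key 2048 2>/dev/null)
openssl req -new -x509 -key other.key -out other.pem -days 365 \
    -subj "/C=CN/O=other/CN=Unrelated CA"

TRUSTED=$(verify_against httpd.crt cacert.pem)
UNTRUSTED=$(verify_against httpd.crt other.pem)
END_ENTITY=$(is_end_entity httpd.crt)
echo "own CA: $TRUSTED, unrelated CA: $UNTRUSTED, CA:FALSE present: $END_ENTITY"
```

The verify step is what a browser or openssl s_client does in step 3 of the handshake notes: the certificate is only as trustworthy as the CA file the client was told to trust, which is why a private CA's cacert.pem has to be distributed to every client that should accept certificates it issues.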
III. Client
sshd: host key
SSH configuration files: ssh_config (client), sshd_config (server)