Shulou(Shulou.com)06/01 Report--

This article shows you how to analyze openssl learning. The content is concise and easy to understand. It will definitely brighten your eyes. I hope you can gain something through the detailed introduction of this article.

Elements of the transmission process: integrity, confidentiality, authentication

1. Encryption algorithm

1) symmetric encryption:

2) Public key encryption algorithm (asymmetric encryption algorithm):

Public key: anyone can see it.

Private key: only you can see it.

3) ike: secret key exchange protocol

4) PKI: public key Infrastructure

Symmetric encryption:

Use the same password

Encryption algorithm: DES, 3DES

AES192 、 AES256 、 AES512

One-way encryption:

Algorithm: MD5, SHA1, CRC-32, SHA192

Public key encryption: identity authentication, data encryption

Algorithm: RSA (encryption, signature), DSA (signature), Elgamal

Open source implementation of OpenSSL:SSL

General encryption Library: libcrypto

The realization of libssl:TLS/SSL

Session-based TLS/SSL library that implements authentication, data confidentiality, and session integrity

Openssl: command line tool

Implement private certificate issuance

[root@192] # rpm-Q opensslopenssl-1.0.2k-12.el7.x86_64 [root@192] # openssl versionOpenSSL 1.0.2k-fips 26 Jan 2017 [root@192] #

Openssl official website: https://www.openssl.org/

Subcommand:

-?

Openssl speed Speed Test tool

[root@192 ~] # openssl speed desDoing des cbc for 3s on 16 size blocks: 11523085 des cbc's in 2.96sDoing des cbc for 3s on 64 size blocks: 3017947 des cbc's in 2.98sDoing des cbc for 3s on 256size blocks: 767332 des cbc's in 2.98sDoing des cbc for 3s on 1024 size blocks: 189100 des cbc's in 2.97sDoing des cbc for 3s on 8192 size blocks: 23942 des cbc's in 2.97sDoing des ede3 for 3s on 16 size blocks: ^

Openssl enc: encrypt, decrypt files

[root@192 demo] # openssl enc-des3-salt-in / tmp/demo/1.txt-out 1.txt.des3enter des-ede3-cbc encryption password:Verifying-enter des-ede3-cbc encryption password: [root@192 demo] # Total amount of ll 8 root root 10 October 21 22:01 1.txt RW root root-1 root root 32 November 24 23:47 1.txt.des3 [root@192 demo] # view 1.txt [root @ 192 demo] # view 1.txt.des3 [root@192 demo] #

Openssl dgst: computing software signature

[root@192 demo] # md5sum 1.txtc7fd8dfd6902d5503d5d1f41940174bf 1.txt [root@192 demo] # sha1sum 1.txt7eac1643c87e8a425c3e361c7e0a2a48e8bba9b8 1.txt [root@192 demo] # md5sum 1.txt.2c7fd8dfd6902d5503d5d1f41940174bf 1.txt.2 [root@192 demo] # openssl dgst-md5 1.txtMD5 (1.txt) = c7fd8dfd6902d5503d5d1f41940174bf [root@192 demo] #

Openssl passwd-1: produce encrypted strings

[root@192 demo] # openssl passwd-1Password: Verifying-Password: $1 $93NfzJP4 $vIiNiNwVPt.kqR232B6KJ. [root@192 demo] #

2. Certificate revocation list: CRL

3. CA: certificate authority

PKI: defines the trust relationship between CA,CA and the revocation list of CA

PKI:TLS/SSL:x509

PKI:OpenGPG

4. Certificate format:

1) x509:TLS/SSL

Public key, expiration date

The rightful owner of the certificate

How certificates should be used

How certificates should be used

CA information

Public key and private key of CA signature

2) pkcs12

5 、 TLS/SSL OpenGPG

Four-layer model: link layer, network layer, transport layer, application layer

Seven-layer model: physical layer, data link layer, network layer, transport layer, session layer, presentation layer, application layer

TCP/IP 、 http 、 smtp 、 ftp

Https: using port 443

SSL: secure socket sercure socket layer

SSLv2 、 SSLv3

TLS: transport layer Security Protocol

HTTP: based on TCP protocol

HTTPS: using port 443

0) TCP three-way handshake

1) establish a SSL session

2) the server sends the certificate to the client

3) client verifies certificates and generates random symmetric keys

4) client transmits the password encrypted by the public key and sends it to server

2. Openssl implements private CA

2.1. Generate a pair of keys

[root@192 demo] # openssl genrsa 2048 > > server.keyGenerating RSA private key 2048 bit long modulus. . +. .. + + e is 65537 (0x10001) [root@192 demo] # ll Total usage 16 root root RW root@192 demo-1 root root 10 October 21 22:01 1.txtMurray RW Mustang RW Mustang-1 root root 10 November 24 23:49 1.txt.2Mor RW Mustang-1 root root 32 November 24 23:47 1.txt.des3 RW- Rmuri Rafael-1 root root 1675 November 25 00:15 server.key

2.2. Generate public key

[root@192 demo] # openssl rsa-in server.key-pubout-out client.keywriting RSA key [root@192 demo] # ll Total usage 20MurrWhashasha-1 root root 10 October 21 22:01 1.txtMurray RWFLY Rafael-1 root root 10 November 24 23:49 1.txt.2MUTHUM RFI-1 root root 32 November24 23:47 1.txt.des3MIWMUR Muir-1 root root 451 November 25 00:20 client.key-rw-r--r-- 1 root root 1675 November 25 00:15 server.key

2.3. Generate self-signed certificate

[root@192 demo] # openssl req-new-x509-key server.key-out server.crt-days 365You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name ora DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter'., the field will be left blank.-Country Name (2 letter code) [XX]: CNState or Province Name (full name) []: shanghaiLocality Name (eg) City) [Default City]: shanghaiOrganization Name (eg, company) [Default Company Ltd]: fullgoalOrganizational Unit Name (eg, section) []: ITCommon Name (eg Your name or your server's hostname) []: testEmail Address []: test@test.com [root@192 demo] # ll Total usage 24 root root 10 October 21 22:01 1.txtMurray RW Mustang r Mustang-1 root root 10 November 24 23:49 1.txt.2Mashi RW Musashi-1 root root 32 November 24 23:47 1.txt.des3 Mustang RWMui r Muir-1 root root 451 November 25 00:20 client.key-rw-r--r-- 1 root root 1391 November 25 00:24 server.crt-rw-r--r-- 1 root root 1675 November 25 00:15 server.key [root@192 demo] #

2.4. Output certificate information

[root@192 demo] # openssl x509-text-in server.crt Certificate: Data: Version: 3 (0x2) Serial Number: e4:15:8c:18:56:55:8c:4e Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=shanghai, L=shanghai, O=fullgoal, OU=IT, CN=test/emailAddress=test@test.com Validity Not Before: Nov 24 16:24:04 2018 GMT Not After: Nov 24 16:24:04 2019 GMT Subject: C=CN ST=shanghai, L=shanghai, O=fullgoal, OU=IT CN=test/emailAddress=test@test.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c9:ba:c2:13:78:d5:51:56:85:aa:99:6d:61:73: 8d:87:c4:57:a1:ca:90:2d:4c: D0:6c:61:15:98:82: 1d:c4:e5:4a:d9:57:e4:86:46:f5:f2:9b:84:f5:76: 69:d2:11:7a:7d:d5:c1:57:c2:35:8f:6f:46:51:fb: d7:35:dc:21:cd:e9:f2:16:3c: 00:dd:56:f1:6e:76: 58:a3:cd:52:31:6b:fa:04:51:e1:92:a9:f0:d9:2a: 57:20:aa:c1:88:df:b2:ca:45:14:cc:06:18:d1:2f: 62:da:5c:90:50:a4:ed:c8:42: 49:2b:81:4c:ae:1f: a3:3c:88:38:21:25:7a:9f:8b:c5:69:8e:69:2d:af: 23:65:03:0e:69:16:ab:b9:48:18:25:08:ff:4e:ce: c0:10:39:a7:ed:94:9f:a1:a9: D3:cb:f3:4b:c2:24: 4d:fe:87:86:f9:91:80:a7:23:01:0f:ad:8c:f4:e1: d3:ff:85:24:07:39:64:32:02:46:a8:df:5a:83:bf: 70:2e:d0:a3:7e:0c:d5:71:39: A7:21:fa:2d:5a:a3: 41:16:1a:06:38:7c:37:c4:12:59:fc:c2:83:c5:93: 0f:b8:de:f1:ca:57:64:ad:9f:5f:a7:2c:43:63:b2: 61:93:dd:fc:4a:bb:bf:d8:e2: E2:9e:a3:82:a8:1a: 27:c5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 59:88:62:54:A7:93:A7:7D:71:D2:97:45:29:6C:5A:63:0A:55:14:90 X509v3 Authority Key Identifier: Keyid:59:88:62:54:A7:93:A7:7D:71:D2:97:45:29:6C:5A:63:0A:55:14:90 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption 8e:f7:ad:3a:04:7d:dd:41:67:df:b2:3b:d3:31:02:33:c2:e1: 20:d0:29:0d:7e : 98:c8:8c:87:e0:2b:62:70:3a:6e:fb:d3:9a: 20:a6:89:ef:04:5d:d6:3f:ac:ae:12:91:ce:fb:a4:bf:b5:32: 49:cb:09:e5:f1:09:71:a9:e8:4b:1c:84:de:cc:e7:70:7c:24: 8d:66:38:05:63 : 7f:40:bd:1a:c7:1b:43:df:69:9b:0c:de:22: 26:b0:26:00:b7:2b:61:12:a8:d4:18:7f:b8:24:59:f3:43:35: 26:d4:90:23:db:80:8a:37:a4:63:74:aa:9f:50:bf:9c:a6:86: 0c:a1:60:65:1d : 80:20:8b:e2:0d:fb:32:a4:00:01:99:9a:df: e6:f8:6b:15:7a:3b:52:3c:92:0a:51:d6:9e:31:03:6e:65:90: af:ca:77:e7:37:69:ac:75:f7:3e:09:fa:64:b7:39:3b:a1:e3: c3:02:e7:5f:85 : 25:7f:78:cf:c6:37:1a:80:41:1b:a2:e3:7d: c0:fc:bc:e1:a8:70:3a:da:29:79:c2:83:2b:63:07:ce:8e:81: 0b:1f:47:91:84:df:23:1f:bc:67:2d:5c:3a:3e:95:f2:b4:82: d5:99:0e:8e:b3 : 0e:cd:2a:74:98:37:50:b0:1c:e7:01:7e:4f: b8:6c:0f:7c-BEGIN CERTIFICATE-MIID1TCCAr2gAwIBAgIJAOQVjBhWVYxOMA0GCSqGSIb3DQEBCwUAMIGAMQswCQYDVQQGEwJDTjERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMREwDwYDVQQKDAhmdWxsZ29hbDELMAkGA1UECwwCSVQxDTALBgNVBAMMBHRlc3QxHDAaBgkqhkiG9w0BCQEWDXRlc3RAdGVzdC5jb20wHhcNMTgxMTI0MTYyNDA0WhcNMTkxMTI0MTYyNDA0WjCBgDELMAkGA1UEBhMCQ04xETAPBgNVBAgMCHNoYW5naGFpMREwDwYDVQQHDAhzaGFuZ2hhaTERMA8GA1UECgwIZnVsbGdvYWwxCzAJBgNVBAsMAklUMQ0wCwYDVQQDDAR0ZXN0MRwwGgYJKoZIhvcNAQkBFg10ZXN0QHRlc3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAybrCE3jVUVaFqpltYXONh8RXocqQLUzQbGEVmIIdxOVK2Vfkhkb18puE9XZp0hF6fdXBV8I1j29GUfvXNdwhzenyFjwA3VbxbnZYo81SMWv6BFHhkqnw2SpXIKrBiN+yykUUzAYY0S9i2lyQUKTtyEJJK4FMrh+jPIg4ISV6n4vFaY5pLa8jZQMOaRaruUgYJQj/Ts7AEDmn7ZSfoanTy/NLwiRN/oeG+ZGApyMBD62M9OHT/4UkBzlkMgJGqN9ag79wLtCjfgzVcTmnIfotWqNBFhoGOHw3xBJZ/MKDxZMPuN7xyldkrZ9fpyxDY7Jhk938Sru/2OLinqOCqBonxQIDAQABo1AwTjAdBgNVHQ4EFgQUWYhiVKeTp31x0pdFKWxaYwpVFJAwHwYDVR0jBBgwFoAUWYhiVKeTp31x0pdFKWxaYwpVFJAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAjvetOgR93UFn37I70zECM8LhINApDX6YyIyH4CticDpu+9OaIKaJ7wRd1j+srhKRzvukv7UyScsJ5fEJcanoSxyE3szncHwkjWY4BWN/QL0axxtD32mbDN4iJrAmALcrYRKo1Bh/uCRZ80M1JtSQI9uAijekY3Sqn1C/nKaGDKFgZR2AIIviDfsypAABmZrf5vhrFXo7UjySClHWnjEDbmWQr8p35zdprHX3Pgn6ZLc5O6HjwwLnX4Ulf3jPxjcagEEbouN9wPy84ahwOtopecKDK2MHzo6BCx9HkYTfIx+8Zy1cOj6V8rSC1ZkOjrMOzSp0mDdQsBznAX5PuGwPfA==-END CERTIFICATE- [root@192 demo] #

2.5.Create CA

[root@192 demo] # cd / etc/pki/tls/ [root@192 tls] # vi openssl.cnf [root@192 CA] # (umask 077 Openssl genrsa-out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus...+++.+++e is 65537 (0x10001) [root@192 CA] # ll total dosage 0drwxr-xr-x. 2 root root 6 April 11 2018 certsdrwxr-xr-x. 2 root root 6 April 11 2018 crldrwxr-xr-x. 2 root root 6 April 11 2018 newcertsdrwx-. 2 root root 23 November 25 00:35 private [root@192 CA] # ll private/ Total consumption 4murrw-1 root root 1679 November 25 00:35 cakey.pem [root@192 CA] # openssl req-new-x509-key private/cakey.pem-out cacert.pemYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name ora DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value If you enter'.', the field will be left blank.-Country Name (2 letter code) [XX]: CNState or Province Name (full name) []: shanghaiLocality Name (eg, city) [Default City]: shanghaiOrganization Name (eg, company) [Default Company Ltd]: fullgoalOrganizational Unit Name (eg, section) []: ITCommon Name (eg) Your name or your server's hostname) []: fullgoalEmail Address []: fullgoal@fullgoal.com [root@192 CA] # ll Total usage 4 root 25 November 00:37 cacert.pemdrwxr-xr-x. 2 root root 6 April 11 2018 certsdrwxr-xr-x. 2 root root 6 April 11 2018 crldrwxr-xr-x. 2 root root 6 April 11 2018 newcertsdrwx-. 2 root root 23 November 25 00:35 private [root@192 CA] # touch index.txt [root@192 CA] # echo 01 > serial [root@192 CA] # lscacert.pem certs crl index.txt newcerts private serial [root@192 CA] #

2.6. apply for permission from CA

[root@192 ~] # cd / tmp/demo/ [root@192 demo] # ls1.txt 1.txt.2 1.txt.des3 client.key server.crt server.key [root@192 demo] # mkdir ssl [root@192 demo] # cd ssl/ [root@192 ssl] # pwd/tmp/demo/ssl [root@192 ssl] # (umask 077 Openssl genrsa-out httpd.key) Generating RSA private key 2048 bit long modulus..+++...+++e is 65537 (0x10001) [root@192 ssl] # lshttpd.key [root@192 ssl] # cat httpd.key- -BEGIN RSA PRIVATE KEY-MIIEpAIBAAKCAQEAm44b6MFJgXjNr87q+Tz4uaxj+IuCJe9yA0aGVSN7ZLAW/oejEko8n5CRjQDdxn8zRK+bNZFoLknIJe8d58DynsqBQkPvjD2NdsT6TPnsbOQaujhq5/TKiFH7dkSUI/bsf3fkMhSqy0hlgfu9PlBMHnIf4mPjKvr4ZpztgKi9ejsyUxhbcM8N/37er8+xUjI1TG6PtfET/LVoePdesIpH8gQV9qfDWfJ71ikVUpeqMqQH42wgzaVhvUZFdG0WppvUOIL1f65fYQ1ZjvkLCxXBubbn3jgSrY/E6A+nu4+nvpIdjyAou5l3X5Z7VytM3+Lb5CE9x4Fz1nla0iNHreE6XwIDAQABAoIBADtw00Ne0MrTsa1zoSB6ZwT0VgM8tA/w7p1Hzr8r3tP74d2DURIFIiNLKAM8iIJ4Ssv9Wo7esHO3p+6u77uGZG+/LCN5OElbn/n5jTfq7Kgzhe8Q7fES/m2W/kMUM5OGoJqY4q8sbJNfZ8KCwq7UGjIsI/jreHwNCOyVHMBkOntBGRhF8Yzj0cYRnD4N0SLVid91q03v3HygbH1iME9tDqX1F07zcntsG9ZuKAYo5YzsmzBHAcKZRG9IiaD+5gGgIqKYyp1BV/98hdy2UtqjLSTQx1uMHv6EANa9yLAzKAlf7cYLTGD0iwyz83tZpo1ccAPjBDE9tTB48736NtHOwckCgYEAx7Zlh50L6B/Y7vHjPyMlcWZMc0AsBuzlNX/On2rsq15dmvuVlI6E/t2Llmc8ksg9smXpLknHpnO8VkI/w5Zeq0Xn94tcOoDrRxibW4zO+9v6ooKpPhtpHghMyN5ZBzezsh0wOPVtMLjFo1PDiCHTRGfPBS+Zn8w3rJ5Si3pDm10CgYEAx2WuXL/GjjHNROiFEzNd9wLVDpedTUthVfdx8VsB5ytqPKoaDLRHMTzr5abDo5uRZlvD664qjX7UG+8fcUFOGIiAqsjIthYxstmFgZrwlwbxWqsFqRFo7i2T/xM68EGaIee/9/2HNE9iKe7D0ohH5zeYdV+M59wHg0I9WbVaTOsCgYEAgO0a9jrz6NJGdVrqXSQPU/m6eNyAj6f3AGaVuQyJ5Mdynk6z7cdjzDSxnFLhI9DpI3Xu5tbycF5ew0DZcSZtzxu9+GybCZmYSbl08dEg/i6wyqCXKWUAo0awayw/RQ2Mj/uP2fV2m/FshVfZ7tQHUy3A05Q7FJH9jw5WM3ymkHECgYEAoDKMJI4bCvDuFvesuqFhU+vdmsyqn4f5WqTj0WIppD1YLAcJyL0qGV/1slsKAS8iYRdGz9ns7CNCbHLwUwCBquo4XX3U653nLebfASKnOt9kF1EhyhRntju+FIexqYc7OxRDQg1Zi+hfWIswnrvI8PXUsjAjN8Cp9IXKXoF6XCMCgYBmqpdLGf08mVzjiwlTxGmVITe8coC4wvdQ7rWMy555KR9rG60ixrlaCXBBSAw+WWkrlnLv/zguwzH3U9SLAH5LgSIWFviUwNieheU9IGa3eC+1vw3/Ij/7h7k/Csn9ceukVsEcIZV1l3mutqAAl5jh6v7MZ8pg85ZLHpR8Pwu27A==-END RSA PRIVATE KEY- [root@192 ssl] # openssl req-new-key httpd.key-out httpd.csr You are about to be asked to enter information that will be Incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name ora DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value If you enter'.', the field will be left blank.-Country Name (2 letter code) [XX]: CNState or Province Name (full name) []: shanghaiLocality Name (eg, city) [Default City]: shanghaiOrganization Name (eg, company) [Default Company Ltd]: fullgoalOrganizational Unit Name (eg, section) []: ITCommon Name (eg) Your name or your server's hostname) []: www.full.comEmail Address []: full@full1.com Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []: An optional company name []: [root@192 ssl] # lshttpd.csr httpd.key [root@192 ssl] # openssl ca-in httpd.csr-out httpd.crt-days 365Using configuration from / etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1 ) Validity Not Before: Nov 24 16:45:54 2018 GMT Not After: Nov 24 16:45:54 2019 GMT Subject: countryName = CN stateOrProvinceName = shanghai organizationName = fullgoal organizationalUnitName = IT commonName = www.full.com emailAddress = full@full1.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: D8:67:DC:DA:25:5F:1C:FC:7C:CB:BC:4F:9B:85:20:2B:9D:47:A2:61 X509v3 Authority Key Identifier: keyid:36:9F:EF:EF:DC:DF:CB:37:E7:69:EE:8C:EA:91:A0:30:A1:88:17:B8Certificate is to be certified until Nov 24 16:45:54 2019 GMT (days) Sign the certificate? [y/n]: y1 out of 1 certificate requests certified, commit? [y/n] yWrite out database with 1 new entriesData Base Updated [root@192 ssl] # lshttpd.crt httpd.csr httpd.key [root@192 ssl] # cd / etc/pki/CA/ [root@192 CA] # cat index.txtV 191124164554Z 01 unknown / C=CN/ST=shanghai/O=fullgoal/OU=IT/CN=www.full.com/emailAddress=full@full1.com [root@192 CA] #

Private Certificate issuance process:

Create CA: generate encrypted string-> generate certificate-> put it to the path specified by openssl.conf

Apply for certificate: generate encrypted string-> generate private certificate-> send it to CA for signature

III. Client

Sshd: host key

Ssh profile: ssh_config client, sshd_config server

The above content is how to analyze openssl learning. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.