2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Data encryption:
SSL: Secure Socket Layer
OpenSSL: an open-source implementation of SSL on Linux
Example: once a protocol is wrapped in SSL it is no longer the original protocol:
HTTP (80) --> SSL --> HTTPS
NIST defines the basic rules for data security:
Confidentiality:
Data confidentiality
Privacy
Integrity:
Data integrity
System integrity
Availability:
Security attacks:
Passive attacks: eavesdropping (monitoring)
Active attacks: masquerade, replay, message tampering, denial of service
Security mechanisms:
Encryption / decryption, digital signature, access control, data integrity, authentication exchange, traffic filling, routing control, notarization
Security Services:
Authentication
Access control
Data confidentiality
Connection confidentiality
Connectionless confidentiality
Selective-field confidentiality
Traffic-flow confidentiality
Data integrity
Non-repudiation
Cryptographic algorithms and protocols:
Symmetric encryption
Public key encryption [asymmetric encryption]
One-way encryption
Authentication protocol
Symmetric encryption: encryption and decryption use the same key; the plaintext stream is combined with the key to produce the ciphertext stream
Common algorithms:
DES: Data Encryption Standard, 56-bit key
3DES: Triple DES
AES: Advanced Encryption Standard (128 bits, 192, 256, 384, 512 bits)
Blowfish
Twofish
IDEA
RC6
CAST5
Properties:
1. The same key is used for encryption and decryption
2. The plaintext is divided into fixed-size blocks, which are encrypted one by one
3. Depends on: the algorithm and the key
Security rests on the key, not on the secrecy of the algorithm
Defects:
1. Too many keys are needed (one per pair of communicating parties)
2. Key distribution is inconvenient
Asymmetric encryption: public key encryption
The key is split into a private key and a public key: the private key is used only by its owner, and the public key is obtainable by everyone. Common algorithms: RSA, DSA (DSA can only do digital signatures)
Private key: secret key, used only by its owner
Public key: published openly to anyone who wants it
The public key is extracted from the private key; data encrypted with the public key can only be decrypted with the matching private key, and vice versa
Use:
1. Identity authentication: if data can be decrypted with a party's public key, it must have been encrypted with that party's private key, so the private key owner is authenticated
2. Key exchange: before communicating, first obtain the other party's public key, generate a session password, encrypt it with the other party's public key, and send it to them
3. Data encryption: possible, but slow, so it is generally not used for bulk data encryption
Properties:
1. The key length is large, e.g. 512 bits, 2048 bits, 4096 bits
2. Encryption and decryption are performed with the two halves of the key pair: what one key encrypts, the other decrypts
3. Commonly used for digital signatures and key exchange
One-way encryption (hashing): extracts a fixed-length fingerprint (digest) of the data
Used for data integrity checks
Properties:
1. Fixed-length output: no matter how large the original data is, the result has the same length
2. Avalanche effect: a small change in the original data leads to a large change in the result
3. Irreversible: the original data cannot be recovered from the digest
Algorithm:
MD5: 128-bit fixed-length output
SHA1: 160-bit fixed-length output
SHA256: 256-bit
SHA384: 384-bit
SHA512: 512-bit
An encrypted communication process
Sender:
1. Use a one-way encryption (hash) algorithm to extract the feature code (digest) of the data
2. Encrypt the digest with your own private key (this is the signature) and append it to the data
3. Generate a temporary key for symmetric encryption
4. Encrypt the data together with the private-key-encrypted signature using this temporary key
5. Encrypt the temporary key with the receiver's public key and append it to the symmetrically encrypted data
Recipient:
1. Decrypt the encrypted temporary key with your own private key, obtaining the symmetric key
2. Use the symmetric key to decrypt the symmetrically encrypted data and the signature ciphertext, obtaining the data and the signature ciphertext
3. Decrypt the signature ciphertext with the sender's public key, obtaining the digest the sender computed
4. Compute the digest of the data with the same one-way encryption algorithm as the sender and compare it with the decrypted one
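The sender/recipient procedure above carried out end to end with openssl subcommands, as an added example that is not from the original article; the party names alice and bob, the sample message and the algorithm choices (SHA-256 digest, AES-256-CBC, RSA 2048) are assumptions.

```shell
set -e

# Added demo: party names (alice, bob), the message and the algorithm choices
# (SHA-256 digest, AES-256-CBC, RSA 2048) are assumptions, not from the article.
run_exchange() {
    dir=$(mktemp -d); cd "$dir"
    printf 'constructed sample message\n' > msg.txt
    # Key pair per party; umask 077 keeps each private key readable by its owner only
    for who in alice bob; do
        (umask 077; openssl genrsa -out "$who.key" 2048 2>/dev/null)
        openssl rsa -in "$who.key" -pubout -out "$who.pub" 2>/dev/null
    done
    # Sender 1-2: digest the data and encrypt the digest with the sender's private key
    openssl dgst -sha256 -sign alice.key -out msg.sig msg.txt
    # Sender 3: temporary symmetric key (hex string used as the enc password)
    openssl rand -hex 32 > tmp.key
    # Sender 4: symmetrically encrypt the data and the signature with the temporary key
    openssl enc -e -aes-256-cbc -pbkdf2 -salt -pass file:tmp.key -in msg.txt -out msg.enc
    openssl enc -e -aes-256-cbc -pbkdf2 -salt -pass file:tmp.key -in msg.sig -out sig.enc
    # Sender 5: encrypt the temporary key with the recipient's public key
    openssl pkeyutl -encrypt -pubin -inkey bob.pub -in tmp.key -out tmp.key.enc
    # Recipient 1: recover the temporary key with the recipient's private key
    openssl pkeyutl -decrypt -inkey bob.key -in tmp.key.enc -out tmp.key.recv
    # Recipient 2: decrypt the data and the signature ciphertext
    openssl enc -d -aes-256-cbc -pbkdf2 -salt -pass file:tmp.key.recv -in msg.enc -out msg.recv
    openssl enc -d -aes-256-cbc -pbkdf2 -salt -pass file:tmp.key.recv -in sig.enc -out sig.recv
    # Recipient 3-4: recompute the digest and compare it with the one unlocked by alice.pub
    good=$(verify_with_sender_key msg.recv)
    # Failure mode: a message altered in transit no longer matches the signed digest
    printf 'constructed sample messagE\n' > msg.tampered
    bad=$(verify_with_sender_key msg.tampered)
    echo "$good $bad"
}

# Recipient steps 3-4 for one file; prints ok or bad instead of aborting the script
verify_with_sender_key() {
    if openssl dgst -sha256 -verify alice.pub -signature sig.recv "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}
```

Running run_exchange prints "ok bad": the untouched message verifies and the one-byte change is detected.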
Digital Certificate:
CA: Certificate Authority (certificate issuing agency)
Function: to guarantee the safe distribution of the communicating parties' public keys
Format of the digital certificate (X.509 v3):
Version number (version)
Serial number: used by the CA to uniquely identify this certificate
Signature algorithm identifier
Issuer name: the name of the CA itself
Validity period: two dates, the start date and the end date
Subject name: the name of the certificate owner
Subject public key information: the certificate owner's own public key
Issuer unique identifier:
Subject unique identifier:
Extensions:
Signature: the CA's digital signature over this certificate
Certificates usually serve two types of purposes:
User certificate
Host Certificate (httpd)
Certificate revocation: needed when the private key is lost or compromised
PKI: Public Key Infrastructure
Certificate authority: CA
Registration authority: RA
Certificate revocation list: CRL
Certificate access store (repository):
Components of openssl:
libcrypto: the encryption/decryption library
libssl: the implementation of the SSL protocol
openssl: a multi-purpose command-line tool; each function is implemented by a dedicated subcommand
Openssl:
Subcommand classification:
Standard command
Message digest command
Encryption and decryption related commands
Encrypted files (symmetric encryption):
Tools: openssl enc, gpg
Algorithm: des, 3des, aes, blowfish, twofish, idea, cast5
Enc tool:
Encryption:
# openssl enc -e -<cipher> -a -salt -in <file to encrypt> -out <encrypted output file>
Example: openssl enc -e -des3 -a -salt -in fstab -out fstab.des3
-e: encrypt; -des3: the cipher to use; -a: output in ASCII (base64) format; -salt: add salt; -in: the file to encrypt; -out: the file to write the ciphertext to
Decryption:
# openssl enc -d -<cipher> -a -salt -in <file to decrypt> -out <decrypted output file>
Example: openssl enc -d -des3 -a -salt -in fstab.des3 -out fstab2
-d: decrypt; -des3: the cipher the file was encrypted with; -a: the input is in ASCII (base64) format; -salt: salt was used; -in: the file to decrypt; -out: the file to write the plaintext to
One-way encryption:
Algorithm: md5, sha1
Tools: openssl dgst, md5sum, sha1sum, sha224sum, sha256sum, sha384sum,sha512sum
# openssl dgst -<algorithm> <file name>
Example: extract the digest of the fstab file and print it to the screen
# openssl dgst -md5 fstab
Generate user password:
# openssl passwd -1 -salt <8-character random string used as salt>
Example: openssl passwd -1 -salt 12345678
-1 selects the MD5-based password hash
Generate random numbers:
# openssl rand -hex|-base64 NUM    (-hex: hexadecimal output; -base64: text output; NUM: number of bytes)
Example: openssl rand -hex 4
Random number generator:
All random numbers come from these two devices:
/dev/random, /dev/urandom
Entropy pool: stores randomness collected from hardware interrupts
/dev/random: only returns random numbers from the entropy pool; when the pool is exhausted, the process reading random numbers blocks
/dev/urandom: first takes random numbers from the entropy pool; when the pool is exhausted, it generates them with a pseudo-random number generator
Generate key pairs:
Operation procedure: generate the private key and extract the public key from the private key
# openssl genrsa -out <private key file> [1024|2048|4096]    (the last argument is the key length)
Example: openssl genrsa -out httpd.key 2048
Note: commands enclosed in parentheses on the bash command line are executed in a child shell, so the umask change does not affect the current shell
Because the private key should be readable only by its owner, its permission should be 400 or 600
# (umask 277; openssl genrsa -out <private key file> [1024|2048|4096])
Example: (umask 277; openssl genrsa -out httpd.key 2048)
Manually extract the public key from the private key:
# openssl rsa -in <private key file> -pubout
Format of the X.509 v3 digital certificate: (see above)
Certificate revocation list (CRL):
How to obtain a certificate:
Apply for registration with the RA
Establish a private CA:
OpenSSL
OpenCA
Use OpenSSL to build a private CA:
1. Generate a private key: the CA's private key is used to add a digital signature to every certificate it issues
2. Generate a self-signed certificate: each communicating party imports this certificate as a trusted Certificate Authority
Configuration file: /etc/pki/tls/openssl.cnf
Working directory: /etc/pki/CA/
Establish a private CA:
1. Generate the private key file: /etc/pki/CA/private/cakey.pem
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
2. Generate the self-signed certificate
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days N
-new: generate a new certificate signing request
-key: path of the private key file, from which the public key is extracted
-days N: validity period of the certificate (in days)
-out: where the output file is saved
-x509: output a self-signed certificate directly instead of a request; normally used only when building a CA
3. Provide the auxiliary files
# touch /etc/pki/CA/index.txt    (the index file, i.e. the certificate database)
# echo 01 > /etc/pki/CA/serial
Issue a certificate to the node:
1. The node applies for a certificate
Perform the following steps on the host requesting the certificate:
(1) generate a private key
# (umask 077; openssl genrsa -out <private key file> 1024)
(2) generate the certificate signing request: openssl req -new -key <private key> -out <request>.csr
# openssl req -new -key httpd.key -out httpd.csr -days N
Notes:
(a) the subject information (country, province, organization) should match the CA's
(b) the Common Name must be the real name this host uses in communication
(3) send the request to the CA
2. The CA issues the certificate
(1) verify the requester's information
(2) sign the certificate
# openssl ca -in <request>.csr -out <certificate>.crt -days N
(3) return the signed certificate to the requester
Revoke the certificate:
1. Obtain the serial number of the certificate to revoke
# openssl x509 -in <certificate>.crt -noout -serial -subject
2. Perform the revocation
(0) make sure the serial number matches the one recorded in index.txt
(1) revoke the certificate
# openssl ca -revoke <certificate>.crt
(2) generate the CRL number file (only needed the first time; the CA increments it on each later CRL)
# echo 01 > /etc/pki/CA/crlnumber
(3) update the certificate revocation list
# openssl ca -gencrl -out <CRL file in use>.crl
(CRL generation is a subcommand of openssl ca; openssl crl only reads and displays an existing CRL)
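The whole private-CA procedure above (build the CA, issue a host certificate, revoke it, publish the CRL), as an added example that is not from the original article. It uses its own openssl.cnf in a temporary directory rather than /etc/pki; the subject values and the host name www.example.test are assumptions.

```shell
set -e

# Added demo of the CA procedure with a self-contained openssl.cnf in a temporary
# directory instead of /etc/pki; subject values and the host name are assumptions.
build_private_ca() {
    ca=$(mktemp -d); cd "$ca"
    mkdir private newcerts; touch index.txt; echo 01 > serial; echo 01 > crlnumber
    cat > openssl.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
EOF
    # CA steps 1-2: private key (owner-only via umask) and self-signed certificate
    (umask 077; openssl genrsa -out private/cakey.pem 2048 2>/dev/null)
    openssl req -new -x509 -config openssl.cnf -key private/cakey.pem -out cacert.pem \
        -days 365 -subj "/C=XX/O=Demo Org/CN=Demo Private CA"
    # Node: private key and CSR; C and O match the CA (policy_match), CN is the host name
    (umask 077; openssl genrsa -out httpd.key 2048 2>/dev/null)
    openssl req -new -config openssl.cnf -key httpd.key -out httpd.csr \
        -subj "/C=XX/O=Demo Org/CN=www.example.test"
    # CA signs the request; -batch skips the interactive confirmation
    openssl ca -batch -config openssl.cnf -in httpd.csr -out httpd.crt -days 365 -notext 2>/dev/null
    before=$(openssl verify -CAfile cacert.pem httpd.crt >/dev/null 2>&1 && echo valid || echo invalid)
    # Revoke, publish the CRL, and verify again with CRL checking turned on
    openssl ca -config openssl.cnf -revoke httpd.crt 2>/dev/null
    openssl ca -config openssl.cnf -gencrl -out ca.crl 2>/dev/null
    cat cacert.pem ca.crl > trust_with_crl.pem
    after=$(openssl verify -crl_check -CAfile trust_with_crl.pem httpd.crt >/dev/null 2>&1 && echo valid || echo revoked)
    echo "$before $after"
}
```

build_private_ca prints "valid revoked": the certificate verifies against the CA until the CRL that lists it is consulted.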
© 2024 shulou.com SLNews company. All rights reserved.