Shulou(Shulou.com)06/01 Report--

Based on the previous article, we know the encryption methods and algorithms used in data encryption, as well as some authentication bodies.

So this article is used for practical operation, how to use commands to complete the encryption and decryption of data.

First of all, before you do this, you need to know about two protocols about secure transmission: SSL and TLS.

SSL: (Secure Socket Layer, secure socket layer), a protocol layer between reliable connection-oriented network layer protocols and application layer protocols. SSL ensures privacy by authenticating each other, using digital signatures, and using encryption to ensure secure communication between the client and the server. The protocol consists of two layers:

TLS: (Transport Layer Security, transport layer security protocol), used to provide confidentiality and data integrity between two applications.

SSL is developed by Netscape to protect Web communications for users, and the current version is 3.0. The latest version of TLS 1.0 is a new protocol developed by IETF (Engineering Task Force). It is based on the SSL 3.0 protocol specification and is a successor to SSL 3.0.

After understanding the above two protocols, the next step is to use the OpenSSL program to implement the above security protocols

OpenSSL is an open source project; it mainly consists of the following three components:

Openssl; versatile command line tool

Library of encryption and decryption algorithms implemented by libcrypto;

Libssl; Library for realizing SSL/TLS function

How to use openssl:

㈠ symmetric encryption

Symmetric encryption uses openssl. The standard command is enc. The specific usage is as follows:

Openssl enc-ciphername [- in filename] [- out filename] [- e] [- d] [- a/-base64] [- salt]

Common options:

-ciphername: algorithm name, including des3, des, aes, rc4,...

-e: encryption

-d: decrypt

-a/-base64: encoding in plain text format

-salt: add random salt

-in filename: the file path to be encrypted

-out filename: the output path of the encrypted file

Example:

[root@XZC ~] # mkdir / shiyan

[root@XZC ~] # cd / shiyan/

[root@XZC shiyan] # cp-a / etc/fstab. /

[root@XZC shiyan] # ls

Fstab

[root@XZC shiyan] # openssl enc-e-des-a-salt-in. / fstab-out. / fstab.aes

Enter des-cbc encryption password:

Verifying-enter des-cbc encryption password:

[root@XZC shiyan] # ls

Fstab fstab.aes

[root@XZC shiyan] # cat fstab.aes

U2FsdGVkX1/8MReIhI8TC8rl+oSgYbU5+c/bzZut1Kv+JylxuubCqgybgIJafKEe

Db1kH6YeCtU+zoAqrQMPdVGtyQ4X3kMPbyFZSRbnv91Ouj8QJxpjkO3ja5o3/qFk

AJ7HtP8R3cyXiKynOzu7M2zNU4N7uKDz2G1QOCY/ZB1ds7mT7CkM27vnGkisjxTy

3CiFZQZ0xex6P3MGK78IoWPMyv3tYnLb0Bz9vDbfWXWnj8ImEWSg0G1SbkZyTvcm

T13PrzzaRiP11JOSB1isG3Qz9G2r8hp/0SbqduIyeZtvTr2GmsGz5AZpULakT31s

ILmgfHtGtWCN0EGEbVh9zLzS7UsAY4D/r03iePY/BiGnEPY4leFqqOFfuqBL/1ec

8LkiKB2LAvRnQI4LLWzEPXTysk67ETqiXHZrOtKWE744qFkRAK9kliUT7R8KtefQ

Gl+0dWI0ODNbbdL+j9s+VZB4YdlFYXacfOhiA5Qb1R69S52RmErx+kvjq1XmwoVx

Ld0lcctrEeSsF2jMReSpZ84gmyvMC511VYMlL9QLYn6BFFE65ycXZuQfv43GRQKu

OeYYooaswQJQ5E4SjPQDMfSBgxblZqmIxuhKBH1Mve1FQZLAo9YZsn/CrzpOTSqa

W57DkPY8U9A2Zdz5I4qC05wCQoXhoLcmXmc6f4keHLK4IVtOOHa/7OIKn3bHpUyG

O/Aw4fNXYbwyst4yROvXQEJPKpmg6lD/Som0K6tDGvEyX/BZAgJu+5pInhDGLnaR

+ OkEyTN3otEXGytApEW2gxunQS3UFHzK+swVstUzjHYipXvzTBR0C3Aq4NkxWoK2

WeSYlDr6FujaqMIY6wbUoMR+gD7WdstDyVfgZtOo+sXMpagB8VEsAXtPHSow50yn

5iQdUrMRCUb70Cda7/JUNreL+cNAc2ufZaQ7FJl1+VvlxytgZf+9gn/68jHq0D6t

CL+7rwAr+7F9hvuq3BLFrBfid1+1PjUuJABiLaArSsUrmOc7iDB08QJrz6arMQuz

CziR6tCkN6SmiVk1j93WyTvYtjo45CMIye4t8uJsXZVOYmNKmEXfutmmw2Cxfaso

2WUjp8cbank VdkJ2Oqhx8cmYOnZWg5OmIEPTQvCmbRpbhGnsfvaoxdbR2mkXEXDnq0 +

L6Hvg pH bind 0g0 =

㈡ one-way encryption

The standard command for openssl used in one-way encryption is dgst. The specific usage is as follows:

Openssl dgst-ciphername / PATH/TO/SOME_FILE

Example:

[root@XZC ~] # echo "hello gril" | openssl dgst-md5

(stdin) = 886b7588265e1ddcaeb8f0c025efc167

[root@XZC ~] # openssl dgst-md5 / shiyan/fstab

MD5 (/ shiyan/fstab) = e05f16e951766776dbb825646b21dae1

㈢ generates random numbers

Random numbers are generated using openssl's standard command rand. The specific usage is as follows:

Openssl rand [- out file] [- rand file (s)] [- base64] [- hex] num

Example:

[root@XZC ~] # openssl rand-hex 10

B957e6cd51ff87ef47bd

[root@XZC] # openssl rand-hex-out / shiyan/a.rand 10

[root@XZC ~] # cat / shiyan/a.rand

A814ddf429ce79b2f296

㈣ generates user password

The user password is generated using passwd in the openssl standard command

Openssl passwd [- 1] [- salt string] [- stdin]

Common options:

-1: use md5 encryption algorithm

-salt string: add random numbers, up to 8 digits

-stdin: encrypts the content entered by the standard

Example:

[root@XZC ~] # echo "xuzongchao123" | openssl passwd-1-stdin

$1$ kRWLNvyk$HD1pT6kFEzSquqKSyOGeZ0

[root@XZC ~] # openssl passwd-1-salt `openssl rand-base64 10`

Password:

$1 $VY1BfSc9 $lkI2LeSIk3Ye5hTBWMvcQ.

Public key encryption algorithm generated by ㈤

The private key to generate the RSA algorithm is: openssl genrsa

To extract the RSA public key from the private key is: openssl rsa

Openssl genrsa [- out filename] [- des] [- des3] [- idea] [- f4] [- 3] [numbits]

-numbits: the size of the generated private key. Default is 2048.

Example:

[root@XZC] # (umask 077; openssl genrsa-out / shiyan/ga.genrsa 4096)

# parentheses mean to run the command in a child shell and use the umask mask to modify the permissions of the generated file

Generating RSA private key, 4096 bit long modulus

.... . + +

... + +

E is 65537 (0x10001)

[root@XZC ~] # ls-dl / shiyan/ga.genrsa

-rw-. 1 root root 3243 August 11 15:41 / shiyan/ga.genrsa

[root@XZC ~] # cat / shiyan/ga.genrsa

-BEGIN RSA PRIVATE KEY-

MIIJKQIBAAKCAgEA8+W/qjcEKMnbzLmCHxf2oigkTpuA11eVtD5ZvpMSH78ZtQvU

AuyRxrwqnr7Jvge2AawA6F7JvyBEux5v1AImFXFyBZpK9yMe/WUEyjKLrToA151b

ID6KbrT8OGGE0fNdNY+UuR1hvZ1Hz/+rjVZVDYKtnhi8TxrLPuTSaA90tn4WCajh

UtSn9d7tmBhBNmW0AEZIxFc2VnX9HexGGWR1sCcYV6oeojxv+1BZHPmcyB7zeQuB

AH1cB3c/mUKMdXBEgMUXf9BMycJpAZL3qzXpig5GHN6VKsAA6ELNmXmBaCEfDhH1

Bv2jetGAwL8GaImX0I+q6qjKp56NGI3tRfi420Ut7/kDFreqm8wUXykZMRGTaQic

3s0t5Q/jBMFjD6cBEvijzyLVSfhP3C2Tsb9pdEFquj8A7O47NtH0hermujq7ycqz

Dj0CuzjCsWfBooJfn2CIylQixl109gyvYuJ5q6xyNIwKCAQA1AYuaNo4Y/EXZW2Y

M0Fx/RZCrohs2rEcTxSRTvmenH9cGYn+tKmE4PcuyrulYkV88TmpRL12f64v1V3h

-END RSA PRIVATE KEY-

Openssl rsa [- in filename] [- out filename] [- pubout]

-pubout: extract the public key according to the private key, do not generate a file, and output the result on the display screen

Example:

[root@XZC] # openssl rsa-in / shiyan/ga.genrsa-pubout

Writing RSA key

-BEGIN PUBLIC KEY-

MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA8+W/qjcEKMnbzLmCHxf2

OigkTpuA11eVtD5ZvpMSH78ZtQvUauyRxrwqnr7Jvge2AawA6F7JvyBEux5v1AIm

LoR7sgFWoRASmiZCyAHPntzQUralQluU5xqinzXigO6CtKoAlyj/GU7xa+jW3aN8

G4NWwel6W9ZB9S6scPd1pj5efUwKZ+4nbzu96upppsmLdTuftDab513IYEA5iiRq

UeHCh6/oCC4ZMSiLSuOLQx8CAwEAAQ==

-END PUBLIC KEY-

㈥ establishes a private CA

① creates a private key file for CA

~] # (umask 077; openssl genrsa-out / etc/pki/CA/private/cakey.pem 4096)

② generates self-signed certificate

~] # openssl req-new-x509-key / etc/pki/CA/private/cakey.pem-out / etc/pki/CA/cacert.pem-days 3653

-new: generate a new certificate signing request

-x509: generate self-signed certificates and issue self-signed certificates for private CA

-key: specify the path to the private key file of CA

-out: generate the path saved by the self-signed certificate

-days: sets the validity period of the certificate (in days)

③ satisfies the layout of directory-level and text files necessary for CA:

~] # touch / etc/pki/CA/index.txt

~] # echo 01 > / etc/pki/CA/serial

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.