Shulou(Shulou.com)06/01 Report--

Several aspects of data security services:

1, authentication access control prevents unauthorized access to resources 2, data confidentiality 3, data integrity to ensure that the data sent by the sender has not been modified. 4. Non-repudiation

First, how to verify the integrity of the data. That's how to know that the data has not been modified in the process of transmission. This requires the use of an one-way encryption algorithm to extract the fingerprint (signature) of the data.

The two sides of data transmission are: an and B

A: before the data transmission, extract the "fingerprint" of the data and then attach the fingerprint to the data and send it to B.

B: after receiving the data, extract the "fingerprint" of the data. Compare with the fingerprint of the data attached to the data, if the same

It is proved that the data is complete and has not been modified in the process of transmission.

Example:

1. Use [md5sum] one-way encryption algorithm to extract the data fingerprint of file secure.

[root@server test] # md5sum secure1f66b7c25cd47ba8dbe78ee4c28dfd36 secure

2. Add a blank line to the secure file

Before increase

[root@server test] # tail-2 secureAug 2 09:48:27 stu13 sshd [2231]: pam_unix (sshd:session): session opened for user admin by (uid=0) Aug 2 09:48:33 stu13 su: pam_unix (su-l:session): session opened for user root by admin (uid=

Use redirection to add blank lines

[root@server test] # echo "" > secure [root@server test] # tail-2 secureAug 2 09:48:33 stu13 su: pam_unix (su-l:session): session opened for user root by admin (uid=502)

3. Extract the fingerprint of the file secure

[root@server test] # md5sum secureffc2cd02fa9e936c29302c802131e629 secure

Description:

As can be seen from the above example, the data fingerprint of the file secure has changed dramatically after the addition of blank lines. Similar to the "butterfly effect", it is called "avalanche effect" in one-way encryption algorithms. This is why the integrity of data can be verified by data fingerprinting.

If, in the data transmission link between An and B, C intercepts the data packet. The above method does not ensure that the data has not been tampered with in the process of transmission.

Both sides of the communication: an and B

* *: C

A: before sending the packet to B, extract the data fingerprint and attach it to the data and send it to B.

C: in the transmission link of the data packet, a tool is used to intercept the data packet sent by A to B. Modify the data content and regenerate the data

Fingerprint, and then send it to B.

B: after receiving the data packet, extract the data fingerprint. Compare the data with fingerprints, it's the same. B thinks that the data is in the process of transmission.

It hasn't been tampered with. In fact, the data has been tampered with.

Reason: receiving data party B, there is no way to verify whether the data fingerprint attached to the data packet is extracted by A. So, how can B verify that the data fingerprint must have been extracted by A, and the data fingerprint has not been modified in the process of transmission. This uses the function of asymmetric encryption.

The keys of asymmetric encryption appear in pairs, which are divided into public key (public key) and private key (secret key).

This encryption has one feature:

The public key is public and the private key is self-retaining. The public key is extracted from the private key. Data encrypted by the public key can only be decrypted using the private key. Data encrypted by a private key can only be decrypted using a public key.

Premise:

The two sides of the communication are: an and B

Before the data exchange, each side of the communication generates a key pair, each gives the public key to the other, and the private key is retained by itself.

Data transfer:

A: extract the fingerprint of the data, encrypt the data fingerprint using the nominal name of recipient B, and then send it to B together with the data.

B: after receiving the data, use your own private key to decrypt the data fingerprint, if the decryption is successful

It is proved that A must be the one who extracted the data fingerprint. And then extract the fingerprints of the data. Compare the data fingerprints, if they're the same.

It means that the data has not been tampered with in the process of transmission.

If C intercepts the data on the data transmission link, tampers with the data, and reextracts the fingerprint of the data. However, C does not have the private key of data sender A, and receiver B will find that the data fingerprint has been modified when using A's public key to verify the identity of the maker of the data fingerprint. In this way, it is possible to detect whether the data has been modified during transmission. Even if someone intercepts the data, the receiver can correctly judge whether the data has been tampered with in the process of transmission. That is the integrity of the data.

However, the data sent by A to B is transmitted in clear text, which only ensures the integrity of the data and does not meet the requirements of data confidentiality. If the data they transmit is confidential, eavesdroppers on the data link will intercept the data and see the top secret content in the packet. Therefore, our data should be encrypted and then transmitted.

Second, how is the confidentiality of data realized?

There are two ways to encrypt data:

1. Symmetric encryption 2. Asymmetric encryption

The key of asymmetric encryption is very long, and the speed of encrypting data is much slower than that of symmetric encryption. The difference in speed is at least a hundred times. If the data transmitted by the web server uses asymmetric encryption, it will affect the experience of the user. So symmetric encryption is generally used for data encryption.

However, using one-way encryption of data, the key exchange between the two sides of the communication is also a problem, what to do?

Asymmetric encryption can realize the exchange of keys, and the speed of symmetrically encrypting data is very fast, so together they can solve the problem: data encryption and key exchange.

A: use symmetrical encryption method to encrypt data and data fingerprint together. Then use B's public key to encrypt the symmetrically encrypted key.

Send them together to B.

B: after receiving the packet:

Decrypt the symmetrically encrypted key with your own private key (An encrypts the key with B's public key)-> get the symmetric addition of plaintext

Secret key

Use key decryption, data and data fingerprinting. -> obtain the data fingerprints encrypted with B public key respectively.

And plaintext data

Use your own private key to decrypt data fingerprints-> get plaintext data fingerprints

Extract data fingerprints-> compare data fingerprints.

In the previous data communication between Party An and Party B: the confidentiality of the data, the use of symmetrical encryption. Key exchange is accomplished by asymmetric encryption. Data integrity, using one-way encryption. Encrypting data fingerprints and verifying the identity of the makers of data fingerprints are all done by asymmetric encryption.

Both involve the public keys of both sides of the data communication. If in the process of public key exchange, C intercepts the public key sent by B to An in the data link, C generates its own key pair and sends its own public key to A. In this way, C will pretend to be B to communicate with A. The so-called "middleman". So how does A make sure that the person who communicates with him must be B? Or that the public key you get must be B's? This is about to use the data certificate.

Third, how to distinguish the authenticity of the public key?

This requires a third-party organization, certification authority CA. To prove it, this proof is the so-called data certificate. This data certificate contains part of the user's information (such as host name, email address) and public key information. By looking up the data certificate, A knows that the public key must be B. In this way, A can safely exchange data with B.

However, how does A know that this data certificate of B must be issued by a legitimate notarized CA institution?

This requires authentication, just like the Public Security Bureau stamped *, CA uses his private key to add a data signature to B's digital certificate. A can tell the authenticity of a data certificate by using the public key of CA.

Linux is used: Openssl can achieve one-way encryption, symmetric encryption, asymmetric encryption, certificate issuance production and simple construction of a PKI (public key infrastructure), is an open source implementation.

Openssl consists of three main components:

1. Libcrypto this is an encryption library, which is specially used for encryption functions called by other software. 2. Libssl is a library used to implement the ssl protocol. Many network applications can use ssl to encrypt data. Such as: web server Apache3, command line tools: openssl can achieve data integrity check, encryption, decryption, certificate generation, including the generation of certificate requests, certificates and so on.

View the use of the openssl tool

[root@server ~] # openssl-hopenssl:Error: a subcommand of the'- h' is an invalid command.##openssl command. # # dgst indicates the signature (data fingerprint) of the extracted data. # # enc means to use symmetric encryption algorithm to encrypt data # # getrsa to generate private key # # req to extract the public key from the private key, and you are required to enter the company name, host, mailbox, company address, etc. Generate a certificate signing request # # after the ca CA institution examines the certificate signing request Use this subcommand to issue a certificate # # passwd encrypted plaintext password Standard commandsasn1parse ca ciphers cmscrl crl2pkcs7 dgst dhdhparam dsa dsaparam encengine errstr gendh gendsagenpkey genrsa nseq ocsppasswd Supported by pkcs12 pkcs7 pkcs8pkey pkeyparam pkeyutl primerand req rsa rsautls_client s_server s_time sess_idsmime speed spkac tsverify version x509 Symmetrical encryption algorithm Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecbaes-256-cbc aes-256- supported by Message Digest commands (see the `fingerprint) md2 md4 md5 rmd160sha sha1## Ecb base64 bfbf-cbc bf-cfb bf-ecb bf-ofbcamellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecbcamellia-256-cbc camellia-256-ecb cast cast-cbccast5-cbc cast5-cfb cast5-ecb cast5-ofbdes des-cbc des-cfb Des-ecbdes-ede des-ede-cbc des-ede-cfb des-ede-ofbdes-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofbdes-ofb des3 desx rc2rc2-40-cbc rc2- 64-cbc rc2-cbc rc2-cfbrc2-ecb rc2-ofb Rc4 rc4-40seed seed-cbc seed-cfb seed-ecbseed-ofb zlib

If you use openssl for symmetric encryption:

[root@server] # openssl enc-des3-salt-a-in fstab-out fstab.des3enter des-ede3-cbc encryption password:-> enter the password Verifying-enter des-ede3-cbc encryption password:

View encrypted file types

[root@server ~] # file fstab.des3-> the file type is the same as before encryption. But the opening is garbled. Fstab.des3: ASCII text

Decrypt fatab.des3

[root@server ~] # openssl enc-d-des3-salt-a-in fstab.des3-out fstabenter des-ede3-cbc decryption password:-> enter the password

One-way encryption uses the command dgst

[root@server ~] # openssl dgst-md5 fstabMD5 (fstab) = 53b4962a89e6eb77a83cb7592ee7f783

Encrypt plaintext password

[root@server ~] # openssl passwd-1 Password:-> enter the plaintext password Verifying-Password:$1$ CgFeVKbO$8.KGlawM.3vHADcOS1VZT.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.