
How to use Openssl to make CA Certificate

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I. SSL protocol overview

SSL (Secure Sockets Layer) is a protocol that provides encrypted transmission over the Internet. Netscape proposed the SSL standard when it launched its first Web browser. Its goal is to guarantee the confidentiality and integrity of communication between two applications, and it must be supported on both the server side and the client side.

SSL runs on top of a reliable transport-layer protocol (TCP). Its advantage is that it is independent of the application-layer protocol: higher-level protocols (HTTP, FTP, TELNET, etc.) can be layered transparently on top of it. Before any application-layer data is exchanged, SSL has already negotiated the encryption algorithms, agreed on the session keys and authenticated the server.

The secure channel provided by SSL protocol has the following three characteristics:

1. Confidentiality: the data is encrypted, so an eavesdropper on the path cannot read it.

2. Integrity: the receiver can detect whether the data was modified in transit.

3. Authentication: the server (and optionally the client) proves its identity with a certificate, so the peer can verify whom it is talking to.


II. A brief introduction to OpenSSL

OpenSSL is a widely used cryptographic library that implements SSL/TLS: Apache uses it for HTTPS and OpenSSH uses it for SSH. It is not only a library but also a multi-purpose, cross-platform cryptographic toolkit. OpenSSL ships with a command-line tool that exposes most of the functionality of the library.

The whole package of OpenSSL can be divided into three main functional parts.

1. libcrypto: the cryptographic algorithm library (ciphers, hashes, public-key algorithms, random numbers), responsible for encryption and decryption.

2. libssl: the SSL/TLS protocol library, which implements the protocol and manages sessions on top of libcrypto.

3. openssl: the command-line tool built on both libraries. (Apache's mod_ssl is a separate module that links against libssl; it is not part of OpenSSL itself.)

III. Digital certificates

Digital certificate is a kind of authoritative electronic document, which is issued by an authoritative and impartial third party, namely CA Center.

The security technologies built around digital certificates (encrypted transmission, digital signatures, digital envelopes and so on) make it possible to encrypt and decrypt information sent over the network and to sign and verify it, which guarantees the confidentiality and integrity of the transmitted information and the non-repudiation of transactions.

Digital certificates can be used for secure electronic transaction processing and secure electronic transaction activities such as sending secure e-mail, visiting secure sites, online securities trading, online bidding procurement, online office, online insurance, online taxation, online signing and online banking.

PKI:Public Key Infrastructure refers to a universal security infrastructure that uses public key concepts and technologies to implement and provide security services.

A complete PKI system has a set of basic components: a registration authority (RA), a certification authority (CA), a certificate repository, a key backup and recovery system, a certificate revocation mechanism (certificate revocation lists, CRLs), and the end entities together with the APIs they use to obtain and validate certificates.

IV. Certificate format

At present, digital certificates generally follow the X.509 v3 international standard. A standard X.509 certificate contains the following fields:

Certificate version (v1, v2 or v3)

Serial number; every certificate issued by a given CA has a unique serial number

The signature algorithm the issuer used to sign the certificate

The name of the issuer of the certificate, written as an X.500 distinguished name

The validity period (notBefore and notAfter); dates up to the year 2049 are encoded as UTCTime, whose two-digit year covers 1950 to 2049, and later dates as GeneralizedTime

The name of the owner (subject) of the certificate, also as an X.500 distinguished name

The public key of the certificate owner, together with its algorithm

In v3, optional extensions such as basicConstraints, keyUsage and subjectAltName

The issuer's signature over all of the above

V. Useful OpenSSL commands when making certificates

1. Encrypt data

# openssl enc -des3 -in /path/to/somefile -e -out /path/to/somefile.des3

(des3 is shown for compatibility with the original text; it is a legacy cipher, and for new work -aes-256-cbc with -pbkdf2 key derivation should be used instead.)

2. Decrypt data

# openssl enc -des3 -in /path/to/somefile.des3 -d -out /path/to/somefile

3. Compute a message digest (hash) of a file

# openssl dgst -md5 -hex /path/to/somefile # same result as md5sum

(MD5 is shown because the original text uses it; for anything security-relevant use -sha256, which corresponds to sha256sum.)

4. Test the encryption speed

# openssl speed

5. Compute a password hash (for example for a shadow-style entry)

# openssl passwd -1 -salt SALT

(-1 selects the MD5-based crypt format; the "-l" in the original is a misread of "-1". Newer OpenSSL releases also offer -5 and -6 for the SHA-256 and SHA-512 crypt formats, which should be preferred.)

6. Generate random numbers

# openssl rand -base64 NUM

# openssl rand -hex NUM

(NUM is the number of random bytes to generate, not the length of the printed string.)

7. Generate a private key

# openssl genrsa 2048 > /path/to/keyfile

# openssl genrsa -out /path/to/keyfile 2048

# (umask 077; openssl genrsa -out /root/mykey2.pri 2048)

(The key length is normally a power of two; 2048 is the minimum that should be used today. The umask in the third form makes sure the private key file is created readable only by its owner, instead of being created world-readable and chmod'ed afterwards.)

8. Extract the public key

# openssl rsa -in /path/to/keyfile -pubout
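The following script is an added example and not code from the original article: it exercises the commands listed above (enc, dgst, genrsa, rsa -pubout, rand) on a constructed sample file, substituting a modern cipher and digest (aes-256-cbc with PBKDF2 key derivation, sha256) for the legacy des3 and md5 shown, and adds the checks a practitioner wants to see: that a wrong passphrase does not recover the plaintext, and that a signature made with the private key fails on a tampered copy. The sample text and passphrases are constructed; it assumes the openssl command-line tool and sha256sum are installed.

```shell
#!/bin/sh
# Added example, not from the original article: run the commands listed above
# against a constructed sample file, using aes-256-cbc + PBKDF2 and sha256
# instead of the legacy des3 and md5. Needs the openssl CLI and sha256sum.
set -eu

# encrypt_roundtrip DIR PASS: write a constructed plaintext, encrypt and decrypt
# it with the same passphrase; 0 only if the decrypted file is byte-identical.
encrypt_roundtrip() {
  dir=$1; pass=$2
  printf 'constructed sample plaintext for the openssl demo\n' > "$dir/plain.txt"
  openssl enc -aes-256-cbc -pbkdf2 -salt -e -in "$dir/plain.txt" \
    -out "$dir/plain.enc" -pass "pass:$pass"
  openssl enc -aes-256-cbc -pbkdf2 -d -in "$dir/plain.enc" \
    -out "$dir/plain.dec" -pass "pass:$pass"
  cmp -s "$dir/plain.txt" "$dir/plain.dec"
}

# wrong_pass_fails DIR: decrypting with another passphrase must either be
# rejected (bad padding) or yield something other than the plaintext.
# 0 when the plaintext was NOT recovered. Needs plain.enc from encrypt_roundtrip.
wrong_pass_fails() {
  dir=$1
  if openssl enc -aes-256-cbc -pbkdf2 -d -in "$dir/plain.enc" \
       -out "$dir/plain.bad" -pass pass:not-the-passphrase 2>/dev/null; then
    ! cmp -s "$dir/plain.txt" "$dir/plain.bad"
  else
    return 0
  fi
}

# digest_matches DIR: `openssl dgst -sha256` agrees with sha256sum, just as the
# article notes for -md5 and md5sum.
digest_matches() {
  a=$(openssl dgst -sha256 "$1/plain.txt" | awk '{print $NF}')
  b=$(sha256sum "$1/plain.txt" | awk '{print $1}')
  [ "$a" = "$b" ]
}

# sign_and_verify DIR: generate a key pair (genrsa, then rsa -pubout), sign the
# file's SHA-256 digest with the private key, verify with the public key, and
# confirm that a tampered copy fails verification. 0 when both checks hold.
sign_and_verify() {
  dir=$1
  (umask 077; openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null)
  openssl rsa -in "$dir/key.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
  openssl dgst -sha256 -sign "$dir/key.pem" -out "$dir/plain.sig" "$dir/plain.txt"
  openssl dgst -sha256 -verify "$dir/pub.pem" -signature "$dir/plain.sig" \
    "$dir/plain.txt" >/dev/null
  cp "$dir/plain.txt" "$dir/tampered.txt"
  printf 'x' >> "$dir/tampered.txt"
  ! openssl dgst -sha256 -verify "$dir/pub.pem" -signature "$dir/plain.sig" \
    "$dir/tampered.txt" >/dev/null 2>&1
}

# random_hex_token BYTES: print BYTES random bytes as hex (2 characters per byte).
random_hex_token() { openssl rand -hex "$1"; }

work=$(mktemp -d)
encrypt_roundtrip "$work" 'correct horse battery staple'; echo "enc/dec roundtrip ok"
wrong_pass_fails "$work";  echo "wrong passphrase does not recover the plaintext"
digest_matches "$work";    echo "dgst -sha256 agrees with sha256sum"
sign_and_verify "$work";   echo "sign/verify ok, tampered copy rejected"
echo "16-byte token: $(random_hex_token 16)"
rm -rf "$work"
```

The `-pbkdf2` switch matters: without it `openssl enc` derives the key from the passphrase with a single MD5/SHA-256 iteration, which makes offline guessing of the passphrase cheap.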

VI. How to apply for a certificate

1. Generate a private key

2. Make a certificate signing request

# openssl req -new -key /path/to/private_key -out /path/to/certificate.csr

3. Send the CSR to the CA, which verifies the request, signs it and returns the certificate.

VII. How to build your own CA

1. Generate a private key for CA

# cd /etc/pki/CA/

# (umask 077; openssl genrsa -out private/cakey.pem 2048)

2. Generate self-signed certificate

# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days DAYS

# touch index.txt

# echo 01 > serial

(index.txt is the CA's database of issued certificates and serial holds the next serial number to assign; openssl ca refuses to run without them. The number of days in the original text is garbled; a CA certificate is normally given a much longer lifetime than the certificates it issues.)

3. Sign the certificate

# openssl ca -in /path/to/certreq.csr -out /path/to/certfile.crt -days 365
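The script below is an added example and not code from the original article; it runs the whole procedure from sections VI and VII end to end and then checks the X.509 fields described in section IV. It builds a throw-away CA with the same layout the article uses (private/cakey.pem, cacert.pem, index.txt, serial), generates a key and CSR for a server, signs the CSR with `openssl ca`, and then verifies that the leaf chains to the CA, that its Issuer equals the CA's Subject, that only the CA certificate carries CA:TRUE, and that the serial counter advanced. The CA name "Example Test CA", the host name "www.example.test" and the minimal openssl.cnf are constructed for the demo; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not code from the original article): build a throw-away CA
# with the article's layout, issue one server certificate with `openssl ca`,
# and verify the result. Names are constructed for the demo; needs openssl.
set -eu

# make_ca DIR: create the CA layout, a minimal openssl.cnf, the CA private key
# (umask 077, as in the article) and a self-signed CA certificate.
make_ca() {
  dir=$1
  mkdir -p "$dir/private" "$dir/newcerts"
  touch "$dir/index.txt"      # database of issued certificates, empty at first
  echo 01 > "$dir/serial"     # next serial number to assign
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $dir
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_md    = sha256
policy        = policy_any

[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
    -days 3650 -subj "/CN=Example Test CA" \
    -config "$dir/openssl.cnf" -extensions v3_ca
}

# issue_server_cert DIR NAME: key + CSR for NAME (the "apply" steps), then sign
# it as the CA. The extension file pins the leaf to CA:FALSE with a SAN, so a
# certificate issued this way cannot itself sign further certificates.
issue_server_cert() {
  dir=$1; name=$2
  (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "/CN=$name" -config "$dir/openssl.cnf"
  cat > "$dir/$name.ext" <<EOF
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$name
EOF
  openssl ca -batch -notext -config "$dir/openssl.cnf" -days 365 \
    -extfile "$dir/$name.ext" -extensions server_ext \
    -in "$dir/$name.csr" -out "$dir/$name.crt" >/dev/null 2>&1
}

# verify_chain DIR NAME: 0 if NAME.crt chains to cacert.pem, which is what a
# client given -CAfile cacert.pem would conclude.
verify_chain() { openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null; }

# cert_is_ca FILE: 0 if basicConstraints in the certificate says CA:TRUE.
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# issuer_matches_ca DIR NAME: the Issuer of NAME.crt must equal the Subject of
# the CA certificate; X.509 chains are built by matching these names.
issuer_matches_ca() {
  iss=$(openssl x509 -in "$1/$2.crt" -noout -issuer | sed 's/^issuer=//')
  sub=$(openssl x509 -in "$1/cacert.pem" -noout -subject | sed 's/^subject=//')
  [ "$iss" = "$sub" ]
}

# next_serial DIR: print the serial the CA will assign next.
next_serial() { cat "$1/serial"; }

work=$(mktemp -d)
make_ca "$work/CA"
issue_server_cert "$work/CA" www.example.test
verify_chain "$work/CA" www.example.test;      echo "leaf chains to the CA"
issuer_matches_ca "$work/CA" www.example.test; echo "leaf issuer == CA subject"
cert_is_ca "$work/CA/cacert.pem";              echo "cacert.pem is a CA"
cert_is_ca "$work/CA/www.example.test.crt" || echo "leaf is not a CA (CA:FALSE)"
echo "next serial: $(next_serial "$work/CA")"  # 02 after one issuance
rm -rf "$work"
```

Two points are worth keeping from this: `openssl ca` will not issue a second certificate for the same subject while the first is still in index.txt (unique_subject defaults to yes), and the extensions a leaf gets come from whatever section the CA applies at signing time, not from the CSR, so the CA decides CA:FALSE and the SAN, not the requester.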

VIII. Testing the CA certificate from a client

# openssl s_client -connect HOST:PORT -CAfile /path/to/cacertfile | -CApath /path/to/cacertfiles_dir/ -ssl2 | -ssl3 | -tls1

(Use either -CAfile or -CApath. The -ssl2, -ssl3 and -tls1 switches in the original select protocol versions that are broken and disabled in current OpenSSL builds; use -tls1_2 or -tls1_3 instead. The line to look for in the output is "Verify return code: 0 (ok)", which means the server certificate chained to the CA you supplied.)

IX. File suffixes used with OpenSSL

1) .key: a private key

2) .crt: a certificate (short for certificate)

3) .csr: a certificate signing request, which contains the public key and the requested subject name but no signature from a CA

4) .crl: a certificate revocation list (Certificate Revocation List), the CA's signed list of certificates it has withdrawn

5) .pem: not a type of object but an encoding; Base64-encoded DER between "-----BEGIN ...-----" and "-----END ...-----" lines. Keys, certificates, requests and CRLs can all be stored in PEM form, which is the form used for export and import.


© 2024 shulou.com SLNews company. All rights reserved.
