Shulou(Shulou.com)06/01 Report--

This article will explain in detail what are the common encryption algorithms under Linux. The editor thinks it is very practical, so I share it with you for reference. I hope you can get something after reading this article.

The common encryption algorithms in Linux system are: symmetric encryption, asymmetric encryption, one-way encryption, SSL/TLS; key exchange and so on.

1. Symmetric encryption

Using the encryption method of single-key cryptosystem, the same key can be used for both encryption and decryption of information. This encryption method is called symmetric encryption, also known as single-key encryption.

Common algorithms of symmetric encryption: DES, 3DES, AES, IDEA, RC6, CAST5, etc.

Introduction of common encryption techniques in Linux _ Linux

(1) advantages

It is efficient to use the same key for encryption and decryption.

(2) shortcomings

The secret key must be agreed upon: both parties must agree on the secret key before data transmission. It is agreed online that there is a risk of theft

The source cannot be confirmed: if the key is stolen, the thief can communicate by pretending to be the other party, and the receiver cannot confirm the source.

Key management hassle: each pair of users needs a unique key, which makes the number of keys owned by both parties huge.

(3) implement simple symmetric encryption:

[root@node1 ~] # echo maohua > a.txt

* * [root@node1] # openssl enc-e-des3-a-salt-in a.txt-out aa.txt # * * uses des3 encryption algorithm

* * enter des-ede3-cbcencryption password: # * * the key is 123

* * Verifying-enterdes-ede3-cbc encryption password: # * * the key is 123

[root@node1 ~] # cat a.txt aa.txt

* * maohua # * * data content before encryption

* * U2FsdGVkX19necsoBCPCTiyGxhr3h7eX # * * encrypted data content

* * [root@node1 ~] # openssl enc-d-des3-a-salt-in aa.txt-out b.txt # * * decrypt encrypted files with the original encryption algorithm

* * enter des-ede3-cbcdecryption password: # * * enter the secret key 123 for encryption

[root@node1 ~] # cat a.txt aa.txt b.txt

Maohua

U2FsdGVkX19necsoBCPCTiyGxhr3h7eX

Maohua

2. Asymmetric encryption

Asymmetric encryption algorithms use two completely different but perfectly matched pairs of keys-the public key and the private key. When using asymmetric encryption algorithm to encrypt files, the encryption and decryption of plaintext can be completed only by using a matching pair of public and private keys. Common algorithms of asymmetric encryption: RSA (can be used to encrypt and decrypt, but also can be used to achieve user authentication), DSA (can only be used to encrypt and decrypt), ELGamal, etc.

Introduction of common encryption techniques in Linux _ Linux_02

(1) excellent characteristics:

The key appears in pairs, and the data is encrypted with the public key, and can only be decrypted using the paired private key, and vice versa; the public key: (publickey) is open to all hosts; the private key: (secretkey) the host is retained, and its privacy must be guaranteed; (2) disadvantages: the key is long, and the encryption and decryption efficiency is inefficient.

(3) examples of asymmetric encryption technology:

[root@node1 ~] # openssl genrsa-out private.key 1024

* * # private.key** contains a public key and a key. The file can be used for both encryption and decryption. 1024 is the length of the key.

* * [root@node1 ~] # openssl rsa-in private.key-pubout-out pub.key # * * generate the public key from the key private.key

[root@node1 ~] # echo "123456" | openssl rsautl-encrypt-inkey pub.key-pubin > encode.result

* encrypt the character "123456" using the public key pub.key

[root@node1 ~] # catencode.result | openssl rsautl-decrypt-inkey private.key

* the private key private.key is used to decrypt the public key encrypted file encode.result to get the original character "123456"

(4) asymmetric encryption application scenario: the implementation of ssh remote login without secret key is to use asymmetric encryption technology.

* * [root@node1 ~] # ssh-keygen-t rsa-f / root/.ssh/id_rsa-P "# * * asymmetric encryption outputs private and public keys

[root@node1 ~] # ls/root/.ssh/

* * id_rsa id_rsa.pub # id_rsa** private key. Id_rsa.pub is the public key. If you copy the public key to the remote host, you can log in without a password.

3. One-way encryption

One-way encryption algorithm, also known as hash function (also known as hash function or hash algorithm) is a function that changes an arbitrarily long input message string into a fixed-length output string. This output string is called the hash value of the message. It is generally used to generate message digest, key encryption, etc.

Common algorithms of one-way encryption: md5, sha1, sha224, sha256, sha384, sha512 (1) characteristics of one-way encryption

The data is the same, the summary is the same; the data is different, the summary is different; the source data cannot be extrapolated through the summary; the same algorithm, the length of the summary is the same.

(2) simple practice of individual hashing:

[root@node1 ~] # echo maohua | md5sum

Summary of the * * 8de05c05333e0d7897bd7989ec054fbd-# * * character "maohua"

[root@node1 ~] # echo mao hua | md5sum

The summary of the * * 29f86ecfc01cb2f584143118b58dc22e-# * * character "maohua" is completely different from the "maohua" summary, with only one more space.

[root@node1 ~] # echo 1 | md5sum

* * b026324c6904b2a9cb4b88d6d61c81d1-# * * A summary of the character "1" is also 128bits

(3) in the aspect of password encryption, the security of the password can be improved by adding 'salt'. Under the condition of the same data in the same algorithm: the salt is the same, the result is the same; if the salt is different, the result must be different; if the data is different, the result must be different. Here is a simple practice:

MD5 encryption algorithm for "linux":

* * [root@node1 ~] # grub-md5-crypt # * * use md5 encryption and automatically add salt to the encrypted object

* * Password: # * * enter linux for md5 encryption

Retype password:

VyRD5/Zk92HqQ/loWEfWpUwxwYy1 #\ * encryption result. Three fields are separated by "", and the second field is salt (salt).

* * [root@node1 ~] # openssl passwd-1-salt "VyRD5/" # * * specify the same encryption algorithm and add the same salt with the same characters to be encrypted

* * Password: # * * enter "linux"

* * VyRD5/$Zk92HqQ/loWEfWpUwxwYy1 # * * output the same encryption result

* * [root@node1 ~] # openssl passwd-1-salt "VyRD5?" # * * specify the same encryption algorithm with the same characters to be encrypted and add different salt

* * Password: # * * enter "linux"

* * VyRD5?$fxhBzsEq38F6s8W7mpzfS0 # * * output completely different encryption results

SSL/TLS

Handshake protocol: including negotiation of security parameters and cipher suite, server authentication (optional for client authentication), key exchange ChangeCipherSpec protocol: a message indicates that the handshake protocol has completed the Alert protocol: the error reminders for some anomalies in the handshake protocol are divided into two levels: fatal and warning. The fatal type error will directly break the SSL link, while the warning level error SSL link can continue, only giving an error warning. Record protocol: including message segmentation, compression, message authentication and integrity protection, encryption and other HTTPS protocols: it is the combination of "HTTP protocol" and "SSL/TLS protocol". "HTTPover SSL" or "HTTPover TLS" encrypts the text data of the http protocol and transmits it in binary form.

5. Key exchange

IPsecIKE: network key Exchange Protocol (IPsecIKE: Internet Key Exchange Protocol) Network key Exchange (IPsecIKE) is a major protocol in the IPsec architecture. It is a hybrid protocol that uses partial Oakley and partial SKEME, and works with ISAKMP to provide key generation materials and other secure connections, such as AH and ESP for IPsec DOI. DH: (Diffie-Hellman) A way to ensure that a shared KEY traverses an insecure network securely, and it is an integral part of Oakley. The ingenuity of this mechanism is that both parties who need secure communication can use this method to determine the symmetric key. You can then use this key for encryption and decryption. DH can only be used for the exchange of keys, but not for message encryption and decryption.

* * additional, * * openssl usage details

Files in openssl with the following suffix

(1) * .key format: private key

(2) * .crt format: certificate file, abbreviation of certificate

(3) * .csr format: certificate signature request (certificate request file), including public key information, abbreviation of certificatesigning request

(4) * .crl format: certificate revocation list, abbreviation of CertificateRevocation List

(5) * .pem format: the format of the certificate used to export and import the certificate.

Use of openssl:

#-encryption-#

* * # * * encrypt the fstab file with des3 to generate an encrypted file fstab.des3. Parameter:-d

[root@stu2~] # openssl enc-des3-in fstab-e-out fstab.des3

* * # openssl enc** specifies the type of encryption, des3 means to use symmetric encryption,-in specifies the file to be encrypted,-e indicates encryption, and-out saves the file name

#-decryption-- #

# # * * decrypt the fstab.des3 file with des3 and generate the decrypted file fstab.txt. Parameter: *-e *

[root@stu2~] # openssl enc-des3-in fstab.des3-d-out fstab.txt

# * * openssl enc specifies the type of encryption, des3 indicates symmetric encryption,-in indicates encrypted file *,-d indicates decryption, and-out file name to be saved *

#-one-way encryption * (or md5sum) obtain the signature of the file *-- #

* * [root@stu2~] # openssl dgst-md5-hex fstab # * * obtain the signature in hexadecimal. The default is hexadecimal, which can be omitted.

* * in addition to the openssl command to obtain file signature, you can also use the md5sum command to obtain file signature:

* * [root@stu2~] # md5sum fstab # * * obtain file signature

#-* Review signing * * CA certificate signing-- #

* * generate a private key for CA

[root@stu2 CA] # (umask 077 / OpenSSL genrsa-out private/cakey.pem 2048)

* CA is responsible for signing the certificate

* * [root@stu2**CA] # openssl req-new-x509-key private/cakey.pem-out cacert.pem-days 3656

* add the serial number signed by the certificate

[root@stu2CA] # touch serial index.txt

[root@stu2CA] # echo 01 > serial

* Mr. into the private key and public key file of the certificate, as well as the certificate, and then CA signs the certificate:

* * [root@stu2~] # (umask 077th Openssl genrsa-out httpd_private.key 2048) # * * generate a private key file

* * [root@stu2~] # openssl req-new-key httpd.key-out httpd.csr # * * generate a certificate

* * [root@stu2~] # openssl ca-in httpd.csr-out httpd.crt-days 3656 # * * sign the generated certificate on the CA host

This is the end of this article on "what are the common encryption algorithms under Linux". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.