Cryptographic decryption, OpenSSL, private CA creation Process

First, encryption and decryption

Encryption technology is the technology of encoding and decoding information, encoding is the original readable information (also known as plaintext) translated into code form (also known as ciphertext), the inverse process is decoding (decryption), the key point of encryption technology is the encryption algorithm.

PlainText: A message that the sender, the recipient, and anyone who accesses the message can understand

Ciphertext: PlainText messages are encoded by some kind of code, resulting in ciphertext messages

Encryption: Converts plaintext messages into ciphertext messages

Decrypting: Turning ciphertext messages into plaintext messages

Algorithm: Takes an input text, produces an output text

Encryption algorithm: The sender encrypts the algorithm

Decryption algorithm: The algorithm for the receiver to decrypt

One-way encryption algorithm: can only encrypt, cannot decrypt, its function is extracts the characteristic code of the data, to verify the data integrity

Symmetric encryption algorithm: encryption and decryption using the same key, which is characterized by the original data can be divided into fixed-size blocks, encryption, the disadvantage is too many keys, key distribution difficulties

Asymmetric encryption Algorithm (public key cryptography): Keys are paired, encryption and decryption use different keys

Public key: public to everyone

Private key (set permissions): You must keep it private.

Features: Data encrypted with the public key can only be decrypted with the corresponding private key; and vice versa.

Functions: Identity authentication (digital signature), key exchange ( Public key encryption function ); Data encryption       

Common algorithms:

RSA: An algorithm that can be used for encryption and digital signatures, and is the most influential public-key cryptographic algorithm to withstand currently known password attacks

DSA: Digital Signature

One-way encryption: can only encrypt, cannot decrypt; Extract data fingerprint (data signature: ensure data integrity)

Characteristics: fixed-length output

hashing algorithm, which mainly verifies the integrity of the data, that is, to ensure that the message has not been tampered with before it is sent and accepted. The hashing algorithm used in SSL is mainly

MD5: A one-way hashing algorithm developed by RSA Data security Company

SHA1: The maximum length of the input message is not more than 264 bits, the resulting output is a 160-bit message digest, the input is processed by 512-bit packets, is irreversible, anti-collision, and has good avalanche effect

Second, encryption technology:

Pgp:pretty Good Privacy, is an opportunity asymmetric encryption algorithm of RSA public key system of the message encryption technology, not only can encrypt e-mail, but also can attach a digital signature to e-mail, so that the recipient can clearly understand the sender's true identity.  

Pki:public Key Infrastructure is a public key infrastructure that can provide security services to the network with asymmetric encryption technology, and PKI technology is initially applied in the Internet environment to provide unified authentication for complex Internet systems, Data encryption and integrity assurance mechanism, can effectively solve the application of confidentiality, integrity, authenticity and storage control security issues, PKI system contains a certificate authority (CA), registration Center (RA), policy Management, key and certificate management, key backup and recovery, revocation system and other functional modules combined.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/73/70/wKiom1X-C36wj_nxAAKck48VE3w837.jpg "title=" Qq20150920090711.png "alt=" Wkiom1x-c36wj_nxaakck48ve3w837.jpg "/>

Third, SSL

Secure Socket Layer = = Security Socket layers, is between the application layer and the transport layer, the application layer data is no longer sent directly to the transport layer, but first to the SSL layer, the SSL layer of the data received from the application layer encryption, and add their own SSL header information.

OpenSSL is an open source project that implements SSL, which consists of three components:

OpenSSL: Multi-purpose command-line tools

Libcrypto: Public Encrypted library

Libssl: library, the implementation of SSL and TLS and other functions

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/73/70/wKiom1X-C9rze8ePAAFbNpDCfWc022.jpg "title=" Qq20150920092845.png "alt=" Wkiom1x-c9rze8epaafbnpdcfwc022.jpg "/>

Simplified process for SSL sessions (figure)

(1) The client sends an alternative encryption method (need to negotiate with the server, send both the algorithms supported), and request a certificate to the server;

(2) The server side sends the certificate and the selected encryption method to the client;

(3) The client obtains the certificate and verifies the certificate: The main purpose of this step is to verify the server-side public key!

If you trust the CA to which the certificate is issued:

(a) legality of the source of the verification certificate; The digital signature on the certificate is decrypted with the CA's public key;

(b) Legality of the content of the positive certificate: completeness of the verification

(c) Check the validity period of the certificate;

(d) Check whether the certificate has been revoked;

(e) The name of the owner of the certificate, consistent with the target host of the visit;

(4) The client generates a temporary session key (symmetric key) and uses the server-side public key to encrypt the data sent to the server to complete the key exchange;

(5) The service uses this key to encrypt the resource requested by the user, responding to the client;

Iv. process of establishing a private CA

Both the CA and the application certificate are on the same machine.
1, CA-side operation process
Operation Steps:
1, generate the private key file;
2, generate self-signed certificate;
3. Related Supporting documents
Touch/etc/pki/ca/index.txt
Echo01 >/etc/pki/ca/serial

Note:
(1) When the private key is used to sign a certificate, it is used to add a digital signature to the certificate;
(2) Certificate: Each Communication party imports this certificate to "trusted certification authority";

1) configuration file

/etc/pki/tls/openssl.cnf

####################################################################

[ ca_default ]  //defines the associated path of OpenSSL as a CA when dir              = /etc/pki/CA            //indicates the CA's own working directory certs           =  $dir/certs             //the access location of the issued certificate crl_dir          =  $dir/crl               //Revocation List Table access location for revoked certificates database        =  $dir the index file location of the/index.txt        //database #unique_subject = no                      //  indicates whether the overall information of the certificate is to be unique                                          new_certs_dir   =  $dir/newcerts          //  newly signed certificate storage location certificate     =  $dir/CACERT.PEM       //ca your own certificate (the CA establishes its own ID certificate file before issuing it to other people) serial           =  $dir/serial          // The serial number of the certificate, the serial number of the next certificate to be issued, how to add 1crlnumber       =  for each serial number $dir/crlnumber        //number of revoked certificate list                                           crl              =  $dir/crl.pem          //The revocation chain that is currently in use Private_ key     =  $dir/PRIVATE/CAKEY.PEM   // CA private key storage location  randfile         =  $dir/private/.rand    // Get position of random number x509_extensions = usr_cert          // "User certificate" is defined in the extended information for the

2) Working directory

[Email protected] ~]# ll/etc/pki/cadrwxr-xr-x. 2 root root 4096 Sep 04:46 certs//certificate file storage location drwxr-xr-x. 2 root root 4096 Oct the CRL//Revocation List storage location drwxr-xr-x. 2 root root 4096 Sep 04:46 newcerts//New certificate storage location drwx------. 2 root root 4096 Sep 03:52 private//CA private key storage location

3) Create the CA's own private key

[Email protected] ca]# (umask 077; OpenSSL genrsa-out Private/cakey.pem 2048) generating RSA private key, 2048 bit long modulus.....+++ ..... ..... +++e is 65537 (0x10001)

4) generate a self-signed certificate for a CA

This self-signed certificate in the/ETC/PKI/TLS/OPENSSL.CNF file definition must be placed in the CA directory called CACERT.PEM, extract the public key from the private key, and build a certificate signing request, and then let the CA to sign;
Format: OpenSSL req-new-x509-key/etc/pki/ca/private/cakey.pem-out/etc/pki/ca/cacert.pem-days #
-x509: Indicates a self-signed certificate and does not represent a certificate signing request;
-key: Automatically extracts the public key from that private key and creates a certificate signing request;
-days: Specify the validity period for signing a certificate to yourself

[[Email protected] ca]# openssl req -new -x509 -key private/cakey.pem  -out cacert.pem -days 7300you are about to be asked to  enter information that will be incorporatedinto your certificate  request. what you are about to enter is what is called a  Distinguished name or a dn. there are quite a few fields but you can leave some  blankfor some fields there will be a default value,if you  enter  '. ',  the field will be left blank.-----country name  (2  letter code)  [XX]:CN              //Country name state or province name  (full name)  []:BEIJING&NBsp;    //province locality name  (eg, city)  [Default City]:Beijing     //real name organization name  (Eg, company)  [default company ltd]: bengbengtu.com      //Company Name organizational unit name  (eg,  Section)  []:ops            //Department common  name  (Eg, your name or your server ' S hostname)  []: ca.bengbengbengtu.com //certificate subject to your own name, someone else communicates with you using this name to contact you, and then your name in the certificate and the name used in the communication must be consistent, otherwise it is considered that certificate validation cannot be passed;email  address []:[email protected]  //Contact Mailbox

5) Create a secondary file

[[email protected] ca]# Touch Index.txt[[email protected] ca]# echo > serial

2, to the node issued a certificate
Operation Steps:
1. Node Application certificate
The following steps are performed on the host of the certificate request;
(1) Generate private key
(2) Generate certificate signing request;
(3) Send the request to the CA;
2. CA Issue Certificate
(1) Verifying requestor information
(2) Signing certificate
(3) Send the signed certificate back to the requester.
1) in the HTTP directory as an example, to the HTTP signing certificate:

[[email protected] httpd]#  (umask 077; openssl genrsa -out /etc/httpd/ ssl/httpd.key 2048) [[email protected] httpd]# openssl req -new -key  ssl/httpd.key -days 365 -out ssl/httpd.csrcountry name  (2 letter code)  [XX]:CNState or Province Name  (Full name)  []:beijinglocality name   (eg, city)  [Default City]:BeijingOrganization Name  (eg, company)  [ default company ltd]:bengbengtu.comorganizational unit name  (eg, section)  [ ]:ops            common name  (eg,  Your name or your server ' S hostname)  []:www2.bengbengtu.com // This name is consistent with the FQDN of the certificate requester email address []:[email protected]please enter the following   ' Extra '  attributesto&nBsp;be sent with your certificate requesta challenge password []:an  optional company name []:

#注: The above country, province name, city name and CA's are consistent

Send the generated HTTPD.CSR to the CA and let the CA give the visa the process as follows

[[email protected] ~]# OpenSSL ca-in/tmp/httpd.csr-out/etc/pki/ca/certs/www2.bengbengtu.com.crt-days 365//Visa

#httpd-M | grep mod_ssl//Check to see if httpd is loading mod_ssl if not installed #yum-y install Mod_ssl # Vim/etc/httpd/conf.d/ssl.conf<virtualhost *: 443>documentroot "/web/vhosts/www2/" ServerName www2.bengbengtu.comsslcertificatefile/etc/httpd/ssl/ Www2.bengbengtu.com.crtsslcertificatekeyfile/etc/httpd/ssl/httpd.key

At this point, the CA is established, test can!!!

This article is from the "Bengbengtu" blog, make sure to keep this source http://bengbengtu.blog.51cto.com/9505633/1696468

Cryptographic decryption, OpenSSL, private CA creation Process