Encryption and decryption and OpenSSL applications

Source: Internet
Author: User
Tags: cast5, modulus, openssl enc, asymmetric encryption

This article is a brief introduction to:

I. Data encryption methods;

II. Basic applications of OpenSSL, and creating a CA certificate and issuing certificates.

I. Data encryption methods

1. Symmetric encryption: the two parties use the same key and the same algorithm. The data is cut into blocks that are encrypted one after another, with each block's result chained into the next; decryption walks the blocks the same way with the same key.

Common symmetric encryption algorithms:

DES (56-bit key), 3DES, AES (128-bit block), Blowfish, Twofish, IDEA, RC6, CAST5, Serpent

Features:

The same key is used for encryption and decryption.

The plaintext is split into fixed-size blocks and the blocks are encrypted one by one.

Encryption is fast.

Disadvantages:

The key has to be transmitted to the other party, which is a security risk.

Too many keys: one is needed for every communicating peer, and they are hard to manage.

 

2. Public key encryption (also called asymmetric encryption). The main difference from symmetric algorithms is that the encryption and decryption keys are different: a public key and a private key. This solves the key distribution and management problem of symmetric algorithms and improves security.

Asymmetric algorithms include RSA, ElGamal, and DSA.

Features: for data transmission, the sender encrypts with the receiver's public key and the receiver decrypts with its own private key.

For identity authentication, the sender encrypts (signs) with its own private key and the receiver decrypts (verifies) with the sender's public key, which confirms who sent the data.

Disadvantage: asymmetric encryption and decryption are comparatively slow.

 


3. One-way encryption (hashing): computes a digest ("signature") of the data according to a fixed algorithm; the process cannot be reversed.

Digest algorithms: MD5, SHA1, SHA512, CRC-32 (CRC-32 is an error-detection checksum, not a cryptographic hash, so it offers no protection against deliberate tampering)

Message authentication algorithms: CBC-MAC and HMAC

Features:

Message authentication: it is used only to verify the message itself; confidentiality still requires encryption.

Avalanche effect: a small change in the input produces a large change in the output.

Fixed-length output: no matter how long the input is, the output has the same length for a given algorithm.
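The three properties above can be checked directly with `openssl dgst`. The script below is an added example and is not code from the original article; the messages and the HMAC key are constructed values for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): fixed-length output,
# avalanche effect and HMAC message authentication with `openssl dgst`.
# Messages and the HMAC key below are constructed demo values.
set -eu

# Hex digest of a string; $1 = algorithm (sha256, sha512, md5), $2 = message.
# The sed strips openssl's "(stdin)= " or "SHA256(stdin)= " prefix.
digest() {
    printf '%s' "$2" | openssl dgst "-$1" | sed 's/^.*= //'
}

# Keyed digest (HMAC): only a holder of the key can produce or check it,
# which is what turns a plain integrity check into message authentication.
hmac() {                              # $1 = algorithm, $2 = key, $3 = message
    printf '%s' "$3" | openssl dgst "-$1" -hmac "$2" | sed 's/^.*= //'
}

# Number of hex positions at which two equal-length digests differ.
hex_diff_count() {                    # $1, $2 = hex strings
    n=0; i=1
    while [ "$i" -le "${#1}" ]; do
        [ "$(printf '%s' "$1" | cut -c"$i")" = "$(printf '%s' "$2" | cut -c"$i")" ] \
            || n=$((n + 1))
        i=$((i + 1))
    done
    echo "$n"
}

# Fixed length: a 1-byte input and a 64 KiB input both give 64 hex chars.
short=$(digest sha256 a)
long=$(digest sha256 "$(head -c 65536 /dev/zero | tr '\0' x)")
echo "sha256 output lengths: ${#short} and ${#long} hex characters"

# Avalanche: "message" and "Message" differ in a single bit of the first byte.
flipped=$(hex_diff_count "$(digest sha256 message)" "$(digest sha256 Message)")
echo "one input bit flipped: $flipped of 64 hex characters changed"

# Authentication: same message, different key, different tag.
echo "hmac(key1):  $(hmac sha256 key1 'The quick brown fox jumps over the lazy dog')"
echo "hmac(key2):  $(hmac sha256 key2 'The quick brown fox jumps over the lazy dog')"
```

The digest values in the test are the published test vectors for SHA-256("abc"), MD5("") and HMAC-SHA256 with key "key" over the fox sentence; any OpenSSL build reproduces them.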

Putting the three methods together:

The three kinds of algorithm are used in combination: symmetric encryption provides data confidentiality, public key encryption provides identity authentication (and protects the symmetric key in transit), and one-way encryption provides data integrity.

II. Basic applications of OpenSSL, and creating a CA certificate and issuing certificates

1) OpenSSL is a cryptographic toolkit implementing the SSL (Secure Socket Layer)/TLS (Transport Layer Security) protocols. It consists of three components:

1. libcrypto: the general-purpose cryptographic library;

2. libssl: the implementation of the SSL/TLS protocols;

3. openssl: the multi-purpose command-line tool.

The command-line tool can generate keys, create digital certificates, compute message digests, and encrypt and decrypt data by hand.

2) Symmetric encryption and decryption:

Common algorithms include DES, 3DES, AES, Blowfish, Twofish, RC6, and CAST5.

Encryption: openssl enc -des3 -a -salt -in /etc/issue -out /tmp/issue_cipher
(-des3: the cipher; -a: base64-encode the output; -salt: add a random salt when deriving the key from the password)
[root@localhost ~]# cat /etc/issue          (contents before encryption)
CentOS release 6.5 (Final)
Kernel \r on an \m
[root@localhost ~]# openssl enc -des3 -a -salt -in /etc/issue -out /tmp/issue_cipher
enter des-ede3-cbc encryption password:          (type the password)
Verifying - enter des-ede3-cbc encryption password:   (type it again)
[root@localhost ~]# cd /tmp/
[root@localhost tmp]# ls
issue_cipher  yum.log
[root@localhost tmp]# cat issue_cipher      (view the encrypted file)
U2FsdGVkX1+A3cLqRI09pTWDT6BhqierBK69evESmUcH9SOHUaA+0nw87hM5sDCT
2/PlBNgiqTMiiKelkoAyBw=
Decryption: openssl enc -d -des3 -a -salt -in /tmp/issue_cipher -out /mnt/issue
(-d: decrypt; the same password, cipher and -a option must be given)
[root@localhost ~]# openssl enc -d -des3 -a -salt -in /tmp/issue_cipher -out /mnt/issue
enter des-ede3-cbc decryption password:          (type the password)
[root@localhost ~]# cat /mnt/issue           (view the decrypted content)
CentOS release 6.5 (Final)
Kernel \r on an \m
User authentication: encrypt with the public key, decrypt with the private key.

Digital signature: encrypt with the private key, decrypt with the public key.
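The following script ties the "three methods together" passage of Part I to the `openssl enc` section above: a message is hashed and signed with the sender's private key (integrity and identity), encrypted under a fresh random key with AES (confidentiality), and that key is wrapped with the receiver's public key. It is an added example and not code from the original article; it uses AES-256-CBC with PBKDF2 in place of the article's des3, RSA-OAEP via `openssl pkeyutl` for the key transport, and assumes OpenSSL 1.1.1 or later. The key pairs, message and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): symmetric + public key +
# one-way algorithms combined, with openssl commands. Assumes OpenSSL 1.1.1+.
# Key pairs, the message and all file names are constructed demo values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# RSA key pair for one party; the public half is what the other side holds.
make_keypair() {                                  # $1 = party name
    (umask 077; openssl genrsa -out "$WORK/$1.pem" 2048 2>/dev/null)
    openssl rsa -in "$WORK/$1.pem" -pubout -out "$WORK/$1_pub.pem" 2>/dev/null
}

# Sender side. One-way hash + sender's private key -> signature (integrity,
# identity). Random session key + AES -> confidentiality. Receiver's public
# key -> the session key can travel with the message.
send_message() {                                  # $1 = plaintext file
    openssl dgst -sha256 -sign "$WORK/sender.pem" -out "$WORK/msg.sig" "$1"
    (umask 077; openssl rand -hex 32 > "$WORK/session.key")
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$WORK/session.key" \
        -in "$1" -out "$WORK/msg.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/receiver_pub.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/session.key" -out "$WORK/session.key.enc"
    rm "$WORK/session.key"                        # only the wrapped copy travels
}

# Receiver side: unwrap the session key with its own private key, decrypt,
# then check the signature with the sender's public key. The exit status is
# the verification result (0 = "Verified OK").
receive_message() {                               # $1 = output file
    openssl pkeyutl -decrypt -inkey "$WORK/receiver.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/session.key.enc" -out "$WORK/session.key.dec"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/session.key.dec" \
        -in "$WORK/msg.enc" -out "$1"
    openssl dgst -sha256 -verify "$WORK/sender_pub.pem" \
        -signature "$WORK/msg.sig" "$1" >/dev/null 2>&1
}

# Integrity: a message altered after decryption must fail verification.
# Returns 0 when the tampering is detected.
tamper_detected() {                               # $1 = received file
    cp "$1" "$WORK/tampered.txt"
    printf 'an appended line\n' >> "$WORK/tampered.txt"
    if openssl dgst -sha256 -verify "$WORK/sender_pub.pem" \
        -signature "$WORK/msg.sig" "$WORK/tampered.txt" >/dev/null 2>&1; then
        return 1                                  # forged message accepted: bad
    fi
}

make_keypair sender
make_keypair receiver
printf 'CentOS release 6.5 (Final)\nKernel \\r on an \\m\n' > "$WORK/msg.txt"
send_message "$WORK/msg.txt"
receive_message "$WORK/received.txt" && echo "signature verified, message recovered"
tamper_detected "$WORK/received.txt" && echo "modified copy rejected"
```

Note that CBC with PKCS#7 padding gives no integrity on its own; here the RSA signature over the plaintext is what detects modification. Checking the signature before acting on the decrypted data is the point of combining the three methods.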

3) Digital certificate format (X.509). A certificate contains:

the public key and its validity period;

the holder's identity information;

the certificate's intended usage;

information about the issuing authority (the CA);

the CA's digital signature, which is checked to confirm that the certificate is valid.


4) Creating a private CA with OpenSSL:

Lab environment: server 172.16.34.200

Client 172.16.34.2

1. The server generates a key pair (run inside the CA directory, shown as CA in the prompt):
[root@station154 CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
........................................++
...++
e is 65537 (0x10001)
2. The server creates its self-signed CA certificate (cacert.pem):


3. Create the files openssl ca needs (the serial number must have an even number of hex digits, so it is initialised to 01):
[root@station154 CA]# touch index.txt serial crlnumber
[root@station154 CA]# ls
cacert.pem  certs  crl  crlnumber  index.txt  newcerts  private  serial
[root@station154 CA]# echo 01 > serial
[root@station154 CA]# cat serial
01
[root@station154 CA]#
4. The client applies for a certificate.

Generate a key on the client host and keep it in the configuration directory of the service that will use the certificate (1024-bit RSA, as in the original lab, is no longer considered adequate; 2048 bits is the usual minimum today):
mkdir /etc/httpd/ssl
cd /etc/httpd/ssl
[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.++
...
e is 65537 (0x10001)
[root@localhost ssl]# ls
httpd.key
[root@localhost ssl]#
5. Generate a certificate signing request:

[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: BJ
Locality Name (eg, city) [Default City]: BJ
Organization Name (eg, company) [Default Company Ltd]: Ouyang
Organizational Unit Name (eg, section) []: linux
Common Name (eg, your name or your server's hostname) []: ca.ouyang.com
Email Address []: caadmin@ouyang.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: RedHat
An optional company name []: redhat
(The information the client enters must be consistent with the CA's: under the default policy, openssl ca rejects a request whose country, state or organization differs from the CA certificate.)

6. The client sends the request file to the server:

scp httpd.csr 172.16.34.200:/tmp

7. The CA signs the client's certificate request (the signed certificate is written to httpd.crt):

openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3655

8. After signing, send the certificate back to the applicant:

scp httpd.crt 172.16.34.20:/etc/httpd/ssl

9. To revoke the certificate, run on the server:

openssl ca -revoke /tmp/httpd.crt
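Steps 1 to 9 above, run end to end as one script. This is an added example, not code from the original article: it works in a throwaway directory with its own minimal openssl.cnf instead of the distribution's /etc/pki/tls/openssl.cnf, supplies the self-signing command that step 2 leaves out, checks the issued certificate with `openssl verify`, and publishes a CRL after the revocation so the revoked state is actually checkable. It assumes OpenSSL 1.1.1 or later; the subject names, hostnames and paths are constructed values.

```shell
#!/bin/sh
# Added example (not from the original article): a private CA in a temp
# directory with its own config. Assumes OpenSSL 1.1.1+; names are constructed.
set -eu

CA_DIR=$(mktemp -d)
trap 'rm -rf "$CA_DIR"' EXIT
CNF="$CA_DIR/openssl.cnf"
SUBJ_BASE="/C=CN/ST=BJ/O=Ouyang"   # C, ST, O must equal the CA's (policy_match)

cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CA_DIR
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_crl_days = 30
policy           = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.ouyang.com
EOF

# Steps 1-3 (server): CA key pair, self-signed CA cert, database files.
# serial/crlnumber need an even number of hex digits, hence 01 rather than 1.
ca_init() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    touch "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CNF" -key "$CA_DIR/private/cakey.pem" \
        -days 3655 -subj "$SUBJ_BASE/CN=ca.ouyang.com" -extensions v3_ca \
        -out "$CA_DIR/cacert.pem"
}

# Steps 4-5 (client): service key and certificate signing request.
client_csr() {                     # $1 = directory standing in for /etc/httpd/ssl
    (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CNF" -key "$1/httpd.key" \
        -subj "$SUBJ_BASE/OU=linux/CN=www.ouyang.com" -out "$1/httpd.csr"
}

# Step 7 (server): sign. -batch skips the y/n prompt; extensions come from the
# CA's own config, not from the CSR, so a requester cannot ask for CA:TRUE.
ca_sign() {                        # $1 = csr in, $2 = certificate out
    openssl ca -batch -config "$CNF" -extensions v3_server -days 365 \
        -in "$1" -out "$2" 2>/dev/null
}

# Step 9 (server): revoke, then publish the CRL that relying parties check.
ca_revoke() {                      # $1 = certificate
    openssl ca -config "$CNF" -revoke "$1" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Status column (V = valid, R = revoked) of the last index.txt entry.
cert_status() {
    cut -f1 "$CA_DIR/index.txt" | tail -n 1
}

# Chain check; with $2 = crl the CRL is consulted too. Exit status = result.
verify_cert() {                    # $1 = certificate, $2 = "crl" or empty
    if [ "${2:-}" = crl ]; then
        openssl verify -CAfile "$CA_DIR/cacert.pem" -crl_check \
            -CRLfile "$CA_DIR/crl.pem" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$CA_DIR/cacert.pem" "$1" >/dev/null 2>&1
    fi
}

CLIENT="$CA_DIR/client"; mkdir "$CLIENT"   # CSR and cert travel by scp in real use
ca_init
client_csr "$CLIENT"
ca_sign "$CLIENT/httpd.csr" "$CLIENT/httpd.crt"
verify_cert "$CLIENT/httpd.crt" && echo "issued, status $(cert_status)"
ca_revoke "$CLIENT/httpd.crt"
verify_cert "$CLIENT/httpd.crt" crl || echo "revoked, status $(cert_status)"
```

Two practical points the article's command sequence does not show: the server certificate carries a subjectAltName, which current browsers require (the Common Name alone is no longer accepted for hostname matching), and a revocation is invisible to clients until the CRL is generated and distributed, which is why `openssl ca -gencrl` follows `-revoke`.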
