Encryption and decryption technology of Linux CA

First, the basic knowledge

Symmetric encryption:

The encryption and decryption parties use the same key to solve the data confidentiality, but the way the key is passed to the other party is not easy to implement;

Public Key cryptography:

Keys are paired, secret key (key) and public key (public key) must be encrypted with their corresponding

The private key is decrypted and the public key is extracted from the private key, and there is a private key to know what the public key is, but knowing the public key is not known

The public key is public, and the private key is not public, but public-key cryptography is 3 orders of magnitude (1000 times times) slower than symmetric encryption,

The encryption speed is quite slow, so it is difficult to use this encryption method alone; Public key encryption function:

One-way encryption:

Not really to implement encryption, but to extract data signatures, verify data integrity, he has an avalanche effect ((Butterfly Effect):

The characteristics of the source data are a little bit different, the result is not the same, and the fixed-length output is the same as the result length after single-phase encryption;

Common algorithms for one-way encryption:

Md5:message Degist, developed by the MIT AI Lab, fixed-length output

128bit;

Md5sum: Calculates the characteristic value of the file MD5 format;

Sha1:secure Hash algorithm 1, fixed length output 160bit;

SHA256: The longer the length, the greater the change;

SHA512: The longer the length, the greater the change;

Second, the encryption process:

650) this.width=650; "Style=" border-bottom:0px; border-left:0px; border-top:0px; border-right:0px "title=" wps_clip_image-22503 "border=" 0 "alt=" wps_clip_image-22503 "src=" http://img1.51cto.com/ Attachment/201408/10/8400375_1407687595hhv6.png "" 631 "height="/>

1. The sender uses one-way encryption algorithm to calculate the characteristic code of the data;

2. The sender uses its own private key to encrypt the feature code and add it to the tail of the data;

3, the sender generates a symmetric key;

4. The sender uses this symmetric key to encrypt the data and encrypt the characteristic code;

5. The transmitting party encrypts the symmetric key with the public key of the receiver, attaches it to the tail of the cipher, and sends it;

Decryption process:

1. The receiving party decrypts the encrypted symmetric password with its own private key;

2. The receiving Party uses the password to decrypt the text;

3, the receiver uses the sender's public key to decrypt the sender's private key encryption signature;

4, the receiver uses the same one-way encryption algorithm to calculate the original data signature;

5, the receiver compares two sections of the signature code;

Sender: Calculate data eigenvalues----> encrypt eigenvalues with private key---> randomly generate password symmetry

Encrypt entire data---> Encrypt password with recipient public key
Receiver: Use the private key to decrypt the password----> decrypt the entire data----> verify the identity with the public key

----> Compare Data eigenvalues

Third, the role of CA certificate

650) this.width=650; "Style=" border-bottom:0px; border-left:0px; border-top:0px; border-right:0px "title=" wps_clip_image-30525 "border=" 0 "alt=" wps_clip_image-30525 "src=" http://img1.51cto.com/ Attachment/201408/10/8400375_1407687611tnft.png "" 143 "height=" 362 "/>

CA Certificate Model

1 key exchange, also known as ike:internet key exchange Internet Key exchange;

2, digital signature, for authentication, anti-repudiation;

We found that the above encryption method relies heavily on the other party's public key, and how to determine the other party's public key, so this is

A specialized agency is needed to ensure the legitimacy of the public key source and to give the other a digital certificate, in fact the digital certificate is like

Our own * * * *, and that specialized agency is like a public security organ issued to us, the following

Say something.

Digital certificates and CAS (certificate authority);

Digital Certificate contains the certificate owner information and the public key as well as the CA's signature and additional CRLs (certificate

Book revocation list);

CA (certification authority): Extract the signature of the certificate data using the one-way encryption algorithm for the certificate, then use your own private

The key encryption signature is appended to the end of the data, and the CA is divided into two categories: public CA and private CA

Pki:

Public key Infrastructure is the core framework for the realization of modern Internet e-commerce, it is only a standard, its core

Is the CA, as well as the key verification and password exchange mechanism to ensure that the verification process is reliable.

SSL (Secure Socket Layer) Secure sockets layers;

Iv. Linux encryption and decryption technology

In the PCP5 layer model of the AL (Application layer) and TL (Transport layer) in the middle of the addition of a half layer is SSL, in fact, SSL is only a

Protocol, need to rely on other software to present, this software in Linux is the most common and popular is OpenSSL, currently OpenSSL

Software version

Here are a few:

SSLV1 has been abandoned;

Sslv2 is currently in use;

SSLv3 is currently in use;

Tls:

Transport Layer Security (Transport layer Secure) protocol, most commonly used is the TLSV1 version (with the SSLv3 ERA);

There are two commonly used encryption and decryption tools on Linux:

1, GPG realization RPM package signature is more commonly used;

2, the implementation of the open source version of OpenSSL SSL, a total of three components:

1) Libcrypto Universal Library;

2) LIBSSL implementation of SSL and TLS protocol;

3) OpenSSL multi-purpose cryptographic components;

Here we focus on OpenSSL:

OpenSSL is a multi-purpose cryptographic component, command-line tool, which can implement symmetric encryption algorithm, asymmetric encryption algorithm,

A one-way encryption algorithm, as a simple CA (OpenCA), relies on a configuration file that defaults to/etc/pki/tls/

OPENSSL.CNF can also be defined by itself; OpenSSL is issued as a simple CA with the certificate format x509

(more general, define the format of the certificate, similar to pkcs#10), pkcs#12 and Pkcs#17 define the

How to format the certificate; OpenSSL can also implement the conversion of the certificate format.

Common Tools for OpenSSL:

1. Confidentiality of data
Information encryption is to convert the plaintext input file into an encrypted file using an encryption algorithm to achieve the confidentiality of the data.

The encryption process requires a key to encrypt the data and then decrypt it. Without the key, you cannot unlock the encrypted

Data. After the data is encrypted, only the key must be transmitted in a secure way. Encrypted data can be exposed

to transmit.

2. Consistency of data
Encryption also ensures consistency of data. Example: Message verification Code (MAC), ability to verify user-supplied encryption

Information, the receiver can use the Mac to verify the encrypted data and ensure that the data has not been tampered with during transmission.

3. Security verification
Another use of encryption is used as a personal identity, and the user's key can be verified as his security

Identity. SSL is the use of public key cryptography (RSA) to act as a client-server

Encrypted communication protocol at the time of secret data.

Five, the experiment

OpenSSL establishes a private CA:

1. Generate key

2. Self-signed certificate

Node:

1, generate key pair child

2. Generate Certificate Signing request

3. Send the request to the CA

Ca:

1. Verify the information of the requestor;

2, sign the certificate;

3. Send the signed certificate to the requesting person;

First, establish the CA server:

1. Generate key

# (Umask 077; OpenSSL Genrsa-out/etc/pki/ca/private/cakey.pem 2048)

650) this.width=650; "Style=" border-bottom:0px; border-left:0px; border-top:0px; border-right:0px "title=" wps_clip_image-5736 "border=" 0 "alt=" wps_clip_image-5736 "src=" http://img1.51cto.com/ Attachment/201408/10/8400375_1407687642ue4x.png "" 741 "height=" 305 "/>

650) this.width=650; "Style=" border-bottom:0px; border-left:0px; border-top:0px; border-right:0px "title=" wps_clip_image-974 "border=" 0 "alt=" wps_clip_image-974 "src=" http://img1.51cto.com/ Attachment/201408/10/8400375_1407687689gkpm.png "" 741 "height=" 252 "/>

2. Self-signed certificate

Req: Generate certificate Signing request

-news: New Request

-key/path/to/keyfile: Specifying a private key file

-out/path/to/somefile:

-x509: Generate self-signed certificate

-days N: Active days

650) this.width=650; "Style=" border-bottom:0px; border-left:0px; border-top:0px; border-right:0px "title=" wps_clip_image-21401 "border=" 0 "alt=" wps_clip_image-21401 "src=" http://img1.51cto.com/ Attachment/201408/10/8400375_1407687743dae1.png "857" height= "/>"

3. Initializing the Working environment

# touch/etc/pki/ca/{index.txt,serial}

# echo >/etc/pki/ca/serial

650) this.width=650; "Style=" border-bottom:0px; border-left:0px; border-top:0px; border-right:0px "title=" wps_clip_image-29234 "border=" 0 "alt=" wps_clip_image-29234 "src=" http://img1.51cto.com/ Attachment/201408/10/8400375_1407687753s04x.png "755" height= "/>"

Second, the node application certificate:

(i) Node generation requests

1, generate key pair child

# (Umask 077; OpenSSL genrsa-out/etc/httpd/ssl/httpd.key 2048)

650) this.width=650; "Style=" border-bottom:0px; border-left:0px; border-top:0px; border-right:0px "title=" wps_clip_image-10920 "border=" 0 "alt=" wps_clip_image-10920 "src=" http://img1.51cto.com/ Attachment/201408/10/8400375_14076877923pq9.png "" 761 "height=" 346 "/>

2. Generate Certificate Signing request

# OpenSSL REQ-NEW-KEY/ETC/HTTPD/SSL/HTTPD.KEY-OUT/ETC/HTTPD/SSL/HTTPD.CSR

650) this.width=650; "Style=" border-bottom:0px; border-left:0px; border-top:0px; border-right:0px "title=" wps_clip_image-18927 "border=" 0 "alt=" wps_clip_image-18927 "src=" http://img1.51cto.com/ Attachment/201408/10/8400375_1407687863uqwr.png "" 768 "height=" 384 "/>

3. Send the signature request file to the CA service

# SCP

(ii) CA sign Certificate

1. Verify the information in the certificate;

2. Signing certificate

# OpenSSL Ca-in/path/to/somefile.csr-out/path/to/somefile.crt-days N

650) this.width=650; "Style=" border-bottom:0px; border-left:0px; border-top:0px; border-right:0px "title=" wps_clip_image-16850 "border=" 0 "alt=" wps_clip_image-16850 "src=" http://img1.51cto.com/ Attachment/201408/10/8400375_1407687884v7zt.png "" 771 "height="/>

3, sent to the requestor;

Iii. Revocation of certificates

(a) node

1, obtain the certificate serial

# OpenSSL X509-in/path/to/certificate_file.crt-noout-serial-subject

(ii) CA

2, according to the serial and subject information submitted by the node to verify that the information in the Index.txt file is consistent;

3. Revocation of certificates

# OpenSSL Ca-revoke/etc/pki/ca/newcerts/serial.pem

4. Generate the number of the revocation certificate (if it is the first revocation)

# echo >/etc/pki/ca/crlnumber

5. Update the certificate revocation List

# cd/etc/pki/ca/crl/

# OpenSSL Ca-gencrl-out thisca.crl

650) this.width=650; "Style=" border-bottom:0px; border-left:0px; border-top:0px; border-right:0px "title=" wps_clip_image-2546 "border=" 0 "alt=" wps_clip_image-2546 "src=" http://img1.51cto.com/ Attachment/201408/10/8400375_1407687911jg9m.png "" 774 "height=" 222 "/>

If necessary, view the contents of the CRL file:

# OpenSSL Crl-in/path/to/crlfile.crl-noout-text

650) this.width=650; "Style=" border-bottom:0px; border-left:0px; border-top:0px; border-right:0px "title=" wps_clip_image-20327 "border=" 0 "alt=" wps_clip_image-20327 "src=" http://img1.51cto.com/ Attachment/201408/10/8400375_1407687946qi7v.png "" 778 "height=" 265 "/>

650) this.width=650; "Style=" border-bottom:0px; border-left:0px; border-top:0px; border-right:0px "title=" wps_clip_image-24061 "border=" 0 "alt=" wps_clip_image-24061 "src=" http://img1.51cto.com/ Attachment/201408/10/8400375_1407687994jhwj.png "" 776 "height=" 337 "/>