Encryption and security under Linux

1. Symmetric encryption algorithm

Symmetric encryption algorithm is the use of a key encryption decryption algorithm, encryption with this key encryption, decryption with this key decryption, its biggest advantage lies in the fast encryption and decryption, the characteristics of the original data into a fixed size of blocks, one by one encryption. And its shortcomings are obvious, the key distribution of too much, if you want to send 1000 people need to give these 1000 people secret key, and the key transmission is not secure, anyone can just intercept the secret key to modify the data at will, when we receive a data, can not guarantee the reliability of the source of the data, it may have tampered with.
We often use the symmetric encryption algorithm mainly has des algorithm, 3des,aes and other algorithms.

2. Asymmetric Encryption algorithm

Asymmetric encryption algorithm is the use of encryption decryption is not the same key, using public private key encryption, public key public, anyone who wants to have, can give him, private key only own hold. Public private key encryption decryption rules are public key encryption of the data only the private key can be solved, the private key encryption data only the public key can be solved, we can use the following figure to explain the public private key encryption process.

, when B wants to send data to a, there is a generated a pair of public key, public key PA, private key SA, public key public, B,C can have a public key PA, but as long as a has its own private key SA, then, B want to send data to a, only need to use A's public key encryption, generate data segment PA Because the use of a public key encryption, only A's private key can be solved, and only a and a private key SA, and C does not have a private key, even if the packet caught can not open the packet, so that the encryption security, and there is no secret key to pass the security hidden. However, the encryption and decryption process is cumbersome, so the use of asymmetric encryption algorithm and decryption data efficiency is not high.

3.CA and certificates

Although the use of asymmetric encryption algorithm solves the secret key transmission of the hidden danger, the data is also encrypted security, but there is a problem, is a received from the B data, but this b is not the real B, but C pseudo, because C also has a public key, C, although there is no private key of a, can not untie b a data, But he was able to intercept the data and impersonate B, using A's public key encryption to send a data to a,a not to feel the source of the data is wrong, still believe that C is what they want B, it is unsafe, the solution is to use digital signature.
1. One-way hash hash function
The purpose of a one-way hash is to generate a fixed-size fingerprint of a piece of data, which we call a message digest, which is irreversible and cannot be reversed by a message digest. It is characterized by any length input, fixed-length output, if the original data is modified, the resulting message digest will also change, the commonly used algorithm is MD5, for example

md5sum hello.txt

The results of the implementation are as follows:

Modify the data in the Hello.txt and execute the above command again, the result is as follows:

The MD5 value of the two output is different, we can use md5sum to generate the message digest we need.
2.CA Center
CA Center is our public trust, can help us to determine the identity of B is B,ca also has a pair of public and private keys, public key everyone can have, the private key only CA own hold. I can create my own CA center myself.
To view the CA configuration file, the path is/ETC/PKI/TLS/OPENSSL.CNF, you can see some CA configurations, and the CA's home directory is in/ETC/PKI/CA:

There are other file storage paths:

There are a few other items:

Start deploying the CA now:
1. Create a root CA in Centos7
To create a root CA requires two files, we generate:

touch index.txtecho 00>>serial

Enter the CA home directory, use the following command to generate the private key,-out the specified path, must be the same as the configuration file, the private key password is arbitrary, this is set to CentOS:

(umask 066;openssl genrsa -out private/cakey.pem -des3 2048)

The public key is then extracted from the private key with the following command:

openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300

The results of the implementation are as follows:

Note The password entered here is the password for the public key.
2. Create a sub CA in CENTOS6
Some of the files needed to create a child CA:
Enter the CA directory

touch index.txtecho 00>>serial

Then generate the private key for the child CA:

(umask 066;openssl genrsa -out private/cakey.pem -des3 2048)

The results of the implementation are as follows:

The public key is then generated based on the private key:

openssl req -new  

The results of the implementation are as follows:

Because it is a sub-CA, so the information in the configuration file in accordance with the requirements to fill in, that is, the state and the province have the same location, the city and the company name at will, the department must not be the same.
The root CA is then required to sign the public key of the child CA, as follows
Pass the public key to the root CA with the following command:

scp subca.csr [email protected]:/etc/pki/CA

The root CA then signs the public key of the child CA, with the following command:

 openssl ca -in subca.csr -out certs/subca.crt -days 3650

Once the signature has been completed, the signed file needs to be passed back to the child CA with the following command:

scp certs/subca.crt [email protected]:/etc/pki/CA/cacert.pem

3. Deploying the server
The server must first have its own public private key and generate its own private key with the following command:

(umask 066;openssl genrsa -out server.key 1024)

The results of the implementation are as follows:

The public key is then generated from the private key, with the following command:

openssl req -new -key rhel5.key -out server.csr

The results are as follows:

The public key is then passed to the child CA for signature, with the following command:

scp server.csr [email protected]:/etc/pki/CA

The child CA signs the public key, generates a certificate, and commands the following:

openssl ca -in server.csr -out certs/server.crt -days 365

The results of the implementation are as follows:

Then pass the certificate back to the server with the following command:

scp server.crt [email protected]:/app

This allows the server to have a certificate.
4. Digital signature
can refer to:

When b wants to send data to a, B data Dataa uses a one-way hash method to generate a message digest, generate the data datab, and then send the message digest to CA,CA to sign the message digest with its own private key encryption and pass it back to B, b The digital signature returned by DATAA and CA is encrypted with A's public key, a receives the data, unlocks with its own private key, generates DATAA and a digital signature, a uses the CA's public key to decrypt the digital signature, gets the message digest A, and a uses the same one-way hash to generate a digital signature for the data dataa, If the two summaries are the same, it proves that the data has not been changed in the transmission process, if a can unlock the digital signature, the B that sends the data is the real B, cannot be solved, the description is not CA admits B.
Of course, we have a certificate does not need to be so troublesome, b only need to use their own certificate to encrypt the Datab, if C wants to impersonate B, he will prove to the CA is B, but the CA will not give him a certificate.
The certificate has b information, which is what the CA admits.

Encryption and security under Linux