Internet security mechanism and OpenSSL self-built ca

In the early days of the emergence of the network, there were very few hosts that could access the network. At that time, there was basically no concept of network security. Later, as more and more hosts were connected to the Internet, the previous network access environment became increasingly difficult to adapt to the development of the network. As the saying goes, "All birds and birds have a forest." Therefore, network security is becoming more and more important, next, let's talk about the concept of network security.

I. Important features of Internet Security

Important network security standards: data confidentiality; data integrity; undeniable. To achieve data confidentiality, you must encrypt the transmission process. To prevent data from being illegally authorized, intruded, and modified, data must be authenticated to protect data integrity, many cryptographic algorithms and protocols are required to implement this series of security processes.

Ii. cryptographic algorithms and protocols

Symmetric encryption: the same password is used for encryption and decryption.

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/43/A6/wKiom1PboGLQ-2Z2AADTm7n44c8679.jpg "Title =" symmetric encryption .png "alt =" wKiom1PboGLQ-2Z2AADTm7n44c8679.jpg "/>

Asymmetric encryption: different keys are used for encryption and decryption. They are divided into public and private keys. The public key is extracted from the private key and can be disclosed to others. The private key can only be used by itself, encryption with the public key can only be decrypted with the corresponding private key, and encryption with the private key can only be decrypted with the corresponding public key.

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/43/A7/wKiom1PboivTq-v3AAC6IlroZas649.jpg "Title =" asymmetric encryption .png "alt =" wKiom1PboivTq-v3AAC6IlroZas649.jpg "/>

One-way encryption: extract the data pattern. The pattern has two features: fixed-length output and avalanche effect. A small data change will cause a huge change in the proposed pattern, this feature plays an important role in verifying data integrity.

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/43/A7/wKioL1PbpD3DuOt0AADdfwnRvrw404.jpg "Title =" single-direction encryption .png "alt =" wkiol1pbpd3duot0aaddfwnrvrw404.jpg "/>

The secure transmission process on the internet is implemented by several encryption algorithms. Next we will analyze the encrypted transmission process on the Internet.Question: Now there are two people a and B. A wants to communicate with B now. How does a make B know that he is a and the data transmitted has not been modified ?.

To implement this process, a needs the "one-way encryption" algorithm to extract the signature of the data to be transmitted, and then a performs "asymmetric encryption" on the proposed signature using its own private key ". In this case, the encrypted data (assuming data C) is transmitted to B. B is using the public key of a (everyone can have the public key of a) for decryption, and the identity of a can be decrypted, the decrypted data is the signature code provided by a from the transmitted data (A is the encryption of the Data signature), and then B uses "one-way encryption" (same algorithm) the data signature is extracted. If the signature is the same, the data integrity is proved.

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M00/43/C5/wKioL1PcUYDAUcg3AAC56Xai614078.jpg "Title =" encrypt.png "alt =" wkiol1pcuydaucg3aac56xai614078.jpg "/>

Question: How can only B view the data transmitted by A to B?

A uses a symmetric algorithm to obtain a password, and uses this password to encrypt the data C above to obtain another password, at this time, a encrypted the password with the public key of B and sent it to B after the data is stored. If B can use its own private key to unbind the data and obtain the password, it indicates the data sent to B, in this case, B obtains the password used when adding a secret, and then B obtains data C using the same algorithm and password. The rest of the process is to repeat the first question, in this way, the entire secure transmission process is completed, and B can also unlock the data sent by a (meaning that only B can unlock the data security line for verification ), B can also verify the identity of a (decryption with the public key of a, authentication of identity), B can also ensure the integrity of data (extraction of signatures, data integrity is guaranteed ).

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M00/43/C5/wKioL1PcUwuxn2qJAAFcopWl4SA254.jpg "Title =" encryption 2.png "alt =" wkiol1pcuwuxn2qjaafcopwl4sa254.jpg "/>

 Q:Some people may wonder how to ensure that the public key of an important participant in this process is valid even though it can solve some problems of secure transmission?

We can only issue the legitimacy of a public key through a moral institution, which we all accept by default is moral and credible. Of course, if you only implement CA certificate certification within your company, you can also ask the boss to send a text to build a ca visa service within the company.

Q:How can I verify the validity of CA?

Use the CA Public Key to decrypt the ca. The decryption instructions are issued by the ca. The decryption result is a piece of signature code, and the user uses the same algorithm to calculate the signature of the CA, and compare whether the CA signature is the same. If the signature is the same, the Ca has not been modified. You must also verify whether the CA certificate expires or is revoked.

To sum up, if you want to ensure your identity, use your private key for encryption. If you want to ensure data security, use the public key of the other party for encryption.

Iii. SSL & TSL

The above briefly introduces some mechanisms for secure transmission over the Internet. Next we will learn about the next open-source secure transmission standard SSL & TSL (Open Secure Socket Layer ).

SSL (Secure Socket Layer): Secure Sockets Layer is a security protocol designed to provide security and data integrity for Internet communication. At the same time as Netscape launched its first web browser, it proposed SSL. IETF standardized SSL and published the TLS standard file in 1999.

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/43/C9/wKiom1Pch8mxH9UbAAC3Z3j_-D0129.jpg "Title =" ssl.png "alt =" wKiom1Pch8mxH9UbAAC3Z3j_-D0129.jpg "/>

Transmission process: 1) the client sends a session request and generates a string of numbers randomly to generate a session key and send it to the server.

2) the server sends a response signal and negotiates the encrypted version with the client. If the browser and the server support different versions, the server closes the encrypted communication and a random number generated by the server, later, it is used to generate a "dialog key" and confirm the encryption method used, such as RSA public key encryption and server certificate.

3) when both parties know the connection parameters, the client exchanges certificates with the server (depending on the selected public key system ). These certificates are generally based on X.509, but there are also certificates based on openpgp.

4) The server requests the public key of the client. The client has a certificate, that is, two-way identity authentication. When there is no certificate, the Public Key is randomly generated.

5) the client and the server negotiate the primary and private keys through the Public Key for confidentiality (both parties negotiate randomly), which is achieved through the pseudo-random number function carefully designed, the CMK is used for encryption of all other key data ".

TLS: TLS uses key algorithms to provide end-point identity authentication and communication confidentiality on the Internet. It is based on the public key infrastructure (PKI ). However, in typical examples of implementation, only the network service provider is verified with a reliable identity, while its client is not necessarily. This is because public key infrastructure is widely used for commercial operation, and electronic signature certificates usually need to be paid. --- Wikipedia

Iv. OpenSSL

1) OpenSSL Definition

OpenSSL is an open-source software library package that implements SSL and TLS protocols. Its main library is written in C language and implements basic encryption functions. OpenSSL can run on most Unix-like operating systems (including Solaris, Linux, Mac OS X, and various open-source BSD operating systems), OpenVMS, and Microsoft Windows. It also provides a portable version that can run on IBM I (OS/400.

This software is developed based on ssleay written by Eric Young and Tim Hudson. ssleay stops development as they go to RSA. --- Wikipedia

2) Establish a private CA server through OpenSSL

To create a private ca using OpenSSL, you must first generate your own key and use your self-signed certificate.

• Generate key

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/43/C8/wKiom1PcZsbDRFkZAAEHc_bysC4534.jpg "Title =" 1.1generate ca .png "alt =" wkiom1pczsbdrfkzaaehc_bysc4534.jpg "/>

• Self-signed certificate

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M00/43/C8/wKiom1PcaPby3GnmAAOVTMa86ZQ113.jpg "Title =" 2.2 .png "alt =" wkiom1pcapby3gnmaaovtma86zq113.jpg "/>

Req: generate a Certificate Signing Request

-News: new request

-Key/path/to/Keyfile: Specifies the private key file.

-Out/path/to/somefile:

-X509: generate a self-signed certificate

-Days N: Valid days

• CA Initialization

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/43/C9/wKioL1Pca0SiruToAAECQH4qxkg620.jpg "Title =" cachanghua .png "alt =" wkiol1pca0sirutoaaecqh4qxkg61_jpg "/>

3) node Certificate Application

• Nodes generate their own key pairs

(Umask 077; OpenSSL genrsa-out/etc/httpd/SSL/httpd. Key 2048)

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/43/C8/wKiom1Pca3zhsnMRAAE-R5put68534.jpg "Title =" 3.3generate node secret .png "alt =" wKiom1Pca3zhsnMRAAE-R5put68534.jpg "/>

• Generate a Certificate Signing Request

OpenSSL req-New-key/etc/httpd/SSL/httpd. Key-out/etc/httpd/SSL/httpd. CSR

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/43/C8/wKiom1PcbMnxbt8zAAO36x9x30o641.jpg "Title =" 4.4 node signing request. PNG "alt =" wkiom1?mnxbt8zaao36x9x30o641.jpg "/>

• Sign Certificate

Because the CA Service and node of this experiment are on the same host, no certificate transfer request is signed.

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/43/C9/wKioL1Pcb9nBwXqkAAJiinsYcTU110.jpg "Title =" 5.5 .png "alt =" wkiol14259nbwxqkaajiinsyctu110.jpg "/>

• Deliver the certificate to the signer (the effect of putting the certificate on Windows)

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/43/C9/wKioL1PccG2CSW2FAAIgePZMDaY165.jpg "Title =" Certificate .png "alt =" wkiol1pccg2csw2faaigepzmday165.jpg "/>

• To sign other nodes, you must hand over the signed certificate to the signing server.

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M00/43/C9/wKioL1PcdPLhBRU4AADgg7NrODU637.jpg "Title =" 1.png" alt = "wkiol1pcdplhbru4aadgg7nrodu637.jpg"/>

• Sign

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/43/C8/wKiom1PccyrzvAoWAAGIVE8jJ9I892.jpg "Title =" 6.6.6 .png "alt =" wkiom1pccyrzvaowaagive8jj9i892.jpg "/>

Now, the two certificates are signed.

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/43/C8/wKiom1PcdAOAZTQvAADXc5McqFM232.jpg "Title =" Certificate 2.png "alt =" wkiom1pcdaoaztqvaadxc5mcqfm232.jpg "/>

4) How to revoke a certificate

• Get certificate serial

OpenSSL X509-in/etc/pki/CA/certs/httpd. CRT-noout-serial-subjectserial = 01

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M00/43/C8/wKiom1PcdWvSXs56AAC_xjFE56c418.jpg "Title =" 7.7discount certificate .png "alt =" wkiom1pcdwvsxs56aac_xjfe56c418.jpg "/>

• Check whether the serialand subjectinformation provided by the local node is consistent with the information in the index.txt File

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/43/C9/wKioL1PcdueSnoRjAAFjeWnvxPo171.jpg "Title =" advertising validation .png "alt =" wkiol1pcduesnorjaafjewnvxpo171.jpg "/>

• Revoke Certificate

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/43/C9/wKiom1PceBuAv0xFAABjIJckRDY636.jpg "Title =" 8hanging certificate .png "alt =" wkiom1pcebuav0xfaabjijckrdy636.jpg "/>

• View the result after revocation

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/43/C9/wKioL1PceXyyz1YkAADZ99i5pFo364.jpg "Title =" 9th release after the suspension status .png "alt =" wkiol1pcexyyz1ykaadz99i5pfo364.jpg "/>

Conclusion: As more and more hosts access the Internet and the arrival of mobile Internet, Internet security is becoming more and more important. Although Internet designers are constantly fighting with The Destructors, in order to ensure our Internet environment, but we also need to develop a good habit of surfing the Internet, as much as possible to protect our privacy information. The OpenSSL heartbleed vulnerability does not appear any more.

This article is from the Slayer blog, please be sure to keep this source http://slayer.blog.51cto.com/4845839/1534131