Twelve. HTTPS Website security access practices

Source: Internet
Author: User
Tags: decrypt, openssl, version

Mid-term cluster architecture - Chapter 12 - HTTPS security certificate access connection practice configuration
=========================================

01: Network security issues:
①. Network security issues - data confidentiality
Data in transit may be read by a third party at any time.

②. Network security issues - data integrity
Data in transit must not be modifiable by anyone at will.

③. Network security issues - authentication
At the first communication, the identity of both communicating parties must be confirmed.


02: Solving the network security issues:
①. Network security issues - solving data confidentiality
a) Use an ordinary (secret) encryption algorithm to address confidentiality
The transmitted data (plaintext) is turned into ciphertext with the algorithm, and the receiver uses the matching algorithm to decrypt the ciphertext back into the real data.
Advantage: the data is transmitted secretly, avoiding the danger of transmitting it in plaintext.
Disadvantage: the secrecy rests on the algorithm itself; if a third party obtains the encryption algorithm, it can turn the ciphertext back into plaintext.

b) Use a symmetric encryption algorithm to address confidentiality (an important encryption method)
Symmetric encryption is like locking the rules of an ordinary algorithm in a safe: only someone holding both the safe and its key can read the algorithm handbook.
Advantages: symmetric key encryption is very fast and solves the security problem of the ordinary encryption algorithm.
Disadvantage: the security of encryption and decryption depends entirely on the key, and the symmetric key has to be shared between the parties, so the key management problem cannot be resolved when there are too many communication peers to encrypt for.


②. Network security issues - solving data integrity
a) Use a one-way hash algorithm (integrity of data backed up across the network)
Generate a signature (data fingerprint) from the data; the receiver computes the signature from the data it received and checks that it matches the signature sent with it.
If the signatures match, the data integrity has not been destroyed; if they differ, the data has been corrupted and is discarded directly.
****************************************************************************
Extension Description:
01: Different data have different fingerprints (feature codes)
Properties of a one-way hash algorithm:
• Same input data always gives the same signature output
• Avalanche effect: a small change in the input causes a huge change in the output
• Fixed-length output: however large the source data, the result has the same length
• Irreversible: the original data cannot be recovered from its fingerprint
****************************************************************************

Advantage: effectively solves the data integrity problem
Disadvantage: does not consider the effect of a man-in-the-middle attack on the data (a middleman who replaces the data can simply replace the fingerprint as well)

b) Use a one-way hash algorithm with encryption (encrypted signature)
The data is encrypted with a symmetric encryption algorithm, and the feature code (fingerprint) is encrypted as well.
The receiver holds the same key as the sender and uses it to decrypt the encrypted data and signature.
A signature encrypted by a man-in-the-middle cannot be decrypted by the receiver, so the receiver cannot obtain a valid signature and discards the data directly.
****************************************************************************
Extension Description:
01: How can the symmetric key be made available to both communicating parties safely?
A symmetric key negotiation process is required, that is, a key exchange mechanism (Internet Key Exchange, IKE);
the protocol that implements the key exchange mechanism is the Diffie-Hellman protocol.
****************************************************************************
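The fingerprint properties from the extension description and the "encrypt the data together with its fingerprint under the shared key" scheme from b) can both be tried with the openssl command line. The script below is an added example, not code from the original page: the message, the shared key (a passphrase, stretched with PBKDF2 into an AES-256-CBC key) and the file names are constructed, and the modification of the ciphertext is simulated only to show that the receiver rejects it.

```shell
#!/bin/sh
# Added example (not from the original page): data fingerprint, avalanche check,
# and the "encrypt data together with its fingerprint under a shared key" scheme
# described above, using the openssl CLI. Message, key and file names are constructed.

# One-way hash: SHA-256 fingerprint of the argument, as 64 hex characters.
# Same input -> same output; fixed length; not reversible.
fingerprint() {
    printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

# Avalanche effect: count how many of the 64 hex positions differ between two fingerprints.
hex_diff_count() {
    n=0; i=1
    while [ "$i" -le 64 ]; do
        if [ "$(printf '%s' "$1" | cut -c"$i")" != "$(printf '%s' "$2" | cut -c"$i")" ]; then
            n=$((n + 1))
        fi
        i=$((i + 1))
    done
    echo "$n"
}

# Sender: append the fingerprint to the message and encrypt both with the shared key
# (AES-256-CBC, key derived from the passphrase with PBKDF2). $1 key, $2 message, $3 output file.
sender_pack() {
    printf '%s\n%s\n' "$2" "$(fingerprint "$2")" |
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass "pass:$1" -out "$3"
}

# Receiver: decrypt with the shared key, recompute the fingerprint of the message part
# and compare it with the fingerprint that travelled with it. Prints the message and
# returns 0 only if decryption succeeds and the fingerprints match; otherwise returns 1
# (a wrong key fails to decrypt, a modified ciphertext gives a mismatching fingerprint).
receiver_unpack() {
    plain=$(openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$1" -in "$2" 2>/dev/null) || return 1
    msg=$(printf '%s\n' "$plain" | sed '$d')
    fp=$(printf '%s\n' "$plain" | tail -n 1)
    [ "$(fingerprint "$msg")" = "$fp" ] || return 1
    printf '%s\n' "$msg"
}

# Simulated in-transit modification for the demo: copy the ciphertext and invert the
# first byte after the 16-byte "Salted__" header (the first byte of cipher block 1).
tamper_copy() {
    cp "$1" "$2"
    b=$(od -An -tu1 -j16 -N1 "$1" | tr -d ' ')
    printf "$(printf '\\%03o' $((b ^ 255)))" | dd of="$2" bs=1 seek=16 conv=notrunc 2>/dev/null
}

demo() {
    key="constructed shared key"
    msg="transfer 100 to account 42"
    dir=$(mktemp -d)
    echo "fingerprint(hello): $(fingerprint hello)"
    echo "hex positions changed by hello -> hellp: $(hex_diff_count "$(fingerprint hello)" "$(fingerprint hellp)") of 64"
    sender_pack "$key" "$msg" "$dir/msg.enc"
    echo "receiver with the right key: $(receiver_unpack "$key" "$dir/msg.enc")"
    receiver_unpack "wrong key" "$dir/msg.enc" >/dev/null || echo "receiver with the wrong key: data discarded"
    tamper_copy "$dir/msg.enc" "$dir/tampered.enc"
    receiver_unpack "$key" "$dir/tampered.enc" >/dev/null || echo "receiver after tampering: data discarded"
    rm -rf "$dir"
}
demo
```

The receiver rejects on two paths: a wrong key normally fails the padding check during decryption, and a modified ciphertext decrypts to garbage whose recomputed fingerprint no longer equals the one that travelled with it. Either way the data is discarded, which is the behaviour the section above describes; TLS itself achieves the same goal with an authenticated cipher suite rather than this hand-built construction.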

③. Network security issues - solving authentication
a) Use an asymmetric key encryption algorithm (public key encryption algorithm)
The sender creates a private key and a public key and sends the public key to the receiver, so that the party sending the data can be authenticated.

Analogy: you ask your mother to verify your father's identity; your mother is the certification authority.
During web site access, the public key information is called a certificate (identity card).

Conclusion on network security problems: to achieve network security, the problems are solved in this order:
1. Resolve the authentication issue
2. Resolve the data integrity issue
3. Resolve the data confidentiality issue



03: Origin of network security certificates:
According to the conclusion above, the first problem of network security is authentication;
the main way to solve authentication is to use a private key and a public key,
so obtaining the correct public key becomes especially important: a fair, impartial third party is used to vouch for the public key information.

The current standard certificate storage format is X.509; other certificate formats exist, but a certificate needs to contain the following:
certificate == ID card
• public key information, and certificate expiration time
• the legal owner information of the certificate
• how the certificate should be used (not of concern here)
• CA issuing authority information
• check code for the CA signature

04: Detailed description of the openssl software
Obtain the version information of the openssl software:
rpm -qa openssl
openssl version <- view openssl version information

Get the openssl configuration file information:
/etc/pki/tls/openssl.cnf <- openssl configuration file, used mainly when configuring a private CA
Description: basically the openssl configuration file does not need to be modified much

Use the openssl software to implement the HTTPS access process
Implement https:
Step one: create a private key file (birth certificate) --- done by the operations people
openssl genrsa 2048 > server.key <- creates the private key information with a key length of 2048 and saves the generated private key in a file
openssl genrsa -out server.key 2048 <- stores the private key information directly; the key length must be placed after the output file
(umask 077; openssl genrsa -out server1024.key 1024) <- the parentheses run the command in a child shell, temporarily modifying the umask so that the private key file it creates has restrictive permissions
Step two: generate the certificate file information
①. Generate a self-signed certificate --- operations personnel can do this themselves
openssl req -new -x509 -key server.key -out server.crt -days 365
req <- request the creation of a certificate file
-new <- create a new certificate request
-x509 <- output a certificate in the standard X.509 format (self-signed) instead of a request
-key <- the private key file to use
-out <- the output certificate file
-days <- the validity period of the certificate in days
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn <- the country that generated the certificate
State or Province Name (full name) []:bj <- the province in which the certificate was generated
Locality Name (eg, city) [Default City]:bj <- the city that generated the certificate
Organization Name (eg, company) [Default Company Ltd]:oldboy <- the organization that generated the certificate
Organizational Unit Name (eg, section) []:it <- the department that generated the certificate
Common Name (eg, your name or your server's hostname) []:oldboy.com.cn <- the host server name
Note: this field is very important: before the client obtains the certificate, it uses the host name to establish the connection to the corresponding server, and only then obtains the certificate, so the name must match the server's host name.
Email Address []:

②. Request a certificate from a certification authority --- completed by the CA certificate issuing authority
Generate the certificate request file (Hukou, household register) --- completed by operations personnel
openssl req -new -key httpd.key -out httpd.csr
Obtain the certificate file (ID card) --- completed by the CA authority
omitted
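Steps one and two above, run non-interactively so they can be scripted, together with the checks an operator does before handing the files to the web server in step three. This is an added example, not code from the original page: the hostname www.example.test, the DN values, the working directory and the -subj/-batch way of supplying the prompt answers are assumptions for the demo, and the inspection at the end prints the certificate fields listed in section 03 (owner, issuer, validity period).

```shell
#!/bin/sh
# Added example (not from the original page): steps one and two above run non-interactively
# in a throw-away directory, followed by the checks an operator does before handing the
# files to the web server in step three. The hostname, DN values and directory are
# constructed assumptions; replace CN with the real server name.

WORKDIR=${WORKDIR:-$(mktemp -d)}
CN=${CN:-www.example.test}   # assumed placeholder hostname; clients connect to this name
DN="/C=CN/ST=bj/L=bj/O=oldboy/OU=it/CN=$CN"   # the fields the interactive prompts ask for

# Step one: private key. The subshell limits umask 077 to this command, so the key
# file is created readable and writable by its owner only.
make_key() {
    (umask 077; openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null)
}

# Step two (1): self-signed certificate. -subj supplies the DN instead of the prompts,
# -batch keeps openssl from asking anything else.
make_selfsigned_cert() {
    openssl req -new -x509 -key "$WORKDIR/server.key" -out "$WORKDIR/server.crt" \
        -days 365 -subj "$DN" -batch
}

# Step two (2): certificate signing request to send to a CA (no -x509, so a request
# comes out rather than a certificate).
make_csr() {
    openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/server.csr" -subj "$DN" -batch
}

# --- checks ---

# permission string of the key file; with umask 077 it must read -rw-------
key_mode() { ls -l "$WORKDIR/server.key" | cut -c1-10; }

# Common Name recorded in the certificate / request (must equal the server name)
cert_cn() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
csr_cn() {
    openssl req -in "$WORKDIR/server.csr" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# nginx will refuse a key that does not belong to the certificate: compare the public
# key derived from the private key with the one embedded in the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$WORKDIR/server.key" -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$WORKDIR/server.crt" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# a self-signed certificate verifies only against itself as the trust anchor,
# which is why browsers warn unless it has been installed as trusted.
selfsigned_verifies() {
    openssl verify -CAfile "$WORKDIR/server.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# the certificate fields listed in section 03: owner (subject), issuer, validity period
show_cert() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -subject -issuer -dates
}

main() {
    make_key && make_selfsigned_cert && make_csr || return 1
    echo "files in $WORKDIR"
    echo "key file mode: $(key_mode)"
    show_cert
    echo "certificate CN: $(cert_cn), request CN: $(csr_cn)"
    key_matches_cert && echo "private key matches certificate"
    selfsigned_verifies && echo "self-signed certificate verifies against itself"
}
main
```

Run it with CN set to the real server name (CN=www.etiantian.org sh script.sh) and the two files server.key and server.crt in the printed directory are what step three points ssl_certificate_key and ssl_certificate at; server.csr is the file that would go to the CA in the second variant of step two.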

Step three: configure the web site service to load the private key and certificate information

server {
    server_name your_domainname_here;
    # "listen 443; ssl on;" in the page's original form is deprecated in newer nginx;
    # the ssl parameter on listen does the same job on old and new versions
    listen 443 ssl;
    ssl_certificate /usr/local/nginx/conf/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/server.key;
}

server {
    listen 80;   # assumed: the plain-HTTP port, the original line had lost its port number
    server_name www.etiantian.org;
    rewrite ^(.*)$ https://$host$1 permanent;
}
server {
    listen 443 ssl;
    server_name www.etiantian.org;
    ssl_certificate /server/key/server.crt;
    ssl_certificate_key /server/key/server.key;
    root html/www;
    index index.html index.htm;
}


Step four: test access with the browser

SSL Module official Link: http://nginx.org/en/docs/http/ngx_http_ssl_module.html

