Cryptographic decryption principle and OpenSSL basic application

Source: Internet
Author: User
Tags cast5 openssl enc openssl version sha1 domain privacy asymmetric encryption

Objective:

In the early days of the Internet, the number of hosts connected to the Internet was small and applications were few, so the network protocols that were designed early in the morning did not take into account the concept of network security, and the transmission of data in the network was transmitted in clear text. With the rapid development of the Internet, network communication has become the main way of information transmission, and the data in the clear text of the environment is very insecure, if there is no set of data encryption mechanism, so that the data in the network transmission process in the presence of eavesdropping, tampering and other security issues, will bring immeasurable loss to users


I. Definition of information security:

1. NIST defines the computer security ternary group: CIA

Confidentiality ( Confidentiality ): Only authorized users can obtain information;

Data confidentiality;

privacy;

Integrity ( integrality ): information in the process of input and transmission, is not illegally authorized to modify and destroy, to ensure the consistency of data;

Data integrity;

system integrity;

Availability ( Availability ): ensure that legitimate users ' use of information and resources will not be improperly rejected;


Authenticity: an instance is real and can be verified, the data sender will not be imposter;

Traceability: after an intrusion event, the attacker's source data can be found;

2 . The OSI defines the x.800:

Security attacks:

Passive attack: eavesdropping

Active attacks: Spoofing, replay, message modification, denial of service

Security Mechanisms:

Encryption, digital signature, rhetorical question control, data integrity, authentication switching traffic filling, routing control, fairness (third-party mechanism);

Security services:

Certification

Access control

Data privacy:

Connection privacy

No connection confidentiality

Select Domain Privacy

Traffic confidentiality

Data integrity
Non-repudiation


Second, encryption algorithm and protocol:

1. Authentication Agreement:

IKE ( Internetkey Exchange , key exchange protocol ): Commonly used to ensure a virtual private network VPN security when communicating with a remote network or host;

  ssl ecure sockets layer Secure Sockets Layer) : network communication provides security and data integrity of a security protocol.

TLS ( Transport Layer Security , Transport Layer Security protocol) : is modeled SSL designed to provide confidentiality and data integrity between two communication applications.


2. Encryption and decryption:

Encryption: The plaintext data is converted into ciphertext data by the algorithm;

Decryption: The cipher data is converted into plaintext data by the algorithm;

Key: The required parameters in the process of encrypting and decrypting;


3. Symmetric encryption:

Key: Encryption and decryption using the same key;


commonly used symmetric encryption algorithms:DES (+),3DES,AES ( +,192, the,384,+ ),Blowfish,Twofish, Idea,RC6,CAST5


Characteristics:

Encrypt, decrypt and use the same password;

The plaintext is separated into fixed-size blocks, which are encrypted one by one;

Defects:

too many maintenance keys;

key transmission is not secure;


Application scenario: Data concealment;


4. Asymmetric encryption (public key cryptography):

Key:

A pair appears, the public key ( Public Key ) is implied in the private key ( secret key ) in; The data encrypted with the public key must be decrypted with the matching private key, and the data encrypted with the private key must be decrypted with the public key that matches it;

Public key: can be made public;

Private key: Must be retained on its own;


common public key encryption algorithms: RSA, Dsa,eigamal


Defect: Encryption, decryption time is too long, usually not for simple communication;


Application Scenario: Identity authentication, key exchange;


Key Exchange: IKE ( Internet Keyexchange )

DH algorithm: Diffie Hellman


4, one-way encryption:

The sender and receiver can generate the signature of the data based on the algorithm, that is, the data fingerprint, and compare it for the data integrity check;


Common one-way encryption algorithm: MD5,SHA1,SHA256,SHA384,SHA512


Characteristics:

Fixed-length output: No matter how large the input data, the length of the output signature code is fixed;

Butterfly Effect: Small changes in input data can cause great changes in the output signature;


Application Scenario: data integrity check;


Third, the encryption and decryption process description:

Internet data transmission needs to be realized: confidentiality, data integrity, identity authentication and key exchange;

For example: Alice transmits data to Bob;

Data encryption Process:

1,Alice generated the original data, using a one-way encryption algorithm to calculate the original data signature, to ensure data integrity;

2, with their own private key to encrypt the original data signature and appended to the original data behind, to achieve identity authentication;

3. Symmetricencryption keys are generated for the whole data encryption using the symmetrical cryptographic algorithm to ensure data concealment;

4, using the public key provided by Bob to encrypt the symmetric encryption key, and appended to the encrypted data after a concurrent send to Bob, the realization of key exchange;

Data decryption Process:

1. Bob receives the data, decrypts the symmetric encryption key with his private key, realizes the key exchange;

2.decrypt the encrypted data with the decrypted key to ensure that the data is not tapped;

3, using the public key provided by Alice to decrypt the signature of the original data, verify the identity of the sender of the data Alice;

4, using the same one-way encryption algorithm to calculate the original data signature and the decrypted signature for comparison, to ensure that the data has not been tampered with;

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/70/68/wKioL1W3T6jAtTu6AAO11nn3gCQ545.jpg "title=" 1.1.jpg "alt=" wkiol1w3t6jattu6aao11nn3gcq545.jpg "/>

Four, OpenSSL basic usage of:

OpenSSL: Open source Secure Sockets Layer, is a strong Secure Sockets Layer cipher Library , multi-purpose command line tools;

Libcrypto: Public Encrypted library

implementation of the LIBSSL:SSL protocol


To install the OpenSSL package:

# Yuminstall OpenSSL


To view the OpenSSL version number:

# OpenSSL version


OpenSSL command options:

-e: Specified as encryption, can not write default for encryption;-DES3: Specify algorithm algorithm;-salt: default setting, generate a string of strings placed at the front of the password to encrypt, improve the decryption difficulty;-A: Based on base64 processing data, encryption results are base64 encoded ;-in: Read the file for encryption;-out: output to there;-D: Specified for decryption;


1. Symmetric encryption:

tools:gpg,OpenSSL enc;

algorithm: DES,3DES,AES, Blowfish,twofish,RC6,idea,CAST5 ;


Encryption:

# opensslenc-des3-a-salt-in/path/from/somefile-out/path/to/somecipherfile


Decrypt:

# opensslenc-d-des3-a-salt-in/path/from/somecipherfile-out/path/to/somefile


2, one-way encryption:

Tools: md5sum , Sha1sum , OpenSSL dgst , Chsum ;

algorithm: Md5(128bit),SHA1(160bit),sha256,sha384,sha512;


# openssldgst [-MD5|-SHA1] [-out/path/to/filename]/path/from/somefile


MAC : Message Digest code, one-way encryption extension class application

Application: Used to ensure the integrity of the transmitted data in network communication

Mechanism:

CBC MAC;

HMAC: an algorithm using MD5 or SHA1;


User password:

# opensslpasswd-1-salt Salt


generate random Number:

# opensslrand-base64| -hex num


3. Public Key cryptography:

tools:gpg,opensslrsautl;

algorithm: RSA , Eigamal ;


Digital signature:

algorithm: RSA,eigamal,DSA;

DSA:digitalsignature algorithm

DSS:digitalsignature Standard

Key Exchange: IKE

algorithm: Public key encryption, Dh

DH:Diffie Hellman


Generate key:

# (umask077; OpenSSL genrsa-out/path/to/keyfile numberofbits)


Present public key:

# Opensslrsa-in/path/from/private_key_file–pubout


Five, OpenSSL Basic Application Examples:

1. Copy the/etc/rc.d/init.d/functions file to the/root directory and save the /root/functions file for symmetric encryption to /tmp/ Functions.cipher;

2, the /tmp/functions.cipher file decryption save to /tmp/functions;

3, using one-way encryption to generate the original file /root/functions and decrypted file /tmp/functions signature for comparison.

Symmetric cryptographic operations:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/70/68/wKioL1W3Ua3SoLD_AAJRTivuHmY333.jpg "title=" 1.2. JPG "alt=" wkiol1w3ua3sold_aajrtivuhmy333.jpg "/>


Decrypt the functions.cipher file:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/70/6B/wKiom1W3T9awTx3NAADHLvPQbm4168.jpg "title=" 1.3. JPG "alt=" wkiom1w3t9awtx3naadhlvpqbm4168.jpg "/>


generate the original file /root/functions and the decrypted file /tmp/functions signature for comparison:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/70/6B/wKiom1W3T-nT1cVCAAEv0epD1_0073.jpg "title=" 1.4. JPG "alt=" wkiom1w3t-nt1cvcaaev0epd1_0073.jpg "/>

This article is from the "Pony Learning Record" blog, make sure to keep this source http://masachencer.blog.51cto.com/8683770/1679317

Cryptographic decryption principle and OpenSSL basic application

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.