Objective:
In the early days of the Internet, the number of hosts connected to the Internet was small and applications were few, so the network protocols that were designed early in the morning did not take into account the concept of network security, and the transmission of data in the network was transmitted in clear text. With the rapid development of the Internet, network communication has become the main way of information transmission, and the data in the clear text of the environment is very insecure, if there is no set of data encryption mechanism, so that the data in the network transmission process in the presence of eavesdropping, tampering and other security issues, will bring immeasurable loss to users
I. Definition of information security:
1. NIST defines the computer security ternary group: CIA
Confidentiality ( Confidentiality ): Only authorized users can obtain information;
Data confidentiality;
privacy;
Integrity ( integrality ): information in the process of input and transmission, is not illegally authorized to modify and destroy, to ensure the consistency of data;
Data integrity;
system integrity;
Availability ( Availability ): ensure that legitimate users ' use of information and resources will not be improperly rejected;
Authenticity: an instance is real and can be verified, the data sender will not be imposter;
Traceability: after an intrusion event, the attacker's source data can be found;
2 . The OSI defines the x.800:
Security attacks:
Passive attack: eavesdropping
Active attacks: Spoofing, replay, message modification, denial of service
Security Mechanisms:
Encryption, digital signature, rhetorical question control, data integrity, authentication switching traffic filling, routing control, fairness (third-party mechanism);
Security services:
Certification
Access control
Data privacy:
Connection privacy
No connection confidentiality
Select Domain Privacy
Traffic confidentiality
Data integrity
Non-repudiation
Second, encryption algorithm and protocol:
1. Authentication Agreement:
IKE ( Internetkey Exchange , key exchange protocol ): Commonly used to ensure a virtual private network VPN security when communicating with a remote network or host;
ssl ecure sockets layer Secure Sockets Layer) : network communication provides security and data integrity of a security protocol.
TLS ( Transport Layer Security , Transport Layer Security protocol) : is modeled SSL designed to provide confidentiality and data integrity between two communication applications.
2. Encryption and decryption:
Encryption: The plaintext data is converted into ciphertext data by the algorithm;
Decryption: The cipher data is converted into plaintext data by the algorithm;
Key: The required parameters in the process of encrypting and decrypting;
3. Symmetric encryption:
Key: Encryption and decryption using the same key;
commonly used symmetric encryption algorithms:DES (+),3DES,AES ( +,192, the,384,+ ),Blowfish,Twofish, Idea,RC6,CAST5
Characteristics:
Encrypt, decrypt and use the same password;
The plaintext is separated into fixed-size blocks, which are encrypted one by one;
Defects:
too many maintenance keys;
key transmission is not secure;
Application scenario: Data concealment;
4. Asymmetric encryption (public key cryptography):
Key:
A pair appears, the public key ( Public Key ) is implied in the private key ( secret key ) in; The data encrypted with the public key must be decrypted with the matching private key, and the data encrypted with the private key must be decrypted with the public key that matches it;
Public key: can be made public;
Private key: Must be retained on its own;
common public key encryption algorithms: RSA, Dsa,eigamal
Defect: Encryption, decryption time is too long, usually not for simple communication;
Application Scenario: Identity authentication, key exchange;
Key Exchange: IKE ( Internet Keyexchange )
DH algorithm: Diffie Hellman
4, one-way encryption:
The sender and receiver can generate the signature of the data based on the algorithm, that is, the data fingerprint, and compare it for the data integrity check;
Common one-way encryption algorithm: MD5,SHA1,SHA256,SHA384,SHA512
Characteristics:
Fixed-length output: No matter how large the input data, the length of the output signature code is fixed;
Butterfly Effect: Small changes in input data can cause great changes in the output signature;
Application Scenario: data integrity check;
Third, the encryption and decryption process description:
Internet data transmission needs to be realized: confidentiality, data integrity, identity authentication and key exchange;
For example: Alice transmits data to Bob;
Data encryption Process:
1,Alice generated the original data, using a one-way encryption algorithm to calculate the original data signature, to ensure data integrity;
2, with their own private key to encrypt the original data signature and appended to the original data behind, to achieve identity authentication;
3. Symmetricencryption keys are generated for the whole data encryption using the symmetrical cryptographic algorithm to ensure data concealment;
4, using the public key provided by Bob to encrypt the symmetric encryption key, and appended to the encrypted data after a concurrent send to Bob, the realization of key exchange;
Data decryption Process:
1. Bob receives the data, decrypts the symmetric encryption key with his private key, realizes the key exchange;
2.decrypt the encrypted data with the decrypted key to ensure that the data is not tapped;
3, using the public key provided by Alice to decrypt the signature of the original data, verify the identity of the sender of the data Alice;
4, using the same one-way encryption algorithm to calculate the original data signature and the decrypted signature for comparison, to ensure that the data has not been tampered with;
650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/70/68/wKioL1W3T6jAtTu6AAO11nn3gCQ545.jpg "title=" 1.1.jpg "alt=" wkiol1w3t6jattu6aao11nn3gcq545.jpg "/>
Four, OpenSSL basic usage of:
OpenSSL: Open source Secure Sockets Layer, is a strong Secure Sockets Layer cipher Library , multi-purpose command line tools;
Libcrypto: Public Encrypted library
implementation of the LIBSSL:SSL protocol
To install the OpenSSL package:
# Yuminstall OpenSSL
To view the OpenSSL version number:
# OpenSSL version
OpenSSL command options:
-e: Specified as encryption, can not write default for encryption;-DES3: Specify algorithm algorithm;-salt: default setting, generate a string of strings placed at the front of the password to encrypt, improve the decryption difficulty;-A: Based on base64 processing data, encryption results are base64 encoded ;-in: Read the file for encryption;-out: output to there;-D: Specified for decryption;
1. Symmetric encryption:
tools:gpg,OpenSSL enc;
algorithm: DES,3DES,AES, Blowfish,twofish,RC6,idea,CAST5 ;
Encryption:
# opensslenc-des3-a-salt-in/path/from/somefile-out/path/to/somecipherfile
Decrypt:
# opensslenc-d-des3-a-salt-in/path/from/somecipherfile-out/path/to/somefile
2, one-way encryption:
Tools: md5sum , Sha1sum , OpenSSL dgst , Chsum ;
algorithm: Md5(128bit),SHA1(160bit),sha256,sha384,sha512;
# openssldgst [-MD5|-SHA1] [-out/path/to/filename]/path/from/somefile
MAC : Message Digest code, one-way encryption extension class application
Application: Used to ensure the integrity of the transmitted data in network communication
Mechanism:
CBC MAC;
HMAC: an algorithm using MD5 or SHA1;
User password:
# opensslpasswd-1-salt Salt
generate random Number:
# opensslrand-base64| -hex num
3. Public Key cryptography:
tools:gpg,opensslrsautl;
algorithm: RSA , Eigamal ;
Digital signature:
algorithm: RSA,eigamal,DSA;
DSA:digitalsignature algorithm
DSS:digitalsignature Standard
Key Exchange: IKE
algorithm: Public key encryption, Dh
DH:Diffie Hellman
Generate key:
# (umask077; OpenSSL genrsa-out/path/to/keyfile numberofbits)
Present public key:
# Opensslrsa-in/path/from/private_key_file–pubout
Five, OpenSSL Basic Application Examples:
1. Copy the/etc/rc.d/init.d/functions file to the/root directory and save the /root/functions file for symmetric encryption to /tmp/ Functions.cipher;
2, the /tmp/functions.cipher file decryption save to /tmp/functions;
3, using one-way encryption to generate the original file /root/functions and decrypted file /tmp/functions signature for comparison.
Symmetric cryptographic operations:
650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/70/68/wKioL1W3Ua3SoLD_AAJRTivuHmY333.jpg "title=" 1.2. JPG "alt=" wkiol1w3ua3sold_aajrtivuhmy333.jpg "/>
Decrypt the functions.cipher file:
650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/70/6B/wKiom1W3T9awTx3NAADHLvPQbm4168.jpg "title=" 1.3. JPG "alt=" wkiom1w3t9awtx3naadhlvpqbm4168.jpg "/>
generate the original file /root/functions and the decrypted file /tmp/functions signature for comparison:
650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/70/6B/wKiom1W3T-nT1cVCAAEv0epD1_0073.jpg "title=" 1.4. JPG "alt=" wkiom1w3t-nt1cvcaaev0epd1_0073.jpg "/>
This article is from the "Pony Learning Record" blog, make sure to keep this source http://masachencer.blog.51cto.com/8683770/1679317
Cryptographic decryption principle and OpenSSL basic application