Cryptography principles and OpenSSL, private CA Setup

Source: Internet
Author: User
Tags openssl enc openssl rsa

Public key cryptography: keys come in pairs
Public key: published to everyone; pubkey
Private key: kept by its owner, and its secrecy must be guaranteed; secret key
Feature: data encrypted with the public key can only be decrypted with the private key it is paired with, and vice versa;
Uses:
Digital signature: mainly lets the receiver confirm the sender's identity; the sender encrypts with its own private key;
Key exchange

Modes (IKE):

①. The sender encrypts a symmetric key with the other party's public key and sends it to the other party;

②. The DH algorithm: the secret key is never sent over the network, so even if the traffic is cracked the secret key cannot be obtained. To understand the DH algorithm, please Google it.


Secure communication process (assuming A and B want to transmit data securely, with A sending data to B):

Sender A:

1. A hashes the actual data with a one-way encryption algorithm and encrypts the resulting hash with its own private key to produce the signature

2. A encrypts the actual data and the signature just obtained with a random symmetric key, and encrypts the random symmetric key with B's public key

3. A sends to B: ⑴ the data and signature encrypted with the random symmetric key, ⑵ the symmetric key encrypted with B's public key

Receiving party B:

1. B decrypts the sender's random symmetric key with its own private key

2. B decrypts the data with the symmetric key to get the actual data and the signature encrypted with A's private key

3. B decrypts the encrypted signature with A's public key

4. B hashes the actual data and compares the result with the hash recovered from the signature, which provides the integrity check
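
The exchange above, step for step with the openssl CLI, as an added example that is not part of the original post. It assumes A and B already hold each other's genuine public keys, uses AES-256-CBC with PBKDF2 and RSA-OAEP rather than the des3 shown later on the page, and all file names are constructed.

```shell
#!/bin/sh
# Added example: the A -> B exchange with the openssl CLI (needs OpenSSL 1.1.1+).
# File names (env.*, sess.key) are constructed for this sketch.

gen_keypair() {   # $1 = name; writes $1.key (private) and $1.pub (public)
    ( umask 077; openssl genrsa -out "$1.key" 2048 2>/dev/null ) &&
        openssl rsa -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

sym() {           # $1 = -e or -d, $2 = input, $3 = output; keyed from sess.key
    openssl enc "$1" -aes-256-cbc -pbkdf2 -salt -pass file:sess.key -in "$2" -out "$3"
}

# Sender. $1 = data file, $2 = sender private key, $3 = receiver public key
seal() {
    # 1. hash the data and sign the hash with the sender's private key
    openssl dgst -sha256 -sign "$2" -out env.sig "$1" || return 1
    # 2. a random one-time symmetric key encrypts both data and signature
    ( umask 077; openssl rand -hex 32 > sess.key ) || return 1
    sym -e "$1" env.data && sym -e env.sig env.sig.enc || return 1
    #    ... and that key is encrypted with the receiver's public key
    openssl pkeyutl -encrypt -pubin -inkey "$3" \
        -pkeyopt rsa_padding_mode:oaep -in sess.key -out env.key || return 1
    # 3. only env.data, env.sig.enc and env.key travel to the receiver
    rm -f sess.key env.sig
}

# Receiver. $1 = output file, $2 = receiver private key, $3 = sender public key
open_envelope() {
    # 1. recover the symmetric key with the receiver's private key
    openssl pkeyutl -decrypt -inkey "$2" \
        -pkeyopt rsa_padding_mode:oaep -in env.key -out sess.key 2>/dev/null || return 1
    # 2. decrypt the data and the signature
    sym -d env.data "$1" && sym -d env.sig.enc env.sig || return 1
    # 3 + 4. check the signature against a fresh hash of the data
    openssl dgst -sha256 -verify "$3" -signature env.sig "$1" >/dev/null 2>&1
}

demo() (          # runs in a subshell so the cd does not leak
    cd "$(mktemp -d)" || exit 1
    gen_keypair a && gen_keypair b && gen_keypair c || exit 1
    printf 'constructed sample message\n' > msg.txt
    seal msg.txt a.key b.pub && open_envelope out.txt b.key a.pub || exit 1
    cmp -s msg.txt out.txt || exit 1
    ! open_envelope out2.txt b.key c.pub    # not signed by C: must fail
)

demo && echo "envelope verified; wrong sender key rejected"
```

The last check in demo only shows that a signature fails under the wrong public key; it does nothing about A being handed the wrong public key in the first place.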


The process looks perfect, but there's a loophole:

How does A get B's public key? What if C impersonates B and tells A that he is B? How does B get A's public key?

This is where the CA comes in. The CA is the certification authority: B sends its own public key to the CA and lets the CA prove that B is B. The CA issues a certificate to B (B's public key is embedded in the certificate) and puts its stamp on it to vouch for B's identity; that stamp is the digital signature.


To keep the private key from being lost, the private key needs to be encrypted, but what if someone decrypts it?

So the CA needs to maintain a certificate revocation list (a certificate also has an expiration date). Each time, the receiving party checks whether the certificate was issued by a trusted authority and whether the sender's certificate appears in the certificate revocation list on the CA server; if it does, the certificate is not trusted.

PKI: Public Key Infrastructure
Issuing authority: CA
Registration authority: RA
Certificate revocation list: CRL
Certificate repository

Certificate format:

Defines the structure of the certificate and the standard for the authentication protocol
Version number
Serial number
Signature algorithm ID
Issuer name
Validity period
Subject name
Subject public key
Issuer unique identifier
Subject unique identifier
Extensions
Issuer signature

The process above still has a loophole: what if someone impersonates a CA? How does the recipient of a CA-issued certificate verify that the CA is reliable?

The CA uses its own private key to encrypt the signature on the certificate it issues to A or B, and the signature is recovered by decrypting with the CA's public key. That public key comes from the CA's own certificate, which the CA issues to itself. When A or B receives a certificate issued by a CA, it has to verify that the CA's signature is reliable (that is, that it comes from a trusted CA). How is that validated? When the operating system is installed, it embeds the certificates of all trusted CAs, and the CA's public key is extracted from the embedded certificate; this holds unless the system is pirated.
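
What the paragraph above describes, as an added example (not from the original post): a CA that issues its own certificate, signs B's certificate, and a check against that trust anchor, with a second CA of the same name modelling the impersonation case. The file names, the CA name "Demo Root CA" and the unencrypted (-nodes) private keys are assumptions made so the sketch runs unattended.

```shell
#!/bin/sh
# Added example: a self-signed private CA as trust anchor (file names constructed).

make_ca() {       # $1 = file prefix, $2 = CA name; the CA signs its own certificate
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_cert() {    # $1 = subject file prefix, $2 = subject name, $3 = CA file prefix
    # the subject generates a key pair and a signing request carrying its public key
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    # the CA signs the request with its private key, producing the certificate
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
        -CAcreateserial -sha256 -days 7 -out "$1.crt" 2>/dev/null
}

trusted() {       # $1 = trust anchor certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

cert_fields() {   # $1 = certificate; prints issuer, subject, serial and validity
    openssl x509 -in "$1" -noout -issuer -subject -serial -dates
}

demo() (          # subshell, so the cd stays local
    cd "$(mktemp -d)" || exit 1
    make_ca root "Demo Root CA" && make_ca fake "Demo Root CA" || exit 1
    issue_cert b "B" root && issue_cert b_forged "B" fake || exit 1
    cert_fields b.crt
    trusted root.crt b.crt || exit 1     # signed by the embedded anchor
    ! trusted root.crt b_forged.crt      # same names, different CA key: rejected
)

demo && echo "genuine certificate accepted; look-alike CA rejected"
```

The forged certificate carries the same issuer and subject names as the genuine one; it is rejected because the verifier checks the signature against the key in the anchor it already holds, not against the names.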

[Screenshot: the certificates that come with Windows]


SSL/TLS: adds a half layer between the application layer and the transport layer

Layered design:
1. Lowest layer: implementations of the basic algorithm primitives: AES, RSA, MD5
2. One layer up: implementations of the various algorithms
3. One more layer up: algorithms combined into semi-finished components
4. Finished cryptographic protocols/software assembled from the various components:
TLS, SSH

Three components:
openssl: multi-purpose command-line tool;
libcrypto: general-purpose cryptography library;
libssl: library implementing SSL and TLS;


Using the openssl command on Linux:

1. enc command:
Encryption: ~]# openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext
Decryption: ~]# openssl enc -d -des3 -a -salt -in fstab.ciphertext -out fstab
openssl ? prints help

2. One-way encryption:
Tools: md5sum, sha1sum, sha224sum, sha256sum, ..., openssl dgst
dgst command: openssl dgst -md5 /path/to/somefile


MAC: Message Authentication Code, an extended application of one-way encryption, used to ensure the integrity of data transmitted in network communication;
Mechanisms: CBC-MAC; HMAC: uses the MD5 or SHA1 algorithm

3. Generate random numbers:
openssl rand -base64|-hex NUM
NUM: the number of bytes; with -hex each character represents 4 bits, so the number of characters output is NUM*2;

4. Generate a key pair:
openssl genrsa -out /path/to/privatekey.FILE NUM_BITS
# (umask 077; openssl genrsa -out key.pri 2048)
Extract the public key:
# openssl rsa -in /path/from/privatekey.FILE -pubout (the public key can be extracted from the private key)


This article is from the "After Tomorrow" blog, please be sure to keep this source http://leeyan.blog.51cto.com/8379003/1695150
