Data security -> Encryption
1. Basic concepts:
Confidentiality: prevent others from getting data
Integrity: data is not damaged
Authentication: ensure the data source
PKI: Public Key Infrastructure.
Generating a key through negotiation: Internet Key Exchange (IKE)
Diffie-Hellman protocol (a commonly used secure key exchange for IKE)
Principle:
A and B negotiate: they select two numbers, p and g (a large prime number and a generator)
A: automatically generates a random number x
B: automatically generates a random number y
A: calculates g^x % p and sends it to B.
B: calculates g^y % p and sends it to A.
Data transmitted over the network: g, p, g^x % p, g^y % p
x and y cannot be determined from these values.
A: calculates (g^y % p)^x % p = g^(yx) % p
B: calculates (g^x % p)^y % p = g^(xy) % p
At this point, g^(xy) % p is the key shared by both parties, and no one else knows what the key is.
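The exchange described above, carried through in code. This is an added example, not part of the original post: the group (p = 2^127 - 1, g = 3) is a toy chosen for the demo, and the function names, the range check on the peer's value and the SHA-256 step that turns the shared number into a 32-byte key are assumptions of this sketch.

```python
import hashlib
import secrets

# Toy group, constructed for this demo: 2**127 - 1 is prime but far too small
# for real use, and g = 3 is an arbitrary base. Real deployments use
# standardized groups of 2048 bits or more.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private x, public g^x % p)."""
    x = secrets.randbelow(P - 3) + 2          # x in [2, p-2], never sent
    return x, pow(G, x, P)

def shared_key(own_private, peer_public):
    """Compute (peer_public ^ own_private) % p and hash it into a 32-byte key."""
    # Reject values that would force a predictable secret (0, 1, p-1, out of range).
    if not 1 < peer_public < P - 1:
        raise ValueError("degenerate public value")
    secret = pow(peer_public, own_private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def exchange():
    """Run both sides; return what crossed the wire and each side's key."""
    x, a_pub = keypair()                      # side A
    y, b_pub = keypair()                      # side B
    wire = {"g": G, "p": P, "A": a_pub, "B": b_pub}
    return wire, shared_key(x, b_pub), shared_key(y, a_pub)

if __name__ == "__main__":
    wire, key_a, key_b = exchange()
    print("on the wire:", wire)
    print("keys match:", key_a == key_b)
```

The exchange itself does not authenticate either party; that is what the signatures and certificates in the later sections provide.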
2. Confidentiality:
Symmetric encryption: encryption and decryption use the same key.
Feature: fast
Disadvantage: a different key is used for each session, so too many keys have to be maintained.
Implementation:
DES: Data Encryption Standard, 56-bit encryption (no longer commonly used)
3DES: DES applied three times
AES: Advanced Encryption Standard, which has several variants, such as AES-192 and AES-256
Blowfish: this one is charged for.
3. Integrity:
One-way encryption: extracts a signature (digest) of the data.
Features: the same input always gives the same output;
Avalanche effect: a small change in the input results in a huge change in the output.
Fixed-length output: regardless of the size of the raw data, the result size is the same.
Irreversible: the original data cannot be restored from the signature.
Implementation:
MD4, MD5 (128-bit)
SHA1, SHA256, SHA384, SHA512.
Linux commands include sha1hmac, sha224sum, sha256sum, sha384sum, sha512sum, sha1sum, sha256hmac, sha384hmac, sha512hmac.
4. Authentication:
Asymmetric keys: divided into a public key and a private key. Data encrypted with the public key is decrypted with the private key, and data encrypted with the private key is decrypted with the public key.
Public key (extracted from the private key): keeps data confidential
Private key: authentication
Features: 1. Encrypting data with the public key is very slow, so public-key encryption is generally not used for the data itself.
2. The private key is mainly used for identity authentication.
Implementation:
RSA: encryption and signature
DSA: Signature
ElGamal: Billing
5. network data transmission process:
For user A:
1. User A wants to send a confidential email to user B. First, user A's plaintext is passed through a hash function to obtain a message digest. The digest is then signed with user A's private key to obtain a digital signature. The digital signature, also known as a digital fingerprint, is undeniable: it lets us confirm that this email was sent by A. That is the purpose of the digital signature.
2. The plaintext, A's digital signature and A's public key, these three items, are encrypted with a single symmetric key. This step is usually transparent to the user; in other words, the system automatically encrypts the data with a symmetric algorithm to prevent eavesdropping on the Internet.
3. The symmetric key is encrypted with user B's public key to obtain a digital envelope. With an asymmetric algorithm, what is encrypted with user B's public key can only be decrypted with user B's private key, and that private key is stored on user B's own PC, so even if the message is intercepted in transit it cannot be opened without user B's private key.
4. User A sends the message over the Internet.
For user B, four steps are likewise required.
1. First, decrypt the digital envelope with B's private key. The file that was sent is encrypted with a symmetric algorithm, and user B does not yet know the symmetric key, so user B first decrypts the digital envelope with his private key to obtain the symmetric key.
2. The ciphertext is decrypted with the symmetric key. User B can now see the plaintext of the file. Decryption gives user B three items: the plaintext, A's digital signature and A's public key. Someone may ask at this point: couldn't A's public key be forged? First, A's public key is only recovered after B's private key (asymmetric encryption) and the symmetric key have been used to open the message, so a forger would be up against both symmetric and asymmetric encryption. Second, even if A's public key could be forged, A's private key cannot. In an asymmetric algorithm keys come in pairs: what is encrypted with the private key can only be decrypted with the matching public key, and the two are tied together. So even if someone spoofs A's public key, the ciphertext cannot be decrypted. This step is also transparent to the user.
3. Now for the digital signature. We decrypt the digital signature with A's public key. If it decrypts, the file was sent by user A, which gives non-repudiation; this is why a digital signature is also called a digital fingerprint. Decrypting it yields a message digest. Likewise, hashing the plaintext yields a message digest.
4. Compare the two digests. If they match, the message was transmitted correctly; otherwise, the file has been tampered with.
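The sender and receiver steps above as working code. This is an added example, not from the original post: it uses the third-party `cryptography` package, and the choice of RSA-PSS for the signature, RSA-OAEP for the digital envelope and AES-GCM for the symmetric layer is an assumption (the page names RSA and AES but no padding or mode). The function names are hypothetical, and B is assumed to already hold a trusted copy of A's public key, for example from a CA-issued certificate, instead of relying on a copy shipped inside the message.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def new_keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def seal(plaintext, sender_private, recipient_public):
    # Sender step 1: hash the plaintext and sign the digest with A's private key.
    signature = sender_private.sign(plaintext, PSS, hashes.SHA256())
    # Sender step 2: encrypt signature + plaintext under a fresh symmetric key.
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    body = AESGCM(session_key).encrypt(nonce, signature + plaintext, None)
    # Sender step 3: wrap the symmetric key with B's public key (digital envelope).
    envelope = recipient_public.encrypt(session_key, OAEP)
    return {"envelope": envelope, "nonce": nonce, "body": body}

def unseal(message, recipient_private, sender_public):
    # Receiver step 1: open the envelope with B's private key.
    session_key = recipient_private.decrypt(message["envelope"], OAEP)
    # Receiver step 2: decrypt the body with the recovered symmetric key.
    data = AESGCM(session_key).decrypt(message["nonce"], message["body"], None)
    sig_len = sender_public.key_size // 8     # RSA signature length in bytes
    signature, plaintext = data[:sig_len], data[sig_len:]
    # Receiver steps 3-4: verify() hashes the plaintext and checks it against
    # the signature; it raises InvalidSignature on any mismatch.
    sender_public.verify(signature, plaintext, PSS, hashes.SHA256())
    return plaintext

if __name__ == "__main__":
    a, b = new_keypair(), new_keypair()       # constructed demo keys
    msg = seal(b"constructed sample mail", a, b.public_key())
    print(unseal(msg, b, a.public_key()))
```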
6. For the transmission process above, an impartial third party is needed to prove identity, that is, to let others know who I am and that I am not an impostor.
For this, a CA (Certificate Authority) is required.
1. A complete CA is an accredited certificate authority.
2. The CA maintains a CRL (Certificate Revocation List).
3. The CA standards are X509 (commonly used) and PKCS12 (not commonly used)
X509 content:
1. Public key and its validity period
2. Legal owner of the certificate
3. How the certificate may be used
7. Implementations of PKI: TLS/SSL and OpenGPG
1. SSL: developed by Netscape. A half layer, SSL, is added between the transport layer (TCP) and the application layer to encrypt data.
It is in fact a library that implements data encryption.
SSL versions: SSLv1, SSLv2, SSLv3; SSLv1 is no longer used.
SSL stands for Secure Socket Layer.
2. TLS: Transport Layer Security, developed by an international standards organization.
TLSv1 is equivalent to SSLv3, and its implementation principle is the same.
8. SSL session creation process
Example: HTTP (TCP)
1. Client: requests the session. Server: receives the request.
2. Client: constructs the SSL session through negotiation, including algorithms. Server: constructs the SSL session through negotiation, including algorithms.
3. Client: accepts the client certificate. Server: sends its own certificate to the client.
4. Client: randomly generates a symmetric key and packages the data. Server: accepts the data and verifies it.
5. Client: repeats the above actions. Server: repeats the above actions.
6. Client: closes the session after use. Server: closes the session.
Note: The Diffie-Hellman protocol is not used.
9. OpenSSL: a powerful open-source tool that implements SSL.
1. Components: libcrypto: the encryption library
libssl: the SSL library
openssl: a multi-purpose command-line tool.
2. The openssl command has many sub-commands:
For example:
1. Symmetric encryption of a file
openssl enc -des3 -salt -a -in <input file> -out <output file>
Decryption:
openssl enc -des3 -salt -d -a -in <input file> -out <output file>
2. One-way encryption of a file (calculate MD5)
Example: md5sum <file>
Note: MD5 password encryption uses a salt, so the same password gives different encryption results.
3. OpenSSL also supports encrypting files with RSA and DSA. The corresponding sub-commands are rsautl and dsa.
Random numbers are also supported. For example, openssl rand -base64 <length>, where <length> is the length of the random number.
10. Use OpenSSL to implement a private CA:
1. Generate a key pair first:
(umask 077; openssl genrsa -out <private key file>)
2. Extract the public key from the private key
openssl rsa -in <private key file> -pubout
3. req can generate a certificate or a signing request
openssl req -new -x509 -key <private key file> -out <file name>.crt -days <days>
Note: At this point the CA may not yet be usable. It has to be configured according to /etc/pki/tls/openssl.cnf.
After the above steps the CA is created; the next step is how to issue a certificate.
1. To apply for a certificate you need your own key, for example for an HTTP server.
(umask 077; openssl genrsa -out httpd.key 1024)
2. Generate a request. (Here the CA is on the same machine. Otherwise, the request must be sent over the network to the CA for signing.)
openssl req -new -key httpd.key -out httpd.csr
CSR: Certificate Signing Request, the certificate request file
3. Sign the request:
openssl ca -in httpd.csr -out httpd.crt -days 365
This article is from the "technology first" blog, please be sure to keep this source http://wuxiangdong.blog.51cto.com/8274747/1571024
Data Encryption, digital signature, CA Creation