Data Encryption: OpenSSL & OpenSSH

Source: Internet
Author: User
Tags: openssl, enc, asymmetric encryption

Data encryption provides three properties: confidentiality, integrity, and identity authentication.

Common cryptographic algorithms

Symmetric encryption

A symmetric encryption algorithm uses the same key for encryption and decryption; its weakness is that keys cannot be managed effectively (the shared secret has to be distributed to, and stored by, every party).

Symmetric encryption algorithms: DES; 3DES; AES (Advanced Encryption Standard): AES192, AES256, AES512. Tools that implement them: openssl, gpg.


One-way encryption

One-way encryption (hashing) guarantees data integrity: the algorithm extracts a signature (digest) from the input. Its properties: the same input always produces the same output; avalanche effect: a small change in the input causes a large change in the result; fixed-length output: no matter how large the original data, the result is the same size; and it is irreversible, so the original data cannot be recovered from the signature. Algorithms: md4, md5, sha1, sha192, sha256, sha384, crc-32.
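The properties listed above can be checked directly with "openssl dgst". The script below is an added example, not part of the original post; the input strings are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: checking the stated properties of
# one-way hashes with "openssl dgst". Input strings below are constructed.
set -eu

# Hex digest of string $2 (no trailing newline) under algorithm $1.
digest_of() {
    printf '%s' "$2" | openssl dgst "-$1" | awk '{print $NF}'
}

# Length of the digest in hex characters; depends on the algorithm, not the input.
digest_len() {
    digest_of "$1" "$2" | awk '{print length($0)}'
}

# Count positions at which two equal-length hex digests differ (avalanche check).
differing_positions() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = 0
        for (i = 1; i <= length(a); i++)
            if (substr(a, i, 1) != substr(b, i, 1)) n++
        print n
    }'
}

# Fixed-length output: a 1 MiB input hashes to the same 64 hex characters as "abc".
big_input_len() {
    head -c 1048576 /dev/zero | openssl dgst -sha256 | awk '{print length($NF)}'
}

# Stand-alone demonstration: "abc" and "abd" differ in one byte.
echo "sha256(abc) = $(digest_of sha256 abc)"
echo "sha256(abd) = $(digest_of sha256 abd)"
echo "differing hex positions: $(differing_positions "$(digest_of sha256 abc)" "$(digest_of sha256 abd)") of 64"
echo "md5 length $(digest_len md5 abc), sha256 length $(digest_len sha256 abc), 1 MiB input length $(big_input_len)"
```

Roughly 60 of the 64 hex characters change between the two digests; each output position keeps its value with probability 1/16, which is what the avalanche property means in practice.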


Public Key Cryptography

Public key cryptography, that is, asymmetric encryption, generates a pair of keys: a public key and a private key. What is encrypted with the public key can only be decrypted with the private key, and vice versa. If the sender encrypts data with its own private key, anyone can decrypt it with the public key, which verifies the sender's identity (authentication). If the sender encrypts data with the other party's public key, only that party can decrypt it, which guarantees confidentiality (seldom used). Public key algorithms are seldom used to encrypt bulk data: they are too slow.

Uses of public key cryptography: identity authentication (digital signatures); data encryption; key exchange.
Algorithms: RSA: encryption and signatures; DSA: signatures only; ElGamal: commercial algorithm.
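The two uses of a key pair described above, signing with the private key and encrypting to the public key, can be run with the openssl tool. This is an added example, not from the original post; the message text and file names are constructed, and OAEP padding is used for the encryption (the post does not specify a padding mode).

```shell
#!/bin/sh
# Added example, not from the original post: the two uses of a key pair described
# above, done with openssl. The message and file names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key pair: the private key stays with its owner, the public key is published.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/priv.pem" 2>/dev/null
openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"

printf 'transfer 100 to account 42\n' > "$WORK/msg"

# Authentication: sign a SHA-256 digest with the private key; anyone holding the
# public key can verify it (the post's "encrypt with one's own private key").
openssl dgst -sha256 -sign "$WORK/priv.pem" -out "$WORK/msg.sig" "$WORK/msg"

# Prints "valid" or "invalid" for file $1 against the stored signature.
verify_sig() {
    if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/msg.sig" "$1" >/dev/null 2>&1
    then echo valid; else echo invalid; fi
}

# Confidentiality: encrypt with the recipient's public key (OAEP padding);
# only the holder of the matching private key can recover the plaintext.
encrypt_for_owner() {
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$2"
}
decrypt_as_owner() {
    openssl pkeyutl -decrypt -inkey "$WORK/priv.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$2"
}

# Round trip through the public key; prints the recovered plaintext.
roundtrip() {
    encrypt_for_owner "$WORK/msg" "$WORK/msg.enc"
    decrypt_as_owner "$WORK/msg.enc" "$WORK/msg.dec"
    cat "$WORK/msg.dec"
}

# A copy with one changed number must fail verification.
tampered_result() {
    sed 's/100/900/' "$WORK/msg" > "$WORK/msg.tampered"
    verify_sig "$WORK/msg.tampered"
}

echo "original:  $(verify_sig "$WORK/msg")"
echo "tampered:  $(tampered_result)"
echo "decrypted: $(roundtrip)"
```

RSA can only encrypt a message shorter than its modulus (under 214 bytes here), which is the practical reason the text gives for using public keys to exchange a symmetric key rather than to encrypt data directly.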


OpenSSL: the open-source implementation of SSL/TLS

Composition

libcrypto: general-purpose cryptographic library

libssl: the TLS/SSL implementation; a session-based TLS/SSL library providing identity authentication, data confidentiality, and session integrity

openssl: multi-purpose command-line tool

Implementing a private certificate authority (CA)


1. Encryption and decryption

[[email protected] ~]# openssl enc -des3 -salt -a -in inittab -out inittab.des3    # encrypt
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[[email protected] ~]# openssl enc -des3 -d -salt -a -in inittab.des3 -out inittabbs    # -d decrypts
enter des-ede3-cbc decryption password:
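The same round trip with a current cipher and key derivation, as an added example that is not part of the original post: AES-256-CBC with PBKDF2 (the -pbkdf2/-iter options need OpenSSL 1.1.1 or later) replaces des3 and the legacy password-to-key derivation, and a wrong passphrase is checked for as well. The sample file and passphrase are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the encrypt/decrypt round trip from
# step 1 with AES-256-CBC and PBKDF2 key derivation (OpenSSL 1.1.1 or later)
# instead of des3, plus a check that a wrong passphrase does not yield the plaintext.
# The sample file and passphrase are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the post's inittab.
printf 'id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n' > "$WORK/inittab"

# -salt (the default) randomises the derived key per file; -iter selects PBKDF2
# with that many rounds; -a writes Base64 so the output survives text channels.
encrypt_file() {   # $1 in, $2 out, $3 passphrase
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 -a \
        -in "$1" -out "$2" -pass "pass:$3"
}
decrypt_file() {   # same parameters and the same derivation options, plus -d
    openssl enc -aes-256-cbc -d -pbkdf2 -iter 100000 -a \
        -in "$1" -out "$2" -pass "pass:$3"
}

# Prints "ok" when decrypting with passphrase $1 reproduces the original file.
roundtrip() {
    encrypt_file "$WORK/inittab" "$WORK/inittab.enc" "$1"
    decrypt_file "$WORK/inittab.enc" "$WORK/inittab.dec" "$1"
    if cmp -s "$WORK/inittab" "$WORK/inittab.dec"; then echo ok; else echo mismatch; fi
}

# Prints "rejected" when a wrong passphrase either fails ("bad decrypt") or
# yields bytes that differ from the original. CBC gives no integrity guarantee,
# so the comparison, not the error message, is the real check.
wrong_passphrase() {
    encrypt_file "$WORK/inittab" "$WORK/inittab.enc" "$1"
    if decrypt_file "$WORK/inittab.enc" "$WORK/inittab.bad" "not-$1" 2>/dev/null \
       && cmp -s "$WORK/inittab" "$WORK/inittab.bad"
    then echo decrypted; else echo rejected; fi
}

echo "round trip: $(roundtrip 'correct horse')"
echo "wrong passphrase: $(wrong_passphrase 'correct horse')"
```

The decrypt side must repeat exactly the derivation options used for encryption (-pbkdf2, -iter, -a); "openssl enc" stores the salt in the output but not the iteration count or the cipher.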

2. Generate a password hash

[[email protected] ~]# openssl passwd -1
Password: redhat
Verifying - Password:
$1$cvjwtheo$4bhztphdsp67isetsm0yz0
[[email protected] ~]# openssl passwd -1 -salt cvjwtheo    # specify the salt
Password:
$1$cvjwtheo$4bhztphdsp67isetsm0yz0
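The second command above shows that the hash is fully determined by the password and the salt stored in its second "$"-delimited field. The script below, an added example not from the original post, makes that reproducibility and the hash layout explicit and also shows the SHA-512-crypt scheme (-6, OpenSSL 1.1.1 or later) beside the post's MD5-crypt (-1). The salts other than cvjwtheo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: reproducing a crypt-style hash from
# its salt with "openssl passwd". "-1" is the post's MD5-crypt; "-6" is SHA-512
# crypt (OpenSSL 1.1.1 or later). Salts other than the post's are constructed.
set -eu

# Hash password $3 with scheme $1 (-1 or -6) and salt $2, feeding the password
# on stdin instead of the interactive prompt.
crypt_hash() {
    printf '%s\n' "$3" | openssl passwd "$1" -salt "$2" -stdin
}

# First "$"-delimited field: the scheme identifier (1 = MD5-crypt, 6 = SHA-512-crypt).
scheme_of() {
    printf '%s' "$1" | cut -d'$' -f2
}

# Second field: the salt embedded in the hash, which is why a verifier needs no
# separate salt store.
salt_of() {
    printf '%s' "$1" | cut -d'$' -f3
}

echo "MD5-crypt:     $(crypt_hash -1 cvjwtheo redhat)"
echo "SHA-512-crypt: $(crypt_hash -6 AbCdEfGh redhat)"
```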

3. Configure the CA so that it can issue certificates

Edit the configuration file /etc/pki/tls/openssl.cnf; the modified section:

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = jiangsu
localityName                    = Locality Name (eg, city)
localityName_default            = wuxi
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = tvm
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = tech

Create the files the CA needs

[[email protected] ca]# touch index.txt
[[email protected] ca]# echo 01 > serial    # first serial number; the certificate issued below gets serial 1 (0x1)

Generate the CA's private key

[[email protected] ca]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...+++
.................................................................+++
e is 65537 (0x10001)

Create the CA's self-signed certificate. Note that the command below gives no -days option, so the certificate receives OpenSSL's default validity of 30 days; a CA certificate is normally issued with an explicit, much longer -days value.

[[email protected] ca]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [jiangsu]:
Locality Name (eg, city) [WuXi]:
Organization Name (eg, company) [tvm]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:desktop3.example.com
Email Address []:[email protected]

4. Generate a key and certificate for the httpd application and have the CA sign it

Create a key for httpd

[[email protected] ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.......++++++
.....................++++++
e is 65537 (0x10001)

Generate a certificate signing request for httpd

[[email protected] ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [jiangsu]:
Locality Name (eg, city) [WuXi]:
Organization Name (eg, company) [TVM]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The CA signs the certificate request

[[email protected] ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 13 03:36:22 2015 GMT
            Not After : Sep 12 03:36:22 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = jiangsu
            organizationName          = TVM
            organizationalUnitName    = Tech
            commonName                = www.example.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3C:67:BB:BC:C4:B0:64:66:DF:DC:26:A7:FC:72:85:65:D4:9F:02:88
            X509v3 Authority Key Identifier:
                keyid:38:E7:94:C4:86:9E:54:71:29:B4:25:70:63:58:FB:BB:34:A3:E3:BD
Certificate is to be certified until Sep 12 03:36:22 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
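Steps 3 and 4 run end to end, as an added example that is not part of the original post: instead of editing /etc/pki/tls/openssl.cnf, the script writes its own minimal configuration under a temporary directory, answers the DN prompts with -subj and the y/n prompts with -batch, and finishes with the check the post leaves out, verifying the issued certificate against the CA and inspecting the CA database. All directory names, the DN values, the validity periods and the extension sections are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: steps 3 and 4 above run end to end
# with a self-contained config and non-interactive options, then the issued
# certificate is checked against the CA. Paths, names and the config are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/ca"

# 3a. CA directory layout plus the index and serial files "openssl ca" needs.
mkdir -p "$CADIR/private" "$CADIR/newcerts"
touch "$CADIR/index.txt"
echo 01 > "$CADIR/serial"

# 3b. Minimal config: CA section, the DN policy the CA enforces on requests,
# and extensions marking the CA cert as a CA and issued certs as end entities.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir   = $CADIR/newcerts
database        = $CADIR/index.txt
serial          = $CADIR/serial
private_key     = $CADIR/private/cakey.pem
certificate     = $CADIR/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = CN
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# 3c. CA key (umask 077 keeps it readable only by the CA user) and self-signed
# certificate. -days is explicit: without it "req -x509" issues a 30-day cert.
(umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
openssl req -new -x509 -config "$WORK/ca.cnf" -key "$CADIR/private/cakey.pem" \
    -days 3650 -subj "/C=CN/ST=jiangsu/L=wuxi/O=tvm/OU=tech/CN=ca.example.com" \
    -out "$CADIR/cacert.pem"

# 4a. Server key and CSR. C, ST and O must equal the CA's under policy_match.
(umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
openssl req -new -config "$WORK/ca.cnf" -key "$WORK/httpd.key" \
    -subj "/C=CN/ST=jiangsu/L=wuxi/O=tvm/OU=tech/CN=www.example.com" \
    -out "$WORK/httpd.csr"

# 4b. Sign with the CA; -batch answers the two y/n prompts shown in the post.
openssl ca -batch -notext -config "$WORK/ca.cnf" -in "$WORK/httpd.csr" \
    -out "$WORK/httpd.crt" -days 365 2>/dev/null

# Check: does the issued certificate chain to the CA? Prints OK or FAIL.
verify_cert() {
    if openssl verify -CAfile "$CADIR/cacert.pem" "$WORK/httpd.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Common Name of the issued certificate (RFC 2253 form: CN=...,OU=...,...).
issued_cn() {
    openssl x509 -in "$WORK/httpd.crt" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Number of valid ("V") entries now recorded in the CA database.
issued_count() {
    grep -c '^V' "$CADIR/index.txt"
}

echo "verify: $(verify_cert), CN: $(issued_cn), issued: $(issued_count)"
```

The policy_match section is why the post's signed certificate carries no localityName: fields absent from the policy are dropped from the issued subject, and any field marked "match" must equal the CA's own value or "openssl ca" refuses the request.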

5. Key-based authentication between two hosts

Generate a key pair on the client (the -N '' below sets an empty passphrase, so the private key is stored unencrypted and is protected only by its file permissions)

[[email protected] ~]$ ssh-keygen -t rsa -f .ssh/id_rsa -N ''
Generating public/private rsa key pair.
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
0d:1d:d8:1b:a5:08:09:ce:2d:a0:cf:75:b7:a4:19:44 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|  . .oE. o...    |
|  . + o...ooo    |
|.    = + = oo    |
|  o . o * +.     |
|   o   o S .     |
|                 |
|                 |
|                 |
|                 |
+-----------------+

Copy the public key into the ~/.ssh/authorized_keys file of the target user's home directory on the server

[[email protected] ~]$ ssh-copy-id -i .ssh/id_rsa.pub [email protected]
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
RSA key fingerprint is 4f:eb:da:77:1e:ab:bc:2a:f3:8f:52:db:b8:bc:44:9c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with "ssh '[email protected]'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
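What ssh-copy-id does on the server, and the check its closing message asks for, can be reproduced locally. The script below is an added example, not part of the original post: it generates a client key (Ed25519 rather than the post's RSA), installs the public key into an authorized_keys file under a constructed "server" home directory with the permissions sshd's StrictModes accepts, and confirms by fingerprint that the key the server trusts is exactly the client's. No remote host is contacted; every path is under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: key-based SSH login set up locally,
# with the copy step done by hand (what ssh-copy-id automates) so it runs without
# a remote host. All paths are under a temporary directory; no host is contacted.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CLIENT="$WORK/client"; SERVER_HOME="$WORK/server_home"
mkdir -p "$CLIENT" "$SERVER_HOME"

# Client side: generate a key pair. Ed25519 instead of the post's RSA; -N '' leaves
# the private key unencrypted on disk, as in the post, so file modes matter.
ssh-keygen -q -t ed25519 -N '' -C 'constructed@example' -f "$CLIENT/id_ed25519"

# Server side, what ssh-copy-id does: append the public key to authorized_keys
# under the target user's home, with modes StrictModes accepts (not group- or
# world-writable).
install_pubkey() {
    mkdir -p "$SERVER_HOME/.ssh"
    chmod 700 "$SERVER_HOME/.ssh"
    cat "$CLIENT/id_ed25519.pub" >> "$SERVER_HOME/.ssh/authorized_keys"
    chmod 600 "$SERVER_HOME/.ssh/authorized_keys"
}

# Fingerprint of the first key in a public-key or authorized_keys file.
fingerprint_of() {
    ssh-keygen -lf "$1" | head -n 1 | awk '{print $2}'
}

# Key type recorded in authorized_keys.
installed_key_type() {
    awk 'NR==1 {print $1}' "$SERVER_HOME/.ssh/authorized_keys"
}

# "ok" when the key the server trusts is exactly the client's key: the check
# ssh-copy-id's closing message asks you to make by hand.
fingerprints_match() {
    if [ "$(fingerprint_of "$CLIENT/id_ed25519.pub")" = "$(fingerprint_of "$SERVER_HOME/.ssh/authorized_keys")" ]
    then echo ok; else echo mismatch; fi
}

# "ok" when path $1 has exactly octal mode $2.
mode_is() {
    [ -n "$(find "$1" -maxdepth 0 -perm "$2" -print)" ] && echo ok || echo wrong
}

install_pubkey
echo "client key fingerprint: $(fingerprint_of "$CLIENT/id_ed25519.pub")"
echo "installed key type: $(installed_key_type), match: $(fingerprints_match)"
echo "authorized_keys mode 600: $(mode_is "$SERVER_HOME/.ssh/authorized_keys" 600)"
```

Comparing "ssh-keygen -lf" output on both sides is also the way to confirm a key that was pasted by hand, which is where stray or extra keys usually creep into authorized_keys.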

Test the login

This article is from the "Eagle" blog; reprinting is declined.
