Data encryption features: confidentiality, integrity, and identity authentication.
Common cryptographic algorithms
Symmetric encryption
The symmetric encryption algorithm uses the same key during encryption and decryption, and cannot have a valid management key.
Symmetric encryption algorithms are: des;3des;aes:advanced;aes192 AES256 aes512;openssl;gpg
One-way encryption
can effectively guarantee the integrity of the data, one-way encryption algorithm, extract the signature; as input, the output must be the same; avalanche effect: A small change in the input can cause a huge change in the result; fixed-length output, no matter how large the original data, the result is the same size, it is irreversible, unable to restore the original by the signature The data. md4;md5;sha1;sha192,sha265,sha384;crc-32.
Public Key Cryptography
That is, asymmetric encryption, public key encryption will generate a pair of keys, public and private keys, with the public key encryption, can only be decrypted with the private key, and vice versa. The sender encrypts the data with its own private key, which can be decrypted with the public key, and authentication can be verified. The sender encrypts the data with the other's public key, which guarantees the confidentiality of the data (seldom used). Public key cryptography algorithms are seldom used to encrypt data: too slow.
Public Key cryptography: Identity Authentication (digital signature); Data encryption; key exchange; RSA: encryption, signature; DSA: signature; ElGamal Business algorithm
Openssl:ssl's Open Source implementation
Composition
Libcrypto: Universal Encryption Library
LIBSSL:TLS/SSL implementation, session-based, TLS/SSL library for identity authentication, data confidentiality, and session integrity
OpenSSL: Multi-purpose command-line tools
Implementing a private certification authority
1. Encryption, decryption
[[email protected] ~]# OpenSSL enc-des3-salt-a-in inittab-out inittab.des3 # Encrypt enter DES-EDE3-CBC encryption Passwor D:verifying-enter DES-EDE3-CBC encryption Password:[[email protected] ~]# OpenSSL enc-des3-d-salt-a-in Inittab.des3 -out Inittabbs #-d Decryption enter DES-EDE3-CBC decryption password:
2. Generate a password
[email protected] ~]# OpenSSL Passwd-1password:redhatverifying-password: $1$cvjwtheo$4bhztphdsp67isetsm0yz0[[email Protected] ~]# OpenSSL passwd-1-salt cvjwtheo #指定saltPassword: $1$cvjwtheo$4bhztphdsp67isetsm0yz0
3. Configure the CA to enable certificate issuance
Configuring/ETC/PKI/TLS/OPENSSL.CNF Modifications
[ req_distinguished_name ]countryname = Country Name (2 letter code) countryname_default = CNcountryName_min = 2countryName_max = 2stateOrProvinceName = State or Province Name (Full name) stateorprovincename_default = jiangsulocalityname = locality name (eg, city) Localityname_default = wuxi0.organizationname = Organization Name (eg, company) 0. organizationname_default = tvmorganizationalunitname = Organizational Unit Name (eg, section) Organizationalunitname_default = tech
Create the appropriate file
[[email protected] ca]# Touch Index.txt[[email protected] ca]# echo > serial
Generate a key for a CA
[[Email protected] ca]# (umask 077; OpenSSL genrsa-out Private/cakey.pem 2048) generating RSA private key, 2048 bit long m Odulus...+++.................................................................+++e is 65537 (0x10001)
CA self-signed certificate
[[email protected] ca]# openssl req -new -x509 -key private/ cakey.pem -out cacert.pemyou are about to be asked to enter Information that will be incorporatedinto your certificate request. what you are about to enter is what is called a Distinguished name or a dn. there are quite a few fields but you can leave some blankfor some fields there will be a default value,if you enter '. ', the field will be left blank.-----country name (2 letter code) [CN]:State or Province Name (full name) [jiangsu]: locality name (eg, city) [WuXi]:Organization Name (eg, company) [tvm]:organizational unit name (eg, section) [Tech]:Common Name (eg, Your name or your server ' S hostname) []:d esktop3.example.comemail address []:[email protected]
4. Generate key and certificate and sign for app HTTPd
To create a key for app http
[Email protected] ssl]# (umask 077;openssl genrsa-out httpd.key 1024x768) generating RSA private key, 1024x768 bit long modulus. ... ++++++.....................++++++e is 65537 (0x10001)
Generate a certificate request for an httpd app
[[email protected] ssl]# openssl req -new -key httpd.key -out httpd.csr you are about to be asked to enter information That will be incorporatedinto your certificate request. what you are about to enter is what is called a Distinguished name or a dn. there are quite a few fields but you can leave some blankfor some fields there will be a default value,if you enter '. ', the field will be left blank.-----country name (2 letter code) [CN]:State or Province Name (full name) [jiangsu]: locality name (eg, city) [WuXi]:Organization Name (eg, company)  [TVM] : Organizational unit name (eg, section) [Tech]:Common Name (eg, your name or your server ' S hostname) []:www.example.comEmail Address []:[email protected]please enter the following ' Extra ' attributesto be sent with your certificate requesta challenge password []:an optional company name []:
The CA signs the certificate
[[email protected] ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365using configuration from /etc/pki/tls/openssl.cnfcheck that the request matches the signaturesignature okcertificate details: Serial Number: 1 (0x1) Validity not before: sep 13 03:36:22 2015 GMT Not After : Sep 12 03:36:22 2016 GMT subject: countryname = CN stateOrProvinceName = jiangsu organizationname = TVM organizationalUnitName = Tech commonName = www.example.com emailAddress = [email protected] x509v3 extensions: x509v3 basic constraints: ca:false Netscape Comment: openssl generated certificate X509v3 Subject Key identifier: 3C:67:BB:BC:C4:B0:64:66:DF:DC:26:A7:FC:72:85:65:D4:9F:02:88 X509v3 Authority Key Identifier: keyid:38:e7:94:c4:86:9e:54:71:29:b4 : 25:70:63:58:fb:bb:34:a3:e3:bdcertificate is to be certified until sep 12 03:36:22 2016 GMT (365 days) sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]ywrite out database with 1 new entriesdata base updated
5. Two host based on key authentication
Generate a pair of keys
[[email protected] ~]$ ssh-keygen -t rsa -f .ssh/id_rsa -n " Generating public/private rsa key pair. Your identification has been saved in .ssh/id_rsa. your public key has been saved in .ssh/id_rsa.pub.the key Fingerprint is:0d:1d:d8:1b:a5:08:09:ce:2d:a0:cf:75:b7:a4:19:44 [email protected]the key ' s  RANDOMART IMAGE IS:+--[ RSA 2048]----+| . .oe. o... | | . + o...ooo | |. = + = oo | | o . o * +. | | o o s . | | | | | | | | |+------ -----------+
Transfer the public key to a. ssh/authorized_keys file in a user's home directory on the server side
[Email protected] ~]$ ssh-copy-id-i ssh/id_rsa.pub [email protected]the authenticity of host ' 192.168.0.1 (192.168.0.1) ' Can ' t be established. RSA key fingerprint is 4f:eb:da:77:1e:ab:bc:2a:f3:8f:52:db:b8:bc:44:9c. Is you sure want to continue connecting (yes/no)? yeswarning:permanently added ' 192.168.0.1 ' (RSA) to the list of known hosts. [email protected] ' s Password:now try logging into the machine, with "ssh" [email protected] ' ", and check in:. Ssh/author Ized_keysto Make sure we haven ' t added extra keys and you weren ' t expecting.
Test Login
This article from "Eagle" blog, declined reprint!
Data Encryption Openssl&openssh