Detailed description of encryption and decryption principles and the self-built CA process of OpenSSL

1. Introduction to encryption and decryption

1. Information security standards

NIST (National Institute of Standards and Technology) National Institute of Standards and Technology, developed three elements of network information security and confidentiality:

 Confidentiality ):Information is not disclosed to unauthorized users, entities, or processes, or features that are available to them. (This generally includes data confidentiality and privacy .)

 Integrity ):Features that cannot be changed without authorization. That is, information is stored or transmitted without modification, destruction, or loss. (This generally includes data integrity and system integrity .)

 Availability ):Features that can be accessed by authorized entities and used as needed. That is, whether the required information can be accessed when necessary. For example, denial of service in the network environment, network damage, and normal operation of related systems are all attacks against availability;

(These three elements are referred to as: CIA)

Although the three elements can ensure the security and confidentiality of network information, feedback from many researchers engaged in network security found that apart from the CIA, there are also two other standards frequently reminded:

Authenticity:An entity is real and verifiable. Make sure that the data sender is indeed the person it claims.

Traceability:Once an attack occurs, it can trace the original location of the attack.

2. The security framework x.800 defined by the OSI Organization

Security Attack:

Passive attacks: eavesdropping, (Common packet capture and listening traffic)

Active attacks: camouflage, replay, message modification, and Denial of Service

Security Mechanism:

Encryption, digital signature, access control, data integrity, authentication exchange, traffic fill, route control, notarization

Security Service:

Certification: equivalent entity authentication

Access Control

Data Confidentiality:

Connection confidentiality

No connection confidentiality

Select domain confidentiality

Traffic confidentiality

Data Integrity: Insertion, deletion, modification, and replay are not allowed.

Non-Repudiation

3. encryption methods and Algorithms

(1) symmetric encryption: the encryption method using a single-key password system. The same key can be used for both information encryption and decryption.

Symmetric encryption algorithm:

Des: Data Encryption Standard (56-bit key)

3DES

AES: Advanced Encryption Standard (128,192,256,384,512)

Blowfish

Twofish

Idea

Rc6

Cast5

Features of symmetric encryption:

A) The same password is used for encryption and decryption;

B) separate plain text into fixed blocks and encrypt them one by one

Symmetric encryption defects:

A) Too many keys;

B) key transmission;

Key Exchange, identity verification, and data integrity

(2) public key encryption: It is composed of a pair of unique keys (public keys and private keys.

(The Public Key is extracted from the private key .)

(Public key encryption: only private keys can be decrypted. The private key can only be decrypted by the public key .)

Key: public key, secret key (P/S)

Common encryption algorithms:

RSA, DSA, EIGamal

(DSA: can only be used for identity authentication)

(3) one-way encryption: irreversible encryption

Unidirectional encryption features:

Fixed Length output: No matter how big the raw data is, the results are of the same size.

Avalanche effect:Slight changes in input will cause huge changes in results

Unidirectional encryption algorithm: MD5 (128 bits), sha1, sha256, sha384, and sha512

Ii. encryption and decryption processes and principles

First, let's ask a question: If B communicates with a and B sends a packet to a, how can B Ensure that B's packet is received securely and reliably by a and that the packet data integrity is ensured?

Next, let's take a look at this question.

The encryption and decryption processes and principles are as follows:

650) This. width = 650; "style =" border-right-0px; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px "Title =" image "border =" 0 "alt =" image "src =" http://img1.51cto.com/attachment/201408/2/5970897_1406995218UTFH.png "width =" 1065 "Height =" 517 "/>

Detailed description of encryption and decryption processes and principles:

1. Sender B:

(1) to ensure security, the packets must be encrypted. There are three types of encryption methods: symmetric encryption, public key encryption, and one-way encryption. Symmetric encryption is not secure, and one-way encryption is irreversible. Therefore, public key encryption is used.

Q: public key encryption is secure (generally 2048 bits), but the encryption process is too slow and does not apply to current network requirements. What should I do?

(2) to solve the preceding problem, B can use one-way encryption to extract the pattern of the message (the pattern can ensure the data integrity of the message ), then, use the private key to encrypt the signature (the signature data is small, and the public key encryption speed is fast), and append the encrypted signature to the message. (Private key encryption is used to verify identity)

Q: What should I do if this method can verify data integrity and identity authentication without the data confidentiality of packets?

(3) to solve the preceding problem, B attaches the encrypted signature to the message and treats the signature and message as a data (assumed as data ), use the symmetric encryption algorithm to encrypt the data to obtain a password, and then attach the password to the data. To prevent the password from being acquired or tampered with during transmission, use the public key of a to encrypt the password (only the private key of a can decrypt it ), after attaching the encrypted password to the data, the encrypted password is sent to.

2. acceptor:

(1) A receives a message from B and decrypts it using its own private key to obtain the password. Only the private key of a can decrypt the packets sent by B (using a's public key to encrypt the password). This prevents others from decrypting the transmitted packets and obtaining the information, this ensures data confidentiality.

(2) A uses the obtained password to decrypt the symmetric encrypted data and obtain the encrypted signature and original packets.

(3) A decrypts the signature using the public key of B. If it can be decrypted, the message is sent by B and identity authentication is realized. (Assume that the decrypted signature is fcode)

(4) A uses the same one-way encryption algorithm to extract the signature of the received original message. Use this pattern to compare with the obtained fcode. If the same pattern is used, it indicates that the data of the original packet is complete.

Problem: the above method ensures data integrity, identity authentication, and data confidentiality. The public key of the other party must be used during encryption and decryption, how to securely and reliably obtain the other party's public key during transmission becomes a key link. What should we do?

A: The Ca (Certificate Authority) Certificate Authority is used to securely and reliably obtain the public key of the other party.

So next, let's talk about ca.

Iii. Ca (Certificate Authority)

1. CA certificate standard: X.509

X.509: defines the certificate structure and authentication protocol standards (based on public keys and digital signatures)

Used for: IP Security, TLS/SSL (Transport Layer Security), and S/MIME (Secure Email communication)

650) This. width = 650; "style =" border-right-0px; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px "Title =" image "border =" 0 "alt =" image "src =" http://img1.51cto.com/attachment/201408/2/5970897_1406975167jWGF.png "width =" 592 "Height =" 621 "/>

X.509 certificate standard details:

(1) version number (the default value is 1. If there are multiple extensions, it may be 3)

(2) certificate serial number (an integer that uniquely identifies the number of issued certificates in the CA)

(3) algorithm parameters (marked with the algorithm)

(4) issuer's name (CA's own name)

(5) Validity Period

(6) Subject name (certificate owner name) (key !!!) (A user uses a personal user name. The host must use a host name rather than an IP address)

(7) Public Key (most important) (the Public Key is provided by the certificate owner)

(8) issuer ID (Unique id of CA)

(9) ID of the subject (unique ID of the certificate owner generated by the CA)

(10) Scaling

(11) Ca signature (used to verify the source legality of CA)

Ca is a trusted institution relative to sender B and receiver.

2. process of verifying the digital certificate

B will verify the authenticity of a digital certificate before sending it, or a will receive B's digital certificate before receiving it.

Take B's digital certificate obtained before sending as an example.Digital Certificate verification process:

(1) Use the public key of the CA that issued the digital certificate to a to decrypt the signature of the CA, it means that the digital certificate of A is indeed the certificate issued by the trusted ca.

(2) decrypt a signature, and B uses the same one-way encryption algorithm to extract the signature of a's digital certificate, and compare whether the two signatures are the same. If they are the same, it indicates that the digital certificate obtained by a is complete.

(3) After that, verify that the holder of the digital certificate is a. If the verification is passed, you can determine that the digital certificate is indeed a digital certificate.

(4) After confirming that the digital certificate owner is a, check whether the digital certificate is valid and whether it is in the CA's Digital Certificate Revocation List.

Iv. SSL Layer

1. SSL Layer

SSL (Secure Sockets Layer) and its successor Transport Layer Security (TLS) are a security protocol that provides security and data integrity for network communication.

Versions: sslv1, SSLv2, and SSLv3

(SSL is a half layer between the network layer and the transport layer. It is generally made into a public shared library. To use SSL, you must call the SSL shared library .)

650) This. width = 650; "style =" border-right-0px; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px "Title =" image "border =" 0 "alt =" image "src =" http://img1.51cto.com/attachment/201408/2/5970897_1406975169J2nn.png "width =" 458 "Height =" 420 "/>

2. HTTPS communication process

HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel designed for security. It is simply a secure version of HTTP. That is, the SSL layer is added under HTTP, and the security foundation of HTTPS is SSL.

Taking HTTPS as an example, we further explain how to rely on Ca to obtain the public key of the Communication peer reliably.

650) This. width = 650; "style =" border-right-0px; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px "Title =" image "border =" 0 "alt =" image "src =" http://img1.51cto.com/attachment/201408/2/5970897_1406984872QRQ8.png "width =" 918 "Height =" 666 "/>

The main implementation process of https:

(1) Before communication, the server generates a pair of keys through the encryption algorithm and sends the public key to the CA to apply for a digital certificate. After the CA review, it generates a digital certificate based on the information sent from the server, and send the digital certificate back to the server.

(2) the client and the server are handshaking three times over TCP to establish a preliminary connection.

(3) the client sends an HTTP packet request and negotiates which encryption algorithm is used.

(4) The server responds to the message and sends its digital signature to the server.

(5) The client downloads the CA's public key and verifies whether the digital certificate owner is a server (this process can obtain the public key of the server ). (Generally, the client verifies the identity of the server. The server does not need to verify the identity of the client .)

(6) If the verification passes, the client generates a random symmetric key, which is used to encrypt the URL link request to be sent, and then encrypts the key with the public key of the server, send the Encrypted Key and encrypted URL link together to the server.

(7) The server uses its own private key for decryption, obtains a symmetric key, and uses the symmetric key to decrypt the encrypted URL link to obtain the URL link application.

(8) The server obtains the webpage of the link based on the obtained URL link and encrypts the webpage with the symmetric key sent by the client and sends it to the client.

(9) When the client receives an encrypted webpage, it decrypts it with its own symmetric key to obtain the webpage content.

(10) TCP waved four times and the communication ended.

5. Detailed description of the self-built CA process of OpenSSL

OpenSSL is an open-source software library package that implements SSL and TLS protocols. Its main library is written in C language and implements basic encryption functions.

OpenSSL can run on most Unix-like operating systems (including Solaris, Linux, Mac OS X, and various open-source BSD operating systems), OpenVMS, and Microsoft Windows. It also provides a portable version that can run on IBM I (OS/400.

This software is developed based on ssleay written by Eric Young and Tim Hudson. ssleay stops development as they go to RSA.

Although this software is open-source, its authorization terms conflict with GPL. Therefore, when using OpenSSL (such as wget) for GPL software, OpenSSL must be given an exception.

The process of creating a private ca using OpenSSL:

Prerequisites:

Install OpenSSL: # Yum install OpenSSL

650) This. width = 650; "style =" border-right-0px; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px "Title =" image "border =" 0 "alt =" image "src =" http://img1.51cto.com/attachment/201408/2/5970897_1407006045hC2S.png "width =" 994 "Height =" 157 "/>

1. Create a CA Server:

(1) generate a key

# (Umask 077; OpenSSL genrsa-out/etc/pki/CA/private/cakey. pem2048)

650) This. width = 650; "style =" border-bottom: 0px; border-left: 0px; border-top: 0px; border-right: 0px "Title =" image "border =" 0 "alt =" image "src =" http://img1.51cto.com/attachment/201408/2/5970897_1407006053uZf1.png "" 995 "Height =" 182 "/>

Command explanation:

() Indicates that a new sub-shell will be created in the current shell, and the commands in () will be placed in the sub-shell for execution. After the execution is complete, close the sub-shell and return to the current shell.

You can use umask to modify the default permission settings for the generated cakey. pem file. In order not to affect the default permission settings of the Current Shell, use () to put these commands in the subshell and execute them!

Genrsa: specifies that the RSA algorithm is used to generate a private key.

-Out: Specifies the storage location of the generated private key (Note: The storage location is defined by default in the configuration file, and the path and file name cannot be modified at will !!!)

2048: generate a 2048-bit private key

(2) Self-signed documents

# OpenSSL req-New-X509-key/etc/pki/CA/private/cakey. pem-out/etc/pki/CA/cacert. pem-days 3655

650) This. width = 650; "style =" border-bottom: 0px; border-left: 0px; border-top: 0px; border-right: 0px "Title =" image "border =" 0 "alt =" image "src =" http://img1.51cto.com/attachment/201408/2/5970897_1407006064fLxl.png "" 1056 "Height =" 285 "/>

Command explanation:

Req: generate a Certificate Signing Request

-News: new request

-Key/path/to/Keyfile: Specifies the private key file (the req command can automatically extract the public key based on the private key)

-Out/path/to/somefile: (Note: you do not need to modify the path and file name at will !)

-X509: used to generate self-signed certificates

-Days N: Valid days (generally, it makes sense to use it with-X509 .)

(3) initialize the work environment (the work environment needs to be initialized only when the CA is created for the first time)

# Touch/etc/pki/CA/ingress index.txt, serial}

# Echo 01>/etc/pki/CA/serial (specify the serial number starting from that number)

650) This. width = 650; "style =" border-bottom: 0px; border-left: 0px; border-top: 0px; border-right: 0px "Title =" image "border =" 0 "alt =" image "src =" http://img1.51cto.com/attachment/201408/2/5970897_1407006070JPVf.png "" 640 "Height =" 227 "/>

2. node certificate application:

(1) node generation request

650) This. width = 650; "style =" border-bottom: 0px; border-left: 0px; border-top: 0px; border-right: 0px "Title =" image "border =" 0 "alt =" image "src =" http://img1.51cto.com/attachment/201408/2/5970897_1407006074IL0s.png "" 726 "Height =" 197 "/>

A. Generate a key pair

# (Umask 077; OpenSSL genrsa-out/etc/httpd/SSL/httpd. Key 2048)

650) This. width = 650; "style =" border-bottom: 0px; border-left: 0px; border-top: 0px; border-right: 0px "Title =" image "border =" 0 "alt =" image "src =" http://img1.51cto.com/attachment/201408/2/5970897_1407006077jhIa.png "" 1027 "Height =" 145 "/>

B. Generate a Certificate Signing Request

# OpenSSL req-New-key/etc/httpd/SSL/httpd. Key-out/etc/httpd/SSL/httpd. CSR

650) This. width = 650; "style =" border-bottom: 0px; border-left: 0px; border-top: 0px; border-right: 0px "Title =" image "border =" 0 "alt =" image "src =" http://img1.51cto.com/attachment/201408/2/5970897_14070060870ZCQ.png "" 1040 "Height =" 431 "/>

. CSR: Certificate Signing Request, generally with such a suffix

C. Send the signing request file to the CA Service

# SCP

(2) Ca signs the certificate

A. verify the information in the certificate;

B. Sign the certificate

# OpenSSL ca-in/path/to/somefile. CSR-out/path/to/somefile. CRT-days n

[[Email protected] CA] # OpenSSL ca-in/etc/httpd/SSL/httpd. CSR-out/etc/httpd/SSL/httpd. CRT-days 1000
Using configuration from/etc/pki/tls/OpenSSL. CNF
Check that the request matches the signature
Signature OK
Certificate details:
Serial number: 1 (0x1)
Validity
Not before: Jul 3 14:07:23 2014 GMT
Not after: Mar 29 14:07:23 2017 GMT
Subject:
Countryname = Cn
Stateorprovincename = Guangdong
Organizationname = 51 ctoblog
Organizationalunitname = Ops
CommonName = www.hjqjk.com
Emailaddress = [email protected]
X509v3 extensions:
X509v3 basic constraints:
CA: false
Netscape comment:
OpenSSL generated Certificate
X509v3 Subject Key Identifier:
F9: DB: 00: 04: 8A: D7: 17: C8: 21: B7: 2D: 15: F2: E9: 89: 66: BB: 6d: D5: F9
X509v3 Authority Key Identifier:
Keyid: 98: 56: B3: 30: B0: 9d: 75: A1: 69: AD: BF: 2f: e4: 0d: Fe: 3f: 17: 87: B0: a8

Certificate is to be certified until Mar 29 14:07:23 2017 GMT (1000 days)
Sign the certificate? [Y/n]: Y

1 out of 1 certificate requests certified, commit? [Y/n] y
Write out database with 1 new entries
Data Base updated
[[Email protected] CA] # ls/etc/httpd/SSL
Httpd. CRT httpd. CSR httpd. Key

C. Send it to the requester;