Digital certificates, CAs, PKI, and OpenSSL usage

Source: Internet
Author: User
Tags: mathematical functions, modulus, asymmetric encryption

Symmetric encryption: DES, 3DES, AES

Function: confidentiality only. The same key encrypts and decrypts, so it proves nothing about who produced a message, and the key has to reach the other side over some separate channel.

Asymmetric encryption (public-key cryptography): built on mathematical functions that relate a public and a private key such that the private key cannot practically be derived from the public one. Common algorithms: RSA, DSA (the DSS standard; it can only sign, it cannot encrypt), ECC (elliptic-curve cryptography; the same security level as RSA with much shorter keys, though less widely deployed when this was written)

Functions: authentication (digital signatures), key exchange, confidentiality

One-way hashing ("one-way encryption" in the original): computes a fixed-length digest, the "feature code" or fingerprint, of the data. MD5, SHA-1, SHA-2, SHA-3 (Secure Hash Algorithm). MD5 and SHA-1 are no longer collision resistant; anything new should use SHA-256 or stronger.

Function: data integrity


Sending (sign, then encrypt):

1. The sender computes the digest ("feature code") of the original data with the chosen one-way hash algorithm.

2. The sender encrypts that digest with its own private key, which is what a digital signature is, and appends the signature to the original data.

3. The sender generates a one-time symmetric key and encrypts the data with it (original data + encrypted digest).

4. The sender encrypts the one-time symmetric key with the receiver's public key and appends the result to the encrypted data.

5. Send.


Receiving (decrypt, then verify):

1. The receiver decrypts the encrypted one-time symmetric key with its own private key.

2. The receiver decrypts the data with that symmetric key, obtaining the original data and the encrypted digest (the signature).

3. The receiver decrypts the signature with the sender's public key, recovering the digest the sender computed. Only the sender's private key can produce something the sender's public key decrypts, which is what authenticates the message.

4. The receiver recomputes the digest of the data with the same one-way hash algorithm the sender used and compares it with the decrypted digest. A match completes the integrity check; a mismatch means the data was altered in transit or the signature was not made by the sender.
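The whole sender/receiver exchange above, as an added example driven by the openssl command line (this is not code from the original page). The file names, the scratch directory WORK, the choice of SHA-256 + AES-256-CBC + RSA-OAEP, and the sample message are this example's own assumptions; "encrypt the digest with the private key" is done by openssl dgst -sign, which is RSA signing with proper padding rather than a raw private-key operation. A third key pair, attacker, shows why step 2 matters: anyone holding the receiver's public key can run steps 3 to 5, but without sender.key the receiver's signature check rejects the result.

```sh
#!/bin/sh
# Added example (not from the original page): the sign-then-encrypt exchange
# above, driven by the openssl CLI. WORK is a scratch directory created for the
# run; every file name below is this example's own choice.
set -e
WORK=$(mktemp -d)

# RSA key pair for one party ($1 = sender, receiver or attacker). The subshell
# with umask 077 leaves the private key at mode 600 without touching the
# caller's umask.
make_keys() {
  (umask 077; openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null)
  openssl rsa -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Sender side. $1 names whose private key signs, $2 is the message text.
# A forger who has only the receiver's public key can still run every step,
# just not with sender.key.
sender_send() {
  printf '%s\n' "$2" > "$WORK/msg.txt"
  # steps 1-2: SHA-256 digest of the data, signed with the signer's private key
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/msg.sig" "$WORK/msg.txt"
  # "append the signature to the data": one tar archive carries both
  tar -cf "$WORK/bundle.tar" -C "$WORK" msg.txt msg.sig
  # step 3: one-time AES-256 key and IV, generated for this message only
  openssl rand -hex 32 > "$WORK/session.txt"
  openssl rand -hex 16 >> "$WORK/session.txt"
  KEY=$(sed -n 1p "$WORK/session.txt"); IV=$(sed -n 2p "$WORK/session.txt")
  openssl enc -aes-256-cbc -K "$KEY" -iv "$IV" -in "$WORK/bundle.tar" -out "$WORK/bundle.enc"
  # step 4: wrap the one-time key with the receiver's public key (RSA-OAEP)
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/receiver.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/session.txt" -out "$WORK/session.enc"
  # step 5: bundle.enc and session.enc are all that goes on the wire
  rm -f "$WORK/session.txt" "$WORK/bundle.tar" "$WORK/msg.sig"
}

# Receiver side. Exit status 0 when the data is intact and was signed by the
# holder of sender.key, non-zero otherwise. Decrypted output lands in $WORK/in.
receiver_verify() {
  rm -rf "$WORK/in" "$WORK/bundle.dec.tar"
  # step 1: unwrap the one-time key with the receiver's private key
  openssl pkeyutl -decrypt -inkey "$WORK/receiver.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/session.enc" -out "$WORK/session.dec"
  KEY=$(sed -n 1p "$WORK/session.dec"); IV=$(sed -n 2p "$WORK/session.dec")
  # step 2: decrypt the bundle and split it back into data + signature
  openssl enc -d -aes-256-cbc -K "$KEY" -iv "$IV" -in "$WORK/bundle.enc" -out "$WORK/bundle.dec.tar"
  mkdir "$WORK/in" && tar -xf "$WORK/bundle.dec.tar" -C "$WORK/in"
  # steps 3-4: recompute the SHA-256 digest of the data and check it against the
  # signature with the sender's public key (openssl performs the comparison)
  openssl dgst -sha256 -verify "$WORK/sender.pub" -signature "$WORK/in/msg.sig" \
    "$WORK/in/msg.txt" >/dev/null 2>&1
}

make_keys sender; make_keys receiver; make_keys attacker

# constructed demo message, not real data
sender_send sender 'transfer 100 to alice'
receiver_verify && echo "genuine message: signature verified, data intact"

# the attacker can encrypt to the receiver, but cannot sign as the sender
sender_send attacker 'transfer 100 to mallory'
if receiver_verify; then echo "BUG: forgery accepted"; else echo "forged message: rejected"; fi
```

Because the session key is wrapped with the receiver's public key, confidentiality holds against anyone without receiver.key; because the digest is signed with the sender's private key, the receiver can tell a genuine message from one that was merely encrypted to it by someone else.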



Public key distribution

Digital certificates: a CA binds a public key to a name by signing the two together, so a party that trusts the CA can trust the public key without a separate secure channel.

X.509v3

Version number (version)

Serial number: uniquely identifies this certificate within the issuing CA

Signature algorithm identifier: the algorithm the CA used to sign the certificate

Issuer name: the CA that issued the certificate

Validity: the not-before and not-after dates

Subject name: the entity the certificate is issued to (an organization or an individual)

Subject public key information: the subject's public key and its algorithm

Issuer unique identifier

Subject unique identifier

Extensions: v3 only; basicConstraints (whether this is a CA), keyUsage, extendedKeyUsage, subjectAltName and so on

Signature: the CA's signature over all of the fields above


PKI: Public Key Infrastructure

End entity (the requester of a certificate)

Registration Authority (RA): checks the requester's identity before a certificate is issued

Certificate Authority (CA): issues and signs certificates

Certificate Revocation List (CRL) issuer: publishes the list of certificates revoked before their expiry

Certificate repository: where issued certificates are stored and looked up
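The issuance path through the PKI above (end entity makes a key and a request, the CA signs it, a relying party verifies the chain) and the X.509v3 fields listed before it, as an added example with the openssl command line; this is not code from the original page. The CA name, host name, validity periods, extension values and file names are this example's own choices, and the small config file exists only so the run does not depend on the system openssl.cnf. CRL issuance is left out because it needs the openssl ca database layout.

```sh
#!/bin/sh
# Added example (not from the original page): a two-level PKI built with the
# openssl CLI. PKI is a scratch directory for the run; every name below is an
# assumption of this example.
set -e
PKI=$(mktemp -d)

# Minimal req config. v3_ca marks the root as a CA; without basicConstraints
# CA:TRUE, openssl verify refuses to treat the root as an issuer.
cat > "$PKI/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions the CA stamps onto an end-entity (server) certificate
cat > "$PKI/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

# CA: self-signed root certificate. $1 names the CA so a second, untrusted
# root can be built the same way. The private key stays at mode 600.
make_ca() {
  (umask 077; openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$PKI/ca.cnf" -subj "/CN=$1" -keyout "$PKI/$1.key" -out "$PKI/$1.crt" 2>/dev/null)
  chmod 644 "$PKI/$1.crt"
}

# End entity: key plus certificate signing request (CSR). The CSR carries the
# subject name and public key; the private key never leaves the requester.
make_csr() {
  (umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$PKI/ca.cnf" \
    -subj "/CN=www.example.com" -keyout "$PKI/server.key" -out "$PKI/server.csr" 2>/dev/null)
}

# CA signs the CSR: assigns a serial number (-CAcreateserial starts the
# serial file), sets validity, adds the v3 extensions and signs.
issue_cert() {
  openssl x509 -req -in "$PKI/server.csr" -CA "$PKI/$1.crt" -CAkey "$PKI/$1.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$PKI/server.ext" -out "$PKI/server.crt" 2>/dev/null
}

# Relying party: chain check. $1 is the trusted root, $2 the certificate to check.
verify_chain() {
  openssl verify -CAfile "$PKI/$1.crt" "$PKI/$2.crt" >/dev/null 2>&1
}

# Does the certificate carry basicConstraints CA:TRUE, i.e. may it issue others?
is_ca() {
  openssl x509 -in "$PKI/$1.crt" -noout -text | grep -q 'CA:TRUE'
}

make_ca root
make_csr
issue_cert root
# the X.509 fields listed above, as openssl prints them
openssl x509 -in "$PKI/server.crt" -noout -serial -issuer -subject -dates
verify_chain root server && echo "server.crt chains to root"

make_ca rogue     # a second self-signed CA that the relying party does not trust
if verify_chain rogue server; then echo "BUG"; else echo "server.crt does not chain to rogue"; fi
```

A certificate is only as trustworthy as the root the relying party chose to trust: the same server.crt verifies against root.crt and fails against rogue.crt, which is why the trust store, not the certificate, decides the outcome.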


SSL:

STARTTLS: lets one port serve both plaintext and encrypted sessions; the client connects in the clear and upgrades to TLS with a STARTTLS command (SMTP, IMAP, POP3, LDAP use it).

SSL v1, v2, v3 (all broken; SSLv2 and SSLv3 must not be enabled on anything reachable today)

TLS: Transport Layer Security

TLS v1.0 and v1.1 (deprecated), v1.2 and v1.3 (current)


OpenSSL:

Major components

libcrypto: encryption, decryption, hashing, key generation

libssl: implements SSL/TLS

openssl: the command-line tool used below

openssl version    # show the version: OpenSSL 1.0.1e-fips 11 Feb 2013

1. Encrypt a file

# openssl enc -des3 -in fstab -e -out fstab.des3
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:

2. Decrypt a file

# openssl enc -des3 -in fstab.des3 -d -out fstab.txt
# cat fstab.txt
#
# /etc/fstab
# Created by anaconda on Thu Jun 30 10:38:23 2016
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/VolGroup-lv_root /                       ext4    defaults        1 1
UUID=fd2f1ae1-8eef-4211-a9f3-7db3f3379818 /boot                   ext4    defaults        1 2
........

-des3 is shown because it is what the original used. On a current OpenSSL prefer -aes-256-cbc, and add -pbkdf2 (OpenSSL 1.1.1 and later) so the password is stretched instead of being turned into a key by a single hash pass.

3. Digest algorithms

# openssl dgst -md5 fstab.txt    # compute the file's digest; the same algorithm over the same data always gives the same digest, so md5sum gives the same result
MD5(fstab.txt)= 085b811b0c1b10057c5aa43371234c28

4. Test the speed of an algorithm on the current host

# openssl speed des-ede3
Doing des ede3 for 3s on 16 size blocks: 2296748 des ede3's in 3.00s
Doing des ede3 for 3s on 64 size blocks: 642682 des ede3's in 3.00s
Doing des ede3 for 3s on 256 size blocks: 160988 des ede3's in 3.00s
Doing des ede3 for 3s on 1024 size blocks: 40291 des ede3's in 3.00s
Doing des ede3 for 3s on 8192 size blocks: 5038 des ede3's in 3.00s
OpenSSL 1.0.1e-fips 11 Feb 2013

5. Password hashing with openssl passwd

# openssl passwd -1 -salt 12345678
Password:
$1$12345678$xek.cpjquvgdf/p2n9kqf/

Random number generation

# openssl rand -base64 8
sjkppyt8nio=

Using a random salt; the command substitution must be $(...) or backticks:

# openssl passwd -1 -salt $(openssl rand -hex 4)
Password:
$1$openssl  $IOYGACZVeLM3hedyiv5g5.

The output above shows the salt came out as the literal text "openssl " (8 characters): the original run quoted the command instead of substituting it, so the salt was not random at all. Check the salt field of the result when scripting this. -1 selects MD5-crypt; on a current system use -5 (SHA-256 crypt) or -6 (SHA-512 crypt), available from OpenSSL 1.1.1.

6. Generate a private key

# openssl genrsa 1024
Generating RSA private key, 1024 bit long modulus
...................++++++.................++++++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
(key material omitted)
-----END RSA PRIVATE KEY-----

# openssl genrsa 1024 > mykey.private
Generating RSA private key, 1024 bit long modulus
.........++++++.......++++++
e is 65537 (0x10001)

1024-bit RSA is too short for new keys; use 2048 bits or more, as the later examples do.

Encrypt the private key with a passphrase, so the file alone is useless to whoever copies it:

# openssl genrsa -des3 2048
Enter pass phrase:
Verifying - Enter pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2D8AA1C9D62164FB
(key material omitted)
-----END RSA PRIVATE KEY-----

7. Derive the public key from the private key

# openssl rsa -in mykey.pri -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
(key material omitted)
-----END PUBLIC KEY-----

Set the file permissions through umask, and be sure to include the parentheses: umask changes the mask of the shell that runs it, and the subshell confines that change to the one command instead of altering the current login shell. The resulting file is mode 600.

# (umask 077; openssl genrsa -out /root/mykey2.pri 2048)
Generating RSA private key, 2048 bit long modulus
...................................+++.........................................+++
e is 65537 (0x10001)
# ll -h /root/mykey2.pri
-rw-------. 1 root root 1.7K Jul 14 11:47 /root/mykey2.pri    # 600
