Encrypt/decrypt & build private CAs with OpenSSL

Source: Internet
Author: User
Tags asymmetric encryption

With the Internet security and personal privacy increasingly critical today, encryption technology becomes particularly important and indispensable. In the password snow, encryption refers to the concealment of plaintext information, making it unreadable when special information is absent. This article is mainly about the encryption method used when transmitting data on the Internet. We all know OSI&TCP/IP network Reference Model, usually we will divide these two models into the communication subnet and the resource subnet two parts, but in the early stage of constructing the network, the information from the sending side to the receiving end is very difficult, so at the beginning of the design model did not consider too many security factors, So that neither the communication subnets nor the resource subnets involve the content of data encryption. To solve this problem, Netscape added a half-layer protocol between the resource subnet and the communication subnet, which was called the SSL layer earlier and is now called the TSL.

The Transport Layer Security Protocol (English: Transport, abbreviated to TLS) and its predecessor Secure Sockets Layer (secure Sockets layer,ssl) is a security protocol designed to provide security and data integrity assurance for Internet communications. While Netscape (Netscape) launched its first version of the Web browser, SSL,IETF SSL was standardized and the TLS standard file was published in 1999.

In the implementation of data security communication, we must consider these aspects: plaintext encryption/decryption, data integrity check, non-repudiation. According to these requirements we generally divide the encryption technology into three types: symmetric encryption, asymmetric encryption (public key secret), one-way encryption (discrete function). However, asymmetric encryption can also accomplish the function of one-way encryption. For these kinds of encryption technology I briefly introduce.

Symmetric encryption: That is, encryption and decryption using the same key, encryption and decryption faster, but in a one-to-many environment, the security of the key itself is not high. The common symmetric encryption algorithms are DES, 3DES, AES, Blowfish, Idea, RC5, RC6.

Asymmetric encryption: In this cryptography method, a pair of keys is required, one is a private key and the other is a public key. These two keys are mathematically related, and the information obtained by encrypting a user's key can only be decrypted with the user's decryption key. If one is known, it is not possible to calculate the other one. Therefore, if one of the two keys is exposed, it does not compromise the secret nature of the other. The public key is a public key, and the private key is not public. Public key cryptography is mainly applied in key exchange (the symmetric encrypted key is transmitted to the other party using the private key secret, the other party uses the public key decryption), authentication (the public key and private key must be paired, so that the use of one of the keys encrypted data only another key can be decrypted), encrypted data, etc. But a public key that is usually long enough to encrypt data can be quite resource-intensive. Common algorithms are: RSA, DSA, ELGamal.

One-way encryption: In fact, using a hash function to calculate a particular piece of data, you will get a string of signatures, and is irreversible, this pattern is similar to "fingerprint" information, as long as the use of the same hash algorithm, no matter how many times the same data generated by the signature code is always the same, If the original data has changed, even if it is subtle, then the signature will also have a huge change, this phenomenon is called the avalanche effect. Therefore, the data integrity check can be achieved. The common algorithms are: MD5, Sha family.

Understanding the above encryption technology then our secure communication in the Internet can be described in the following steps:

1.Alice ready to transmit the digital information (clear text);

2.Alice hashes The numeric information and obtains a summary of the information;

3.Alice Encrypt the information digest with its own private key get Alice's digital signature, and attach it to the digital information;

4.Alice randomly generates an encryption key, and uses this password to encrypt the information to be sent to form ciphertext;

5.Alice uses Bob's public key to encrypt the cryptographic key that was just randomly generated, and sends the encrypted DES key along with the cipher to Bob;

6.Bob received the cipher sent by Alice and encrypted Des Key, first with their own private key to decrypt the encrypted des Key, to get Alice randomly generated encryption key;

7.Bob then use the random key to decrypt the received ciphertext, get the digital information of the plaintext, and then discard the random key, when you can continue to use the symmetric key after completion of the communication.

8.Bob use Alice's public key to decrypt Alice's digital signature and get the information digest;

9.Bob uses the same hashing algorithm to perform a hash operation on the received plaintext, and obtains a new information digest;

10.Bob compares the summary of information received with the summary of the newly generated information and, if so, indicates that the information received has not been modified.

Add a little bit more about the key exchange algorithm, and the D-H algorithm. In simple terms, it is very difficult for the two sides to find a large prime number for the communication to power it, and it is very hard to open the root operation on the mathematical operation model now. Use a series of mathematical calculations to complete the key exchange:

Two prime numbers are p,g, respectively.

A's private number X

P^x%g à pass this number to B

(p^y%g) ^x=p^xy%g This number is the key

Private number Y of B

P^y%g à pass this number to a

(p^x%g) ^y=p^xy%g This number is the key

The key generated in this way is not transmitted over the network and only A and B two are recognized.

If a careful friend will find that in the process of data encryption communication is a loophole, that is, how to secure the communication between the two sides to obtain the other side of the public key, or how to confirm that the other party is indeed the other side and not the third parties disguised. In order to solve this problem, we need to use the CA.

Digital certificate Certification Authority (English: Certificate Authority, abbreviated as CA), also known as e-commerce Certification Center, e-commerce certification Authority, is responsible for the issuance and management of digital certificates authoritative institutions, and as a trusted third party in e-commerce transactions, Assume responsibility for the legality test of public key in public key system.

The CA will issue a digital certificate to a user who does not need to use the public key to prove that the user is himself and is recognized in the Internet. Some friends might think of that CA itself? Need no certification? The answer is: need. Before issuing a certificate to someone else, the CA will issue itself a self-visa and publish it to the Internet to prove itself. And then a friend would think, if the CA itself fake it? What to do? The answer is: there is no way, we can only trust him, fortunately, the Internet recognized several CAs are credible. Therefore, there is no absolute security in the world.

The certificate is actually the authentication of the user's public key issued by the certificate Visa Authority (CA). The contents of the certificate include: information of the electronic visa office, public key user information, public key, signature and expiration date of the authority, etc. At present, the format and verification methods of certificates generally follow the international standard.

Format of the digital certificate (V3):

Version number (versions)

Serial (serial number): CA is used to uniquely identify this certificate;

Signature Algorithm flags (Signature algorithm identifier)

The name of the issuer: the name of the CA itself;

Validity: Two date, start date and expiry date;

Certificate Principal Name: Certificate owner's own name

Certificate principal Public key information: The certificate owner's own public key;

Issuer's unique identity:

Unique identity of the certificate principal:

Extended information:

Signature: The digital signature of the CA for this certificate;

Certificate issuance is not enough, it needs to consist of a visa agency: CA, Registrar: RA, certificate revocation list: CRL, certificate Access library. The task of completing this column is called PKI.

Public Key Infrastructure (English: Public key Infrastructure, abbreviation: PKI), also known as publicly-key infrastructure, public key infrastructure, public key infrastructure, or public key infrastructure, is a set of infrastructure that consists of hardware, software, participants, management policies, and processes. The purpose is to create, manage, distribute, use, store, and revoke digital certificates.

Want to have their own digital certificate on the Internet need to apply to the CA, and to pay a certain amount, if only want to use secure communication mechanism within their own company then we can establish a private CA to our internal host or users to issue certificates, and establish a private CA we need to use the OpenSSL tool. OpenSSL components: Libcrypto: Encrypt, decrypt library files, Libssl:ssl protocol implementations, OpenSSL: Multipurpose command-line tools, each of which is implemented using dedicated subcommands.

To establish a private CA:

    1. Establish a private key

[[Email protected] ~]# (umask 077;openssl GENRSA-OUT/ETC/PKI/CA/PRIVATE/CAKEY.PEM 2048)

  1. Generate self-signed certificates

    650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/6F/B8/wKioL1WmW0uQuNrwAAJSinnTgic028.jpg "/>

  2. Client Request Certificate

    Here we issue a certificate for the Web server to use the HTTPS service later

    650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/6F/BA/wKiom1WmWXGC6BGtAANeOpenjuU450.jpg "/>

  3. Send a certificate signing request to the CA server

    650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/6F/B8/wKioL1WmW0uiyrvgAADsK7Q5Alk772.jpg "/>

  4. The CA server signs the Web server certificate


  5. [[email protected] ca]# openssl ca -in /tmp/httpd.csr -out /tmp/ Httpd.crt -days 365using configuration from /etc/pki/tls/openssl.cnfcheck that  the request matches the signaturesignature okcertificate details:serial  Number: 2  (0x2) validitynot before: apr 25 15:31:15 2015 gmtnot  After : Apr 24 15:31:15 2016 GMTSubject:countryName                = CNstateOrProvinceName        = HAorganizationName           = CzcEduorganizationalUnitName    = WebcommonName                 =  Www.czcedu.comemailAddress     &nbSp;        = [email protected]x509v3 extensions:x509v3  Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3  subject key identifier:77:b6:3e:d4:7c:05:a2:34:2b:cf:e1:82:79:81:03:fd:7a:97:8e:f8x509v3  AUTHORITY KEY IDENTIFIER:KEYID:B4:72:B5:82:34:21:6D:2F:21:53:46:6F:6A:D0:F1:24:CC:F8:C7: ffcertificate is to be certified until apr 24 15:31:15 2016  gmt  (365 days) sign the certificate? [y/n]:y1 out of 1 certificate  requests certified, commit? [y/n]ywrite out database with 1 new  entriesData Base UpdatedWrite out database with 1 new  entriesdata base updated
  6. The client downloads the signed request from the CA

    650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/6F/B8/wKioL1WmW0uSQcGBAADWd-c8tGw496.jpg "/>

This enables encrypted communication between the client and the clients when the Web server is configured. If the Web server's private key is lost or the certificate expires then we need to revoke the Web certificate on the CA server:

    1. Verify that the certificate information is consistent with the index file

      650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/6F/BA/wKiom1WmWXHxJgqeAAFHZAIEbSs894.jpg "/>

    2. Revoking a certificate

      650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/6F/B8/wKioL1WmW0yhXFKJAACDMueYvnQ752.jpg "/>

    3. Generate revocation certificate number, update certificate revocation List

      650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/6F/BA/wKiom1WmWXKiBkyCAAB9n4yZuFE029.jpg "/>

OK, the basic workflow of our private CA server is completed, which can satisfy most of our application scenarios, if there are errors, please crossing correct.

This article is from the "Linuxlove" blog, make sure to keep this source http://linuxlover.blog.51cto.com/2470728/1675113

Encrypt/decrypt & build private CAs with OpenSSL

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.