Encrypting and decrypting principle and building your own CA based on OpenSSL

First, the encryption and decryption process description:

Internet data transmission needs to be realized: confidentiality, data integrity, identity authentication and key exchange;

For example: Alice transmits data to Bob;

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/70/AF/wKiom1W7NCPzdNBQAAO11nn3gCQ199.jpg "title=" 2.1. JPG "alt=" wkiom1w7ncpzdnbqaao11nn3gcq199.jpg "/>

Data encryption Process:

1,Alice generated the original data, using a one-way encryption algorithm to calculate the original data signature;

2, with their own private key to encrypt the original data signature and attached to the back of the original data;

3. Symmetric encryption key is generated for the whole data encryption using symmetric cryptographic algorithm;

4 . Encrypt the symmetric encryption key with the public key provided by Bob and append it to Bob after the encrypted data .

Data decryption Process:

1. Bob receives the data, decrypts the symmetric encryption key with his private key, and determines the identity of the data receiver Bob;

2.decrypt the encrypted data with the decrypted key, and ensure the privacy of the data ;

3 . Decrypt the signature of the original data with the public key provided by Alice and verify the identity of the data sender Alice;

4, using the same one-way encryption algorithm to calculate the original data signature and the decrypted signature to compare, ensure data integrity.

In the process of data transmission, it is necessary for both parties to obtain the other's public key, that is, the key exchange, the public key in the network transmission process is easy to be stolen or tampered with, can not guarantee credibility, and this process requires a trusted third-party institutions, namely CA.

based on The CA completes the key Exchange workflow:

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/70/AF/wKiom1W7NF7RqUkJAALPfwMfcyk545.jpg "title=" 2.2. JPG "alt=" wkiom1w7nf7rqukjaalpfwmfcyk545.jpg "/>

Application Certificate:

1. Alice generates the key and signs the request, and requests a certificate from the CA ;

2,the CA received the request, verify the information in the certificate;

3,CA sign certificate,CA uses one-way encryption algorithm to generate the certificate signature;

4. The identity code of the private key encryption certificate of the CA's self-visa book is appended to the certificate and sent to Alice.

Authentication:

1. Alice Gets the certificate to communicatewith Bob, and Alice carries the certificate to send the access request to Bob;

2,Bob receives the request,Bob uses the CA 's self-visa book's public key to decrypt the certificate signature, completes the authentication of the CA;

3, using the same one-way encryption algorithm to calculate the signature of the certificate and the decryption of the characteristics of the code to compare, to ensure the integrity of the certificate;

4. Bob extracts Alice 's public key information, and then sends her own certificate to Alice.

Second, CA The concept of:

PKI:public key Infrastructure, key Infrastructure, is a platform that provides public-key cryptography and digital certificate signing.

the implementation process of PKI:

Identification of the certificate is legal

Verifying the integrity of a certificate

Verify that the host name and requester name are the same

Check the validity period of a certificate

Check if the certificate has been revoked

The PKI consists of the following and parts:

CA: Visa authorities

RA: Registration Authority

CRL: Certificate revocation List

Certificate Access Library

CA is the core of PKI, responsible for issuing, certification, management has issued certificates;

The current Universal Certificate format standard is zero , which defines the certificate structure and the authentication protocol standard:

the Certification Agreement standard is: IP Security, Tls/ssl, and S/MIME

The certificate structure is:

Certificate version number

Certificate serial Number

Algorithm parameters

Issuer Name

Validity period

Principal Name

Principal public Key

issued by Id

Main body Id

Third, Openssl Build Private CA :

in the case of an enterprise that does not involve external network communication, it can be A private CA is built on a Linux server based on Openssl.

# RPM–QL OpenSSL

#/etc/pki/tls/openssl.cnf:openssl master config file; #/etc/pki/ca#/etc/pki/ca/certs: Certificate storage location; #/etc/pki/ca/private: Root certificate storage location: #/etc/pki/ca/newcerts: Where the new certificate is stored; #/etc/pki/ca/crl: The location where the certificate was revoked;

Lab Environment:

CA Server,IP:192.168.1.10, System version:CentOS6.6 x86_64;

Communication node, IP:192.168.1.11, System version:CentOS6.6 x86_64;

Experimental topology:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/70/AF/wKiom1W7NjKDOfqoAACf8xDpnxw710.jpg "title=" 2.3. JPG "alt=" wkiom1w7njkdofqoaacf8xdpnxw710.jpg "/>

Third, the experimental process:

(i), establish CA Server:

1. Generate Key:

# (Umask 077; OPENSSLGENRSA-OUT/ETC/PKI/CA/PRIVATE/CAKEY.PEM 2048) Genrsa: Generate key; Umask 077: Guaranteed key file permissions, executed within (), represented in child shell Run, does not affect the current shell's umask value;-out: Indicates the key file save location; 2048: The key length, can be customized;

The key file permission is $ , and theumask value does not change:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/70/AC/wKioL1W7OITAz9imAADcE7TrB0w277.jpg "title=" 2.4. JPG "alt=" wkiol1w7oitaz9imaadce7trb0w277.jpg "/>

2, self-signed certificate;

# OpenSSL Req-new-x509-key/etc/pki/ca/private/cakey.pem-out/etc/pki/ca/cacert.pem-days 3650 req: Generate certificate signing request;-new: for new please Request, the user will be required to fill out the certificate information;-x509: Generate self-signed certificate;-key: Specify private key file;-out: Specify the certificate location;-days: Number of days for certificate validity;

# Country Name (2 letter code) [XX]:CN//Country # State or province name (full name) []:henan//Province (Continent) # Locality Name (eg, City) [Default City]:nanyang//Cities # Organization Name (eg, company) [Default companies Ltd]:chencer//Corporation # Organization Al Unit name (eg, section) []:ops//Department # Common name (eg, your name or your server ' s hostname) []:ca.chencer.org//ca Server Host name # email address []:[email protected]//CA admin mailbox;

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/70/AF/wKiom1W7NxzgKtNgAAHDC8w_wak041.jpg "title=" 2.5. JPG "alt=" wkiom1w7nxzgktngaahdc8w_wak041.jpg "/>

3, the initialization of the working environment;

# touch/etc/pki/ca/{index.txt,serial} index.txt: Certificate microcosm database; Serial: Sign the certificate number file; # echo >/etc/pki/ca/serial: Import number initial value, indicating Starting from 01;

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/70/AC/wKioL1W7OYCyD7O5AABYgGZLKNM863.jpg "title=" 2.6. JPG "alt=" wkiol1w7oycyd7o5aabyggzlknm863.jpg "/>

(ii), Communication node Generation certificate:

Assumptions: the CA server is dedicated for implementing HTTPS for the httpd service ;

1, communication node generation request;

# (Umask 077; OpenSSL genrsa-out/etc/httpd/httpd.key 2048): Generate key pair; # OpenSSL Req-new-key/etc/httpd/httpd.key-out /ETC/HTTPD/HTTPD.CSR: Generate Certificate Signing request

In addition to the following options, the other must be The CA server certificate option is the same;

# Common name (eg, your name or your server ' s hostname) []:www.chencer.org//Communication node hostname; # Email Address []:[email protected ]//Communication node Administrator mailbox; # A Challenge Password []://Set password, if password is set, the password needs to be provided to the CA server; # an optional company name []:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/70/AF/wKiom1W7N-mDVkI9AAMH8MJwOGI032.jpg "title=" 2.7. JPG "alt=" wkiom1w7n-mdvki9aamh8mjwogi032.jpg "/>

# SCP/ETC/HTTPD/HTTPD.CSR 192.168.1.10:/etc/pki/ca/: Send the signature request file to the CA server;

(iii), CA The server signs the certificate;

# OpenSSL Ca-in/etc/pki/ca/httpd.csr-out/etc/pki/ca/httpd.crt-days 3650: Signing certificate;

Verify the information and confirm the signature:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/70/AF/wKiom1W7OD-AKDtcAAJw00prxeM494.jpg "title=" 2.8. JPG "alt=" wkiom1w7od-akdtcaajw00prxem494.jpg "/>

# SCP/ETC/PKI/CA/HTTPD.CRT 192.168.1.11:/etc/httpd/: Sent to the requestor;

# cat/etc/pki/ca/serial: View signed certificate number file; # Cat/etc/pki/ca/index.txt: View Certificate Microcosm database

Certificate number each time you check the value plus 1, the certificate Microcosm database records information, preceded by a V identification:

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/70/AC/wKioL1W7OmuDJJt3AACwd18w9lU730.jpg "title=" 2.9. JPG "alt=" wkiol1w7omudjjt3aacwd18w9lu730.jpg "/>

(iv) Revocation of certificates:

1, the communication node request revocation;

# OpenSSL X509-in/etc/httpd/httpd.crt-noout-serial-subject: Obtain certificate serial;

The CA server serial and subject information submitted by the communication node to Verify that the information in the Index.txt file is consistent;

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/70/AF/wKiom1W7OKmgcsf2AAB0q4HdfGc475.jpg "title=" 2.10. JPG "alt=" wkiom1w7okmgcsf2aab0q4hdfgc475.jpg "/>

2,CA revocation certificate;

# OpenSSL CA-REVOKE/ETC/PKI/CA/NEWCERTS/01.PEM: revoking certificates

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/70/AC/wKioL1W7OtTgaePoAABhyp8ewLA092.jpg "title=" 2.11. JPG "alt=" wkiol1w7ottgaepoaabhyp8ewla092.jpg "/>

# Cat/etc/pki/ca/index.txt: View the certificate microcosm database;

The V- ID becomes R:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/70/AC/wKioL1W7OvjxPgxjAABsFlVPM8Y271.jpg "title=" 2.12. JPG "alt=" wkiol1w7ovjxpgxjaabsflvpm8y271.jpg "/>

# echo >/etc/pki/ca/crlnumber: Generate the number of revoked certificates (if the first revocation);

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/70/AF/wKiom1W7OS-wZpPGAABAjQxkMRU691.jpg "title=" 2.13. JPG "alt=" wkiom1w7os-wzppgaabajqxkmru691.jpg "/>

# OpenSSL CA-GENCRL-OUT/ETC/PKI/CA/CRL/THISCA.CRL: Update certificate revocation list; # OpenSSL Crl-in/etc/pki/ca/crl/thisca.crl-noout–tex T: If necessary, view the contents of the CRL file:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/70/AF/wKiom1W7OUSw4iQgAAN6ctZrOuQ191.jpg "title=" 2.14. JPG "alt=" wkiom1w7ousw4iqgaan6ctzrouq191.jpg "/>

The above is only the basic operation for OpenSSL to build its own CA , and then after completing httpd service Learning, we will continue to implement the HTTPS protocol httpd server-side configuration.

This article is from the "Pony Learning Record" blog, make sure to keep this source http://masachencer.blog.51cto.com/8683770/1680616

Encrypting and decrypting principle and building your own CA based on OpenSSL