Encryption and decryption in linux

Encryption and decryption in linux
Encryption/Decryption: encryption protocol: encryption and decryption use the same key: 3des, aes public key encryption: Public Key private key pair digital signature, key exchange RSA, DSA data signature algorithm (DSS Data signature standard) one-way encryption: md5, sha1, sha256, sh512 (MD5 output 128bit, SHA1 output 160bit, SHA256 output 256bit) Key Exchange: DH: for details about the Deffie-Hellman process, refer to the following SSL handshake ============================ ================================== SSL: secure socket layer ssl: sslv3 current version IETF: tlsv1.0 sslv3 tlsv1.2 now ssl handshake: client-> server: Algorithms supported by the client itself, request server Digital Certificate Server-> client: the server supports encryption algorithms to send digital certificates (after the client verifies the information, the public key of the server is obtained in the digital certificate, and the encrypted sending server ). User verification data: 1. whether the server name and Certificate Name are consistent; 2. use the trusted CA Public Key cached locally to decrypt the certificate and check whether the certificate is consistent. 3. checks whether the certificate content has been tampered with. One-way password verification is added. 4. check whether the certificate expires. 5. Check whether the certificate expires. Client> service end: send encrypted data to the client, exchange symmetric keys, and then encrypt the communication digital certificate: CA: issue a security certificate, ensure data security =========== openssl: components: libcrypto: encryption and decryption file libssl: ssl protocol experiment openssl: multi-purpose command line tool, custom gpg: pgp standard implementation openssl encryption command: Encrypted File (symmetric encryption ): tool: openssl enc, gpg algorithm: des, 3des, aes, blowfish, twofish, idea, cast5 enc tool: encryption openssl enc-e-Algorithm -A-salt-in encrypted file-out output file decryption openssl enc-d-algorithm-a-salt-in encrypted file-out output file can be through openssl? View-a: Text Encoding output-salt plus random number TEST: unidirectional encryption: algorithm: md5, sha1 tool: openssl dgst, md5sum, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum openssl dgst-algorithm PATH the algorithm here is the above algorithm and is not limited to the above algorithm, but different from the encryption algorithm mac code: used to represent the value mechanism of data integrity: CBC-MAC HMAC: md5 or sha1 Algorithm
Generate User Password: openssl passwd-1-salt 8-bit random number generation random number: openssl rand-hex 4 public key encryption: tool: gpg, openssl rsautl generation key pair: operation process: generate a private key and extract the command in the brackets of the public key openssl genrsa-out PATH NUM_BITS from the private key: open a sub-shell process (umask 077; openssl genrsa-out PATH NUM_BITS) for the sake of security, the sub-shell operation does not affect the original environment to extract the public key from the private key: openssl rsa-in PATH-pubout public key encryption: to complete the key exchange private key encryption: complete identity verification random number generator: random (high security factor), urandom entropy pool: stores random numbers generated by hardware interruptions/dev/random: returns random numbers only from the entropy pool, when the random number in the entropy pool is exhausted The process will be blocked./dev/urandom: first, the random number is obtained from the entropy pool. When the random number in the entropy pool is exhausted, the random number is generated through the pseudo random number generator. Use openssl to build a private CA: 1. generate a key 2. generate self-signed signature (1) when the private key is used to issue the certificate, add a digital signature to the certificate for use; (2) certificate: each communication party imports the certificate to a trusted Certificate Authority. Create the CA configuration file:/etc/pki/tls/openssl. cnf (view the storage location and related information of the configuration file) working directory:/etc/pki/CA/1. create a private key file:/etc/pki/CA/private/cakey. pem (umask 077; openssl genrsa-out/etc/pki/CA/private/cakey. pem 2048) 2. generate self-signed signature: extract the public key and digital signature certificate from the key to/etc/pki/tls/openssl. certifi specified by cnf Cate location # openssl req-new-x509-key/etc/pki/CA/private/cakey. pem-out/etc/pki/CA/cacert. pem-days #-new: generate a new Certificate Signing Request;-key: private key file path, used to extract the public key;-days N: certificate validity period, the Unit is "day";-out: the storage location of the output file;-x509: The self-signed certificate file is directly output, which is usually used only when the CA is built; 3. provide auxiliary files: Provide help files and Input serial numbers touch/etc/pki/CA/index.txt echo 01>/etc/pki/CA/serial Distribution Certificate: TEST: Openssh: ssh: secure shell (Listening to tcp/22) is used to replace talnet (plaintext transmission, listening to tcp/23). Currently, the mainstream version is V2 two verification methods: 1. user Password 2. key pair Verify Openssh: ssh open-source software sshd: Server ssh: client scp: secure cross-host replication tool, implemented based on the ssh protocol; sftp: Secure ftp server configuration file: sshd: /etc/ssh/sshd_config client configuration file: ssh:/etc/ssh/ssh_config based on key authentication: generate a pair of keys on the client and keep them by yourself; the Public Key is privately saved to a file dedicated to ssh communication in the home directory of a user of the remote service to log on to. The key is generated: ssh-keygen-t rsa transmission key: ssh-copy-id-I ~ /. Ssh/id_rsa.put user @ host scp remote replication command: push: scp [-rp]/path/from/somefile user @ host:/path/to/somewhere pull: scp [-rp] user @ host:/path/from/somefile/path/to/somewhere-P portnumber (this parameter is required once the default port is changed) sshd server configuration: /etc/ssh/sshd_config directive value Port 22 listening Port AddressFamily any listening address (through which services are provided externally) Protocol 2 version Protocol restrictions can be logged on to the user: PermitRootLogin: allow the Administrator to log on directly; AllowUsers user1 user2... allow access to the whitelist AllowGroups grp1 grp2... allow login Group White List DenyUsers user1... allow login to the blacklist DenyGroups grp1... allowed to log on to the blacklist only listens to the IP address that needs to be monitored: ListenAddress 0.0.0.0 Max allowed login attempts: MaxAuthTries 6 ssh Login log:/var/log/secure