Encryption and decryption of learning notes, PKI,CA

1. Encrypt and decrypt

Background: In network communication in order to achieve security needs, such as communication confidentiality, to ensure information integrity and availability, this requires some technology, the following to introduce the relevant technology

Technologies include: Encryption and decryption

Service (a service that is designed to protect against attacks, that is, a security service that is specifically engineered for the above-mentioned security objectives)

Encryption and decryption:

Traditional encryption Method: Alternative encryption method and substitution encryption method

Modern encryption method: mainly modern block encryption method

Note: True encryption relies primarily on the key rather than on the encryption algorithm

Service:

Authentication mechanism

Access control mechanism

Encryption includes:

Symmetric encryption

Public Key Cryptography

One-way encryption

Authentication encryption

2. For Linux systems: In order to achieve the above security objectives, some tools are required to services to achieve these functions, while Linux's common tools are:

Linux is often used for the above functions (that is, encryption algorithms, protocols or services, etc.)

The solution's tools are mainly two OpenSSL (SSL), GPG (PGP)

OpenSSL (SSL): An implementation of the SSL protocol and encryption decryption

GPG (PGP): The implementation of GPG protocol

3. What is OpenSSL?

OpenSSL is made up of three parts:

Libencrypt Libraries (libraries for encrypting and decrypting)

Libssl Library (library for implementing SSL Secure communication Mechanism)

OpenSSL multi-purpose command-line tool (for encryption, decryption, etc.)

4. Detailed encryption and decryption

Cryptographic algorithms and protocols: (We know the working mode is OK)

4.1 Symmetric encryption : Encryption and decryption using the same key

A common way:

Des:data Encryption Standard uses 16-bit encryption

3des:triple des (i.e. three times times des)

aes:advanced Encryption Standart Advanced Encryption

(128bits,192bits,256bits,384bits)

Blowfish

Twofish

Idea

RC6

Casts

Cryptographic algorithm Features:

1, encryption and decryption using the same key

2. Separate the original data into fixed-size blocks and encrypt them individually

Defects:

1. Too many keys ()

2. Difficulty in issuing keys

4.2 Public Key cryptography: keys are divided into public and private keys

Public key: Extracted from the private key; available to all; PubKey

Private key: Created by the tool and retained by the user, it must be guaranteed private: Secret key

Features: Data encrypted with the public key can only be decrypted with the private key to which it is paired;

Algorithm for public key cryptography:

Algorithm: Rsa,dsa,elgamal

DSA cannot be used for cryptographic decryption and can only be used for signing

RSA: Can be encrypted and decrypted and used for signing

Dss:digital Signature Standard (digital signature)

Dsa:digital Signature Algorthm

Public Key cryptography uses:

Digital signature: The main purpose is to let the receiver confirm the identity of the sending party

Key exchange: The sender encrypts a symmetric key with the other's public key and sends it to the other party

Data encryption

mainly the first two types of

encryption process steps for both sides of the communication:

First: the sender (a) into a copy of the data, in order to ensure that the data security and confidentiality of the delivery to the receiver (B), A must first use a one-way encryption algorithm to calculate the signature of this data

Second: A will encrypt the signature with its own private key and append the result to the data,

Third: A generates a temporary symmetric key and encrypts the entire piece of data using this symmetric key

IV: A will get the public key of B and use the public key of B to encrypt the whole piece of data that has been encrypted in the previous step, and send it to B for secret communication

the decryption process between the two sides:

First: B uses its own private key to decrypt the symmetric key sent over

Second: Decrypt the entire block of encrypted content with a symmetric key

Third: Use A's public key to decrypt the signature code, can decrypt the judgment is a sent over, A's identity is verified.

The second is to use the same symmetric encryption algorithm to calculate the signature of this data, and compare with the decrypted, if the same, the data integrity is verified, and the confidentiality is also verified.

Thinking: There is a security risk in the middle of a person is impersonating, while impersonating AB, then the middleman will be AB's information to read all over. To solve this problem, we have a third-party CA

4.3 One-way encryption: Extract data Fingerprint (signature), can only encrypt, cannot decrypt

Characteristics: fixed-length output, avalanche effect (small changes in initial results will result in a dramatic change in results)

Function: Realize the integrity check of data

Algorithm: Md5:message digest5,128bits message digest algorithm

SHA1, sha256,sha224, sha384, sha512

Sha1:secure Hash Algorthm 1, Secure Hash algorithm

5. Pki:public Key Infrastructure

Public Key Infrastructure

It is another security agency built with CA as its core

Its composition:

Visa agency: CA

Registration Authority: RA

Certificate Revocation list: CRL

Certificate Access Library

What the certificate contains:

X509v3 (Digital certificate Architecture Standard Version V3): Defines the structure of the certificate and the standard of the authentication protocol

Version number:

Serial Number: Serial

Signature Algorithm ID (calculated by what algorithm)

Issuer Name

Validity period

Principal Name (information of the owner)

Principal public key

Issuer's unique identity

Unique identity of the subject

Extended

Issuer's signature

Section: The following

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M01/7F/4E/wKiom1cZiPbD5SqBAABJk420JP4356.png "title=" Image 1.png "alt=" Wkiom1czipbd5sqbaabjk420jp4356.png "/>

6. CA:

CA kind: Public trust CA, private CA;

Establish a private CA:(when used only in private scope)

Tool: OpenSSL: can be used to generate a CA using a small scope

OpenCA

6.1 Building a private CA:

Generate a self-visa book on the service that is configured as a CA, and provide the required directories and files for the CA;

Step:(to be familiar with)

(1) Generate the private key;

~]# (umask 077; OpenSSL genrsa-out/etc/pki/ca/private/cakey.pem 4096)

(2) Generate self-signed certificate;

~]# OpenSSL req-new-x509-key/etc/pki/ca/private/cakey.pem-out/etc/pki/ca/cacert.pem-days 3655

The above command content description:

-new: Generate a new certificate signing request;

-x509: Generate a self-signed format certificate, used exclusively for creating a private CA;

-key: The private file path used to generate the request;

-out: The generated request file path, or if the self-signed operation will generate a signed certificate directly;

-days: The valid duration of the certificate, the Unit is day;

(3) Provide the required directories and documents for the CA;

~]# mkdir-pv/etc/pki/ca/{certs,crl,newcerts}# #一般就已经存在

~]# Touch/etc/pki/ca/{serial,index.txt}

~]# echo >/etc/pki/ca/serial # #此为给一个序列号

Note: Only when a private build CA is created is it created in the/etc/pki/ca/directory only as a CA host, which is the example above. Use the certificate directory to create a server in its corresponding directory, such as the following example implementation, to HTTPD server as an example. Its directory is/etc/httpd/ssl

6.2 A server that uses a certificate for secure communication requires that a certificate be signed to the CA:

Step 123 Execute on server 172.18.26.22

Step 4 perform on the host 172.18.26.21

Step: (Take httpd as an example)

(1) Use the certificate host A to generate the private key;

~]# Mkdir/etc/httpd/ssl

~]# Cd/etc/httpd/ssl

~]# (umask 077; OpenSSL genrsa-out/etc/httpd/ssl/httpd.key 2048)

(2) Generate certificate signing request

~]# OpenSSL req-new-key/etc/httpd/ssl/httpd.key-out/etc/httpd/ssl/httpd.csr-days 365

(3) Send the request to the CA host by reliable means;

For example, remote replication:

#scp HTTPD.CSR [Email protected]:/tmp/

(4) Sign the certificate on the CA host;

Create a file first

~]# Touch/etc/pki/ca/{serial,index.txt}

~]# echo >/etc/pki/ca/serial

Re-sign

~]# OpenSSL ca-in/tmp/httpd.csr-out/etc/pki/ca/certs/httpd.crt-days 365

Note: In the second step, configure the service address such as httpd note that it starts with www.

To view the information in the certificate:

~]# OpenSSL X509-in/etc/pki/ca/certs/httpd.crt-noout-serial-subject

-serial = view serial number

-subject View

Knowledge Supplement: 1.SCP command: Copy the native files to the remote host

Encryption and decryption of learning notes, PKI,CA