1. Encrypt and decrypt
Background: In network communication in order to achieve security needs, such as communication confidentiality, to ensure information integrity and availability, this requires some technology, the following to introduce the relevant technology
Technologies include: Encryption and decryption
Service (a service that is designed to protect against attacks, that is, a security service that is specifically engineered for the above-mentioned security objectives)
Encryption and decryption:
Traditional encryption Method: Alternative encryption method and substitution encryption method
Modern encryption method: mainly modern block encryption method
Note: True encryption relies primarily on the key rather than on the encryption algorithm
Service:
Authentication mechanism
Access control mechanism
Encryption includes:
Symmetric encryption
Public Key Cryptography
One-way encryption
Authentication encryption
2. For Linux systems: In order to achieve the above security objectives, some tools are required to services to achieve these functions, while Linux's common tools are:
Linux is often used for the above functions (that is, encryption algorithms, protocols or services, etc.)
The solution's tools are mainly two OpenSSL (SSL), GPG (PGP)
OpenSSL (SSL): An implementation of the SSL protocol and encryption decryption
GPG (PGP): The implementation of GPG protocol
3. What is OpenSSL?
OpenSSL is made up of three parts:
Libencrypt Libraries (libraries for encrypting and decrypting)
Libssl Library (library for implementing SSL Secure communication Mechanism)
OpenSSL multi-purpose command-line tool (for encryption, decryption, etc.)
4. Detailed encryption and decryption
Cryptographic algorithms and protocols: (We know the working mode is OK)
4.1 Symmetric encryption : Encryption and decryption using the same key
A common way:
Des:data Encryption Standard uses 16-bit encryption
3des:triple des (i.e. three times times des)
aes:advanced Encryption Standart Advanced Encryption
(128bits,192bits,256bits,384bits)
Blowfish
Twofish
Idea
RC6
Casts
Cryptographic algorithm Features:
1, encryption and decryption using the same key
2. Separate the original data into fixed-size blocks and encrypt them individually
Defects:
1. Too many keys ()
2. Difficulty in issuing keys
4.2 Public Key cryptography: keys are divided into public and private keys
Public key: Extracted from the private key; available to all; PubKey
Private key: Created by the tool and retained by the user, it must be guaranteed private: Secret key
Features: Data encrypted with the public key can only be decrypted with the private key to which it is paired;
Algorithm for public key cryptography:
Algorithm: Rsa,dsa,elgamal
DSA cannot be used for cryptographic decryption and can only be used for signing
RSA: Can be encrypted and decrypted and used for signing
Dss:digital Signature Standard (digital signature)
Dsa:digital Signature Algorthm
Public Key cryptography uses:
Digital signature: The main purpose is to let the receiver confirm the identity of the sending party
Key exchange: The sender encrypts a symmetric key with the other's public key and sends it to the other party
Data encryption
mainly the first two types of
encryption process steps for both sides of the communication:
First: the sender (a) into a copy of the data, in order to ensure that the data security and confidentiality of the delivery to the receiver (B), A must first use a one-way encryption algorithm to calculate the signature of this data
Second: A will encrypt the signature with its own private key and append the result to the data,
Third: A generates a temporary symmetric key and encrypts the entire piece of data using this symmetric key
IV: A will get the public key of B and use the public key of B to encrypt the whole piece of data that has been encrypted in the previous step, and send it to B for secret communication
the decryption process between the two sides:
First: B uses its own private key to decrypt the symmetric key sent over
Second: Decrypt the entire block of encrypted content with a symmetric key
Third: Use A's public key to decrypt the signature code, can decrypt the judgment is a sent over, A's identity is verified.
The second is to use the same symmetric encryption algorithm to calculate the signature of this data, and compare with the decrypted, if the same, the data integrity is verified, and the confidentiality is also verified.
Thinking: There is a security risk in the middle of a person is impersonating, while impersonating AB, then the middleman will be AB's information to read all over. To solve this problem, we have a third-party CA
4.3 One-way encryption: Extract data Fingerprint (signature), can only encrypt, cannot decrypt
Characteristics: fixed-length output, avalanche effect (small changes in initial results will result in a dramatic change in results)
Function: Realize the integrity check of data
Algorithm: Md5:message digest5,128bits message digest algorithm
SHA1, sha256,sha224, sha384, sha512
Sha1:secure Hash Algorthm 1, Secure Hash algorithm
5. Pki:public Key Infrastructure
Public Key Infrastructure
It is another security agency built with CA as its core
Its composition:
Visa agency: CA
Registration Authority: RA
Certificate Revocation list: CRL
Certificate Access Library
What the certificate contains:
X509v3 (Digital certificate Architecture Standard Version V3): Defines the structure of the certificate and the standard of the authentication protocol
Version number:
Serial Number: Serial
Signature Algorithm ID (calculated by what algorithm)
Issuer Name
Validity period
Principal Name (information of the owner)
Principal public key
Issuer's unique identity
Unique identity of the subject
Extended
Issuer's signature
Section: The following
650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M01/7F/4E/wKiom1cZiPbD5SqBAABJk420JP4356.png "title=" Image 1.png "alt=" Wkiom1czipbd5sqbaabjk420jp4356.png "/>
6. CA:
CA kind: Public trust CA, private CA;
Establish a private CA:(when used only in private scope)
Tool: OpenSSL: can be used to generate a CA using a small scope
OpenCA
6.1 Building a private CA:
Generate a self-visa book on the service that is configured as a CA, and provide the required directories and files for the CA;
Step:(to be familiar with)
(1) Generate the private key;
~]# (umask 077; OpenSSL genrsa-out/etc/pki/ca/private/cakey.pem 4096)
(2) Generate self-signed certificate;
~]# OpenSSL req-new-x509-key/etc/pki/ca/private/cakey.pem-out/etc/pki/ca/cacert.pem-days 3655
The above command content description:
-new: Generate a new certificate signing request;
-x509: Generate a self-signed format certificate, used exclusively for creating a private CA;
-key: The private file path used to generate the request;
-out: The generated request file path, or if the self-signed operation will generate a signed certificate directly;
-days: The valid duration of the certificate, the Unit is day;
(3) Provide the required directories and documents for the CA;
~]# mkdir-pv/etc/pki/ca/{certs,crl,newcerts}# #一般就已经存在
~]# Touch/etc/pki/ca/{serial,index.txt}
~]# echo >/etc/pki/ca/serial # #此为给一个序列号
Note: Only when a private build CA is created is it created in the/etc/pki/ca/directory only as a CA host, which is the example above. Use the certificate directory to create a server in its corresponding directory, such as the following example implementation, to HTTPD server as an example. Its directory is/etc/httpd/ssl
6.2 A server that uses a certificate for secure communication requires that a certificate be signed to the CA:
Step 123 Execute on server 172.18.26.22
Step 4 perform on the host 172.18.26.21
Step: (Take httpd as an example)
(1) Use the certificate host A to generate the private key;
~]# Mkdir/etc/httpd/ssl
~]# Cd/etc/httpd/ssl
~]# (umask 077; OpenSSL genrsa-out/etc/httpd/ssl/httpd.key 2048)
(2) Generate certificate signing request
~]# OpenSSL req-new-key/etc/httpd/ssl/httpd.key-out/etc/httpd/ssl/httpd.csr-days 365
(3) Send the request to the CA host by reliable means;
For example, remote replication:
#scp HTTPD.CSR [Email protected]:/tmp/
(4) Sign the certificate on the CA host;
Create a file first
~]# Touch/etc/pki/ca/{serial,index.txt}
~]# echo >/etc/pki/ca/serial
Re-sign
~]# OpenSSL ca-in/tmp/httpd.csr-out/etc/pki/ca/certs/httpd.crt-days 365
Note: In the second step, configure the service address such as httpd note that it starts with www.
To view the information in the certificate:
~]# OpenSSL X509-in/etc/pki/ca/certs/httpd.crt-noout-serial-subject
-serial = view serial number
-subject View
Knowledge Supplement: 1.SCP command: Copy the native files to the remote host
Encryption and decryption of learning notes, PKI,CA