Introduction to OpenSSL Protocol
SSL (Secure Socket Layer) is a standard for Secure Web communication proposed by Netscape. In general network protocol applications, data is packaged several times from top to bottom in the machine, and then enters the network. If these packets are intercepted, it is easy to obtain the data in the network protocol.
SSL is the protocol created to encrypt this data. It can be understood as a layer between the application layer and TCP/IP: outgoing data is encrypted before it is handed to TCP/IP, and incoming data passes through the TCP/IP layer before being decrypted. It can also verify the identity of the two ends of a network connection. It is therefore particularly important to understand the basics of data encryption and decryption on the network.
I. Information security standards
The three factors of network information security and confidentiality (CIA):
Confidentiality, integrity, availability
In addition to the CIA triad, two other standards are frequently mentioned:
Authenticity, traceability
II. Encryption methods and algorithms
(1) Symmetric encryption: encryption using a single-key cryptosystem. The same key is used for both encryption and decryption.
Symmetric encryption algorithm:
DES: Data Encryption Standard (56-bit key)
3DES
AES: Advanced Encryption Standard (128,192,256,384,512)
Blowfish
Twofish
IDEA
RC6
CAST5
Features of symmetric encryption:
A) The same key is used for encryption and decryption;
B) The plaintext is split into fixed-size blocks, which are encrypted one by one
Symmetric encryption defects:
A) Too many keys;
B) key transmission;
Key Exchange, identity verification, and data integrity
(2) Public key encryption: uses a unique key pair (a public key and a private key).
(The public key is extracted from the private key.)
(Data encrypted with the public key can only be decrypted with the private key; data encrypted with the private key can only be decrypted with the public key.)
Key: public key, secret key (P/S)
Common encryption algorithms:
RSA, DSA, ElGamal
(DSA: can only be used for identity authentication)
(3) One-way encryption: irreversible encryption
One-way encryption features:
Fixed-length output: No matter how big the raw data is, the results are of the same size.
Avalanche effect: small changes in input will cause huge changes in results
One-way encryption algorithms: MD5 (128 bits), SHA1, SHA256, SHA384, and SHA512
III. Encryption process and principles
IV. Process for building a private CA
A
① Generate a key
[[email protected] ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................ ++
... ++
e is 65537 (0x10001)
[[email protected] ~]#
② Self-signed certificate
[[email protected] ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: Henan
Locality Name (eg, city) [Default City]: ZhenZhou
Organization Name (eg, company) [Default Company Ltd]: mageedu
Organizational Unit Name (eg, section) []: ops
Common Name (eg, your name or your server's hostname) []: bogon
Email Address []: [email protected]
③ Initialize the environment (required for the first time)
# touch /etc/pki/CA/{index.txt,serial}
# echo 01 > /etc/pki/CA/serial (specify the number from which serial numbers start)
B
① Node certificate application:
(1) The node generates the request
mkdir /etc/httpd/ssl
[[email protected] ~]# ls /etc/httpd/
conf/ conf.d/ logs/ modules/ run/ ssl/
② Generate a key pair
[[email protected] ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
........................................ ........................................ ........................................ .......... ++
.................... ++
e is 65537 (0x10001)
[[email protected] ~]# ......
③ Generate a Certificate Signing Request
[[email protected] ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: Henan
Locality Name (eg, city) [Default City]: ZhenZhou
Organization Name (eg, company) [Default Company Ltd]: mageedu
Organizational Unit Name (eg, section) []: ops
Common Name (eg, your name or your server's hostname) []: bogon
Email Address []: [email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 00 woaioo
An optional company name []: 00 woaioo
C. The CA signs the certificate
① Verify the information in the certificate;
② Sign the certificate
[[email protected] ~]# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/httpd/ssl/httpd.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 3 21:05:10 2014 GMT
Not After : Apr 29 21:05:10 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = mageedu
organizationalUnitName = ops
commonName = bogon
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CA:6B:7E:1F:CD:78:D7:E6:9D:EE:65:86:E0:F0:8C:A3:64:4D:01:B2
X509v3 Authority Key Identifier:
keyid:1E:B0:D5:A7:25:BF:58:40:13:76:10:6B:8E:F6:7B:BA:AB:8D:86:5A
Certificate is to be certified until Apr 29 21:05:10 2017 GMT (1000 days)
Sign the certificate? [y/n]:
③ Send to the requester;
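The checks that belong around steps C ① and ③, as an added example that is not part of the original article: the CA checks the CSR's self-signature before signing, and the requester checks that the returned certificate chains to the CA, carries its own public key, and is marked CA:FALSE. Assumptions: everything is built in a temporary directory with constructed subjects, a minimal constructed config is selected through OPENSSL_CONF, and "openssl x509 -req" is swapped in for "openssl ca" so that no index.txt/serial database is needed.

```shell
#!/bin/sh
# Added example: builds a throwaway CA under a temp dir. Every name, subject
# and path here is constructed; nothing touches /etc/pki or /etc/httpd.
make_demo_pki() {                       # $1 = empty working directory
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    OPENSSL_CONF=$d/demo.cnf; export OPENSSL_CONF   # minimal config for req
    for k in cakey.pem httpd.key other.key; do      # other.key: unrelated key
        (umask 077; openssl genrsa -out "$d/$k" 2048 2>/dev/null)
    done
    openssl req -new -x509 -key "$d/cakey.pem" -days 365 \
        -subj "/C=CN/O=demo/CN=Demo CA" -out "$d/cacert.pem"
    openssl req -new -key "$d/httpd.key" \
        -subj "/C=CN/O=demo/CN=www.example.test" -out "$d/httpd.csr"
    # "x509 -req" stands in for "openssl ca" (assumption of this example)
    openssl x509 -req -in "$d/httpd.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -extfile "$d/demo.cnf" \
        -extensions v3_leaf -days 1000 -out "$d/httpd.crt" 2>/dev/null
}
# CA side, before signing: the CSR must be signed by the key it carries.
csr_self_sig_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"; }
# Requester side: the certificate must chain to the CA ...
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# ... must contain the public key of the private key that was generated ...
key_matches_cert() {                    # $1 = private key, $2 = certificate
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
# ... and must not itself be usable as a CA.
is_not_ca() { openssl x509 -in "$1" -noout -text | grep -q "CA:FALSE"; }

work=$(mktemp -d) && make_demo_pki "$work"
csr_self_sig_ok "$work/httpd.csr"                    && echo "CSR self-signature ok"
chain_ok "$work/cacert.pem" "$work/httpd.crt"        && echo "chains to CA"
key_matches_cert "$work/httpd.key" "$work/httpd.crt" && echo "key matches cert"
key_matches_cert "$work/other.key" "$work/httpd.crt" || echo "other.key rejected"
is_not_ca "$work/httpd.crt"                          && echo "leaf is CA:FALSE"
```

The same four functions can be pointed at the real files from this walkthrough (httpd.csr, cacert.pem, httpd.key, httpd.crt) once the CA has returned the certificate.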
This article is from the "from scratch" blog, please be sure to keep this source http://zerofly.blog.51cto.com/4476065/1535137