Encryption and decryption Technology Foundation, PKI and private CA creation

Source: Internet
Author: User
Tags openssl x509 asymmetric encryption


In the OSI model and the TCP/IP model, the application sends a data to the server, through a number of paths to reach the server, on the way to the transmission, because the data is clear, and anyone can view, which poses a risk to the data. Therefore, encryption is necessary.

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M00/7E/A4/wKioL1cGJMzSg05tAAAxLpc6k60938.png "title=" QQ puzzle not named. png "alt=" Wkiol1cgjmzsg05taaaxlpc6k60938.png "/>

Common key algorithms and protocols
Symmetric encryption (encryption and decryption using the same key)
Public-Key cryptography (asymmetric encryption, public and private keys)
One-way encryption (can only be encrypted and cannot be decrypted)
Authentication protocol


Symmetric encryption

Symmetric cryptography uses symmetric cryptography, which is characterized by the use of encryption and decryption of the same key, that is, encryption key can also be used as the decryption key, this method is called symmetric encryption algorithm in cryptography, symmetric encryption algorithm is simple and fast to use, short key, and difficult to decipher, in addition to data Encryption Standard (DES), Another symmetric key encryption system is the International Data Encryption Algorithm (IDEA), which is better than the encryption of DES, and the computer function is not so high. The idea encryption standard is used by the PGP (Pretty good Privacy) system.

Work Process

Here's an example of how symmetric encryption works. A and B are a pair of business partners, they live in different cities. Because of business needs, they often mail important goods between each other. In order to ensure the safety of the goods, they agreed to make a safe box and put the items into them. They created two identical keys to be held separately in order to open the safe box with the key when the parcel was received, and to lock the safe box with the key before mailing the goods. 650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/7E/A4/wKioL1cGKIzxtvoqAADc8ThKohE521.jpg "title=" 8.jpg " alt= "Wkiol1cgkizxtvoqaadc8thkohe521.jpg"/>

The above is a traditional way of transferring important resources safely to a destination, so long as a B is carefully kept in the key, it cannot be opened even if someone gets a safety box. This idea was used to encrypt the information of modern computer communication. In symmetric encryption, the data sender sends the plaintext (the original data) and the encryption key together by a special encryption algorithm to make it into a complex cipher cipher. After receiving the ciphertext, if you want to interpret the original text, the encryption key and the inverse algorithm of the same algorithm will be used to decrypt the ciphertext, so that it can be restored to readable plaintext. In the symmetric encryption algorithm, only one key is used, both parties use the key to encrypt and decrypt the data.


Common algorithms for symmetric cryptography:

Des:data Encryption Standard;
3des:triple DES;
aes:advanced Encryption Standard; (128bits, 192bits, 256bits, 384bits)
Blowfish
Twofish
Idea
RC6
CAST5

Characteristics:
1, encryption, decryption using the same key;
2, the original data is divided into fixed-size blocks, one by one encryption;

Defects:
1, too many keys;
2, key distribution difficulties;


Public Key Cryptography

Unlike symmetric encryption algorithms, an asymmetric encryption algorithm requires two keys: Public key (PublicKey) and private key (Privatekey). Public key and private key is a pair, if the data encrypted with public key, only with the corresponding private key to decrypt, if the private key to encrypt the data, then only the corresponding public key can be decrypted. Because encryption and decryption use two different keys, this algorithm is called an asymmetric encryption algorithm.


Work process

1.A to send information to B, both A and B generate a pair of public and private keys for encrypting the Asymmetric encryption algorithm and decryption.

The private key of the 2.A is kept secret (self-preservation), A's public key tells B;b's private key to keep secret (own save), B's public key tells A.

3.A to send a message to B, a uses the public key of B to encrypt the information because a knows the public key of B.

4.A sends this message to B (the message has been encrypted with B's public key).

5.B after receiving this message, B decrypts a message with its private key. All other people who receive this message cannot decrypt it, because only B has a private key for B.

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/7E/A8/wKiom1cGK2jy1UwlAAA4YaF4W7Q869.png "title=" Np110602004820110602144156.png "alt=" Wkiom1cgk2jy1uwlaaa4yaf4w7q869.png "/>

Features:

Public key: Extracted from the private key; available to all; PubKey
Private key: Created by the tool and retained by the user, the private key must be guaranteed;
Characteristics:

Data encrypted with the public key can only be decrypted with the private key to which it is paired, and vice versa;

Use:
Digital signature: The main purpose is to let the receiver confirm the identity of the sender;
Key exchange: The sender encrypts a symmetric key with the other's public key and sends it to the other party;
Data encryption

Algorithms: RSA, DSA, ELGamal
Dss:digital Signature Standard
Dsa:digital Signature algorithm


one-way encryption   

also known as a one-way hashing algorithm, also known as hash function, hash function (also known as hash function or hash algorithm) is the arbitrary long input message string changes into a fixed long output string of a function. This output string is called the hash value of the message. Generally used to generate message digest, key encryption and so on. That is to extract the data fingerprint, can only encrypt, cannot decrypt;

Characteristics: fixed-length output, avalanche effect;
function: Integrity verification;
Common algorithms:
Md5:message Digest 5, 128bits
SHA1: Secure Hash Algorithm Secure Hash Algorithm 1, 160bits
sha224, sha256, sha384, sha512

Key exchange:

IKE (Internet key Exchange) a protocol used to obtain an authentication key.

Two mechanisms for key exchange:

1, Public key encryption implementation:

The sender encrypts its own key with the public key of the receiver, and the receiver decrypts the sender's key with its own private key, and vice versa, thus realizing the key exchange.

2, using the DH algorithm: the precondition sender and the receiving party to negotiate the use of the same large prime number p and generate a few g, the respective generated random number x and Y. The sender will send the value of the X-square modp of G to the receiver, and the receiving party will send the value generated by the Y-modp of G to the sender, and the sender can do X-square operations on the received result, and the receiving party does a Y-operation on the received result, the final password is formed, and the key exchange is completed.


Communication phase encryption and decryption

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M02/7E/A6/wKioL1cGO_ehhaLQAABFJ8xiENI016.png "title=" Cryptographic decryption base 1.png "alt=" Wkiol1cgo_ehhalqaabfj8xieni016.png "/>

Bob and Alice Communication phase

Black box A: Indicates the data to be transferred
Black box B: Is the single-entry encryption of this data extraction of the signature, this feature code at the same time using asymmetric encryption, the specific process is to use Bob's private key encryption, transmission to Alice, as long as the arrival of Alice can decrypt, indicating that the other party is really bob. This process also validates user authentication and data integrity. Black box B is also known as a digital signature
Red Box A: this phase generates a long random number (key) and then encrypts the black box A and black box B with the symmetric encryption algorithm, but how do we transfer the encrypted key to Alice? This is going to use the red box B.
Red Box B: This stage is to use Alice's public key to encrypt this string of random number (symmetric encryption phase of the key), Alice after receiving the data if you can use their private key decryption, it proves that the recipient really Alice

Encryption process:
First step: Extracting the eigenvalues of the data (black box a) with a one-way encryption algorithm
Step Two: Encrypt this feature value with your own private key to form a black box B
The third step: using symmetric encryption algorithm, black box A and black box B to encrypt, get red box A
Fourth step: Use Alice's public key to encrypt the key used in the third step, get the red box B


Decryption process:
First step: Alice uses her private key to decrypt the red box B to get a symmetric encrypted key
Second step: Use this key to decrypt the red box a content
Step three: Use Bob's public key to decrypt the black box B, if it succeeds, it means that the sender is actually Bob, which completes the authentication (the characteristic value of a string of data is obtained after decryption)
The fourth step: using the same single encryption algorithm to extract the eigenvalues of this data, if the same as the third step of the eigenvalues, the data is complete, this completes the data integrity of the checksum


Another question is how Bob and Alice get the other's public key, or how to prove that the public key they get is the other. This requires the introduction of the other certification authority CA, which is an explanation between the certification authority and Bob/alice


Black box C: Represents the public key, organization, address, and other information to be issued to the Bob/alice
Black box D: is a one-way encryption of black box C to get the digital signature, and then use their own private key to encrypt it, transfer to Bob and Alice, holding the public key of this certification authority (these certification authority's public key has been placed in Windows in advance by Microsoft, Of course other operating systems are the same) Bob and Alice If you can decrypt this certificate, it means that the certification authority is not impersonating
Red Box e: Represents the certificate issued to Bob and Alice


How the CA works:

650) this.width=650; "src=" http://s5.51cto.com/wyfs02/M00/7E/AB/wKiom1cGYB6xcHoiAADx_krf3Dg741.jpg "title=" ca.jpg "alt=" Wkiom1cgyb6xchoiaadx_krf3dg741.jpg "/>


Pki

PKI Public Key Infrastructure is a system or platform that provides public-key cryptography and digital signature services to manage keys and certificates. An organization can establish a secure network environment by using the PKI framework to manage keys and certificates. PKI mainly consists of four parts: Certificates in the form of X-V3 and certificate revocation List CRL (V2), CA operation Protocol, CA Management Protocol, CA policy development. A typical, complete and effective PKI application system should have at least the following five parts;

Public Key Infrastructure
Visa agency: CA
Registration Authority: RA
Certificate Revocation list: CRL
Certificate Access Library


Ca:
Public trust CA, private CA;

To establish a private CA:
Openssl
OpenCA


OpenSSL command:
Configuration file:/etc/pki/tls/openssl.cnf

To build a private CA:
Generate a self-visa book on the service that is configured as a CA, and provide the required directories and files for the CA;

Steps:

1. Generate Private key

2. Generate self-signed certificate

3. Provide the required directories and files for the CA


Operation Steps

(1) Generate the private key;

[[Email protected] ~]# (umask 077; OpenSSL genrsa-out/etc/pki/ca/private/cakey.pem 4096) generating RSA private key, 4096 Bit long modulus ......................................................................................................................... ................................................................................................................ ++....................................................................................................................... ..... ..... ..... .... ++e is 65537 (0x10001), ... ..... ..... ..... ..... .....???????????????????????.

(2) Generate self-signed certificate;

 [[email protected] ~]# openssl req -new -x509 -key /etc/pki/ca/ Private/cakey.pem -out /etc/pki/ca/cacert.pem -days 365you are about to  be asked to enter information that will be incorporatedinto  your certificate request. what you are about to enter is what is called a  Distinguished name or a dn. there are quite a few fields but you can leave some  blankfor some fields there will be a default value,if you  enter  '. ',  the field will be left blank.-----country name  (2  letter code)  [XX]:CNState or Province Name  (full name)  []: beijinglocality name  (eg, city)  [default  city]:beijingorganization name  (Eg, company)  [default company ltd]: testorganizational unit name  (eg, section)  []:testCommon Name  (eg,  Your name or your server ' S hostname)  []:testemail address []:[email  protected]

Option Explanation:

-new: Generate a new certificate signing request;
-x509: Generate a self-signed format certificate, designed to create a private CA;
-key: The private file path used to generate the request;
-out: The generated request file path, or if the self-signed operation will generate a signed certificate directly;
-days: The valid duration of the certificate, the Unit is day;

(3) Provide the required directories and documents for the CA;

[Email protected] ~]# mkdir-pv/etc/pki/ca/{certs,crl,newcerts}[[email protected] ~]# Touch/etc/pki/ca/{serial,ind Ex.txt}[[email protected] ~]# echo >/etc/pki/ca/serial


To use a certificate for secure communication with a server, you need to request a certificate from the CA:
Step: (Take httpd as an example)

(1) Use the certificate of the host to generate the private key;

[Email protected] ~]# MKDIR/ETC/HTTPD/SSL [[email protected] ~]# Cd/etc/httpd/ssl[[email protected] ~]# (Umask 077; OpenSSL Genrsa-out/etc/httpd/ssl/httpd.key 2048)

(2) Generate certificate signing request

[email protected] ~]# OpenSSL req-new-key/etc/httpd/ssl/httpd.key-out/etc/httpd/ssl/httpd.csr-days 365


(3) Send the request to the CA host by reliable means;
U disk copy or other reliable way


(4) Sign the certificate on the CA host;

[email protected] ~]# OpenSSL ca-in/tmp/httpd.csr-out/etc/pki/ca/certs/httpd.crt-days 365


To view the information in the certificate:

[email protected] ~]# OpenSSL x509-in/etc/pki/ca/certs/httpd.crt-noout-serial-subject


To revoke a certificate:
Steps:
(1) The client obtains the serial of the certificate to be revoked (performed on the host using the certificate):

[email protected] ~]# OpenSSL x509-in/etc/pki/ca/certs/httpd.crt-noout-serial-subject


(2) CA host Revocation Certificate
According to the serial and subject information submitted by the customer, the consistency of the data stored in the index.txt of the native database is compared.

Revoked:

[email protected] ~]# OpenSSL CA-REVOKE/ETC/PKI/CA/NEWCERTS/SERIAL.PEM

Note: The serial to be replaced by the true serial number of the certificate;

(3) Revocation number of the revocation certificate is generated (executed when the certificate is revoked for the first time)

[Email protected] ~]# echo >/etc/pki/ca/crlnumber


(4) Update certificate revocation List

[email protected] ~]# OpenSSL ca-gencrl-out thisca.crl


To view the CRL file:

[email protected] ~]# OpenSSL Crl-in/path/from/crl_file.crl-noout-text



This article is from the "Tao Sound Still" blog, please make sure to keep this source http://zhaoyongtao.blog.51cto.com/10955972/1761505

Encryption and decryption Technology Foundation, PKI and private CA creation

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.