cyber security is almost a topic for the industry to avoid, and to achieve cyber security, it is designed to target three goals: confidentiality, integrity and availability. This article mainly on the basic encryption and decryption technology, SSL protocol, and SSL protocol implementation Examples do some brief description and comb.
Encryption and decryption:
At present, most of the attacks on cyber security focus on "threat privacy attack", that is, the data disclosure, encryption and decryption are the most intuitive means to solve the confidentiality problem.
Several encryption methods:
symmetric encryption;
Features: Encryption and decryption using the same key, the data is divided into multiple fixed-size blocks, encryption by each;
Disadvantage: Too many keys (for server side, need to communicate with many people); Key distribution is difficult;
Algorithm: Des,3des,aes and so on;
Asymmetric encryption;
Features: Public-key encrypted data can only be decrypted by the private key that is paired with it, and vice versa;
Private key: Secret key, created by the tool, the user to save themselves, must ensure privacy;
Public key: PubKey, extracted from the private key, can be disclosed to everyone;
Use: digital signature; key exchange; Data encryption (asymmetric encryption is inefficient and generally not used for data encryption);
Algorithm: RSA,DSA and so on;
One-way encryption:
Use: Extract data fingerprint (signature), verify data integrity, only encrypt, cannot decrypt;
Features: fixed-length output, avalanche effect;
Algorithm: md5,sha{1-6}, etc.;
SSL protocol and OpenSSL
Secure Socket layer, secured socket layers, located between the application layer and the transport layer; The SSL protocol, developed by Netscape in 1994, has now developed to version 3.0, and its successor, Transport Layer Security, or TLS, is a secure protocol that provides confidentiality and integrity for network communications. security vulnerabilities were found in versions 1.0 to 3.0 of the SSL protocol, so SSL is now fading out, and its successor, TLS, is almost a de facto standard.
Implementation of the OPENSSL:SSL protocol.
In the CentOS 7 OpenSSL package, there are three main parts: Libcrypto,libssl and OpenSSL. The first two are primarily for developers, and our most commonly used is OpenSSL.
The process of SSL handshake protocol:ssl handshake;
The first stage: Client Hello;c sends the end to S end;
Send a supported protocol version to the S-side (such as TLS 1.2), send a random number (to generate a "session key"), a supported cryptographic algorithm (such as AES,RSA, etc., to facilitate negotiation of generating session keys, can use the same encryption algorithm), and the supported compression algorithm;
Phase II: Server Hello;s-side response;
Confirm the protocol version used, the S-side generates a random number (used as the generating session key), confirms which encryption algorithm to use, and sends the server certificate, (if the S-side needs to verify the C-terminal, there will be a request for C-Terminal certificate to send to the C-terminal);
Phase III: End of the C-end handshake;
Verify the server certificate, check out the public key (verify the Certification authority, certificate integrity, holder, expiration date, revocation list, etc.); Verify that the following message is sent to the S-end: A random number (for the server public key encryption), the Code change notification (indicating that subsequent information will be sent by a negotiated encryption method); C End handshake;
Phase four: The end of the s-end handshake;
The S end receives the third random number Pre-master-key from the C end, computes the session key of the session and sends the message to the C-side as follows: The Code change notification (indicating that the subsequent information will be sent in a negotiated encrypted manner); s end handshake;
The following is a simple encrypted transport diagram:
650) this.width=650; "Src=" Http://s4.51cto.com/wyfs02/M00/83/F9/wKiom1eCTs-xq9TrAAHIljU7t9Q542.jpg-wh_500x0-wm_3 -wmp_4-s_769316940.jpg "title=" encrypted transmission plot. jpg "alt=" wkiom1ects-xq9traahilju7t9q542.jpg-wh_50 "/>
(images can be seen in accessories)
OpenSSL related commands: standard commands, message digest commands, cryptographic commands, etc.;
Main INTRODUCTION standard command: ENC,CA,REQ,GENRSA;
Symmetric encryption: OpenSSL enc;
Support algorithm: 3des,aes,blowfish and so on;
Example: OpenSSL enc-e-des3-a-salt-in fstab-outfstab.ciphertext; fstab file is encrypted with 3DES algorithm;
One-way encryption (data signature): OpenSSL dgst,gpg,md5sum, etc.;
Example: OpenSSL dgst-md5/path/to/somefile = = Md5sum/path/to/somefile; The two algorithms are consistent, and the resulting signatures are the same;
Generate user password: OpenSSL passwd-1-salt 12345678;-1 represents MD5 algorithm,-salt can specify random number;
Generate random Number: OpenSSL rand-base64 Num;num represents the number of bytes,-base64 represents the text format, and the-hex representation format is 16 binary;
Public key cryptography: OpenSSL Genrsa
Algorithm: RSA (cryptographic decryption, digital signature), DH (often used as key exchange), DSA (digital signature);
Generate key:
OpenSSL Genrsa 1024;
OpenSSL genrsa 1024x768 >/tmp/mykey2.private 1024x768 ; Redirect to a file;
OpenSSL genrsa 1024-out/tmp/mykey2.private 1024x768 ; use out can also;
regular usage: ( usmak 077 openssl Genrsa 1024-out /path/mykey2.private 1024x768 ) guaranteed permission is 600
Span style= "font-family: ' Microsoft Yahei '; font-size:14px;" >
Present public key:
OpenSSL RSA In/path/from/private_key-pubout;
System Random number generator:
/dev/random: The random number is returned only from the entropy pool, and the random number is exhausted, and the block will occur;
/dev/urandom: The random number is returned from the entropy pool, the random number is exhausted, and the pseudo-random number is generated by the software, and is not blocked;
Pki:public key Infrastructure, public key infrastructure, mainly consists of the following four parts:
Visa agency: CA;
Registration authority: RA;
Certificate revocation list: CRL;
Certificate Access Library:
Self-built private CA;
The tools are OpenSSL and openca; here, for example, OpenSSL;
Build a private CA: Generate a self-visa book on the server that is configured as a CA, and provide the required directory files for the CA;
Generate the private key;
(umask 077;openssl Genrsa-out/etc/pki/ca/private/cakey.pem 4096)
OpenSSL req-new-x509-key/etc/pki/ca/private/cakey.pem-out/etc/pki/ca/cacert.pem-days 3655;;
If it is not from the visa book, do not add-x509;
-new: Generate a new certificate signing request;
-key: The private file path used to generate the request;
-x509: Generate a self-signed format certificate that is intended for use when creating a private CA;
-out: The generated request file path, if the self-signed operation will generate a signed certificate directly, no request this step;
-days: The valid duration of the certificate, the default unit day;
Finally, follow the prompts to fill in the relevant information can!
Mkdir-pv/etc/pki/ca{certs,crl,newcerts};
Touch/etc/pki/ca{serial,index.txt};
echo01 >/etc/pki/ca/serial;
Generate secret key:
Mkdir/etc/httpd/ssl
Cd/etc/httpd/ssl
(Umask 077;openssl Genrsa-out/etc/httpd/ssl/httpd.key 2048)
OpenSSL req-new-key http.key-out httpd.csr-days 365;
Fill in the relevant information;
and send the generated HTTPD.CSR to the previously created CA host; (using tools such as SCP)
OpenSSL ca-in/path/to/httpd.csr-out/etc/pki/ca/certs/httpd.crt-days 365;
The resulting certificate file is then sent to the requested server host;
Above.
Encryption and decryption Technology Foundation, PKI and self-built private CA
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
