Encryption, decryption, and OpenSSL private CA
I. Common Algorithms
Common encryption algorithms and protocols include symmetric encryption, asymmetric encryption, and one-way encryption.
1. symmetric encryption: one key is used for encryption and decryption. algorithms can be made public and keys cannot be public, because encryption relies on keys. Security depends on keys rather than algorithms;
Common algorithms:
DES (Data Encryption Standard, 56 bits), 3DES, AES (Advanced EncryptionStandard), Blowfish, Towfisk, IDEA, RC6, CASTS
Features:
1. Use the same key for encryption and decryption
2. Separate plain text into fixed blocks and encrypt them one by one;
Defects:
1. Too many keys;
2. Key distribution;
2. asymmetric encryption: public key encryption
Password pair: the private key (secret key) and public key (public key); the private key can only be used by individuals; the public key is public to all;
The public key and private key do not appear in pairs when they are created, while the Public Key is extracted from the private key. When creating a public key, you only need to create a private key and use a tool from the private key, extract the public key from the private key.
Working features: data encrypted with the public key can only be decrypted using the private key pair with the public key, and vice versa.
Usage:
1. Identity Authentication: If the private key owner decrypts the data encrypted with its own private key, the owner can authenticate the data. Private Key Encryption cannot ensure data security, only used for identity authentication;
2. Password exchange: Before communication, the communication party obtains the public key of the other party, generates an encrypted password (symmetric encryption password), encrypts it with the public key of the other party, and sends it to the other party;
3. Data Encryption:
Why not use asymmetric encryption to encrypt data? Asymmetric encryption is 10 ^ 3 times slower than symmetric encryption. symmetric encryption is used to encrypt data and asymmetric encryption is used to encrypt symmetric encryption keys.
Common algorithms:
RSA, DSA, ELGamal
Features:
1. The key length is large, for example, 512 bits, 2048,4096 bits
2. encryption and decryption respectively use the key pair;
3. It is often used for digital signatures and key exchange;
3. unidirectional encryption
The data signature is proposed. Each data has a unique feature code, which is heavily dependent on algorithms.
Features:
1. fixed-length output: No matter how big the original data is, the encryption results have the same length;
2. avalanche effect; minor changes to raw data will lead to huge changes in results;
3. irreversible;
Algorithm:
MD5, SHA1, SHA256, SHA384, and SHA512
One-way encryption has been run in the username and password encryption/etc/shadow file in the CentOS operating system, where MD5 running in CentOS 5 and SHA512 running in CentOS 6.
Use: Data Integrity
Ii. encrypted and decrypted communication process
Iii. Digital Certificate Format (x.509 v3 ):
Version)
Serial number (serial number): an integer. The CA uses a unique number to identify the certificate;
Signature algorithmidentifier
Issuer name: the name of the CA.
Validity Period: two dates: start date and end date;
Certificate subject name: name of the certificate owner
Certificate subject Public Key Information: The certificate owner's own public key
Unique issuer ID: (optional)
Unique ID of the certificate subject: (optional) digital ID of the certificate owner
Extended information:
Signature: CA digitally signs the certificate to verify that the certificate is issued by itself.
Iv. https
Three handshakes are performed between the client and the server. ssl is also implemented based on TCP. After three handshakes, the client requests a certificate from the server, and the server sends the certificate to the client, at this time, the client obtains the Certificate for verification. First, use the locally saved root certificate to find the CA to give the certificate a bookmark. Therefore, if there is a local CA certificate, we trust this certificate, then, use CA to decrypt the digital signature in the certificate. The decryption result indicates that the certificate was issued by CA. The decryption result is a signature, and then the certificate signature is calculated using the same one-way encryption algorithm, after comparison, the results are the same, indicating that the certificate is reliable, otherwise the certificate is not reliable. The domain name (FQDN) accessed during verification must be consistent with the subject in the certificate, otherwise, the client will think that it is not the server certificate, and it will be valid for verification;
If all of the above are valid, extract the public key information of the other party from the certificate, and both parties start to establish negotiation. Which symmetric encryption algorithm is used by both parties and which one-way encryption algorithm is used, which public key encryption algorithm is used. Then, the client generates a temporary encryption key and uses the public key of the other party to encrypt the key and sends it to the server. Therefore, the server has obtained the page of the client access request, after the page is sent to the client through symmetric encryption, the client can display the page in the browser with the private key for decryption;
Step 1: Verify the certificate subject, validity period, and whether the certificate revocation list is medium;
Step 2: extract the peer's public key information from the certificate;
Step 3: generate a symmetric encryption key and use the public key of the other party to encrypt the key and send it to the server;
Step 4: The server uses the private key to decrypt the ciphertext;
Step 5: Use the symmetric encryption key to encrypt the client request page and send it to the client;
Step 6: the client uses the symmetric encryption key to decrypt the request page and displays the page in the browser;
Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.
Use OpenSSL to sign multi-domain certificates
For more details, please continue to read the highlights on the next page: