Encryption, decryption, and OpenSSL establishing a private CA

Source: Internet
Author: User
Tags openssl enc openssl rsa openssl x509

I. Introduction of OpenSSL
OpenSSL is a powerful Secure Sockets Layer cipher library that includes key cryptographic algorithms, common
The key and certificate encapsulation management features and SSL protocol, and provides a rich application for testing or other purposes to use.
The Ssl:secure socket layer Secure Sockets protocol can provide covert transmission over the Internet.

Second, encryption algorithm
Classification of cryptographic algorithms: symmetric, public key, and one-way encryption
1. Symmetric encryption:
Encryption and decryption with the same key, security depends on the key, not the algorithm.
(1) algorithm:
Des:data Encryption Standard, data encryption standards, 56bits
3des:des Enhanced Edition
aes:advanced encrption Standard Advanced Encryption Standards (128BITS,192,256,382,512,)
The number of encryption bits can be chosen by oneself, common algorithm
Blowfish
Twofish
Tdea
Rc6
Casts
(2) Features
1) Same key
2) separate plaintext into blocks of fixed size, encrypted one by one
(3) Defects
1) Too many keys
2) Key Distribution
2. Public Key cryptography:
(1) Private key and public key
Private key: Secret key, only allowed for personal use
Public keys: Public key, publicly available to everyone
The public key is extracted from the private key, and data encrypted with the public key can only be decrypted using the private key paired with this public key pair
(2) Use:
1) Identity authentication: The private key owner uses its own private key to encrypt the data, as long as its public key can be decrypted, can authenticate its identity;
2) Key exchange: Before communicating with the communication party, first obtain the other party's public key, generate an encrypted password, with the other party's public key encryption, and sent to each other;
3) Data encryption:
(3) algorithm:
Rsa
Dsa
ELGamal
(4) Features
1) Large key length, 512,2048
2) encryption and decryption are used relative to the keys in the key pair, respectively.
3) for data signing and key exchange
3, one-way encryption:
Extracting signatures for data
(1) Features
1) fixed-length output, regardless of the original data size, the same length of encryption
2) Avalanche effect: Small changes in raw data, resulting in huge changes in results
3) Non-reversible
(2) algorithm:
Md5:128bit
SHA1 160
sha256
sha384
sha512
(3) Use:
Data integrity
4, one time encryption communication process
Sent by:
(1) Extracting the data characteristic code
(2) Private key encryption feature code
(3) Generate a temporary key
(4) Temporary key encryption data and encrypted signatures
(5) Encrypt the temporary key using the receiver's public key, appended to the data
Receiving Party:
(1) Decryption with private key to obtain temporary key
(2) Decrypt data and signatures using temporary keys
(3) Decrypting the signature with the other's public key
(4) Calculation of signature, compared with decryption

Third, digital certificate
1, the definition of digital certificate:
Digital certificate: A string of numbers that mark the identity of the communication parties in Internet communications, providing a
How to verify the identity of a communication entity on the Internet, digital certificates are not digital * * *, but identity authentication
The body is covered by a chapter or seal on the number * * *.
It is made by an authority--CA agency, also known as Certificate Authority (Certificate authority)
Center, people can use it on the Internet to identify each other's identities.
2, the format of digital certificates and users
(1) Format of digital certificate (+/-):
Version number (versions)
Serial #: (serial number): CA used to uniquely identify a certificate
Signature Algorithm flags (Signature algorithm identifier)
Publisher name: The name of the CA itself
Valid certificate Principal Name: Name of the owner of the certificate
Certificate Style Public key information: Certificate owner's own public key
Issuer's unique identity
Unique identity of the certificate Principal
Extended information
Signature: The CA's digital signature for this certificate
(2) Certificates usually have two types of uses
User Certificate
Host certificate (HTTPD)
3, the certificate of revocation linked list:
The name of the algorithm-->CA--and this time--and the next update date--user certificate serial number, revocation date-->ca digital signature
4. How to obtain a certificate:
(1) Apply to RA Registration
(2) establishing a private CA

Four, OpenSSL encryption and decryption:
1. The components of OpenSSL
Libcrypto: Encrypt and Decrypt library files
LIBSSL:SSL Protocol Implementation
OpenSSL: Multi-purpose command-line tools, each using a dedicated sub-command to implement
2. Symmetric encryption
Tool: OpenSSL ENC
Algorithm: Des,3des,aes
OpenSSL enc-e-ciphername-a salt-in/path/from/somefile-out/path/to/file
OpenSSL enc-d-ciphername-a salt-in/path/from/somefile-out/path/to/file
#cp/etc/fstab./
#openssl enc-e-des3-a-salt-in fstab-out fstab.des3
#openssl enc-d-des3-a-salt-in fstab.des3-out fstab
3. Public key encryption
Tool: Gpg,openssl Rsautl
Digital Signature: Rsa,dsa,elgamal
Dsa:digital Signature Algorithm Digital Signature algorithm
Dss:digital Signature Standard digital signature standards
Operation procedure: Generate the private key, extract the public key from the private key
(1) Generate private key:
OpenSSL genrsa-out keyfile num_bits
#openssl Genrsa-out TestKey 2048
(umask 077;openssl genrsa-out key_file num_bits)
# (Umask 077;openssl genrsa-out testkey 2048)
Note: the command Plus () will run in the child shell and modify the default generate private key permissions
(2) Extracting the public key
#openssl rsa-in Key_file-pubout
#openssl rsa-in Testkey-pubout
4. One-way encryption
Algorithm: MD5,SHA1
Tool: OpenSSL dgst,md2sum,sha1sum
OpenSSL dgst-cipher/path/to/somefile ...
#openssl DGST-MD5 Fstab
#md5sum Fstab
5. Generate User password:
OpenSSL passwd-1-salt 8bits random number-1 means encrypted with MD5
#openssl passwd-1-salt 12345678
6. Generate Random Numbers
OpenSSL rand-hex|-base64 NUM
#openssl passwd-1-salt $ (OpenSSL Rand-hex 4)
Openssl
7. Random number generator
Random,urandom
Entropy pool: Saves random numbers generated by hardware interrupts
/dev/random only returns from the entropy pool, and when the entropy pool is exhausted, the process is blocked
/dev/urandom take random numbers, and when the entropy pool is exhausted, let the generator generate random numbers

V. Building a private CA
Configuration file:/etc/pki/tls/openssl.conf
Working directory:/etc/pki/ca/
1. Establish a private CA:
(1) Generate private key file/etc/pki/ca/private/cakey.pem
#cd/etc/pki/ca
# (Umask 077;openssl GENRSA-OUT/ETC/PKI/CA/PRIVATE/CAKEY.PEM 2048)
(2) Generate self-signed certificate
#openssl Req-new-x509-key/etc/pki/ca/private/cakey.pem-out/etc/pki/ca/cacert.pem-days 3650
-new: Generate a new certificate signing request
-key private key file path for extracting the public key
-days N: Effective duration, days
-out: Output File Save location
-x509: Direct output of self-signed certificate files, only when building CAs
(3) providing supporting documents
#cd/etc/pki/ca
#touch/etc/pki/ca/index.txt
#echo >/etc/pki/ca/serial
2, to the node issued a certificate
(1) Node request certificate
1) Generate private key
#cd/etc/httpd
#mkdir SSL
# (Umask 077;openssl genrsa-out httpd.key 1024)
2) Generate Certificate signing request
#openssl Req-new-key httpd.key-out HTTPD.CSR
Attention:
A) Where the subject Information section is consistent with the CA
b) Common name to use this host in communication using the name
3) Send the request to the CA
(2) CA Issue Certificate
1) The information of the person who is verifying the request
2) Signing certificate
OpenSSL ca-in csr_file-out crt_file-days N
#openssl Ca-in/etc/httpd/ssl/http.csr-out/etc/httpd/ssl/httpd.crt-days 3650
3) Send the signed certificate back to the requester.
3. Revocation of certificates:
(1) Get the serial number of the revoked certificate
OpenSSL x509-in Crt_file-noout-serial-subject
#openssl X509-in/etc/httpd/ssl/httpd.crt-noout-serial-subject
(2) Implementing certificate revocation
1) revoking the certificate
#openssl Ca-revoke Crt_file
2) Generate Revocation certificate number
#echo >/etc/pkie/ca/crlnumber
3) Update the certificate revocation List
#openssl Crl-gencrl-out SCA.CRL

This article is from the "Linux class notes" blog, so be sure to keep this source http://linuxkingdom.blog.51cto.com/6334977/1636696

Encryption, decryption, and OpenSSL establishing a private CA

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.