Encryption algorithm and security authentication

Source: Internet
Author: User

Briefly:

Important data transmitted over the Internet must be kept secure, which requires four things:

1. Ensure that the data comes from the real source and not from someone else (source authentication)

2. Ensure that the data has not been tampered with during transmission (data integrity)

3. Ensure that others cannot read the data during transmission (data privacy)

4. Ensure that the data cannot be repudiated (non-repudiation)

Encryption algorithms

1. Symmetric encryption

Concept: encryption and decryption use the same secret key

Algorithms: DES, 3DES, AES, Blowfish, Twofish, IDEA, RC6, CAST5, etc.

Advantages: high efficiency; the data is split into fixed-size blocks that are encrypted one by one

Disadvantages: a secret key is required for each communication; transferring the key is unsafe; the source of the data cannot be determined

2. Asymmetric encryption

Public key and private key: the public key is publicly available to everyone. The public key can be derived from the private key, but the private key cannot be derived from the public key. Data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key must be decrypted with the public key.

Algorithms: RSA, DSA, ElGamal

Advantages and disadvantages: it can implement digital signatures to verify the data source, exchange symmetric keys securely, and encrypt data, but encrypting and decrypting large amounts of data is too inefficient, so it is suited to encrypting small amounts of data

3. One-way hash

Characteristics:

1) Avalanche effect: different data must produce very different digests

2) One-way: the original data cannot be derived from the digest

3) The digest has a fixed length

Algorithms: MD5 (128 bits), SHA-1 (160 bits), SHA-224, SHA-256, SHA-384, SHA-512

Function: used to verify the integrity of data

4. Key exchange algorithm (DH)

1) A and B agree on a public integer a and a large prime number p

2) A: generates private data x (x < p), computes a^x % p and sends it to B; B: generates private data y (y < p), computes a^y % p and sends it to A

3) A: computes [(a^y % p)^x] % p = a^(xy) % p, which becomes the key; B: computes [(a^x % p)^y] % p = a^(xy) % p, which becomes the key
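
The exchange in steps 1) to 3), as an added shell example that is not part of the original article. The toy prime, the base and the private values are constructed, and valid_public is an added check on received values that the steps above do not mention.

```shell
# Toy Diffie-Hellman run of steps 1)-3). Constructed values only:
# a 31-bit prime is trivially breakable; real groups use 2048+ bits.

# modpow BASE EXP MOD: square-and-multiply, prints BASE^EXP % MOD.
# MOD must stay below 2^31 so products fit in 64-bit shell arithmetic.
modpow() {
    _b=$(( $1 % $3 )); _e=$2; _r=1
    while [ "$_e" -gt 0 ]; do
        if [ $(( _e % 2 )) -eq 1 ]; then _r=$(( _r * _b % $3 )); fi
        _b=$(( _b * _b % $3 ))
        _e=$(( _e / 2 ))
    done
    echo "$_r"
}

# valid_public VALUE P: accept only 2 <= VALUE <= P-2. A peer that sends
# 0, 1 or P-1 would force the shared key into a set of at most two values.
valid_public() { [ "$1" -ge 2 ] && [ "$1" -le $(( $2 - 2 )) ]; }

p=2147483647      # step 1: public prime (2^31 - 1)
a=7               # step 1: public integer
x=123456789       # step 2: A's private value, never sent
y=987654321       # step 2: B's private value, never sent

A_pub=$(modpow "$a" "$x" "$p")    # sent from A to B
B_pub=$(modpow "$a" "$y" "$p")    # sent from B to A

if valid_public "$A_pub" "$p" && valid_public "$B_pub" "$p"; then
    key_A=$(modpow "$B_pub" "$x" "$p")   # step 3 on A's side
    key_B=$(modpow "$A_pub" "$y" "$p")   # step 3 on B's side
    echo "on the wire: a=$a p=$p A_pub=$A_pub B_pub=$B_pub"
    echo "A derives $key_A, B derives $key_B"
else
    echo "rejected degenerate public value" >&2
fi
```

Only a, p and the two public values cross the network; x, y and the derived key never do.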

5. The secure communication process:

Alice:

1) Run the original data through a hash algorithm to obtain a digest;

2) Encrypt the digest with Alice's private key;

3) Encrypt the encrypted digest together with the original data using a symmetric secret key;

4) Encrypt the symmetric secret key with Bob's public key;

5) Send the ciphertext ---->

Bob:

1) <---- Receive the ciphertext;

2) Use Bob's private key to decrypt the symmetric secret key;

3) Decrypt the original data and the encrypted digest using the symmetric secret key;

4) Decrypt the digest using Alice's public key;

5) Compute the hash digest of the original data and compare it with the decrypted digest to determine the integrity of the original data.
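
The Alice and Bob steps above, run with the openssl command line as an added example that is not part of the original article. The cipher (AES-256-CBC with PBKDF2), the OAEP padding, the tar bundling, the third key owner mallory and all file names are choices made for this example.

```shell
# Alice -> Bob flow with the openssl CLI (needs OpenSSL 1.1.1+ for -pbkdf2).
# Names, paths and the message are constructed for this example.
w=$(mktemp -d)

gen_keys() {    # $1 = owner; writes $w/$1.key (private) and $w/$1.pub
    openssl genrsa -out "$w/$1.key" 2048 2>/dev/null
    openssl rsa -in "$w/$1.key" -pubout -out "$w/$1.pub" 2>/dev/null
}

send() {        # $1 = signer, $2 = plaintext file -> $w/msg.enc + $w/key.enc
    cp "$2" "$w/msg.txt"
    # Alice 1-2: hash the data and sign the digest with the signer's private key
    openssl dgst -sha256 -sign "$w/$1.key" -out "$w/msg.sig" "$w/msg.txt"
    # Alice 3: encrypt data + signed digest under a fresh symmetric key
    openssl rand -hex 32 > "$w/sym.key"
    tar -C "$w" -cf "$w/bundle.tar" msg.txt msg.sig
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$w/sym.key" \
        -in "$w/bundle.tar" -out "$w/msg.enc"
    # Alice 4: encrypt the symmetric key with Bob's public key
    openssl pkeyutl -encrypt -pubin -inkey "$w/bob.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$w/sym.key" -out "$w/key.enc"
    rm -f "$w/sym.key" "$w/bundle.tar" "$w/msg.txt" "$w/msg.sig"
}

receive() {     # exit status 0 only if the digest verifies under alice.pub
    rm -rf "$w/bob"; mkdir "$w/bob"
    # Bob 2: recover the symmetric key with Bob's private key
    openssl pkeyutl -decrypt -inkey "$w/bob.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$w/key.enc" -out "$w/bob/sym.key" &&
    # Bob 3: decrypt the data and the signed digest
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$w/bob/sym.key" \
        -in "$w/msg.enc" -out "$w/bob/bundle.tar" &&
    tar -C "$w/bob" -xf "$w/bob/bundle.tar" &&
    # Bob 4-5: recompute the hash and check it against the signed digest
    openssl dgst -sha256 -verify "$w/alice.pub" -signature "$w/bob/msg.sig" \
        "$w/bob/msg.txt" >/dev/null
}

for who in alice bob mallory; do gen_keys "$who"; done
echo "wire 100 to account 42" > "$w/plain.txt"
send alice "$w/plain.txt" && receive && echo "accepted: signed by Alice"
send mallory "$w/plain.txt"; receive || echo "rejected: not signed by Alice"
```

The second run decrypts cleanly, because anyone can encrypt to Bob's public key; only the signature check in Bob's steps 4 and 5 shows that the data did not come from Alice.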

CAs and certificates

A digital certificate certification authority (Certificate Authority, abbreviated as CA), also known as an e-commerce certification center or e-commerce certification authority, is the authoritative body responsible for issuing and managing digital certificates. As a trusted third party in e-commerce transactions, it is responsible for verifying the legitimacy of public keys in the public key system.

PKI: public key infrastructure, including certificate authorities (CAs), registration authorities (RAs), certificate revocation lists (CRLs), and certificate repositories.

X.509: defines the structure of a certificate and the standard for the authentication protocol, including the version number, serial number, signature algorithm, issuer, validity period, subject name, subject public key, CRL distribution point, extension information, issuer signature, and other information.

CAs are divided into root CAs and subordinate CAs. The root CA's certificate is self-signed; the root CA then issues certificates to subordinate CAs, and a user trusts a certificate issued by a subordinate CA as long as that CA's certificate is trusted by the root CA.

Related configuration file: /etc/pki/tls/openssl.cnf

####################################################################
[ ca ]
default_ca      = CA_default            # default CA; several CAs can be built on one server

[ CA_default ]                          # configuration of the default CA
dir             = /etc/pki/CA           # working directory
certs           = $dir/certs            # where certificates are stored
crl_dir         = $dir/crl              # where certificate revocation lists are stored
database        = $dir/index.txt        # database index file; must be created manually
new_certs_dir   = $dir/newcerts         # path for new certificates
certificate     = $dir/cacert.pem       # the CA's certificate file
serial          = $dir/serial           # serial number of the next certificate to issue, hexadecimal
crlnumber       = $dir/crlnumber        # serial number of the next certificate to revoke
crl             = $dir/crl.pem          # certificate revocation list
private_key     = $dir/private/cakey.pem # the CA's private key file
RANDFILE        = $dir/private/.rand    # random number file used when generating private keys

default_days    = 365                   # default validity period of issued certificates
default_crl_days = 30                   # publish the certificate revocation list every 30 days
default_md      = sha256                #
preserve        = no                    #
policy          = policy_match          # policy matching; defines the information-matching policy between client and server when a certificate is requested

[ policy_match ]
countryName             = match         # must match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional      # not required to match
commonName              = supplied      # must be supplied
emailAddress            = optional

Example: Building a private CA

Server-side setup:

1. Generate the private key of the CA

# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)

2. Generate the self-signed certificate

# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.test.com
Email Address []:
    • -new: generate a new certificate signing request
    • -x509: used by a CA to generate a self-signed certificate
    • -key: the private key file used to generate the request
    • -days N: validity period of the certificate in days; the default is 365 days
    • -out /path/to/somecertfile: path where the certificate is saved

3. Create the necessary files

# touch /etc/pki/CA/index.txt
# echo 01 > /etc/pki/CA/serial
# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text [-subject | -issuer | -dates]    # view certificate information

Client side, generating a certificate request:

1. Generate the private key

# (umask 077; openssl genrsa -out app.key 1024)

2. Generate a signing request

# openssl req -new -key app.key -out app.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app.test.com
Email Address []:
A challenge password []:
An optional company name []:

3. Send the signing request to the CA

# scp app.csr 192.168.0.7:/etc/pki/CA/

Server-side signing:

1. Sign and issue the certificate

# openssl ca -in /etc/pki/CA/app.csr -out /etc/pki/CA/certs/app.crt -days 100

2. Send the signed certificate back to the client

# scp /etc/pki/CA/certs/app.crt 192.168.0.6:/root

Managing certificate revocation on the CA

Generate the revocation list

# echo 01 > /etc/pki/CA/crlnumber
# openssl ca -gencrl -out crl.pem

View the revocation list

# openssl crl -in crl.pem -noout -text

View certificate status

# cat index.txt
V (normal certificate) 180826054533Z 01 unknown /C=CN/ST=bj/O=test/OU=it/CN=www.test.com
# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V) (normal certificate)

Revoke a certificate

# openssl ca -revoke newcerts/01.pem
# cat index.txt
R (has been revoked) 180826054533Z 180518060712Z 01 unknown /C=CN/ST=bj/O=test/OU=it/CN=www.test.com
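
The private CA procedure and the revocation steps above, run end to end as an added example that is not part of the original article. It works in a temporary directory with a trimmed, constructed config instead of /etc/pki/tls/openssl.cnf, uses -subj and -batch in place of the interactive prompts and 2048-bit keys to keep the run short; ssl and cert_ok are helper names introduced here.

```shell
# Private CA walk-through in a scratch directory standing in for /etc/pki/CA.
# Subjects and file names follow the article; the trimmed config is constructed.
ca=$(mktemp -d); mkdir "$ca/private" "$ca/certs" "$ca/newcerts"
cat > "$ca/ca.cnf" <<EOF
[ca]
default_ca = CA_default
[CA_default]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
default_crl_days = 30
default_md = sha256
policy = policy_match
[policy_match]
countryName = match
organizationName = match
commonName = supplied
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
ssl() { openssl "$@" 2>/dev/null; }    # hide progress chatter

# CA side: private key, self-signed certificate, database files
(umask 077; ssl genrsa -out "$ca/private/cakey.pem" 2048)
ssl req -new -x509 -config "$ca/ca.cnf" -key "$ca/private/cakey.pem" \
    -out "$ca/cacert.pem" -days 3650 -subj "/C=CN/O=test/CN=ca.test.com"
touch "$ca/index.txt"; echo 01 > "$ca/serial"; echo 01 > "$ca/crlnumber"
# Client side: key and signing request; CA side: sign and issue
ssl genrsa -out "$ca/app.key" 2048
ssl req -new -config "$ca/ca.cnf" -key "$ca/app.key" -out "$ca/app.csr" \
    -subj "/C=CN/O=test/CN=app.test.com"
ssl ca -batch -config "$ca/ca.cnf" -in "$ca/app.csr" \
    -out "$ca/certs/app.crt" -days 100

# cert_ok FILE: regenerate the CRL, then require a valid chain AND no revocation
cert_ok() {
    ssl ca -config "$ca/ca.cnf" -gencrl -out "$ca/crl.pem" &&
    ssl verify -CAfile "$ca/cacert.pem" -CRLfile "$ca/crl.pem" -crl_check "$1" >/dev/null
}
cert_ok "$ca/certs/app.crt" && echo "app.crt: valid"
ssl ca -config "$ca/ca.cnf" -revoke "$ca/newcerts/01.pem"
cert_ok "$ca/certs/app.crt" || echo "app.crt: rejected after revocation"
```

A verifier that omits -crl_check still accepts the revoked certificate, because the CA's signature on it remains valid; revocation only takes effect where the current CRL is actually consulted.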
Management tools

gpg: GnuPG

    • -c file: encrypt a file
    • -o file -d file.gpg: decrypt a file
    • --gen-key: generate an asymmetric key pair
    • --list-keys: view the existing public keys
    • -e -r keyname file: encrypt a file with the specified public key
    • --import filename.pubkey: import a public key
    • -a --export -o filename.pubkey: export the public key
    • --delete-secret-keys keyname: delete a private key
    • --delete-keys keyname: delete a public key
# rngd -r /dev/urandom  # provide random numbers for generating keys

OpenSSL:

Multi-purpose tool set

OpenSSL is an open source project consisting mainly of three components:

    • openssl: multi-purpose command-line tool
    • libcrypto: cryptographic algorithm library
    • libssl: cryptographic module application library that implements SSL and TLS

OpenSSL can be used for key and certificate management, symmetric encryption, and asymmetric encryption.

The standard command for symmetric encryption is enc. Common options:

    • -in filename: path of the file to encrypt
    • -out filename: path of the encrypted output file
    • -salt: automatically insert a random number as salt when encrypting the file content; default option
    • -e: a cryptographic algorithm can be specified; if none is given, the default algorithm is used
    • -d: decrypt; an algorithm can also be specified, and if none is given the default algorithm is used, but it must match the algorithm used for encryption
    • -a / -base64: use the Base64 encoding format

The standard command for generating random numbers is rand. Common options:

    • -out file: save the generated random number to the specified file
    • -base64: use the Base64 encoding format
    • -hex: use the hexadecimal encoding format
