PKI fundamentals and experiments based on Cisco IOS


Transmitting plaintext data over a network is insecure. To secure data in transit, the following properties need to be considered:

Privacy: Data privacy means encrypting the data with an encryption algorithm, so that even if the data is intercepted, the interceptor cannot tell what it contains.

Integrity: Data integrity ensures that data is not tampered with during transmission. Integrity is verified with hash functions.

Source authentication: Source authentication verifies who sent the data and ensures that the sender is legitimate. It is achieved with HMAC or digital signatures.

Non-repudiation: Non-repudiation ensures that senders cannot deny having sent the data or deny its content. It is achieved with digital signatures.


Hash function:

A hash function is used to verify the integrity of data. Common hash functions are MD5 and SHA. Their features are as follows:

1. Variable-length input, fixed-length output. Regardless of the size of the original data, the hash value has a fixed length: 128 bits for MD5 and 160 bits for SHA-1. You can test this yourself with an MD5 tool in a shell.

2. Avalanche effect: if even one bit of the original data changes, the resulting hash value is different.

3. One-way: hashing is not encryption. The hash value can be computed from the original data, but the original data cannot be computed from the hash value.

4. Collision avoidance: almost no two files have the same hash value, so the hash value uniquely identifies the data.


How are hash functions used for integrity checking?

The sender first computes a hash of the data to be sent, giving hash value A, and then sends the data together with hash value A to the receiver. The receiver computes a hash of the received data, giving hash value B, and compares the received hash value A with the computed hash value B. If they are the same, the data is intact and has not been tampered with. (This is only a simplified description; the actual process is not this simple, and the remaining issues are explained later.)
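
The check described above, as an added Python example (not from the original article): it confirms the fixed output lengths and the avalanche effect, then shows one of the issues the text defers, namely that a bare hash sent alongside the data can be recomputed by anyone who alters the data, whereas the HMAC mentioned under source authentication cannot. The message, key and function names are constructed for illustration.

```python
import hashlib
import hmac

def digest_bits(name: str, data: bytes) -> int:
    """Output length in bits; it does not depend on len(data)."""
    return hashlib.new(name, data, usedforsecurity=False).digest_size * 8

def avalanche_bits(data: bytes) -> int:
    """Flip one input bit and count how many of the 256 output bits change."""
    flipped = bytes([data[0] ^ 1]) + data[1:]
    a, b = (hashlib.sha256(d).digest() for d in (data, flipped))
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def send_with_hash(data: bytes):
    """The scheme in the text: ship the data together with hash value A."""
    return data, hashlib.sha256(data).digest()

def check_hash(data: bytes, hash_a: bytes) -> bool:
    hash_b = hashlib.sha256(data).digest()          # receiver's hash value B
    return hmac.compare_digest(hash_a, hash_b)

def send_with_hmac(key: bytes, data: bytes):
    """Same packaging, but the tag depends on a key only the two ends hold."""
    return data, hmac.new(key, data, hashlib.sha256).digest()

def check_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest())

def rewrite_in_transit(data: bytes):
    """Constructed on-path change: alter the data, then recompute the
    unkeyed hash, which needs no secret."""
    altered = data.replace(b"100", b"900")
    return altered, hashlib.sha256(altered).digest()

# Constructed sample message and shared key.
MESSAGE = b"pay 100 to account 42"
KEY = b"constructed-shared-secret"

if __name__ == "__main__":
    print(digest_bits("md5", MESSAGE), digest_bits("sha1", b"x" * 10_000))
    print(avalanche_bits(MESSAGE), "of 256 bits changed")
    print("bare hash accepts altered data:",
          check_hash(*rewrite_in_transit(MESSAGE)))
    print("HMAC accepts altered data:",
          check_hmac(KEY, *rewrite_in_transit(MESSAGE)))
```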


Encryption:

Encryption is the process of converting data from plaintext to ciphertext. The sender encrypts the plaintext and transmits the ciphertext to the receiver, and the receiver decrypts it to recover the plaintext. Even if the data is intercepted in transit, the interceptor cannot see the real data, which keeps the data secure.

Encryption algorithms are divided into symmetric and asymmetric algorithms. A symmetric encryption algorithm uses the same key for encryption and decryption; common algorithms are DES, 3DES, and AES. With an asymmetric encryption algorithm, each device has a pair of keys, a public key and a private key: data encrypted with the public key is decrypted with the private key, and data encrypted with the private key is decrypted with the public key. Common algorithms are RSA, DH, and so on.

Note: The key described here is a random number generated by the device, not the password we usually type in. For example, the key length of DES is 56 bits and the key length of 3DES is 168 bits.


Symmetric encryption algorithm:

The advantages of symmetric encryption are that it is compact and fast. Data encrypted with a symmetric algorithm is almost the same size as the original data, only slightly larger. Symmetric algorithms also encrypt quickly; today's hardware can almost reach wire-speed forwarding. Symmetric encryption is therefore suitable for encrypting bulk data (that is, the real data to be transmitted).

The first disadvantage of symmetric encryption is that transferring the key is not secure. Suppose the sender wants to encrypt data for the receiver with DES. It first generates a 56-bit key, encrypts the plaintext with that key, and then sends the encrypted data together with the 56-bit key to the receiver. The receiver uses the key supplied by the sender to decrypt the ciphertext and recover the plaintext. In this process the data is encrypted but the key is not, which is no different from transmitting the data in plaintext.

The second disadvantage is that each device has to maintain too many keys. Every pair of devices shares one key, so 5 users need 5*(5-1)/2=10 keys, which makes the keys hard to manage and store. In addition, symmetric encryption algorithms do not support digital signatures. Therefore, symmetric encryption is not used on its own for the whole process.


Asymmetric encryption algorithm:

The defining feature of an asymmetric encryption algorithm is that data encrypted with one key must be decrypted with the other key: public-key encryption is undone by the private key, and private-key encryption is undone by the public key. Data encrypted with the public key cannot be decrypted with the public key, and data encrypted with the private key cannot be decrypted with the private key. Each participant first generates a key pair consisting of a public key and a private key. The private key is held only by its owner and stored in a secure place; the public key is distributed to others. Asymmetric encryption algorithms can be used both to encrypt data and to digitally sign data.


Both symmetric and asymmetric algorithms have advantages and disadvantages, so the solution is to combine them: use an asymmetric algorithm to encrypt the key generated for the symmetric algorithm, which keeps the key secure, and use the symmetric algorithm to encrypt the real data, which is compact and fast. This is the approach normally used in real environments.

That leaves one problem: how does the sender obtain the receiver's public key? This brings in today's protagonist, PKI. PKI is used to solve the problem of distributing public keys in large-scale deployments.


Digital signature:

Before digital signatures, consider ordinary signatures. In everyday life a signature is generally used so that information cannot be denied; contract negotiations, bank withdrawals, and so on all use the person's signature to prove that the event really took place. In network communication, digital signatures are commonly used to achieve non-repudiation, showing that the information really was sent.

The digital signature process is as follows. The sender, Zhang San, computes a hash of the data to be sent, giving hash value A, and then encrypts that hash with his private key. Encrypting with the private key is the signing step, and the result is called the digital signature. He then sends the data and the digital signature to the receiver. The receiver decrypts the digital signature with the sender's public key to recover hash value A, and hashes the received data to get hash value B. If hash value A equals hash value B, the data must have been sent by Zhang San, and Zhang San cannot deny having sent it. This is non-repudiation.


PKI (Public Key Infrastructure): PKI is a technical framework rather than one specific technology. It is the set of software and hardware measures introduced to issue certificates and support the large-scale deployment of public keys.

A CA (Certificate Authority) server is a server that issues certificates.

A certificate contains the public key of the device and the digital signature of the CA. Certificates can be divided into device certificates and personal certificates. A device certificate is requested for a router, switch, server, or personal PC and is tied to the device; common applications are VPN, 802.1X authentication, and so on. A personal certificate is tied to a user, such as the U-Shield used in online banking or the smart card (SmartCard) used for VPN.


The main contents of a digital certificate:

1. Personal information (Identity): name, company, department, and other information

2. Properties (Attributes):

3. Public key: the public key of the device or individual

4. CA digital signature (Signature): the CA's digital signature over the hash of the above information


The certificate server attests that a public key is associated with an entity, and limits the scope in which the certificate may be used. (Note: the public key is in cleartext.)
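
The signing flow from the digital signature section and the four certificate fields listed above, as an added Python sketch that is not from the original article: a toy CA signs the hash of the identity, attributes and public key, and a verifier compares hash A recovered from the signature with hash B computed over the fields. It assumes textbook RSA without padding, keys built from publicly known Mersenne primes, and a JSON field layout, all constructed for illustration and unsuitable for real use.

```python
import hashlib
import json

E = 65537  # public exponent

def make_keypair(p: int, q: int):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data: bytes) -> int:
    n, d = private
    return pow(digest(data), d, n)       # hash, then private-key operation

def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    hash_a = pow(signature, e, n)        # hash value A, recovered with the public key
    hash_b = digest(data)                # hash value B, computed by the receiver
    return hash_a == hash_b

def signed_fields(cert: dict) -> bytes:
    """Canonical bytes of items 1-3 (everything except the signature)."""
    body = {k: cert[k] for k in ("identity", "attributes", "public_key")}
    return json.dumps(body, sort_keys=True).encode()

def issue(ca_private, identity: dict, attributes: dict, subject_public) -> dict:
    cert = {"identity": identity, "attributes": attributes,
            "public_key": list(subject_public)}
    cert["signature"] = sign(ca_private, signed_fields(cert))   # item 4
    return cert

def check(ca_public, cert: dict) -> bool:
    return verify(ca_public, signed_fields(cert), cert["signature"])

# Constructed demo keys from public Mersenne primes: never use for real keys.
CA_PUBLIC, CA_PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)
ROUTER_PUBLIC, _ = make_keypair(2**107 - 1, 2**127 - 1)
OTHER_PUBLIC, _ = make_keypair(2**61 - 1, 2**89 - 1)

# Constructed certificate for a hypothetical device name.
CERT = issue(CA_PRIVATE, {"name": "r1.example.test", "company": "Example"},
             {"usage": "vpn"}, ROUTER_PUBLIC)

if __name__ == "__main__":
    print("genuine certificate:", check(CA_PUBLIC, CERT))
    swapped = dict(CERT, public_key=list(OTHER_PUBLIC))
    print("public key substituted:", check(CA_PUBLIC, swapped))
```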


PKI-related standards:

X.509v3: X.509v3 is an Internet PKI standard based on the hierarchical PKI model; it is the IETF standard for PKI.

X.500: A directory naming standard.

PEM encoding: PEM is a standard encoding format for certificate files.

SCEP: Simple Certificate Enrollment Protocol, mainly used by devices to request certificates online. It was originally Cisco-proprietary technology and was later made public. Its features are as follows:

1. Mainly used for online certificate requests

2. Technology primarily designed by Cisco

3. Industry standard for PKI certificate requests by VPN devices

4. Uses the HTTP protocol for transport

5. Supported by most VPN and CA vendors

6. Provides a simple and powerful certificate request method for VPN devices (VPN end users)

PKCS#7: The PKCS series are standards from RSA Security, not industry standards. PKCS#7 files use the extensions .p7b and .p7c. PKCS#7 is an enveloped-data standard; a PKCS#7 package can hold a user certificate and the root certificate of the issuing server.

PKCS#10: PKCS#10 is an encoding used to request certificates offline.

PKCS#12: Used to exchange public and private objects in a single file, which can contain certificates and the associated private keys. It provides an encryption mechanism, so the private key can be protected. Cisco prefers this format for holding PKI data. In NVRAM, Cisco recommends saving it with the extension .p12; Microsoft uses the extension .pfx.


Certificate server description:

There are two types of certificate servers. The first is a public certificate server, which issues certificates worldwide; most operating systems ship with its root certificate preinstalled. The advantage of a public certificate is that once issued it is trusted globally; the drawbacks are that it has to be paid for, the vetting is stricter, and the content and use of the certificate are restricted. The other type is a private certificate server. Its advantages are that it is free and its use is unrestricted; the drawback is that every entity that uses it needs to install the private certificate server's root certificate.


Registration Authority (RA) server description:

The main role of the RA is to take load off the CA; it is the CA's front-end agent.

Roles and functions of the RA:

1. Receive certificate requests

2. Verify the requester's identity


Trust relationships:

1. No trust relationship is needed between the requester and the RA, because the RA does not sign any certificates;

2. A trust relationship is required between the RA and the CA.


Storage of keys and certificates:

A typical system protects the private key with a password. Once a user unlocks the private key and it is loaded into memory, other users can steal the private key by reading that memory.

Using smart cards is more secure and flexible, because certificates are issued to users rather than to systems.


AnyConnect uses Microsoft's certificate store; IPsec VPN has its own certificate store location.

On Linux, each running program has its own storage location.

On Cisco IOS, certificates and keys are stored as files in NVRAM, not in flash; performing a password recovery operation deletes the private key.

On the ASA OS, certificates and keys are stored in flash as hidden files.


PKI processing steps

Step one: Synchronize time

Before deploying PKI, first make sure that the devices and hosts participating in the PKI system have synchronized clocks.

Step two: Deploy the certificate server

Step three: The client generates a key pair (public key, private key)

Step four: Verify the certificate server

Each entity needs to obtain the root certificate of the certificate server, which contains the certificate server's public key. After obtaining the root certificate, you can verify the certificate server offline by its fingerprint.

Step five: Request a personal certificate

Step six: Review and sign the certificate

Each certificate request is reviewed by the administrator, and the personal information and public key are digitally signed; the signed file is the digital certificate.

Step seven: Issue the digital certificate

The certificate server issues the personal certificate.
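
Step four's offline fingerprint check, as an added Python example (not from the original article or from Cisco): it decodes the PEM root certificate, hashes the DER bytes, and compares the full fingerprint with a value obtained over a separate trusted channel. The sample bytes are a constructed stand-in rather than a real certificate, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """A fingerprint is the hex digest of the certificate's DER bytes."""
    return hashlib.new(algorithm, pem_to_der(pem)).hexdigest()

def normalise(text: str) -> str:
    """Accept 'AA:BB:..', 'AABBCCDD EEFF0011 ..' or plain hex; reject the rest."""
    cleaned = re.sub(r"[\s:-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint is not hexadecimal")
    return cleaned

def root_is_trusted(pem: str, out_of_band: str, algorithm: str = "sha256") -> bool:
    """True only if the complete fingerprint matches the trusted value."""
    expected = normalise(out_of_band)
    actual = fingerprint(pem, algorithm)
    if len(expected) != len(actual):     # truncated value or wrong algorithm
        return False
    return hmac.compare_digest(actual, expected)

def grouped(hex_digest: str, size: int = 8) -> str:
    """Render a digest as space-separated upper-case groups."""
    parts = (hex_digest[i:i + size] for i in range(0, len(hex_digest), size))
    return " ".join(parts).upper()

# Constructed stand-in for a root certificate: arbitrary bytes, not a real
# X.509 structure; only the PEM wrapping and the hashing are exercised.
SAMPLE_DER = bytes(range(32, 160))
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    trusted = grouped(fingerprint(SAMPLE_PEM))   # as read from a trusted channel
    print(trusted)
    print("root accepted:", root_is_trusted(SAMPLE_PEM, trusted))
```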


This article is from the "Yang Sen's IT Road" blog; please be sure to keep this source: http://senyang.blog.51cto.com/3427514/1693488
