Graphic SSL and encryption and decryption
1. SSL Principle
Secure Sockets Layer (Secure Socket Layer) is located between TCP/IP and various application Layer protocols, providing security support for data communication. It is used to ensure the security of data transmission over the Internet. Data Encryption technology ensures that data is not intercepted or eavesdropped during network transmission.
2. SSL session Process
SSL sessions are divided into three steps:
1. The client requests and verifies the certificate from the server;
2. Both parties negotiate to generate a "session key ".
3. Both parties adopt the "session key" for encrypted communication;
3. encryption algorithms and protocols
3.1 symmetric encryption
The same key is used for encryption and decryption.
Common encryption algorithms:
DES, 3DES, AES, Blowfish, Twofish, IDEA, RC6, and CAST5
Features:
1. The same key is used for encryption and decryption;
2. Split the original data into blocks of a fixed size and encrypt them one by one;
Defects:
1. Too many keys;
2. Difficulty in key distribution;
3.2 public key encryption
Keys are classified into public and private keys.
Public Key: extracted and generated from the private key; can be made public to everyone;
Private Key: It is created using tools and kept by the user. The private key must be kept confidential;
Features: data encrypted with the public key can only be decrypted using the private key of the matching child; and vice versa;
Purpose:
Digital Signature: allows the recipient to confirm the sender's identity;
Key Exchange: the sender encrypts a symmetric key with the other party's public key and sends it to the other party;
Data Encryption:
3.3 unidirectional encryption
Data fingerprint extraction (pattern); only encrypted, not decrypted;
Common algorithms: md5 and sha1
Features: fixed-length output and avalanche effect;
Function: integrity;
3.4 Key Exchange
IKE (Internet Key Exchange)
1. Public Key Encryption
2. DH (maid)
4. PKI
PKI is the abbreviation of Public Key Infrastructure. It is translated as a Public Key Infrastructure; PKI is a standard technology and specification that uses public key encryption technology to provide a security basic platform for the development of e-commerce.
The Public Key Infrastructure mainly includes the following four:
Visa authority: CA
Registry: RA
Certificate Revocation List: CRL
Certificate access library
5. openssl commands
Openssl has many sub-commands, which can be divided into three types:
1. Standard Commands
2. Message Digest command (dgst subcommand)
3. Encryption command (enc subcommand)
5.1 symmetric encryption
Encryption: ~] # Openssl enc-e-des3-a-salt-in fstab-out fstab. ciphertext
Decryption: ~] # Openssl enc-d-des3-a-salt-out fstab-in fstab. ciphertext
5.2 unidirectional encryption
~] # Openssl dgst-md5/PATH/TO/SOMEFILE
5.3 generate User Password
~] # Openssl passwd-1-salt $ (openssl rand-hex 5)
5.4 generate random number
~] # Openssl rand-hex NUM
~] # Openssl rand-base64 NUM
5.5 public key encryption
Generate private key: ~] # (Umask 077; openssl genrsa-out/PATH/TO/PRIVATE_KEY_FILE NUM_BITS)
Extract Public Key: ~] # Openssl rsa-in/PATH/FROM/PRIVATE_KEY_FILE-pubout
6. Build a private CA
1. Generate a private key on the CA Server
[Root @ ch sysroot] # (umask 077; openssl genrsa-out/etc/pki/CA/private/cakey. pem4096)
2. generate self-signed documents
[Root @ ch sysroot] # openssl req-new-x509-key/etc/pki/CA/private/cakey. pem-out/etc/pki/CA/cacert. pem-days 365
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: Beijing
Locality Name (eg, city) [Default City]: Beijing
Organization Name (eg, company) [Default Company Ltd]: CH
Organizational Unit Name (eg, section) []: Ops
Common Name (eg, your name or your server's hostname) []: ch
Email Address []:
3. Provide required directories and files for CA
123 [root @ ch sysroot] # mkdir-pv/etc/pki/CA/{certs, crl, newcerts}
[Root @ ch sysroot] # touch/etc/pki/CA/{serial,index.txt}
[Root @ ch sysroot] # echo 01>/etc/pki/CA/serial
The preceding steps are performed on the CA server.
--------------------------------------------------------------------------------
The http server requests the CA to sign the certificate.
A. The host generates the Private Key
[Root @ localhost ~] # Mkdir/etc/httpd/ssl
[Root @ localhost ~] # Cd/etc/httpd/ssl
[Root @ localhost ssl] # (umask 077; openssl genrsa-out/etc/httpd/ssl/httpd. key 1028)
B. Generate a Certificate Signing Request
[Root @ localhost ssl] # openssl req-new-key/etc/httpd/ssl/httpd. key-out/etc/httpd/ssl/httpd. csr-days 365
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: Beijing
Locality Name (eg, city) [Default City]: Beijing
Organization Name (eg, company) [Default Company Ltd]: CH
Organizational Unit Name (eg, section) []: Ops
Common Name (eg, your name or your server's hostname) []: www.test.com
Email Address []:
Please enter the following 'extra 'attributes
To be sent with your certificate request
A challenge password []:
An optional company name []:
C. Send requests reliably to the CA Server
[Root @ localhost ssl] # scp httpd. csr root@172.18.20.4:/tmp/
The preceding operations are performed on the http server.
--------------------------------------------------------------------------------
4. Sign the certificate on the CA Host
[Root @ ch tmp] # openssl ca-in/tmp/httpd. csr-out/etc/pki/CA/certs/httpd. crt-days 365
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 26 04:17:02 2016 GMT
Not After: Mar 26 04:17:02 2017 GMT
Subject:
CountryName = CN
StateOrProvinceName = Beijing
OrganizationName = CH
OrganizationalUnitName = Ops
CommonName = www.test.com
Certificate is to be certified until Mar 26 04:17:02 2017 GMT (365 days)
Sign the certificate? [Y/n]: y
1 out of 1 certificate requests certified, commit? [Y/n] y
Write out database with 1 new entries
Data Base Updated
5. View information in the certificate
[Root @ ch tmp] # openssl x509-in/etc/pki/CA/certs/httpd. crt-noout-serial-subject
Serial = 01
Subject =/C = CN/ST = Beijing/O = CH/OU = Ops/CN = www.test.com
--------------------------------------------------------------------------------
If the private key of the http service is lost, we need to revoke the certificate.
(A). The client obtains the serial of the certificate to be revoked
[Root @ localhost ssl] # openssl x509-in/etc/pki/CA/certs/httpd. crt-noout-serial-subject
Serial = 01
Subject =/C = CN/ST = Beijing/O = CH/OU = Ops/CN = CH
(22.16.ca serithe serialand subjectinformation provided by the customer, and compare it with the stored in the local data warehouse index.txt
[Root @ ch tmp] # cd/etc/pki/CA/
[Root @ ch CA] # cat index.txt
V 170326010902z 01 unknown/C = CN/ST = Beijing/O = CH/OU = Ops/CN = www.test.com
(3). CA Server Certificate Revocation
[Root @ ch CA] # openssl ca-revoke/etc/pki/CA/newcerts/01.pem
Using configuration from/etc/pki/tls/openssl. cnf
Revoking Certificate 01.
Data Base Updated
(4). Generate the revocation Number of the revocation certificate (only when the certificate is revoked for the first time)
[Root @ ch CA] # echo 01>/etc/pki/CA/crlnumber
(5). Update the Certificate Revocation List
[Root @ ch CA] # openssl ca-gencrl-out/etc/pki/CA/httpd. crl
View crl files
[Root @ ch CA] # openssl crl-in httpd. crl-noout-text
This article permanently updates the link address: