Encryption and decryption technology

Symmetric encryption: both parties use the same key to encrypt and decrypt, and encryption and decryption are very fast. The plaintext is first divided into data blocks, generally of the same size; if the last block cannot be the same size as the others, padding is added to it. Each data block is encrypted one by one, and the encrypted blocks are then sent to the other party. But how are the encrypted blocks processed? If each block is processed independently, each block can also be cracked independently by the other side, so this way of encrypting does not help resist cracking.

For the encrypted data blocks there are two methods:

ECB: each block is encrypted separately, and each block is sent as soon as it has been encrypted.

CBC: cipher block chaining, implemented with the XOR operation. Each data block is XORed with the previous data block before it is sent to the other party, and the result is what gets sent, so obtaining the first block alone is useless. Even the first block is XORed with a random number. The biggest benefit of XOR is that applying the operation twice restores the original data.

Algorithms:

DES: Data Encryption Standard, uses a 56-bit key length
AES: Advanced Encryption Standard, can use keys of three lengths: 128, 192 and 256 bits
3DES: the original DES encryption applied three times
Blowfish
Twofish
RC6
IDEA
CAST5

Defects:

1. A person has to keep too many passwords (keys) when communicating with many parties.
2. Key distribution is difficult. This is the biggest problem: there is no reliable means to send a key to a party you have never met.

Asymmetric encryption (public key encryption)

Algorithms: DSA, RSA, ElGamal

Encryption and decryption use different keys.

Functions: encryption/decryption and user identity authentication. RSA can do both, while DSA can only encrypt data.
Public key and private key: the public key is a feature extracted from the private key; the public key is hidden in the private key. The mainstream key length is 2048 bits.

Defects:

1. Encryption is slow, roughly 1000 times slower than symmetric encryption.
2. Public key encryption is generally not used to encrypt data; it is mainly used to implement user authentication. Data encryption is mainly done with symmetric encryption.

Suppose there are two communicating parties, Xiao Hei and Tom. Xiao Hei is sending an email to Tom, and when Tom receives the email he does not want its content to have been tampered with. So Xiao Hei encrypts the email content to show that he is Xiao Hei. He generates a public key and a private key; the private key stays with Xiao Hei and must not be leaked, and the public key is sent to Tom along with the email. If Tom can decrypt the content with that public key, the sender is Xiao Hei, and this achieves authentication. However, if the data Xiao Hei encrypts is large, public key encryption takes a very long time, so what Xiao Hei encrypts is not the data itself but the feature value of the data. Since feature values have come up, let's talk about one-way encryption.

One-way encryption

Avalanche effect: if the input data differs only a little, the results may differ greatly. The main purpose is to prevent brute-force cracking.

One-way encryption calculates the feature value of a piece of data. The process is irreversible, and the feature value is unique to the data it was computed from, so it is used to verify data integrity. No matter how long the input data is, the output has the same length.

MD5: Message Digest; the output has a fixed length.
SHA1: Secure Hash Algorithm; the output has a fixed length.

Identity authentication: when implementing user identity authentication, the sender does not encrypt the entire data segment. Instead, the feature value of the data segment is calculated first, the feature value is encrypted with the private key, and the encrypted feature value is attached to the data and sent to the other party. After the other party receives the data, it can verify two things: first the identity of the sender, second the integrity of the data. The receiver decrypts with the sender's public key; if decryption succeeds, the identity of the sender is verified. At this point the receiver has the feature value of the data segment. The receiver then uses the same algorithm to calculate the feature value of the data itself. If the two feature values are the same, the data was intact during transmission; otherwise the data has been changed.

Now suppose both parties want user authentication, data encryption and data integrity at the same time during transmission. What should be done? Before sending the data, Xiao Hei uses one-way encryption to calculate the feature value and encrypts the feature value with his private key. Then a one-time password is generated; the password is encrypted with Tom's public key and attached to the data. Then symmetric encryption with that password is used to encrypt everything, so what travels is ciphertext. When it arrives, Tom obtains the password with his private key, decrypts the data with the password, obtains the feature value of the data, and computes a feature value himself with one-way encryption. If the two values are the same, the data is intact. This process achieves triple verification, which is the basis of e-commerce.

Tools that can implement this entire process: openssl, gpg. But there are still some problems in these two processes.
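The combined procedure above (feature value signed with the sender's private key, one-time password wrapped with the receiver's public key, data encrypted symmetrically), as an added example that is not part of the original page. It assumes an OpenSSL version with `-pbkdf2` support; SHA-256, AES-256-CBC and OAEP are choices made for this example, and the `impostor` key pair, file names and message are constructed.

```shell
#!/bin/sh
# Added example; keys, names and the message are constructed for the demo.
W=$(mktemp -d)
for who in xiaohei tom impostor; do          # one RSA key pair per party
    openssl genrsa -out "$W/$who.key" 2048 2>/dev/null
    openssl rsa -in "$W/$who.key" -pubout -out "$W/$who.pub" 2>/dev/null
done
printf 'order 1: ship 3 units\n' > "$W/msg.txt"

# Symmetric step, keyed by the one-time password file.
sym() {  # $1 = -e|-d  $2 = password file  $3 = input  $4 = output
    openssl enc "$1" -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$3" -out "$4"
}

# Sender: sign the feature value (digest) with the sender's private key,
# wrap a one-time password with Tom's public key, encrypt data + signature.
send() {  # $1 = name of the signing party
    openssl dgst -sha256 -sign "$W/$1.key" -out "$W/msg.sig" "$W/msg.txt"
    openssl rand -hex 32 > "$W/once.pass"
    openssl pkeyutl -encrypt -pubin -inkey "$W/tom.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$W/once.pass" -out "$W/pass.enc"
    sym -e "$W/once.pass" "$W/msg.txt" "$W/msg.enc"
    sym -e "$W/once.pass" "$W/msg.sig" "$W/sig.enc"
    rm -f "$W/once.pass" "$W/msg.sig"
}

# Receiver (Tom): unwrap the password with his private key, decrypt, then
# check the signature against Xiao Hei's public key.
receive() {  # prints "verified" or "rejected"
    openssl pkeyutl -decrypt -inkey "$W/tom.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$W/pass.enc" -out "$W/r.pass" &&
    sym -d "$W/r.pass" "$W/msg.enc" "$W/r.txt" &&
    sym -d "$W/r.pass" "$W/sig.enc" "$W/r.sig" &&
    openssl dgst -sha256 -verify "$W/xiaohei.pub" \
        -signature "$W/r.sig" "$W/r.txt" >/dev/null 2>&1 &&
    echo verified || echo rejected
}

send xiaohei;  echo "signed by Xiao Hei:  $(receive)"
send impostor; echo "signed by impostor:  $(receive)"
```

The second run shows why Tom must already hold the genuine public key of Xiao Hei: anyone can encrypt to Tom, but only a signature made with the matching private key verifies.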
How does Tom get Xiao Hei's public key? Spoofing may also occur when the public key is transmitted. How can this problem be solved?

IKE: Internet Key Exchange, which enables both parties to exchange keys with each other. The key itself is not transmitted over the Internet.

PKI: Public Key Infrastructure

CA: certificate authority. The certificate contains the public key information of the party.

Certificate-based communication: both parties present their certificates during communication. A certificate is issued by an authority; as long as the information in the certificate is verified as valid, the identity of the other party can be verified. But how can fraud be prevented during issuance? This is another chicken-and-egg question. How can it be solved? Some operating systems already place the certificates of some authoritative issuing authorities on your computer during installation, so the problem can be resolved to a certain extent.

Certificate formats: X509, PKCS

Certificate revocation list: CRL

The most common attack, "man in the middle", is possible mainly because the two parties cannot verify each other's identity. Session hijacking, data insertion and data tampering are common threats.

Encryption and decryption:

1. User password/data sniffing
2. Data manipulation
3. Authentication manipulation
4. Equivalent to mailing on postcards

Basic principles of encryption algorithms: Kerckhoffs's principle

1. Generally, encryption does not rely on the algorithm. Although the algorithm is the key to converting plaintext into ciphertext, whether your data can be cracked depends mainly not on the algorithm but on the password. Algorithms have a long research period. It is easy to change a password, but changing an algorithm requires a lot of effort. As long as the algorithm is not disclosed, it cannot be cracked.
2. Data encryption must be ensured in the e-commerce process. Make sure that the algorithm is not visible to others:
   1. Reliable random number source

######## openssl #########

OpenSSL implements many common encryption algorithms and is written in C. It has three components:

1. libcrypto: the library dedicated to encryption and decryption.
2. libssl: the library mainly used to implement the https protocol.
3. openssl: a multi-purpose encryption tool, which can also be used to create a CA.

openssl is generally already installed. You can run openssl with an incorrect option to see the usage of its options.

Encrypting a file:

    # enc: encrypt; -des3: the encryption algorithm; -salt: add a salt;
    # -a: base64-encode the output; -in/-out: input and output file names
    openssl enc -des3 -salt -a -in inittab -out inittab.des3

    # -d: decrypt
    openssl enc -d -des3 -salt -a -in inittab.des3 -out inittab

Calculating the feature value of the inittab file:

    openssl dgst -sha1 inittab

passwd, used in user authentication: openssl passwd -1 generates a password hash with the MD5 algorithm, like the passwords saved in the /etc/shadow file.

    [root@server46 ~]# openssl passwd -1
    Password:
    Verifying - Password:
    $1$7HW0kv8y$IntkyNppqtTQ2fHAJ1FMk1

With openssl passwd -1 -salt and the same salt, the calculation result is the same:

    [root@server46 ~]# openssl passwd -1 -salt 7HW0kv8y
    Password:
    $1$7HW0kv8y$IntkyNppqtTQ2fHAJ1FMk1

Run man sslpasswd to check the usage.

Asymmetric encryption: how openssl issues certificates

Switch to the /etc/pki/tls/certs directory. There, make *.key generates a key and make *.crt generates a certificate; which kind of file is generated depends mainly on the file suffix. This is a convenience provided by Red Hat. For example, make my.key generates a key.

Generating the private key file by hand:

    (umask 66; openssl genrsa 1024 > my.key)

This runs in a sub-shell, so the umask is only valid for the command that follows it; after the sub-shell exits, the original umask is restored.

Extracting the public key:

    openssl rsa -in my.key -pubout -out my.pubkey

    [root@server46 certs]# (umask 66; openssl genrsa 1024 > my.key)
    Generating RSA private key, 1024 bit long modulus
    ...++
    ........++
    e is 65537 (0x10001)
    [root@server46 certs]# cat my.key
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    [root@server46 certs]# openssl rsa -in my.key -pubout -out my.pubkey
    writing RSA key
    [root@server46 certs]# cat my.pubkey
    -----BEGIN PUBLIC KEY-----
    ...
    -----END PUBLIC KEY-----

Issuing steps:

1. First generate a key pair (private key / public key).
2. Place the public key in a certificate issuing request (which includes your public key, name, address and other descriptive fields) and send the request to the certificate authority.
3. The CA issues the certificate (CRT).

Generating your own CA:

1. cd /etc/pki/CA. It contains a private directory, dedicated to the CA's private key file.

2. Generate a key for yourself (the file can only be called cakey.pem):

    (umask 66; openssl genrsa 2048 > private/cakey.pem)
    ll private
    openssl req -new -x509 -key private/cakey.pem -out cacert.pem

   The last command prompts you to enter some information. After you fill it in, the result is a self-signed certificate, and you can then issue certificates to others. To set the validity period:

    openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655

3. Edit the CA configuration file:

    vim /etc/pki/tls/openssl.cnf

   Find the [CA_default] section and change dir to the absolute path. Some of the directories defined here have to be created manually. You can also modify the default information in this configuration file to make it a complete CA.

4. Next, make a certificate for the web server:

    cd /etc/httpd
    mkdir ssl
    cd ssl
    (umask 66; openssl genrsa 2048 > web.key)
    cd /etc/pki/CA
    mkdir certs crl newcerts
    touch index.txt serial
    echo 01 > serial
    # certificate issuing request (web.key was created in /etc/httpd/ssl)
    openssl req -new -key /etc/httpd/ssl/web.key -out /etc/httpd/ssl/web.csr
    # issue the certificate
    openssl ca -in /etc/httpd/ssl/web.csr -out /etc/httpd/ssl/web.crt

   The last command issues the certificate; then press ENTER twice.
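A check that follows the CA procedure and the certificate-trust discussion above: verify that an issued certificate chains to the CA you trust, and that one signed by another CA does not. This is an added example, not part of the original page; it works in a temporary directory, uses `openssl x509 -req` as a stand-in for `openssl ca` so no CA directory layout is needed, and all subject names and file names are constructed.

```shell
#!/bin/sh
# Added example; every name, subject and path is constructed in a temp dir.
D=$(mktemp -d)

# Self-signed CA certificate, as produced by `openssl req -new -x509`.
make_ca() {  # $1 = file prefix, $2 = CA common name
    openssl genrsa -out "$D/$1.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$D/$1.key" -subj "/CN=$2" \
        -days 30 -out "$D/$1.pem"
}

# Server key and certificate issuing request, signed by the given CA.
issue() {  # $1 = CA prefix, $2 = output certificate file
    openssl genrsa -out "$D/web.key" 2048 2>/dev/null
    openssl req -new -key "$D/web.key" -subj "/CN=www.example.test" \
        -out "$D/web.csr"
    openssl x509 -req -in "$D/web.csr" -CA "$D/$1.pem" -CAkey "$D/$1.key" \
        -CAcreateserial -days 30 -out "$D/$2" 2>/dev/null
}

# Does the certificate chain to the trusted CA?
check() {  # $1 = trusted CA prefix, $2 = certificate; prints the verdict
    if openssl verify -CAfile "$D/$1.pem" "$D/$2" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
}

make_ca myca  "Demo Root CA"
make_ca other "Some Other CA"
issue myca  web.crt
issue other foreign.crt
echo "web.crt against myca:     $(check myca web.crt)"
echo "foreign.crt against myca: $(check myca foreign.crt)"
```

Both certificates carry the same subject name; only the issuer's signature distinguishes them, which is why the client's set of pre-installed CA certificates decides what it accepts.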