Linux encryption and decryption technology fundamentals, PKI, and creating private CAs

Source: Internet
Author: User
Tags cas openssl enc openssl x509 asymmetric encryption

Linux encryption and decryption technology fundamentals, PKI, and creating private CAs

One, encryption methods are divided into:
1. Symmetric encryption: encryption and decryption use the same key;
Symmetric encryption: encryption using single-key cryptography, where the same key is used both to encrypt and to decrypt the information. Commonly used symmetric algorithms are: DES, 3DES, TDEA, AES, Blowfish, Twofish, IDEA, RC6, CAST5, and more.
Characteristics:
1. Encryption and decryption use the same key;
2. The raw data is split into fixed-size blocks, which are encrypted one by one;
Defects:
1. Too many keys;
2. Key distribution is difficult;
2. Public key cryptography: keys are divided into public and private keys
Public key cryptography: also known as asymmetric encryption. It is a second-level discipline of network security within communication technology, and refers to an encryption method built from a uniquely corresponding pair of keys. It solves the problem of key distribution and management and is the core of current commercial cryptography. In a public key cryptosystem the plaintext is not disclosed; what is public is the ciphertext, the public key, and the algorithm.
Public key: extracted from the private key; available to everyone; pubkey
Private key: created by a tool, kept by the user, and must be kept private; secret key;

Features: Data encrypted with the public key can only be decrypted with the private key to which it is paired, and vice versa;

Uses:
Digital signature: the main purpose is to let the receiver confirm the identity of the sender;
Key exchange: the sender encrypts a symmetric key with the other party's public key and sends it to the other party;
Data encryption

Algorithms: RSA, DSA, ElGamal
DSS: Digital Signature Standard
DSA: Digital Signature Algorithm
3. One-way encryption: extracts a fingerprint of the data; it can only be encrypted, not decrypted;
One-way encryption: irreversible encryption, that is, an encryption method that cannot be decrypted; it extracts a fingerprint of the data. The common algorithms are of three kinds: MD5, SHA, and HMAC.
Characteristics: fixed-length output, avalanche effect;
Function: integrity;
Algorithms:
MD5: Message Digest 5, 128 bits
SHA1: Secure Hash Algorithm 1, 160 bits
sha224, sha256, sha384, sha512

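Key exchange: IKE (Internet Key Exchange)
Public key cryptography
DH (Diffie-Hellman)
A and B agree on the public values p and g; x and y are the private values each side keeps to itself, and both sides end up computing the same value.

    A: p, g
    B: p, g

    A: x
        --> p^x%g ==> B

    A: (p^y%g)^x = p^yx%g

    B: y
        --> p^y%g ==> A

    B: (p^x%g)^y = p^xy%g
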
Two, PKI
PKI is the acronym of Public Key Infrastructure. PKI is a set of standard technologies and specifications that uses public key cryptography to provide a security foundation platform for the development of e-commerce.
Public Key Infrastructure:
Issuing authority: CA. The CA is the core of the PKI. It manages the certificates of all users under the PKI structure, binds a user's public key together with the user's other information so that the user's identity can be verified on the Internet, and is also responsible for registering and publishing the certificate blacklist.
Registration authority: RA
Certificate revocation list: CRL
Certificate repository:
X.509v3: defines the structure of the certificate and the standard of the authentication protocol
    Version number
    Serial number
    Signature algorithm ID
    Issuer name
    Validity period
    Subject name
    Subject public key
    Issuer unique identifier
    Subject unique identifier
    Extensions
    Issuer's signature

SSL: Secure Sockets Layer
    Netscape: 1994
    V1.0, V2.0, V3.0
TLS: Transport Layer Security
    IETF: 1999
    V1.0, V1.1, V1.2, V1.3

Layered design:
1. The bottom layer: implementations of the basic algorithm primitives: AES, RSA, MD5;
2. One layer up: implementations of the various algorithms;
3. One more layer up: semi-finished products built by combining the algorithms;
4. Cryptographic protocol software products assembled from the various components;

Three, CA:
Publicly trusted CA, private CA;

Tools for establishing a private CA:
OpenSSL
OpenCA

openssl command:
Configuration file: /etc/pki/tls/openssl.cnf

To build a private CA:
Generate a self-signed certificate on the server that is configured as the CA, and provide the directories and files the CA requires;

Steps:
(1) Generate the private key;
~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)

(2) Generate the self-signed certificate;
~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655

-new: generate a new certificate signing request;
-x509: generate a certificate in self-signed format; used when creating a private CA;
-key: path of the private key file used to generate the request;
-out: path of the generated request file; for a self-signed operation, the signed certificate is written directly;
-days: validity period of the certificate, in days;
(3) Provide the directories and files the CA requires;
~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}

~]# touch /etc/pki/CA/{serial,index.txt}
~]# echo 01 > /etc/pki/CA/serial

A server that will use a certificate for secure communication needs to request the certificate from the CA:

Steps (taking httpd as an example):
(1) Generate the private key on the host that will use the certificate;
~]# mkdir /etc/httpd/ssl
~]# cd /etc/httpd/ssl
~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
(2) Generate the certificate signing request;
~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
(3) Send the request to the CA host by a reliable means;

(4) Sign the certificate on the CA host;
~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

To view the information in the certificate:
~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject

To revoke a certificate:
Steps:
(1) The client obtains the serial of the certificate to be revoked (performed on the host using the certificate):
~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
(2) The CA host revokes the certificate
Using the serial and subject information submitted by the client, check that it is consistent with the data stored in the local database file index.txt.

Revoke:
# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

where SERIAL is to be replaced by the real serial number of the certificate;

(3) Generate the revocation number for revoked certificates (executed only the first time a certificate is revoked)
# echo 01 > /etc/pki/CA/crlnumber

(4) Update the certificate revocation list
# openssl ca -gencrl -out thisca.crl

To view the CRL file:
# openssl crl -in /path/from/crl_file.crl -noout -text
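
The build, sign and revoke steps above, run end to end in a throwaway directory and checked against the CRL before and after revocation (an added example, not part of the original article). The CA name, the host name www.example.test, the 2048-bit demo keys and the minimal ca.cnf, which stands in for the [ CA_default ] section of /etc/pki/tls/openssl.cnf, are constructed for illustration.

```bash
# Added example: private-CA lifecycle in a temp dir; names and ca.cnf are constructed.
ca_lifecycle() (
  set -e
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  exec 3>&1 >/dev/null 2>&1            # silence openssl; fd 3 keeps the caller's stdout
  mkdir -p ca/private ca/newcerts; touch ca/index.txt
  echo 01 > ca/serial; echo 01 > ca/crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  # CA private key and self-signed CA certificate
  (umask 077; openssl genrsa -out ca/private/cakey.pem 2048)
  openssl req -new -x509 -config ca.cnf -key ca/private/cakey.pem \
    -subj "/CN=Demo Private CA" -days 3655 -out ca/cacert.pem
  # Server key, CSR, and signing by the CA (serial 01 -> ca/newcerts/01.pem)
  (umask 077; openssl genrsa -out httpd.key 2048)
  openssl req -new -config ca.cnf -key httpd.key -subj "/CN=www.example.test" -out httpd.csr
  openssl ca -batch -config ca.cnf -in httpd.csr -out httpd.crt
  # Verify the server certificate against the CA certificate and the current CRL
  check() { openssl verify -crl_check -CAfile ca/cacert.pem -CRLfile ca.crl \
              httpd.crt >/dev/null && echo valid || echo rejected; }
  openssl ca -config ca.cnf -gencrl -out ca.crl
  before=$(check)
  openssl ca -config ca.cnf -revoke ca/newcerts/01.pem
  openssl ca -config ca.cnf -gencrl -out ca.crl
  after=$(check)
  echo "before_revoke=$before after_revoke=$after" >&3
)
```

A client only sees the revocation if it is given the regenerated CRL and asked to check it (`-crl_check` here); revoking on the CA host alone changes nothing for verifiers that never fetch the list.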

Four, commonly used tools and algorithms for encryption and decryption;

(1) Symmetric encryption

Tools: openssl enc, gpg

Encrypt the /etc/fstab file using openssl enc:

Decrypt the /tmp/fstab file:

(2) One-way encryption:

Tools: sha1sum, md5sum, openssl dgst
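
One way to exercise the two tool families named above, openssl enc and openssl dgst, on a sample file (an added example, not the article's own commands). The cipher and options (aes-256-cbc with -pbkdf2, which needs OpenSSL 1.1.1 or later), the sample fstab lines, the passphrases and the file names are assumptions chosen for illustration.

```bash
# Added example: openssl enc round trip, checked with openssl dgst.
# Constructed for illustration: the sample fstab lines, both passphrases, all file names.
enc_and_digest_demo() (
  set -e
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  exec 3>&1 >/dev/null 2>&1            # silence openssl; fd 3 keeps the caller's stdout
  umask 077
  printf '/dev/sda1 / ext4 defaults 1 1\n/dev/sda2 swap swap defaults 0 0\n' > fstab
  echo 'constructed-demo-passphrase' > pass.txt
  echo 'a-different-passphrase' > wrong.txt
  sha256() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }
  opts="-aes-256-cbc -pbkdf2 -a"       # cipher, PBKDF2 key derivation, base64 output

  # Symmetric: the same passphrase encrypts and decrypts
  openssl enc -e $opts -salt -pass file:pass.txt -in fstab -out fstab.enc
  openssl enc -d $opts -pass file:pass.txt -in fstab.enc -out fstab.dec
  [ "$(sha256 fstab)" = "$(sha256 fstab.dec)" ] && roundtrip=match || roundtrip=differ

  # Wrong passphrase: normally "bad decrypt"; enc has no integrity check, so if the
  # padding happens to parse, comparing digests is what exposes the garbage output
  if openssl enc -d $opts -pass file:wrong.txt -in fstab.enc -out fstab.bad &&
     [ "$(sha256 fstab.bad)" = "$(sha256 fstab)" ]; then wrong=accepted; else wrong=rejected; fi

  # One-way: fixed-length output, and one changed character alters most digest digits
  sed 's/ext4/ext3/' fstab > fstab.mod
  a=$(sha256 fstab); b=$(sha256 fstab.mod); changed=0; i=1
  while [ "$i" -le "${#a}" ]; do
    [ "$(printf %s "$a" | cut -c"$i")" = "$(printf %s "$b" | cut -c"$i")" ] || changed=$((changed + 1))
    i=$((i + 1))
  done
  printf 'roundtrip=%s wrong_pass=%s hex_len=%s changed=%s\n' \
    "$roundtrip" "$wrong" "${#a}" "$changed" >&3
)
```

Because openssl enc provides confidentiality only, keep a digest (or better, a signature) of the plaintext alongside the ciphertext when tampering or a wrong key must be detected reliably.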
