Linux Cryptographic decryption basics, PKI and SSL, creating private CAs

Source: Internet
Author: User
Tags cas md5 encryption openssl enc openssl x509

Linux Cryptographic decryption basics, PKI and SSL, creating private CAs


1. Encryption and Decryption Basics:

Data in the network transmission process to ensure that three points:

(1) Data integrity: To prevent the data in the transmission process by unauthorized users of the destruction or tampering.
(2) Confidentiality of data: Prevent the disclosure of file data to unauthorized users so that it can be exploited
(3) Availability of data: Ensure that authorized users can access file data on demand

2. Common Encryption Technologies:

Symmetric encryption
Public Key Cryptography
One-way encryption

(1) Symmetric encryption: Encryption and decryption using the same key, the original data is divided into fixed-size blocks, encrypted one by one

Encryption algorithm:
Des:data Encryption Standard (data encryption standards)
3des:des Enhanced Version
Aes:advance Encryption Standard (Advanced encryption standards)
(128bits,192,458,384,512bits)
(2) Public key cryptography: The key is used in pairs, encrypted with the public key, must be decrypted with the private key paired with it, and vice versa.
Public key: Public to everyone, PubKey
Private key, retained by oneself, must guarantee its privacy. Secret key

Encryption algorithm:
RSA: A cryptographic algorithm proposed by the MIT Ron Rivest, Adi Shamir, Leonard Adleman, named after three initials
Dsa:digital Signature Algorithm (digital Signature algorithm)
(3) One-way encryption: Only encryption can not decrypt, extract data signatures
Encryption algorithm:
Md5:128bits
Sha1:160bits
sha256
Sha386
sha512

Pki:public Key infrastructrure (public key Infrastructure)
PKI is a specification that uses public key technology and digital certificates to ensure system information security, and is responsible for verifying the identity of the digital certificate holder of a system.

Composition
Visa agency: CA
Registration Authority: RA
Certificate Revocation list: CRL
Certificate Access Library
A CA is a PKI organization that specializes in signing and issuing certificates.

: Define the structure of the certificate and the standard of the authentication protocol:
Composition
Version number: V1,v2,v3
Serial Number: Unique identification number
Signature Algorithm ID: identifier
Publisher Name:
Validity period
Principal Name
Principal public key
Issuer uniquely identifies
Unique identity of the subject
Extended information
Issuer Signature

Ssl:secure socket Layer (Secure sockets layers)
1995 by Netscape Design, release SSL2.0 version, after the launch of version 3.0, 1999 launched TLS1.0, equivalent to SSL3.0 upgrade version, now commonly used TLS1.2 version

Layered design:
1, the lowest layer: the implementation of the basic algorithm primitives, AES, RSA, MD5
2, up a layer: the implementation of various algorithms
3, and then up a layer: the combination algorithm to achieve semi-finished
4. All kinds of finished cryptographic protocols/software assembled with various components: TLS, SSH


3.ssl/tls Open Source project: OpenSSL
 
          (1) Three components of OpenSSL:
                    OPENSSL: Multi-purpose command-line tool; Implement private certificate issuance within the company to verify its identity
                    libcrypto: public cryptographic Library; provides various cryptographic functions
                    LIBSSL: Library , SSL and TLS are implemented,
  
      openssl command:

ENC, CA, dgst

Symmetric encryption:
Tools: OpenSSL enc, GPG
Algorithm: 3DES, AES, Blowfish, Twofish

ENC command:
Encryption: ~]# OpenSSL enc-e-des3-a-salt-in fstab-out fstab.ciphertext
Decryption: ~]# OpenSSL enc-d-des3-a-salt-in fstab.ciphertext-out fstab

One-way encryption:
Tools: Md5sum, Sha1sum, Sha224sum, sha256sum,..., OpenSSL dgst

DGST command:
OpenSSL dgst-md5/path/to/somefile

[email protected] ~]# OpenSSL Dgst-md5/tmp/fstab
MD5 (/tmp/fstab) = 32402066BD3DB486A37AC6BD26B201FB#MD5 encryption


4. Establish a private CA:
OpenCA
Openssl

Certificate Application and signing procedure:
1. Generate application request;
2, RA nuclear inspection;
3, CA sign;
4, obtain the certificate;

To create a private CA:
OpenSSL configuration file:/etc/pki/tls/openssl.cnf

   (1) Create required files
   # touch index.txt
   # echo > Serial
   #
   (2) CA self-visa book
   # (umask 077; OpenSSL genrsa-out/etc/pki/ca/ PRIVATE/CAKEY.PEM 2048)
   # OpenSSL req-new-x509-key/etc/pki/ca/private/cakey.epm-days 7300-out /ETC/PKI/CA/CACERT.PEM
    -new: Generate a new certificate signing request;
    -x509: Private to CA generate self-signed certificate ;
    -key: The private key file used to generate the request;
    -days N: The validity period of the certificate;
     -out/path/to/somecertfile: The path where the certificate is saved;

(3) Issuing certificates
(a) Generate a certificate request from the host using the certificate;
# (Umask 077; OpenSSL genrsa-out/etc/httpd/ssl/httpd.key 2048)
# OpenSSL Req-new-key/etc/httpd/ssl/httpd.key-days 365-OUT/ETC/HTTPD/SSL/HTTPD.CSR
(b) Transfer the request file to the CA;
(c) The CA signs the certificate and sends the certificate back to the requestor;
# OpenSSL Ca-in/tmp/httpd.csr-out/etc/pki/ca/certs/httpd.crt-days 365

To view the information in the certificate:
OpenSSL x509-in/path/from/cert_file-noout-text|-subject|-serial

(4) Revocation of certificates
(a) The client obtains the serial of the certificate to be revoked
# OpenSSL X509-in/path/from/cert_file-noout-serial-subject

(b) CA
Based on the serial and subject information submitted by the customer, the comparison test is consistent with the information in the Index.txt file;

To revoke a certificate:
# OpenSSL Ca-revoke/etc/pki/ca/newcerts/serial.pem

(c) The number of the revocation certificate is generated (the first time a certificate is revoked)
# echo >/etc/pki/ca/crlnumber

(d) Updating the certificate revocation List
# OpenSSL Ca-gencrl-out thisca.crl

To view the CRL file:
# OpenSSL Crl-in/path/from/crl_file.crl-noout-text



Linux Cryptographic decryption basics, PKI and SSL, creating private CAs

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.