Linux encryption and decryption, the basic application of OpenSSL and the process of CA implementation

First, data encryption method

Encryption is divided into: one-way encryption, symmetric encryption and public key cryptography.

1. Symmetric encryption

Symmetric encryption: Using the encryption method of single-key cryptosystem, the same key can be used as the encryption and decryption of information, which is called symmetric encryption, also known as single-key encryption. The algorithms commonly used in symmetric cryptography are: DES, 3DES, Tdea, Blowfish, RC2, RC4, RC5, Idea, skipjack, AES, etc.

Characteristics:

1, encryption, decryption using the same key;

2, the original data is divided into fixed-size blocks, one by one encryption;

Defects:

1, too many keys;

2, Key distribution;

The symmetric encryption process is as follows:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/73/DC/wKiom1YI2R6xzzqYAAHmHXHQm9o092.jpg "title=" 1.png " alt= "Wkiom1yi2r6xzzqyaahmhxhqm9o092.jpg"/>

2. Public Key Cryptography

Public key cryptography, also known as asymmetric (key) cryptography, is a two-level discipline of network security under communication technology, which refers to an encryption method consisting of a corresponding pair of unique keys (that is, public key and private key). It solves the issue of key publishing and management, is the core of the current business password. In the public key cryptography, there is no explicit text, the public is ciphertext, public key, algorithm.

Common algorithms are RSA, ElGamal, knapsack algorithm, Rabin (Rabin encryption method can be said to be a special case of the RSA method), Diffie-hellman (D-H) key exchange protocol, the public key encryption algorithm, Elliptic Curve Cryptography (ECC, Elliptic curve encryption algorithm). The most widely used RSA algorithm (by the inventor Rivest, Shmir, and Adleman initials) is the famous public key encryption algorithm, ElGamal is another commonly used asymmetric encryption algorithm.

The public key cryptography process is as follows:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/73/DA/wKioL1YI20mwlnfKAAEE8CQDswk498.jpg "title=" 2.png " alt= "Wkiol1yi20mwlnfkaaee8cqdswk498.jpg"/>

3. One-way encryption

One-way encryption is non-reversible encryption, which is a non-decrypted encryption method that extracts the fingerprint of the data. The common encryption algorithm has MD5, SHA, HMAC three kinds of encryption algorithm. We usually only use them as the basis for encryption, pure three kinds of encryption is not reliable.

One-way encryption such as:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/73/DD/wKiom1YI3ZehpnMxAAB1fTgDh_Q522.jpg "title=" 3.png " alt= "Wkiom1yi3zehpnmxaab1ftgdh_q522.jpg"/>

Second, KPI

PKI is the initial acronym of Public Key Infrastructure, which is the key infrastructure; PKI is a standard technology and specification to use public key cryptography to provide a set of security foundation platform for e-commerce development.

1. Basic composition

PKI public Key infrastructure is a system or platform that provides public-key cryptography and digital signature services to manage keys and certificates. An organization can establish a secure network environment by using the PKI framework to manage keys and certificates. PKI mainly consists of four parts: Certificates in the form of X-V3 and certificate revocation List CRL (V2), CA operation Protocol, CA Management Protocol, CA policy development. A typical, complete, and effective PKI application system should have at least the following five parts:

(1) Certification Center CA

CA is the core of PKI, CA is responsible for the management of all users under the PKI structure (including various applications) of the certificate, the user's public key and the user's other information bundled together to verify the identity of users on the Internet, the CA also responsible for the user certificate blacklist registration and blacklist publishing, followed by a detailed description of the CA.

(2) X.500 directory server

X.500 directory server is used to publish the user's certificate and blacklist information, the user can use the standard LDAP protocol to query their own or other people's certificates and download blacklist information.

(3) Secure WWW server with high-strength cryptographic algorithm (SSL)

Originally developed by the Netscape Enterprise, the Secure Socket Layer (SSL) protocol is now a global standard for authenticating Web sites and web browser identities, and for encrypting communications between users of browsers and Web servers.

(4) Web (Secure communication platform)

The web has two parts, Web client side and Web server side, which are installed on the clients and server side, and ensure the confidentiality, integrity and authentication of the client and server side data through the SSL protocol with high strength cryptographic algorithm.

(5) Self-developed safety application system

Self-developed Security application system refers to a variety of specific applications developed by various industries, such as banking, securities application system. A complete PKI includes the formulation of the certification policy (including the technical standards to be followed, the subordinate or sibling relationships among the CAs, security policies, security, service objects, management principles and frameworks, etc.), certification rules, the formulation of operational systems, the content of the legal relations of the parties involved, and the realization of the technology.

2.CA

Certification Center CA as a core part of PKI, CA realizes some important functions in PKI, in a word, the functions of Certification center (CA) are: Certificate issuing, certificate updating, certificate revocation and certificate verification. The core function of CAS is to issue and manage digital certificates, as described below:
(1) Receive an application to verify the end-user digital certificate.
(2) Determine whether to accept the application of the end-user digital certificate-Certificate approval.
(3) issuing and refusing to issue digital certificates to the applicant-issuance of certificates.
(4) Receive and process the end user's digital certificate update request-The update of the certificate.
(5) Receive the end-user digital certificate query, revocation.
(6) Generate and publish certificate revocation lists (CRLs).
(7) Archiving of digital certificates.
(8) Key archiving.
(9) Historical data archiving.
Certificate Authority CA In order to realize its function, mainly consists of the following three parts:
Registered Servers: Sites established through WEB Server provide 24x7 service to customers. The client presents the certificate application and fills in the corresponding certificate application form online.
Certificate application acceptance and approval agency: responsible for the application and audit of the certificate. Its main function is to accept the client certificate request and review it.
Certificate Authority server: A running entity that generates and issues digital certificates, and provides services such as management of issuing certificates, generation and processing of certificate revocation lists (CRLs).
In concrete implementation, the CA must do the following:
1) Verify and identify the identity of the certificate requester.
2) Ensure the quality of the asymmetric key used by the CA for signing the certificate.
3) Ensure the security of the entire visa process and ensure the security of the signed private key.
4) Management of certificate data information (including public key certificate serial number, CA identification, etc.).
5) Determine and check the validity period of the certificate.
6) Ensure that the identity of the certificate body is unique and prevent duplicate names.
7) Publish and maintain a list of obsolete certificates.
8) Logging the entire certificate signing process.
9) give notice to the applicant.
One of the most important of these is the management of the CA's own pair of keys, which must ensure its high degree of confidentiality and prevent other parties from forging certificates. The CA's public key is exposed on the web, so the entire network system must guarantee integrity. The CA's digital signature guarantees the legitimacy and authority of the certificate (which is essentially the holder's public key).

Third, OpenSSL

Linux encryption and decryption, the basic application of OpenSSL and the process of CA implementation