Let's introduce the next three encryption methods:
- Symmetric encryption
- Public Key Cryptography
- One-way encryption
Symmetric encryption
Implementation Tool OpenSSL ENC introduction
[[email protected] sh]# man encenc - symmetric cipher routines 对称密码-in filename -out filename-salt-S 十六进制salt-nosalt-e 加密 encrypt the input data-d 解密decrypt the input data.-a -base64 加密得到base64-A 得到一行的base64-p print out the key and IV used.错误的话会报错-P print out the key and IV used.错误的话会不会输出 明文-z 压缩-pass pass:"123" #密码是123 -pass pass:123 #密码是123 -pass evn:VAR #密码从环境变量VAR中去 -pass file:p.txt #密码从文件p.txt第一行去,不包括换行符,注意DOS格式的^M及回车符。 -pass fd:3 #密码从文件描述符3中读 -pass stdin #标准输入
String Encryption decryption
#默认salt des3[[email protected] sh]# echo ‘zander‘|openssl enc -e -des3 -salt -pass pass:"99" -aU2FsdGVkX194kB7nt8HybghJn3KAHoIo[[email protected] sh]# echo "U2FsdGVkX194kB7nt8HybghJn3KAHoIo"| openssl enc -d -des3 -salt -pass pass:"99" -azander#指定salt aes256[[email protected] sh]# echo ‘zanderzanderzander‘|openssl enc -e -aes256 -S 012F -pass pass:"99" -aU2FsdGVkX18BLwAAAAAAAFPXPKSxoUEf7dQpfiY73AwBz3aaH00+pVnf+W54DT0k[[email protected] sh]# echo "U2FsdGVkX18BLwAAAAAAAFPXPKSxoUEf7dQpfiY73AwBz3aaH00+pVnf+W54DT0k"| openssl enc -d -aes256 -S 012F -pass pass:"99" -azanderzanderzander
File operations
#保存到文件 [[email protected] test]# OpenSSL enc-e-des3-a-salt-in fstab-out fstab.cipher-pass pass:abc[[email Protected] test]# Cat fstab.cipheru2fsdgvkx1/wiszajnpysk94ra0wkxt3sjk/27b9fh10xwsrjpplpk8bgia58ojh/ crbiiqpg6dxje3cvmkd0te++9txs8sdkue6ray+a5yancyyxhwjwvxsewzgoqu0gbzuxvvlsndpalp7gjohrsqxdguaz+ 2s9znivwpqh0jcwuszjqb6uea4jbljjy3krs2t3ixuqpknakvvwhxcub0wz/yevhbchakvxglh4vzkk2ee9pryzhmvy8svoisp4p/yebpnih+ 7ynim6go5w2/bong+ 2nabh3vvcsmpauqbgjwqbhuqg3b58etuded0sxsuz2tjhdmgz2cuq0uptyvlkaxj9jc2swkersb39xkfczpohzvzpr2ffr8iopkp5ptgbvgfs6dpt3ayvzuwk eauloxhwysgbbumwlphdnx6ndb1m1vcntcw0rhijvlhdpqi/85b5ngh2mn7lpef8u+2h+/ 3ukdecp3cfkvswhcvve3ls684xdwal2xdxu5ue8jun+8yfkk86zpqmgb5rehbvcguh6ikginlf2jcogbg/ Fnjg0as8a16lw7pjx5evs7nbnhwld7o7lhx1/39m9zdfejbfclh9pvaefvouubsqcadvsj2gtisihdjimrtbkte6wl0blhiq/9yz+ne+ rgiv4yffqbmyt93iict4ywtwrxbk5aeqw== #解密 [[email protected] test]# OpenSSL enc-d-des3-a-salt-in fstab.cipher-out Fstab.decrypt-pass pass:abc[[email protected] test]# cat fstab.decrypt##/etc/fstab# Created by Anaconda on Sun April 06:26:44 2018## Accessible filesystems, by reference, is M aintained under '/dev/disk ' # See mans Pages Fstab (5), Findfs (8), mount (8) and/or Blkid (8) for more info#uuid=7ceb028a-a8b8- 467C-B6D4-36910C06C5AC/XFS Defaults 0 0uuid=3d81b92c-abeb-41f5-8de0-b46d3ffbcf4c/boot XFS defaults 0 0uuid=943c7e04-b733-42fe-a1e2-eabf93693f6b swap swap def Aults 0 0[[email protected] test]# diff fstab Fstab.decrypt
Public Key Cryptography
Public key cryptography is also called asymmetric encryption, and private key production relies on random numbers
/dev/random: Only random numbers are returned from the entropy pool, and random numbers are exhausted and blocked;
/dev/urandom: The random number is returned from the entropy pool, and the random number is exhausted, and the pseudo-random number is generated by the software, non-blocking;
Public key Private key production
#(umask 077;openssl genrsa 1024 >mykey.private) # (umask 077;openssl genrsa -out mykey.private 1024)#生产私钥[[email protected] test]# (umask 077;openssl genrsa -out mykey.private 1024) #() 中的命令要在子shell中运行, umask 077 不影响默认Generating RSA private key, 1024 bit long modulus....++++++....................................................++++++e is 65537 (0x10001)[[email protected] test]# ll mykey.private-rw-------. 1 root root 887 May 8 09:50 mykey.private#提取公钥 openssl rsa -in mykey.private -pubout -out mykey.public[[email protected] test]# openssl rsa -in mykey.private -pubout > mykey.public writing RSA key
[[email protected] test]# openssl rsautl -encrypt -inkey mykey.public -pubin -in w.txt -out w.en[[email protected] test]# openssl rsautl -decrypt -inkey mykey.private -in w.en -out w.de[[email protected] test]# diff w.txt w.de[[email protected] test]#
One-way encryption
Tool OpenSSL Dgst
[[email protected] test]# man dgst-c:打印出两个哈希结果的时候用冒号来分隔开。仅仅设置了[-hex]的时候有效。-hex:显示ASCII编码的十六进制摘要结果,默认选项。-d:打印出BIO调试信息值。-binary:以二进制的形式来显示摘要结果值。-r:用coreutils格式来输出摘要值。-out filename:输出对象,默认为标准输出。-sign filename:用filename中的私钥文件对数据进行签名。-keyform arg:filename中的证书格式,该命令中仅仅支持PEM以及ENGINE格式。-verify filename:用filename中的公钥文件对数据进行验证签名。输出结果仅仅是"Verification OK" 和 "Verification Failure"中的一种。-hmac key:用密钥“key”创建一个哈希值MAC。 很好用file:你要哈希的文件,如果没有指定,就使用标准输入。
String manipulation
#字符串 #-----------------Shell--------------------------------[[email protected] test]# echo-n Zander|openssl dgst-md5 (stdin) = 4d484333d33a97eaf9c50d617301778b#----------------- Python--------------------------------Import hashlibhl = Hashlib.md5 () hl.update ("Zander". Encode (encoding= ' utf-8 ') ) Print (Hl.hexdigest ()) #4d484333d33a97eaf9c50d617301778b # strongly recommended for hmac#----------------- Shell--------------------------------[[email protected] test]# echo-n zander|openssl dgst-sha512-hmac ' abc ' ( stdin) = f358e2e97da822e152a2f946ac1e629d9adcf14d2f1b2aafabc357659a1ac8c8a9cc728f5f6cc6413ba836a888779e4789921ffdc932c4bd39ba36241 6a22703#-----------------python--------------------------------Import hashlib,hmachl = hmac.new (' abc '. ENCODE ( encoding= ' Utf-8 '), "Zander". Encode (encoding= ' utf-8 '), digestmod= ' sha512 ') print (Hl.hexdigest ()) # # f358e2e97da822e152a2f946ac1e629d9adcf14d2f1b2aafabc357659a1ac8c8a9cc728f5f6cc6413ba836a888779e4789921ffdc932c4bd39ba36241 6a22703
File MD5
#文件md5值[[email protected] test]# openssl dgst -md5 fstabMD5(fstab)= df49cbcbbc00c2e8cf302a458eed1388[[email protected] test]# md5sum fstabdf49cbcbbc00c2e8cf302a458eed1388 fstab
MD5 encryption
#密码[[email protected] test]# man sslpasswd #只支持 md5[[email protected] test]# echo zander|openssl passwd -1 -salt 88 -stdin$1$88$qMX4lD4kTYz5R5q/ZfKK1/
SSL handshake diagram
Analysis of network encryption process
Build an enterprise-level backend HTTPS two-way authentication backend
1. Build a private CA: Generate a self-visa book on the service that is configured as a CA, and provide the required directories and files for the CA;
# (1) Generate private key; [[email protected] sh]# (umask 077; OpenSSL genrsa-out/etc/pki/ca/private/cakey.pem 4096) [[email Protected] sh]# LL/ETC/PKI/CA/PRIVATE/CAKEY.PEM-RW-------. 1 root root 3243 May 8 09:49/etc/pki/ca/private/cakey.pem# (2) Generate self-signed certificate; [[email protected] sh]# OpenSSL req-new-x509 -key/etc/pki/ca/private/cakey.pem-out/etc/pki/ca/cacert.pem-days 3655You is about to being asked to enter information T Hat'll be Incorporatedinto your certificate request. What's about-to-enter is called a distinguished Name or a DN. There is quite a few fields but can leave some blankfor some fields there would be a default value,if you enter '. ', t He field would be a left blank.-----Country Name (2 letter code) [Xx]:cnstate or province name (full name) []:zhejianglocalit Y name (eg, city) [default city]:nborganization name (eg, company) [Default company ltd]:zanderorganizational Unit name (E g, section) []:opscommon name (eg, your name or your server ' s hostname) []:ca.zanDer.comemail Address []:[[email protected] sh]# ll/etc/pki/ca/cacert.pem-rw-r--r--. 1 root root 2004 May 8 10:00/etc/pki/ca/cacert.pem# (3) provide the required directories and files for the CA; [[email protected] sh]# mkdir-pv/etc/pki/c A/{certs,crl,newcerts}[[email protected] sh]# touch/etc/pki/ca/{serial,index.txt}[[email protected] sh] # echo >/etc/pki/ca/serial
2, client request Visa
#客户端 [[email protected] yii_test]# pwd/usr/local/www/nginx/conf/ssl/yii_test[[email protected] yii_test] # OpenSSL Req-new-key httpd.key-out httpd.csr-days 3650You is about to being asked to enter information that'll be Inc Orporatedinto your certificate request. What's about-to-enter is called a distinguished Name or a DN. There is quite a few fields but can leave some blankfor some fields there would be a default value,if you enter '. ', t He field would be a left blank.-----Country Name (2 letter code) [Xx]:cnstate or province name (full name) []:zhejianglocalit Y name (eg, city) [Default City]:nborganization Name (eg, company) [Default company Ltd]:zander #申请ca组织必须跟ca保持一致! Organizational Unit name (eg, section) []:opscommon name (eg, your name or your server ' s hostname) []:yii-test.localemail Address []:P lease Enter the following ' extra ' attributesto be sent with your certificate Requesta challenge password []:ab Cdan optional company name []: #发送给ca服务进行签证 [[EMail protected] yii_test]# SCP HTTPD.CSR [email protected]:~/
3, CA visa, and return
[[email protected] ~]# OpenSSL ca-in httpd.csr-out/etc/pki/ca/certs/yii-test.crt-days 3650Using configuration fr Om/etc/pki/tls/openssl.cnfcheck that the request matches the Signaturesignature okcertificate details:serial Numb Er:2 (0x2) Validity not Before:may 8 23:46:53 2018 GMT not after:may 5 23:46:53 2028 GM T Subject:countryname = CN stateorprovincename = zhejiang org Anizationname = Zander Organizationalunitname = Ops CommonName = yii-test . local X509v3 extensions:x509v3 Basic Constraints:CA:FALSE Netscape Comment: OpenSSL Generated Certificate x509v3 Subject Key identifier:ae:25:74:75:c3:ee:e 4:FF:B4:17:F6:28:B4:23:1F:61:67:55:35:DF x509v3 Authority Key IDENTIFIER:KEYID:F8:3B:8D:6B:EF:B 8:ae:13:9e:97:81:06:b3:e4:7c:a6:18:68:16:10certificate is to be certified until 5 23:46:53 2028 GMT (3650 days) sign the certificate? [Y/n]:y1 out of 1 certificate requests certified, commit? [Y/n]ywrite out database with 1 new entriesdata Base updated[[email protected] ~]# cat/etc/pki/ca/index.txtr 28050 5142027Z 180508143504Z unknown/c=cn/st=zhejiang/o=zander/ou=ops/cn=www.zander.comv 280505234653Z unkn own/c=cn/st=zhejiang/o=zander/ou=ops/cn=yii-test.local# returns the client Visa certificate and the CA server's certificate [[email protected] ~]# Scp/etc/pki /CA/CERTS/YII-TEST.CRT [email protected]:/usr/local/www/nginx/conf/ssl/yii_test# server sends CA public key to client client authentication time required [[ Email protected] ~]# Scp/etc/pki/ca/cacert.pem [email protected]:/usr/local/www/nginx/conf/ssl/yii_test
4. Configure client Services with Nginx as an example
server { charset utf-8; client_max_body_size 128M; listen 443; server_name yii-test.local; root /mydata/code/php/yii-test.dev/web; index index.php; ssl on; ssl_certificate /usr/local/www/nginx/conf/ssl/yii_test/yii-test.crt; ssl_certificate_key /usr/local/www/nginx/conf/ssl/yii_test/httpd.key; ssl_client_certificate /usr/local/www/nginx/conf/ssl/yii_test/cacert.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;# ssl_verify_client on; location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { include fastcgi.conf; fastcgi_pass 127.0.0.1:9000; try_files $uri =404; } error_page 404 /404.html; location ~ /\.(ht|svn|git) { deny all; }}
The above HTTPS configuration is complete.
5. Configure HTTPS bidirectional Authentication Client Configuration
[[email protected] yii_test]# openssl pkcs12 -export -clcerts -inkey httpd.key -in yii-test.crt -out yii-test.p12 #p12文件是客户端通过私钥跟以签证证书生产Enter Export Password:Verifying - Enter Export Password:[[email protected] yii_test]# lshttpd.key yii-test.crt yii-test.p12
6. Modify Nginx configuration file to open two-way authentication
ssl on; ssl_certificate /usr/local/www/nginx/conf/ssl/yii_test/yii-test.crt; ssl_certificate_key /usr/local/www/nginx/conf/ssl/yii_test/httpd.key; ssl_client_certificate /usr/local/www/nginx/conf/ssl/yii_test/cacert.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_verify_client on;
Customer needs to install YII-TEST.P12 access
Linux Secure encrypted communication OpenSSL introduction