Linux Secure encrypted communication OpenSSL introduction

Let's introduce the next three encryption methods:

1. Symmetric encryption
2. Public Key Cryptography
3. One-way encryption

Symmetric encryption

Implementation Tool OpenSSL ENC introduction

[[email protected] sh]# man encenc - symmetric cipher routines   对称密码-in filename  -out filename-salt-S   十六进制salt-nosalt-e  加密 encrypt the input data-d  解密decrypt the input data.-a  -base64  加密得到base64-A  得到一行的base64-p  print out the key and IV used.错误的话会报错-P  print out the key and IV used.错误的话会不会输出 明文-z  压缩-pass pass:"123"      #密码是123  -pass pass:123        #密码是123  -pass evn:VAR         #密码从环境变量VAR中去  -pass file:p.txt      #密码从文件p.txt第一行去，不包括换行符，注意DOS格式的^M及回车符。  -pass fd:3            #密码从文件描述符3中读  -pass stdin           #标准输入  

String Encryption decryption

#默认salt  des3[[email protected] sh]# echo ‘zander‘|openssl enc -e  -des3 -salt -pass pass:"99" -aU2FsdGVkX194kB7nt8HybghJn3KAHoIo[[email protected] sh]# echo "U2FsdGVkX194kB7nt8HybghJn3KAHoIo"| openssl enc -d -des3 -salt -pass pass:"99" -azander#指定salt  aes256[[email protected] sh]# echo ‘zanderzanderzander‘|openssl enc -e  -aes256 -S 012F -pass pass:"99" -aU2FsdGVkX18BLwAAAAAAAFPXPKSxoUEf7dQpfiY73AwBz3aaH00+pVnf+W54DT0k[[email protected] sh]# echo "U2FsdGVkX18BLwAAAAAAAFPXPKSxoUEf7dQpfiY73AwBz3aaH00+pVnf+W54DT0k"| openssl enc -d -aes256 -S 012F -pass pass:"99" -azanderzanderzander

File operations

#保存到文件 [[email protected] test]# OpenSSL enc-e-des3-a-salt-in fstab-out fstab.cipher-pass pass:abc[[email  Protected] test]# Cat fstab.cipheru2fsdgvkx1/wiszajnpysk94ra0wkxt3sjk/27b9fh10xwsrjpplpk8bgia58ojh/ crbiiqpg6dxje3cvmkd0te++9txs8sdkue6ray+a5yancyyxhwjwvxsewzgoqu0gbzuxvvlsndpalp7gjohrsqxdguaz+ 2s9znivwpqh0jcwuszjqb6uea4jbljjy3krs2t3ixuqpknakvvwhxcub0wz/yevhbchakvxglh4vzkk2ee9pryzhmvy8svoisp4p/yebpnih+ 7ynim6go5w2/bong+ 2nabh3vvcsmpauqbgjwqbhuqg3b58etuded0sxsuz2tjhdmgz2cuq0uptyvlkaxj9jc2swkersb39xkfczpohzvzpr2ffr8iopkp5ptgbvgfs6dpt3ayvzuwk eauloxhwysgbbumwlphdnx6ndb1m1vcntcw0rhijvlhdpqi/85b5ngh2mn7lpef8u+2h+/ 3ukdecp3cfkvswhcvve3ls684xdwal2xdxu5ue8jun+8yfkk86zpqmgb5rehbvcguh6ikginlf2jcogbg/ Fnjg0as8a16lw7pjx5evs7nbnhwld7o7lhx1/39m9zdfejbfclh9pvaefvouubsqcadvsj2gtisihdjimrtbkte6wl0blhiq/9yz+ne+ rgiv4yffqbmyt93iict4ywtwrxbk5aeqw== #解密 [[email protected] test]# OpenSSL enc-d-des3-a-salt-in fstab.cipher-out Fstab.decrypt-pass pass:abc[[email protected] test]# cat fstab.decrypt##/etc/fstab# Created by Anaconda on Sun April 06:26:44 2018## Accessible filesystems, by reference, is M aintained under '/dev/disk ' # See mans Pages Fstab (5), Findfs (8), mount (8) and/or Blkid (8) for more info#uuid=7ceb028a-a8b8-                   467C-B6D4-36910C06C5AC/XFS Defaults 0 0uuid=3d81b92c-abeb-41f5-8de0-b46d3ffbcf4c/boot XFS defaults 0 0uuid=943c7e04-b733-42fe-a1e2-eabf93693f6b swap swap def Aults 0 0[[email protected] test]# diff fstab Fstab.decrypt

Public Key Cryptography

Public key cryptography is also called asymmetric encryption, and private key production relies on random numbers
/dev/random: Only random numbers are returned from the entropy pool, and random numbers are exhausted and blocked;
/dev/urandom: The random number is returned from the entropy pool, and the random number is exhausted, and the pseudo-random number is generated by the software, non-blocking;

Public key Private key production

#(umask 077;openssl genrsa 1024 >mykey.private)  # (umask 077;openssl genrsa -out mykey.private 1024)#生产私钥[[email protected] test]# (umask 077;openssl genrsa -out mykey.private 1024)   #（） 中的命令要在子shell中运行，  umask 077 不影响默认Generating RSA private key, 1024 bit long modulus....++++++....................................................++++++e is 65537 (0x10001)[[email protected] test]# ll mykey.private-rw-------. 1 root root 887 May  8 09:50 mykey.private#提取公钥  openssl  rsa  -in mykey.private -pubout  -out  mykey.public[[email protected] test]# openssl rsa  -in mykey.private -pubout > mykey.public  writing RSA key

[[email protected] test]# openssl rsautl -encrypt -inkey mykey.public -pubin -in w.txt -out w.en[[email protected] test]# openssl rsautl -decrypt -inkey mykey.private -in w.en -out w.de[[email protected] test]# diff w.txt w.de[[email protected] test]#

One-way encryption

Tool OpenSSL Dgst

[[email protected] test]# man dgst-c：打印出两个哈希结果的时候用冒号来分隔开。仅仅设置了[-hex]的时候有效。-hex：显示ASCII编码的十六进制摘要结果，默认选项。-d：打印出BIO调试信息值。-binary：以二进制的形式来显示摘要结果值。-r：用coreutils格式来输出摘要值。-out filename：输出对象，默认为标准输出。-sign filename：用filename中的私钥文件对数据进行签名。-keyform arg：filename中的证书格式，该命令中仅仅支持PEM以及ENGINE格式。-verify filename：用filename中的公钥文件对数据进行验证签名。输出结果仅仅是"Verification OK" 和 "Verification Failure"中的一种。-hmac key：用密钥“key”创建一个哈希值MAC。    很好用file：你要哈希的文件，如果没有指定，就使用标准输入。

String manipulation

  #字符串 #-----------------Shell--------------------------------[[email protected] test]# echo-n Zander|openssl dgst-md5 (stdin) = 4d484333d33a97eaf9c50d617301778b#----------------- Python--------------------------------Import hashlibhl = Hashlib.md5 () hl.update ("Zander". Encode (encoding= ' utf-8 ') ) Print (Hl.hexdigest ()) #4d484333d33a97eaf9c50d617301778b # strongly recommended for hmac#----------------- Shell--------------------------------[[email protected] test]# echo-n zander|openssl dgst-sha512-hmac ' abc ' ( stdin) = f358e2e97da822e152a2f946ac1e629d9adcf14d2f1b2aafabc357659a1ac8c8a9cc728f5f6cc6413ba836a888779e4789921ffdc932c4bd39ba36241 6a22703#-----------------python--------------------------------Import hashlib,hmachl = hmac.new (' abc '. ENCODE ( encoding= ' Utf-8 '), "Zander". Encode (encoding= ' utf-8 '), digestmod= ' sha512 ') print (Hl.hexdigest ()) # # f358e2e97da822e152a2f946ac1e629d9adcf14d2f1b2aafabc357659a1ac8c8a9cc728f5f6cc6413ba836a888779e4789921ffdc932c4bd39ba36241 6a22703  

File MD5

#文件md5值[[email protected] test]# openssl dgst -md5 fstabMD5(fstab)= df49cbcbbc00c2e8cf302a458eed1388[[email protected] test]# md5sum fstabdf49cbcbbc00c2e8cf302a458eed1388  fstab

MD5 encryption

#密码[[email protected] test]# man sslpasswd  #只支持 md5[[email protected] test]# echo zander|openssl passwd -1 -salt 88 -stdin$1$88$qMX4lD4kTYz5R5q/ZfKK1/

SSL handshake diagram

Analysis of network encryption process

Build an enterprise-level backend HTTPS two-way authentication backend

1. Build a private CA: Generate a self-visa book on the service that is configured as a CA, and provide the required directories and files for the CA;

# (1) Generate private key; [[email protected] sh]# (umask 077; OpenSSL genrsa-out/etc/pki/ca/private/cakey.pem 4096) [[email  Protected] sh]# LL/ETC/PKI/CA/PRIVATE/CAKEY.PEM-RW-------.  1 root root 3243 May 8 09:49/etc/pki/ca/private/cakey.pem# (2) Generate self-signed certificate; [[email protected] sh]# OpenSSL req-new-x509 -key/etc/pki/ca/private/cakey.pem-out/etc/pki/ca/cacert.pem-days 3655You is about to being asked to enter information T Hat'll be Incorporatedinto your certificate request. What's about-to-enter is called a distinguished Name or a DN. There is quite a few fields but can leave some blankfor some fields there would be a default value,if you enter '. ', t He field would be a left blank.-----Country Name (2 letter code) [Xx]:cnstate or province name (full name) []:zhejianglocalit Y name (eg, city) [default city]:nborganization name (eg, company) [Default company ltd]:zanderorganizational Unit name (E g, section) []:opscommon name (eg, your name or your server ' s hostname) []:ca.zanDer.comemail Address []:[[email protected] sh]# ll/etc/pki/ca/cacert.pem-rw-r--r--. 1 root root 2004 May 8 10:00/etc/pki/ca/cacert.pem# (3) provide the required directories and files for the CA; [[email protected] sh]# mkdir-pv/etc/pki/c A/{certs,crl,newcerts}[[email protected] sh]# touch/etc/pki/ca/{serial,index.txt}[[email protected] sh] # echo >/etc/pki/ca/serial

2, client request Visa

#客户端 [[email protected] yii_test]# pwd/usr/local/www/nginx/conf/ssl/yii_test[[email protected] yii_test] # OpenSSL Req-new-key httpd.key-out httpd.csr-days 3650You is about to being asked to enter information that'll be Inc Orporatedinto your certificate request. What's about-to-enter is called a distinguished Name or a DN. There is quite a few fields but can leave some blankfor some fields there would be a default value,if you enter '. ', t He field would be a left blank.-----Country Name (2 letter code) [Xx]:cnstate or province name (full name) []:zhejianglocalit Y name (eg, city) [Default City]:nborganization Name (eg, company) [Default company Ltd]:zander #申请ca组织必须跟ca保持一致! Organizational Unit name (eg, section) []:opscommon name (eg, your name or your server ' s hostname) []:yii-test.localemail Address []:P lease Enter the following ' extra ' attributesto be sent with your certificate Requesta challenge password []:ab Cdan optional company name []: #发送给ca服务进行签证 [[EMail protected] yii_test]# SCP HTTPD.CSR [email protected]:~/ 

3, CA visa, and return

[[email protected] ~]# OpenSSL ca-in httpd.csr-out/etc/pki/ca/certs/yii-test.crt-days 3650Using configuration fr Om/etc/pki/tls/openssl.cnfcheck that the request matches the Signaturesignature okcertificate details:serial Numb Er:2 (0x2) Validity not Before:may 8 23:46:53 2018 GMT not after:may 5 23:46:53 2028 GM T Subject:countryname = CN stateorprovincename = zhejiang org Anizationname = Zander Organizationalunitname = Ops CommonName = yii-test                 . local X509v3 extensions:x509v3 Basic Constraints:CA:FALSE Netscape Comment: OpenSSL Generated Certificate x509v3 Subject Key identifier:ae:25:74:75:c3:ee:e 4:FF:B4:17:F6:28:B4:23:1F:61:67:55:35:DF x509v3 Authority Key IDENTIFIER:KEYID:F8:3B:8D:6B:EF:B 8:ae:13:9e:97:81:06:b3:e4:7c:a6:18:68:16:10certificate is to be certified until 5 23:46:53 2028 GMT (3650 days) sign the certificate? [Y/n]:y1 out of 1 certificate requests certified, commit? [Y/n]ywrite out database with 1 new entriesdata Base updated[[email protected] ~]# cat/etc/pki/ca/index.txtr 28050 5142027Z 180508143504Z unknown/c=cn/st=zhejiang/o=zander/ou=ops/cn=www.zander.comv 280505234653Z unkn own/c=cn/st=zhejiang/o=zander/ou=ops/cn=yii-test.local# returns the client Visa certificate and the CA server's certificate [[email protected] ~]# Scp/etc/pki /CA/CERTS/YII-TEST.CRT [email protected]:/usr/local/www/nginx/conf/ssl/yii_test# server sends CA public key to client client authentication time required [[    Email protected] ~]# Scp/etc/pki/ca/cacert.pem [email protected]:/usr/local/www/nginx/conf/ssl/yii_test

4. Configure client Services with Nginx as an example

server {    charset utf-8;    client_max_body_size 128M;    listen 443;    server_name yii-test.local;    root    /mydata/code/php/yii-test.dev/web;    index       index.php;    ssl on;    ssl_certificate     /usr/local/www/nginx/conf/ssl/yii_test/yii-test.crt;    ssl_certificate_key  /usr/local/www/nginx/conf/ssl/yii_test/httpd.key;    ssl_client_certificate /usr/local/www/nginx/conf/ssl/yii_test/cacert.pem;    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;#    ssl_verify_client on;    location / {        try_files $uri $uri/ /index.php?$args;    }    location ~ \.php$ {        include fastcgi.conf;        fastcgi_pass   127.0.0.1:9000;        try_files $uri =404;    }    error_page 404 /404.html;        location ~ /\.(ht|svn|git) {        deny all;    }}

The above HTTPS configuration is complete.

5. Configure HTTPS bidirectional Authentication Client Configuration

[[email protected] yii_test]# openssl pkcs12 -export -clcerts -inkey httpd.key  -in yii-test.crt  -out yii-test.p12   #p12文件是客户端通过私钥跟以签证证书生产Enter Export Password:Verifying - Enter Export Password:[[email protected] yii_test]# lshttpd.key  yii-test.crt  yii-test.p12

6. Modify Nginx configuration file to open two-way authentication

    ssl on;    ssl_certificate     /usr/local/www/nginx/conf/ssl/yii_test/yii-test.crt;    ssl_certificate_key  /usr/local/www/nginx/conf/ssl/yii_test/httpd.key;    ssl_client_certificate /usr/local/www/nginx/conf/ssl/yii_test/cacert.pem;    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    ssl_verify_client on;

Customer needs to install YII-TEST.P12 access

Linux Secure encrypted communication OpenSSL introduction