Linux Learning Notes: Security for Linux services and services

I. Data encryption and decryption

Inter-process communication:

Inter-process communication within the same host:

Send signal (signal),

Shared Memory (SHM),

Semaphore

Message queue, MQ, RabbitMQ

Inter-process communication between different hosts:

Socket-pair, socket pair child;

Three types of sockets:

Stream Sockets (Socket_stream): Sockets based on TCP protocol communication;

Datagram Sockets (Socket_dgram): Sockets based on UDP protocol communication;

Bare sockets, raw Sockets (Socket_raw): Sockets based on the underlying protocol communication

Socket Socket:IP:PORT

The address identification of the process;

A socket refers to a particular application on a particular host;

In most cases, network communication is from the client to the server communication, for the server, must have a socket listening mechanism, that is, the process of listening mode, and generally speaking, the process with this listening mode, called the daemon, or service process;

The socket resource that the service process listens to is registered with the kernel before it is started, and the socket resource is exclusive to all service process resources;

Port number:

0: Default is not used;

1~1023: Well-known ports, fixed ports;

1024~49151: Register Port

mysql:3306

memcached:11211

tomcat:8091

49152~65535: Dynamic port, a randomly selected port for client processes

The goal of secure implementation:

Confidentiality: Confidentiality to ensure that information is not disclosed

Integrity: Integrity to ensure that information is not tampered with

Availability: availability, guaranteeing the intrinsic value of information

Threat

Threat-Sensitive attack behavior:

Tapping

Sniffing

Scanning

Analysis of Traffic volume

Threat Integrity Attack Behavior:

Change

Disguise

Replay

Deny

Attack behavior that threatens availability:

Denial of service (DoS)

Security Solutions:

Technology: Encryption and decryption:

Traditional methods of encryption:

Alternative encryption algorithm;

Displacement encryption algorithm;

Modern encryption methods:

Block Encryption algorithm:

Services: Security Services:

Identity authentication;

access control mechanism;

Encryption Scheme:

encryption algorithms and keys;

Encryption algorithm:

Symmetric encryption algorithm

Public key encryption algorithm

One-way encryption algorithm

Key exchange algorithm

Symmetric encryption algorithm:

Encryption and decryption using the same key;

Characteristics:

1. Each communication host needs to maintain the same key for encryption and decryption;

2. Divide the original data into fixed-size blocks and encrypt them individually;

3. Faster encryption and decryption

Defects:

1. Encryption and decryption of the number of keys required to retain too much;

2. Key distribution is too difficult

Mainstream encryption algorithms:

Des:data Encryption Standard, data encryption standards, using 56bit key into 64bit blocks

NSA: U.S. National Security Agency

3DES:

aes:advanced Encryption Standard, advanced encryption standards;

Aes128bit,aes192bit,aes256bit

Current NSA mainstream options

Blowfish

Twofish

Idea

Rc4,rc6

Public Key encryption algorithm:

Encrypt with key pair

The key consists of the private key and the public key generated by the private key extraction;

Private key: 512bit,1024bit,2048bit,4096bit,8192bit,16384bit;

Characteristics:

1. Use key pair for encryption and decryption, data encrypted with private key, must be extracted from the public key decryption, using public key encryption, must use the relative private key to decrypt;

Private key: Creates a build from a specific tool, which is retained by the user and must ensure its private key; secret key or private key

Public key: Extract the generated from the private key, public key can be publicly used by everyone

2. The key length is longer, the security level of the data after encryption is high;

Defects:

When encrypting data, it consumes more system resources and time, which is seldom used to encrypt large quantities of data.

Main purpose of work:

Digital signature, mainly used to let the receiver confirm the identity of the sender, using the sender's private key to encrypt the data, after the receiver, using the sender's public key to decrypt the data;

Key exchange: The sending data side uses the receiver's public key to encrypt the symmetric key and then sends the encrypted symmetric key to the other party;

Data encryption: Usually used to encrypt small data;

Common public-key cryptography algorithms:

RSA: Data encryption, digital signature;

DSA: Digital Signature Algorithm, can only realize digital signature, sometimes this algorithm is also called DSS (digital signature Standard)

ELgamal: Algorithm for charging

One-way encryption algorithm:

Encryption cannot be decrypted, and password fingerprints are extracted from known data;

Characteristics:

1. Fixed-length output:

2. Avalanche effect:

Function:

Ensure the integrity of the data;

Common algorithms:

MD5: The fifth edition of the Information Digest algorithm

128bit fixed-length output;

SHA Series algorithm:

Sha-1: Secure hashing algorithm, 160bit fixed-length output

sha224

sha256

sha384

sha512

Key exchange algorithm: IKE

Public key encryption algorithm to achieve;

DH algorithm: Deffie-hellman

Federated Application of cryptographic algorithms:

1. Communication between the two parties to exchange certificates, and to the trust of the CA certificate certification;

2. The sender uses some kind of symmetric encryption algorithm to encrypt the data, the encrypted data uses one-way encryption to calculate its eigenvalues, and the sender encrypts the eigenvalue with its own private key to prove the reliable source of the data; The sender encrypts the symmetric key using the receiver's certificate;

3. After receiving the data, the receiver decrypts the symmetric key with its private key, decrypts the eigenvalue using the sender's public key, and then uses the same one-way encryption algorithm to re-settle the eigenvalue of the encrypted data; compare two eigenvalues; If the eigenvalues are consistent, the data is complete And decrypt the original data with the decrypted symmetric key;

The main contents of the certificate include:

The name of the owner;

The public key submitted by the owner;

Valid

The version number of the certificate;

The serial number of the certificate;

Issue the algorithm ID;

The name of the issuing CA;

Principal name;

The unique identity of the issuing person;

The digital signature of the issuing person;

Extended information

PKI: Public key infrastructure;

Certificate of Visa Authority: CA

Registration Authority: RA

Certificate Revocation list: CRL

Certificate Access library: CAB

How CA plays its part:

1. Communication between the two parties to exchange certificates;

2. Mutual consultation encryption algorithm;

3. Verify the authenticity of the certificate by both parties

4. Use the CA's public key to decrypt the certificate of the CA's signature, can decrypt the certificate source is reliable;

5. Encrypt the certificate with the same encryption algorithm, obtain the characteristic value, compare with the decrypted characteristic value, if want to be same, explain the certificate integrity is reliable;

6. Check whether the validity period of the certificate is within the legal time frame, and if it expires, the certificate is not recognized;

7. Check the subject name of the certificate and whether the target of this communication can correspond;

SSL: Secure Sockets Layer

In 1994, Netscape first stated and implemented the company;

TLS: Transport Layer Security Protocol;

IETF: Internet Engineering Project group presented in 1999

TLS V1.0

2006, TLS V1.1

2008, proposed the TLS V1.2, introduced the Elliptic Curve encryption algorithm to TLS; not yet applied

Layered design:

1. Lowest level: the implementation of primitive language of basic algorithm; Aes,md5,sha ...

2. Up one layer: the basic realization of various algorithms;

3. One more level: semi-finished products with various algorithm combinations;

4. The highest level, a variety of components assembled from a variety of product cryptography protocol software;

Four phases of the SSL/TLS handshake:

1. The client requests a certificate from the server and verifies the certificate;

Message content sent by Client hello

Versions of the supported protocols, such as: TLS V1.2

The client generates a random number and later the user generates the session key;

Supported cryptographic algorithms, such as: Aes,des,rsa, etc.

Supported compression algorithms

2. Both parties negotiate to generate the session key;

Message content sent by Server hello:

Confirm the version number of the encryption protocol used, such as: TLS V1.2

The server generates a random number that is later used to generate the session key

Confirm encryption algorithm and compression algorithm;

3. Both parties use the generated session key for secure encryption of the communication;

The client verifies the server certificate and, after confirming the error, takes out its public key;

Verify that the server certificate needs to verify the following:

Verify the issuing authority (CA);

Verifying the integrity of a certificate

Verify the holder information of the certificate;

Verify the certificate validity period

Verifying the revocation list for a certificate

The client sends information to the server side:

A random number for the public key encryption on the server;

The coding format change notification, indicating that the subsequent information will be encrypted with the two parties have negotiated encryption algorithm and key to send encryption;

Client handshake End:

4. Mutual notification of the end of the handshake information;

The server receives the third random number of the handshake phase sent by the client, Pre_master_key, computes the session key used to generate the session, and sends the relevant information to the client;

Code change notification, indicating that the subsequent information will be encrypted with the two parties have negotiated encryption algorithm and key to send encryption;

Server side handshake end;

Linux Learning Notes: Security for Linux services and services