Linux Secure encrypted communication OpenSSL introduction

Source: Internet
Author: User
Tags decrypt hmac openssl openssl enc openssl rsa stdin yii asymmetric encryption

Let's introduce the next three encryption methods:

    1. Symmetric encryption
    2. Public Key Cryptography
    3. One-way encryption
Symmetric encryption

Implementation Tool OpenSSL ENC introduction

[[email protected] sh]# man encenc - symmetric cipher routines   对称密码-in filename  -out filename-salt-S   十六进制salt-nosalt-e  加密 encrypt the input data-d  解密decrypt the input data.-a  -base64  加密得到base64-A  得到一行的base64-p  print out the key and IV used.错误的话会报错-P  print out the key and IV used.错误的话会不会输出 明文-z  压缩-pass pass:"123"      #密码是123  -pass pass:123        #密码是123  -pass evn:VAR         #密码从环境变量VAR中去  -pass file:p.txt      #密码从文件p.txt第一行去,不包括换行符,注意DOS格式的^M及回车符。  -pass fd:3            #密码从文件描述符3中读  -pass stdin           #标准输入  

String Encryption decryption

#默认salt  des3[[email protected] sh]# echo ‘zander‘|openssl enc -e  -des3 -salt -pass pass:"99" -aU2FsdGVkX194kB7nt8HybghJn3KAHoIo[[email protected] sh]# echo "U2FsdGVkX194kB7nt8HybghJn3KAHoIo"| openssl enc -d -des3 -salt -pass pass:"99" -azander#指定salt  aes256[[email protected] sh]# echo ‘zanderzanderzander‘|openssl enc -e  -aes256 -S 012F -pass pass:"99" -aU2FsdGVkX18BLwAAAAAAAFPXPKSxoUEf7dQpfiY73AwBz3aaH00+pVnf+W54DT0k[[email protected] sh]# echo "U2FsdGVkX18BLwAAAAAAAFPXPKSxoUEf7dQpfiY73AwBz3aaH00+pVnf+W54DT0k"| openssl enc -d -aes256 -S 012F -pass pass:"99" -azanderzanderzander

File operations

#保存到文件 [[email protected] test]# OpenSSL enc-e-des3-a-salt-in fstab-out fstab.cipher-pass pass:abc[[email  Protected] test]# Cat fstab.cipheru2fsdgvkx1/wiszajnpysk94ra0wkxt3sjk/27b9fh10xwsrjpplpk8bgia58ojh/ crbiiqpg6dxje3cvmkd0te++9txs8sdkue6ray+a5yancyyxhwjwvxsewzgoqu0gbzuxvvlsndpalp7gjohrsqxdguaz+ 2s9znivwpqh0jcwuszjqb6uea4jbljjy3krs2t3ixuqpknakvvwhxcub0wz/yevhbchakvxglh4vzkk2ee9pryzhmvy8svoisp4p/yebpnih+ 7ynim6go5w2/bong+ 2nabh3vvcsmpauqbgjwqbhuqg3b58etuded0sxsuz2tjhdmgz2cuq0uptyvlkaxj9jc2swkersb39xkfczpohzvzpr2ffr8iopkp5ptgbvgfs6dpt3ayvzuwk eauloxhwysgbbumwlphdnx6ndb1m1vcntcw0rhijvlhdpqi/85b5ngh2mn7lpef8u+2h+/ 3ukdecp3cfkvswhcvve3ls684xdwal2xdxu5ue8jun+8yfkk86zpqmgb5rehbvcguh6ikginlf2jcogbg/ Fnjg0as8a16lw7pjx5evs7nbnhwld7o7lhx1/39m9zdfejbfclh9pvaefvouubsqcadvsj2gtisihdjimrtbkte6wl0blhiq/9yz+ne+ rgiv4yffqbmyt93iict4ywtwrxbk5aeqw== #解密 [[email protected] test]# OpenSSL enc-d-des3-a-salt-in fstab.cipher-out Fstab.decrypt-pass pass:abc[[email protected] test]# cat fstab.decrypt##/etc/fstab# Created by Anaconda on Sun April 06:26:44 2018## Accessible filesystems, by reference, is M aintained under '/dev/disk ' # See mans Pages Fstab (5), Findfs (8), mount (8) and/or Blkid (8) for more info#uuid=7ceb028a-a8b8-                   467C-B6D4-36910C06C5AC/XFS Defaults 0 0uuid=3d81b92c-abeb-41f5-8de0-b46d3ffbcf4c/boot XFS defaults 0 0uuid=943c7e04-b733-42fe-a1e2-eabf93693f6b swap swap def Aults 0 0[[email protected] test]# diff fstab Fstab.decrypt
Public Key Cryptography

Public key cryptography is also called asymmetric encryption, and private key production relies on random numbers
/dev/random: Only random numbers are returned from the entropy pool, and random numbers are exhausted and blocked;
/dev/urandom: The random number is returned from the entropy pool, and the random number is exhausted, and the pseudo-random number is generated by the software, non-blocking;

Public key Private key production

#(umask 077;openssl genrsa 1024 >mykey.private)  # (umask 077;openssl genrsa -out mykey.private 1024)#生产私钥[[email protected] test]# (umask 077;openssl genrsa -out mykey.private 1024)   #() 中的命令要在子shell中运行,  umask 077 不影响默认Generating RSA private key, 1024 bit long modulus....++++++....................................................++++++e is 65537 (0x10001)[[email protected] test]# ll mykey.private-rw-------. 1 root root 887 May  8 09:50 mykey.private#提取公钥  openssl  rsa  -in mykey.private -pubout  -out  mykey.public[[email protected] test]# openssl rsa  -in mykey.private -pubout > mykey.public  writing RSA key
[[email protected] test]# openssl rsautl -encrypt -inkey mykey.public -pubin -in w.txt -out w.en[[email protected] test]# openssl rsautl -decrypt -inkey mykey.private -in w.en -out w.de[[email protected] test]# diff w.txt w.de[[email protected] test]#
One-way encryption

Tool OpenSSL Dgst

[[email protected] test]# man dgst-c:打印出两个哈希结果的时候用冒号来分隔开。仅仅设置了[-hex]的时候有效。-hex:显示ASCII编码的十六进制摘要结果,默认选项。-d:打印出BIO调试信息值。-binary:以二进制的形式来显示摘要结果值。-r:用coreutils格式来输出摘要值。-out filename:输出对象,默认为标准输出。-sign filename:用filename中的私钥文件对数据进行签名。-keyform arg:filename中的证书格式,该命令中仅仅支持PEM以及ENGINE格式。-verify filename:用filename中的公钥文件对数据进行验证签名。输出结果仅仅是"Verification OK" 和 "Verification Failure"中的一种。-hmac key:用密钥“key”创建一个哈希值MAC。    很好用file:你要哈希的文件,如果没有指定,就使用标准输入。

String manipulation

  #字符串 #-----------------Shell--------------------------------[[email protected] test]# echo-n Zander|openssl dgst-md5 (stdin) = 4d484333d33a97eaf9c50d617301778b#----------------- Python--------------------------------Import hashlibhl = Hashlib.md5 () hl.update ("Zander". Encode (encoding= ' utf-8 ') ) Print (Hl.hexdigest ()) #4d484333d33a97eaf9c50d617301778b # strongly recommended for hmac#----------------- Shell--------------------------------[[email protected] test]# echo-n zander|openssl dgst-sha512-hmac ' abc ' ( stdin) = f358e2e97da822e152a2f946ac1e629d9adcf14d2f1b2aafabc357659a1ac8c8a9cc728f5f6cc6413ba836a888779e4789921ffdc932c4bd39ba36241 6a22703#-----------------python--------------------------------Import hashlib,hmachl = hmac.new (' abc '. ENCODE ( encoding= ' Utf-8 '), "Zander". Encode (encoding= ' utf-8 '), digestmod= ' sha512 ') print (Hl.hexdigest ()) # # f358e2e97da822e152a2f946ac1e629d9adcf14d2f1b2aafabc357659a1ac8c8a9cc728f5f6cc6413ba836a888779e4789921ffdc932c4bd39ba36241 6a22703  

File MD5

#文件md5值[[email protected] test]# openssl dgst -md5 fstabMD5(fstab)= df49cbcbbc00c2e8cf302a458eed1388[[email protected] test]# md5sum fstabdf49cbcbbc00c2e8cf302a458eed1388  fstab

MD5 encryption

#密码[[email protected] test]# man sslpasswd  #只支持 md5[[email protected] test]# echo zander|openssl passwd -1 -salt 88 -stdin$1$88$qMX4lD4kTYz5R5q/ZfKK1/
SSL handshake diagram

Analysis of network encryption process

Build an enterprise-level backend HTTPS two-way authentication backend

1. Build a private CA: Generate a self-visa book on the service that is configured as a CA, and provide the required directories and files for the CA;

# (1) Generate private key; [[email protected] sh]# (umask 077; OpenSSL genrsa-out/etc/pki/ca/private/cakey.pem 4096) [[email  Protected] sh]# LL/ETC/PKI/CA/PRIVATE/CAKEY.PEM-RW-------.  1 root root 3243 May 8 09:49/etc/pki/ca/private/cakey.pem# (2) Generate self-signed certificate; [[email protected] sh]# OpenSSL req-new-x509 -key/etc/pki/ca/private/cakey.pem-out/etc/pki/ca/cacert.pem-days 3655You is about to being asked to enter information T Hat'll be Incorporatedinto your certificate request. What's about-to-enter is called a distinguished Name or a DN. There is quite a few fields but can leave some blankfor some fields there would be a default value,if you enter '. ', t He field would be a left blank.-----Country Name (2 letter code) [Xx]:cnstate or province name (full name) []:zhejianglocalit Y name (eg, city) [default city]:nborganization name (eg, company) [Default company ltd]:zanderorganizational Unit name (E g, section) []:opscommon name (eg, your name or your server ' s hostname) []:ca.zanDer.comemail Address []:[[email protected] sh]# ll/etc/pki/ca/cacert.pem-rw-r--r--. 1 root root 2004 May 8 10:00/etc/pki/ca/cacert.pem# (3) provide the required directories and files for the CA; [[email protected] sh]# mkdir-pv/etc/pki/c A/{certs,crl,newcerts}[[email protected] sh]# touch/etc/pki/ca/{serial,index.txt}[[email protected] sh] # echo >/etc/pki/ca/serial

2, client request Visa

#客户端 [[email protected] yii_test]# pwd/usr/local/www/nginx/conf/ssl/yii_test[[email protected] yii_test] # OpenSSL Req-new-key httpd.key-out httpd.csr-days 3650You is about to being asked to enter information that'll be Inc Orporatedinto your certificate request. What's about-to-enter is called a distinguished Name or a DN. There is quite a few fields but can leave some blankfor some fields there would be a default value,if you enter '. ', t He field would be a left blank.-----Country Name (2 letter code) [Xx]:cnstate or province name (full name) []:zhejianglocalit Y name (eg, city) [Default City]:nborganization Name (eg, company) [Default company Ltd]:zander #申请ca组织必须跟ca保持一致! Organizational Unit name (eg, section) []:opscommon name (eg, your name or your server ' s hostname) []:yii-test.localemail Address []:P lease Enter the following ' extra ' attributesto be sent with your certificate Requesta challenge password []:ab Cdan optional company name []: #发送给ca服务进行签证 [[EMail protected] yii_test]# SCP HTTPD.CSR [email protected]:~/ 

3, CA visa, and return

[[email protected] ~]# OpenSSL ca-in httpd.csr-out/etc/pki/ca/certs/yii-test.crt-days 3650Using configuration fr Om/etc/pki/tls/openssl.cnfcheck that the request matches the Signaturesignature okcertificate details:serial Numb Er:2 (0x2) Validity not Before:may 8 23:46:53 2018 GMT not after:may 5 23:46:53 2028 GM T Subject:countryname = CN stateorprovincename = zhejiang org Anizationname = Zander Organizationalunitname = Ops CommonName = yii-test                 . local X509v3 extensions:x509v3 Basic Constraints:CA:FALSE Netscape Comment: OpenSSL Generated Certificate x509v3 Subject Key identifier:ae:25:74:75:c3:ee:e 4:FF:B4:17:F6:28:B4:23:1F:61:67:55:35:DF x509v3 Authority Key IDENTIFIER:KEYID:F8:3B:8D:6B:EF:B 8:ae:13:9e:97:81:06:b3:e4:7c:a6:18:68:16:10certificate is to be certified until 5 23:46:53 2028 GMT (3650 days) sign the certificate? [Y/n]:y1 out of 1 certificate requests certified, commit? [Y/n]ywrite out database with 1 new entriesdata Base updated[[email protected] ~]# cat/etc/pki/ca/index.txtr 28050 5142027Z 180508143504Z unknown/c=cn/st=zhejiang/o=zander/ou=ops/cn=www.zander.comv 280505234653Z unkn own/c=cn/st=zhejiang/o=zander/ou=ops/cn=yii-test.local# returns the client Visa certificate and the CA server's certificate [[email protected] ~]# Scp/etc/pki /CA/CERTS/YII-TEST.CRT [email protected]:/usr/local/www/nginx/conf/ssl/yii_test# server sends CA public key to client client authentication time required [[    Email protected] ~]# Scp/etc/pki/ca/cacert.pem [email protected]:/usr/local/www/nginx/conf/ssl/yii_test

4. Configure client Services with Nginx as an example

server {    charset utf-8;    client_max_body_size 128M;    listen 443;    server_name yii-test.local;    root    /mydata/code/php/yii-test.dev/web;    index       index.php;    ssl on;    ssl_certificate     /usr/local/www/nginx/conf/ssl/yii_test/yii-test.crt;    ssl_certificate_key  /usr/local/www/nginx/conf/ssl/yii_test/httpd.key;    ssl_client_certificate /usr/local/www/nginx/conf/ssl/yii_test/cacert.pem;    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;#    ssl_verify_client on;    location / {        try_files $uri $uri/ /index.php?$args;    }    location ~ \.php$ {        include fastcgi.conf;        fastcgi_pass   127.0.0.1:9000;        try_files $uri =404;    }    error_page 404 /404.html;        location ~ /\.(ht|svn|git) {        deny all;    }}


The above HTTPS configuration is complete.

5. Configure HTTPS bidirectional Authentication Client Configuration

[[email protected] yii_test]# openssl pkcs12 -export -clcerts -inkey httpd.key  -in yii-test.crt  -out yii-test.p12   #p12文件是客户端通过私钥跟以签证证书生产Enter Export Password:Verifying - Enter Export Password:[[email protected] yii_test]# lshttpd.key  yii-test.crt  yii-test.p12

6. Modify Nginx configuration file to open two-way authentication

    ssl on;    ssl_certificate     /usr/local/www/nginx/conf/ssl/yii_test/yii-test.crt;    ssl_certificate_key  /usr/local/www/nginx/conf/ssl/yii_test/httpd.key;    ssl_client_certificate /usr/local/www/nginx/conf/ssl/yii_test/cacert.pem;    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    ssl_verify_client on;

Customer needs to install YII-TEST.P12 access

Linux Secure encrypted communication OpenSSL introduction

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.