Ninth Week Assignment


1. Describe in detail the process of encrypted communication, with a diagram.

The TCP/IP protocol suite enables communication between different networks and between hosts running different operating systems. The TCP/IP model is divided into four layers:

1. Application layer: a very broad category. It contains the basic system-level TCP/IP applications and application protocols (such as HTTP) as well as the many enterprise and Internet applications built on top of them.

2. Transport layer: UDP and TCP. UDP does almost no checking of packets; TCP provides an error-checking mechanism, establishes a connection with a three-way handshake and closes it with a four-way handshake.

3. Network layer: a family of protocols including ICMP, IGMP, RIP, OSPF, IP (v4 and v6), BGP, IS-IS and so on.

4. Data link layer: also called the physical or network interface layer. It is responsible for transmitting messages over the medium and defines the specification of the physical interface.


As the model above shows, TCP/IP defines the rules of data communication but provides no encryption mechanism of its own, so the SSL protocol is added on top of it to give network communication a higher level of security. SSL ensures that the data exchanged by the two parties is transmitted as ciphertext, which a third party can hardly decrypt without the private key, thus achieving confidentiality. Let's look at how SSL two-way (mutual) authentication works.

Step 1: The browser sends a connection request to the server. The server returns its own certificate (containing the server public key S_pukey), the symmetric encryption algorithms it supports and other related information to the client.

Step 2: The client browser checks whether the certificate the server sent was issued by a CA it trusts. If so, the handshake continues with step 4; otherwise the user is shown a warning asking whether to continue the visit.

Step 3: The client browser compares the information in the certificate (validity period, server domain name, public key S_pukey) with the information the server returned. If they match, the browser has authenticated the server.

Step 4: The server requests the client's certificate (containing the client public key C_pukey), the symmetric encryption schemes the client supports and other related information. On receipt, the server performs the same authentication; if it fails, the connection is refused.

Step 5: Based on the cipher types the client browser sent, the server chooses the strongest encryption scheme, encrypts its choice with the client public key C_pukey and notifies the browser.

Step 6: The client decrypts the notification with its private key C_prkey, learns which scheme the server chose, selects a session key, encrypts it with the server public key S_pukey and sends it to the server.

Step 7: The server decrypts the browser's message with its private key S_prkey and obtains the session key.

From this point on, the two sides communicate using symmetric encryption with that session key.

[Diagram: SSL bidirectional authentication]


2. Describe the process of creating a private CA and of issuing a certificate for a certificate signing request sent by a client.

Establishing a CA server

1. Initialize the environment

# cd /etc/pki/CA/
# touch /etc/pki/CA/{index.txt,serial}
# echo 01 > /etc/pki/CA/serial        # the serial file must hold a starting number; an empty file makes 'openssl ca' fail


2. Generate key

# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
......+++
......+++
e is 65537 (0x10001)


3. Self-signed certificate

OpenSSL command and options:

req: generate a certificate signing request

-new: new request

-key /path/to/keyfile: the private key file to use

-out /path/to/somefile: the output file

-x509: generate a self-signed certificate instead of a request

-days N: number of days the certificate is valid

# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                          # country
State or Province Name (full name) []:XJ                      # province
Locality Name (eg, city) [Default City]:WS                    # city
Organization Name (eg, company) [Default Company Ltd]:YTJ     # company
Organizational Unit Name (eg, section) []:OPS                 # department
Common Name (eg, your name or your server's hostname) []:JYM  # host name
Email Address []:[email protected]                            # e-mail


Client Request Certificate

4. The client generates a key pair

# mkdir /etc/httpd/ssl/
# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.......+++
.....................+++
e is 65537 (0x10001)

5. Generate a Certificate signing request

# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:XJ
Locality Name (eg, city) [Default City]:WS
Organization Name (eg, company) [Default Company Ltd]:YTJ
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:JYM
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456     # a challenge password
An optional company name []:RA     # optional company name


6. Send the signature request file to the CA server

# scp httpd.csr root@192.168.101.129:/root
The authenticity of host '192.168.101.129 (192.168.101.129)' can't be established.
RSA key fingerprint is e5:84:6c:f7:c0:60:3d:0b:39:b6:1e:12:0d:48:8b:07.
Are you sure you want to continue connecting (yes/no)? Y
root@192.168.101.129's password:
httpd.csr                                     100% 1066     1.0KB/s   00:00


7. The CA server verifies the request and signs the certificate

# openssl ca -in /root/httpd.csr -out /root/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 31 20:07:58 2016 GMT
            Not After : Oct 31 20:07:58 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = XJ
            organizationName          = YTJ
            organizationalUnitName    = OPS
            commonName                = JYM
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                c4:ed:c0:ce:98:5a:b9:af:fe:e0:59:54:db:e1:2a:96:99:a4:b7:28
            X509v3 Authority Key Identifier:
                keyid:c2:1a:de:02:69:35:41:af:98:eb:72:69:eb:ae:74:49:72:52:2b:c6
Certificate is to be certified until Oct 31 20:07:58 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


8. Send the certificate signed by the CA server back to the client

# scp /root/httpd.crt root@192.168.101.130:/etc/httpd/ssl/
The authenticity of host '192.168.101.130 (192.168.101.130)' can't be established.
RSA key fingerprint is ef:85:f8:aa:1c:de:41:5a:fd:93:8d:9f:83:f7:a2:ff.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.101.130' (RSA) to the list of known hosts.
nasty PTR record "192.168.101.130" is set up for 192.168.101.130, ignoring
root@192.168.101.130's password:
httpd.crt                                     100% 4491     4.4KB/s   00:00
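The whole CA procedure above (steps 1 to 8), as an added example that is not from the blog: a POSIX shell function that rebuilds the CA in a scratch directory, so it runs without root and without touching /etc/pki, signs a client CSR with openssl ca, and then performs the check a relying party makes in step 3 of the two-way authentication in section 1, verifying the issued certificate against the CA certificate. Assumed names: CADIR, the www.magedu.com host name, the YTJ organisation and the minimal openssl.cnf written inline in place of /etc/pki/tls/openssl.cnf.

```shell
# Added example, not the blog's commands: the article's CA workflow rebuilt in a
# scratch dir. Assumed: CADIR, the magedu.com names, the minimal config below.
set -eu
build_private_ca() {
    CADIR="$1"
    mkdir -p "$CADIR/private" "$CADIR/newcerts" "$CADIR/client"
    touch "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"   # an empty serial file makes 'openssl ca' fail
    cat > "$CADIR/openssl.cnf" <<EOF   # stand-in for /etc/pki/tls/openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
policy = policy_any
x509_extensions = v3_leaf
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.magedu.com
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    # Steps 1-3: CA key (mode 0600 via umask) and self-signed CA certificate.
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CADIR/openssl.cnf" -key "$CADIR/private/cakey.pem" \
        -subj "/C=CN/O=YTJ/CN=Demo Private CA" -days 3655 -out "$CADIR/cacert.pem"
    # Steps 4-5: client key pair and CSR; only the CSR is sent to the CA.
    (umask 077; openssl genrsa -out "$CADIR/client/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CADIR/openssl.cnf" -key "$CADIR/client/httpd.key" \
        -subj "/C=CN/O=YTJ/CN=www.magedu.com" -out "$CADIR/client/httpd.csr"
    # Step 7: CA signs; -batch answers the two y/n prompts, index.txt and serial update.
    openssl ca -batch -config "$CADIR/openssl.cnf" -days 365 -notext \
        -in "$CADIR/client/httpd.csr" -out "$CADIR/client/httpd.crt"
    # Relying-party check: the signed leaf must chain to cacert.pem.
    openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/client/httpd.crt"
}
```

Run it with build_private_ca /some/empty/dir. The subjectAltName in v3_leaf is deliberate: current browsers match the host name against the SAN, not the Common Name, so a certificate issued without it fails validation even when the CA is trusted.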


3. Build a DNS server responsible for resolving the magedu.com domain (host names and IP addresses).

(1) It should perform forward and reverse resolution for a number of host names;

http://jiayimeng.blog.51cto.com/10604001/1852025

(2) Delegate the subdomain cdn.magedu.com; the subdomain's own server is responsible for resolving the host names within it;


(3) To ensure the high availability of the DNS service, design a solution and write up the implementation process in detail.


This article is from the "Linux Sailing" blog; please keep this source when reposting: http://jiayimeng.blog.51cto.com/10604001/1868015
