Today we talk about OpenSSL, so what is OpenSSL?
OpenSSL is a set of security tools and also provides an open source library. It supports SSL(secure Sockets layer, V2/V3), TLS (Transport layer Secure, v1). This set of tools has a very wide range of applications
OpenSSL consists of three parts: Libencrypto Library, Libssl Library, OpenSSL Multipurpose command line tool
Then let's talk about cryptographic algorithms and protocols:
1, symmetric encryption: Encryption and decryption using the same key;
Features:
(1), encryption, decryption using the same key;
(2), the original data is divided into fixed-size blocks, one by one encryption;
Defects:
(1), too many keys;
(2), Key distribution difficulties;
Public key: extracted from the private key, publicly available to all; PubKey
Private key: Created by the tool and retained by the user, must be kept private; secret key;
Features: Data encrypted with the public key can only be decrypted with the private key to which it is paired, and vice versa;
,
Use:
Digital signature: The main purpose is to let the receiver confirm the identity of the sender;
Key exchange: The sender encrypts a symmetric key with the other's public key and sends it to the other party;
Data encryption
Algorithms: RSA, DSA, ELGamal
Dss:digital Signature Standard
Dsa:digital Signature algorithm
3, one-way encryption: That is, the data fingerprint is presented; can only be encrypted, not decrypted ;
Features: fixed-length output, avalanche effect;
Features: integrity,
algorithm:
md5:message Digest 5, 128bits
sha1:secure Hash algorithm 1, 160bits
& nbsp; sha224, sha256, sha384, sha512
4, Key Exchange
Public Key cryptography: data is encrypted by obtaining the other's public key, and only the other's private key can be decrypted
DH Algorithm (Deffie-hellman): consists of two names
Then let's talk about the encryption and decryption process:
Encryption process:
The first step: the sender first use a one-way encryption algorithm to calculate the signature of the data, and then use their own private key to encrypt the signature, and the results attached to the data behind,
Second step: Then generate a temporary symmetric key, and use this symmetric key to encrypt the entire data,
Step three: Then use the recipient's public key to encrypt the temporary symmetric key, appended to the data, and sent to the recipient
Decryption process:
First step: After receiving the data, the recipient first decrypts the data with his private key, obtains the symmetric encrypted key, decrypts its symmetric encrypted data,
The second step: then use the sender's public key to decrypt the signature code, can be decrypted, the identity of the sender is certified
The third step: the recipient then uses the same one-way encryption calculation method to calculate the data, and the decryption of the signature to compare, if the signature is the same, the data integrity is certified
Each cryptographic Algorithm management command
OpenSSL: Default on CentOS 7 is installed by default, can be used directly, there are many sub-commands can be managed separately.
Sub-commands are divided into three categories:
Standard commands
Information Summary command (DGST command)
Encrypt command (ENC subcommand)
Standard command: ENC,CA,REQ,GENRSA, etc.
Tools: OpenSSL enc, GPG
supported algorithms: 3DES, AES, Blowfish, towfish
Enc command:
encrypt: ~]# openssl enc -e -des3 -a -salt -in fstab-out fstab.ciphertext
decryption: ~]# openssl enc -d -des3 -a -salt -out fstab-in FS Tab.ciphertext
One-way encryption:
Tools: OpenSSL dgst, md5sum, Sha1sum, Sha224sum,sha512sum ...
dgst command:
~]# openssl dgst -md5 /path/to/somefile (md5sum/ Path/to/somefile)
650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M00/7F/84/wKioL1chmgrh2Li0AAA34msFJMI558.png "title=" Qq20160428125942.png "alt=" wkiol1chmgrh2li0aaa34msfjmi558.png "/> Generate user password:
Tools: passwd, OpenSSL passwd
OpenSSL passwd-1-salt Salt
Generate random Number:
Tool: OpenSSL Rand
~]# OpenSSL Rand-hex NUM
~]# OpenSSL rand-base NUM
650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M01/7F/84/wKioL1chmRfQlZpWAAAYLTfCIFs035.png "title=" Qq20160428125659.png "alt=" Wkiol1chmrfqlzpwaaayltfcifs035.png "/>
Public Key cryptography:
Generate private key: ~]# (umask 077; OpenSSL genrsa-out/path/to/private_key_file num_bits (2 of the Second party))
~]# (umask 077; OpenSSL genrsa-out/tmp/hello.txt 1024)
Proposed public key: ~]# OpenSSL rsa-in/path/from/private_key_file-pubout
~]# OpenSSL Rsa-in/tmp/hello.txt-pubout
650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M02/7F/86/wKiom1chmzaD4yhnAABpxcpSCO4015.png "title=" Qq20160428130929.png "alt=" Wkiom1chmzad4yhnaabpxcpsco4015.png "/>
PKI and creating Private CAs
PKI: Public Key Infrastructure (publicly key Infrastructure)
Visa agency: CA
Registration Authority: RA
certificate Revocation list: CRL
Integer Access Library
OpenSSL command:
Configuration file:/etc/pki/tls/openssl.cnf
To build a private CA:
Generate a self-visa book on the service that is configured as a CA, and provide the required directories and files for the CA;
Steps:
(1) Generate the private key;
~]# (umask 077; OpenSSL genrsa-out/etc/pki/ca/private/cakey.pem 4096)
(2) Generate self-signed certificate;
~]# OpenSSL req-new-x509-key/etc/pki/ca/private/cakey.pem-out/etc/pki/ca/cacert.pem-days 3655
-new: Generate a new certificate signing request;
-x509: Generate a self-signed format certificate, designed to create a private CA;
-key: The private file path used to generate the request;
-out: The generated request file path, or if the self-signed operation will generate a signed certificate directly;
-days: The valid duration of the certificate, the Unit is day;
650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/7F/86/wKiom1chnuKztjK6AACNt2i8MYs539.png "title=" Qq20160428132507.png "alt=" Wkiom1chnukztjk6aacnt2i8mys539.png "/>
(1) Use the certificate's host to generate the private key;
~]# mkdir /etc/httpd/ssl
~]# cd /etc/httpd/ssl
~]# (umask 077; openssl& nbsp genrsa-out httpd.key 2048)
(2) Generate certificate signing request
]# OpenSSL req-new-key httpd.key-out httpd.csr-days 365
650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/7F/84/wKioL1cho2rQB_NsAACrUTk4bDc341.png "title=" Qq20160428134106.png "alt=" Wkiol1cho2rqb_nsaacrutk4bdc341.png "/>
(3) Send the request to the CA host in a reliable manner;
SCP certs/httpd.csr [Email protected]:/tmp
(4) sign the certificate on the CA host;
~]# OpenSSL ca -in /tmp/httpd.csr -out /etc/pki/ca/certs/httpd.crt -days 365
(5) Send to server host after signing certificate
~]# scp/etc/pki/ca/certs/httpd.crt [email PROTECTED]:/ETC/HTTPD/SSL/HTTPD.CRT
View the information in the certificate:
~]# openssl x509 -in/etc/pki/ca/certs/httpd.crt - noout -serial -subject
To revoke a certificate:
Steps:
(1) The client obtains the serial of the certificate to be revoked (performed on the host using the certificate):
~]# OpenSSL X509-in/etc/pki/ca/certs/httpd.crt-noout-serial-subject
(2) CA host Revocation Certificate
According to the serial and subject information submitted by the customer, the consistency of the data stored in the index.txt of the native database is compared.
Revocation: # OpenSSL CA-REVOKE/ETC/PKI/CA/NEWCERTS/SERIAL.PEM
This article is from the "11295442" blog, please be sure to keep this source http://11305442.blog.51cto.com/11295442/1768566
Openssl encryption, decryption, CA authentication