OpenSSL for Linux Services (i)

Source: Internet
Author: User
Tags: message queue, openssl

OpenSSL (1)


Transport layer protocols: TCP, UDP, SCTP

Port: the address of a process; a process registers a port with the kernel, and that port is then exclusive to it

Interprocess communication on the same host (IPC): message queues, shared memory (SHM), semaphores

Interprocess communication between different hosts: sockets

cip:port <----> sip:port (client IP and port paired with server IP and port)

cip:55673 <----> sip:80

Listening mode: LISTEN (ip:port)

SSL: Secure Sockets Layer

HTTP + SSL = HTTPS

The goals of security:

Confidentiality

Integrity

Availability

Attack types:

Attacks on confidentiality: eavesdropping, traffic analysis

Attacks on integrity: modification, masquerade, replay, repudiation

Attacks on availability: denial of service (DoS)

Solutions:

Technology (encryption and decryption) and services (security services designed specifically to defend against the attacks above, that is, to achieve the security objectives listed above)

Encryption and decryption:

Classical ciphers: substitution ciphers and transposition ciphers

Modern ciphers: block ciphers

Services:

Authentication mechanism

Access control mechanism

Key algorithms and protocols:

Symmetric encryption

Public key cryptography

One-way encryption (hashing)

Authentication protocols

On Linux: OpenSSL (implements SSL/TLS), GPG (implements PGP/OpenPGP)

OpenSSL is made up of three parts:

libcrypto: the cryptographic library

libssl: the SSL/TLS library

openssl: the multipurpose command-line tool

Cryptographic algorithms and protocols:

Symmetric encryption: the same key is used for encryption and decryption

DES: Data Encryption Standard

3DES: Triple DES

AES: Advanced Encryption Standard (128bits, 192bits, 256bits, 384bits)

Blowfish

Twofish

IDEA

RC6

CAST5

Characteristics:

1. Encryption and decryption use the same key

2. The original data is split into fixed-size blocks, which are encrypted one by one

Defects:

1. Too many keys are needed

2. Key distribution is difficult

Public key cryptography: the key is split into a public key and a private key

Public key: extracted from the private key; available to everyone; pubkey

Private key: generated by the tool and kept by its owner; it must be kept secret; secret key

Features: data encrypted with the public key can only be decrypted with the paired private key, and vice versa

Uses:

Digital signature: mainly lets the receiver verify the identity of the sender

Key exchange: the sender encrypts a symmetric key with the other party's public key and sends it to them

Data encryption

Algorithms: RSA, DSA, ElGamal

DSS: Digital Signature Standard

DSA: Digital Signature Algorithm

One-way encryption (hashing): produces a fingerprint of the data; it can only be computed forward, never reversed

Characteristics: fixed-length output, avalanche effect

Purpose: integrity

Algorithms:

MD5: Message Digest 5, 128 bits

SHA1: Secure Hash Algorithm 1, 160 bits

SHA224, SHA256, SHA384, SHA512
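The fixed-length output, the avalanche effect and the integrity use of one-way hashing, demonstrated with Python's hashlib. This is an added example, not part of the original notes; the two messages are constructed sample inputs that differ in exactly one bit.

```python
import hashlib

# Constructed sample inputs: MSG_B differs from MSG_A in exactly one bit
# (the lowest bit of the first byte is flipped).
MSG_A = b"OpenSSL for Linux Services"
MSG_B = bytes([MSG_A[0] ^ 0x01]) + MSG_A[1:]


def hexdigest(algorithm: str, data: bytes) -> str:
    """The data's fingerprint as a hex string."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(algorithm: str, data: bytes) -> int:
    """Digest length in bits; this depends only on the algorithm, never on the input size."""
    return hashlib.new(algorithm, data).digest_size * 8


def hamming_distance(a: bytes, b: bytes) -> int:
    """Count the bits in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm: str, m1: bytes, m2: bytes) -> int:
    """Hash both messages and return how many digest bits changed (about half, for a good hash)."""
    return hamming_distance(hashlib.new(algorithm, m1).digest(),
                            hashlib.new(algorithm, m2).digest())


def fixed_length(algorithm: str) -> bool:
    """Empty input, a short message and 1 MiB of zeros must all give a digest of the same length."""
    lengths = {digest_bits(algorithm, d) for d in (b"", MSG_A, b"\x00" * (1 << 20))}
    return len(lengths) == 1


def fingerprint_matches(algorithm: str, data: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the fingerprint and compare with the one received with the data."""
    return hexdigest(algorithm, data) == expected_hex


if __name__ == "__main__":
    for alg in ("md5", "sha1", "sha256", "sha512"):
        print(f"{alg:6s} {digest_bits(alg, MSG_A):3d} bits; flipping one input bit changes "
              f"{avalanche(alg, MSG_A, MSG_B)} digest bits")
    # A tampered copy fails the integrity check even though only one bit moved.
    print("integrity ok:", fingerprint_matches("sha256", MSG_B, hexdigest("sha256", MSG_A)))
```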


Key exchange: IKE (Internet Key Exchange), using either of:

Public key cryptography

DH (Diffie-Hellman)

A: p, g
B: p, g

A: picks x, sends p^x%g ==> B
B: picks y, sends p^y%g ==> A

A: (p^y%g)^x = p^yx%g
B: (p^x%g)^y = p^xy%g
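The DH exchange above carried out in Python, as an added example that is not part of the original notes. It uses the conventional roles, p as the prime modulus and g as the generator, so the value each side sends is g^x mod p; the parameters p = 23, g = 5 are a constructed toy group, far too small for real use, and the brute-force search at the end shows what an eavesdropper would have to solve and why real parameters use primes of 2048 bits or more.

```python
# Toy Diffie-Hellman exchange. Conventional roles: p is the prime modulus, g the generator.
# Constructed parameters: p = 23, g = 5 form a textbook toy group, far too small for real use.

def dh_public(p: int, g: int, private: int) -> int:
    """The value sent over the wire: g^private mod p."""
    return pow(g, private, p)


def dh_shared(p: int, peer_public: int, private: int) -> int:
    """Shared secret from the peer's public value and our own private exponent."""
    return pow(peer_public, private, p)


def dh_exchange(p: int, g: int, x: int, y: int) -> dict:
    """Run the exchange between A (private x) and B (private y); return what each side ends up holding."""
    a_pub = dh_public(p, g, x)          # A ==> B
    b_pub = dh_public(p, g, y)          # B ==> A
    return {
        "A_sends": a_pub,
        "B_sends": b_pub,
        "A_secret": dh_shared(p, b_pub, x),          # (g^y)^x mod p
        "B_secret": dh_shared(p, a_pub, y),          # (g^x)^y mod p
        "eavesdropper_sees": (p, g, a_pub, b_pub),   # never x, y or the secret
    }


def discrete_log_bruteforce(p: int, g: int, target: int) -> int:
    """What an eavesdropper must solve to recover a private exponent: the smallest e with
    g^e mod p == target. Feasible only because p is tiny; with a 2048-bit p it is out of reach."""
    value = 1
    for exponent in range(p):
        if value == target:
            return exponent
        value = (value * g) % p
    raise ValueError("target is not in the subgroup generated by g")


if __name__ == "__main__":
    result = dh_exchange(23, 5, x=6, y=15)
    print(result)
    assert result["A_secret"] == result["B_secret"]
    print("eavesdropper recovers x =", discrete_log_bruteforce(23, 5, result["A_sends"]))
```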

PKI: Public Key Infrastructure

Public key infrastructure consists of:

Certificate Authority: CA

Registration Authority: RA

Certificate Revocation List: CRL

Certificate repository

X.509v3: defines the structure of the certificate and the standard for the authentication protocol

Version number

Serial number

Signature algorithm ID

Issuer name

Validity period

Subject name

Subject public key

Issuer unique identifier

Subject unique identifier

Extensions

Issuer's signature

SSL: Secure Sockets Layer

Netscape, 1994

v1.0, v2.0, v3.0

TLS: Transport Layer Security

IETF, 1999

v1.0, v1.1, v1.2, v1.3

Layered design:

1. Bottom layer: implementations of the basic algorithm primitives, e.g. AES, RSA, MD5

2. One layer up: implementations of the various algorithms

3. Next layer up: algorithms combined into semi-finished components

4. Top layer: the components assembled into cryptographic protocol software products

Open-source implementation of the protocol: OpenSSL

