Environment for this article: RedHat 5.8
This post covers: encryption algorithms, an introduction to CAs and their configuration, and using CA-issued certificates to set up HTTPS (encrypted, authenticated transport) for a web server.
1. Data travels over the Internet in two ways: in plaintext and encrypted. Plaintext protocols include FTP, HTTP, SMTP and Telnet; anyone on the network path can read, and also alter, what they carry. To protect the confidentiality and integrity of data, encryption and related mechanisms were later introduced.
2. Confidentiality of data:
To keep transmitted data from being readable by third parties, the sender encrypts it before sending; the receiver decrypts the received ciphertext with the corresponding key and only then reads it. A third party who captures the traffic sees only ciphertext.
Common cryptographic algorithms:
①. Message digests (one-way hashes): a fixed-size fingerprint is computed over the whole of the data; if any part of the data changes, the fingerprint changes, which is how integrity is checked. (The original post calls these "data signatures"; strictly, a digest only becomes a signature once it is encrypted with a private key, see ③ below.) Such an algorithm has the following characteristics:
Deterministic: the same input always produces the same output.
Avalanche effect: a small change in the input causes a large change in the output.
Fixed-length output: however large the original data, the result is the same size.
One-way: the process is irreversible; the original data cannot be recovered from the digest.
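The four properties above can be checked directly with Python's standard hashlib. This is an added example, not code from the original post; the request line used as input is constructed for the demo, and "bits changed" is measured as the Hamming distance between the digests of two inputs that differ in a single bit:

```python
"""Added example (not from the original post): measure the digest properties
listed above (deterministic, fixed length, avalanche) with hashlib."""
import hashlib


def digest(algo, data):
    """One-way digest of data with the named algorithm ("md5", "sha1", "sha256", ...)."""
    return hashlib.new(algo, data).digest()


def bit_diff(a, b):
    """Hamming distance: how many bits differ between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_one_bit(data):
    """Constructed near-identical input: same bytes, lowest bit of the last byte flipped."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def digest_properties(algo, data):
    """Return measurements of the properties the section lists for one algorithm."""
    d1 = digest(algo, data)
    d2 = digest(algo, data)                 # same input a second time
    d3 = digest(algo, flip_one_bit(data))   # input differing in exactly one bit
    d4 = digest(algo, data * 1000)          # a much larger input
    return {
        "deterministic": d1 == d2,
        "output_bits": len(d1) * 8,
        "same_length_for_large_input": len(d4) == len(d1),
        # Avalanche: for a good hash roughly half of the output bits flip.
        "bits_changed_by_one_bit_flip": bit_diff(d1, d3),
    }


if __name__ == "__main__":
    msg = b"GET /index.html HTTP/1.0"   # constructed sample input
    for algo in ("md5", "sha1", "sha256"):
        print(algo, digest_properties(algo, msg))
```

Irreversibility cannot be shown by running code, but the measurements make the other three properties concrete: MD5 always yields 128 bits, SHA-1 160, SHA-256 256, regardless of input size, and a one-bit change in the input flips about half of the output bits.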
②. Negotiating a shared secret: key exchange
Diffie-Hellman key exchange:
Public parameters known to both A and B: p, a large prime, and g, a generator.
A chooses a private exponent x; B chooses a private exponent y.
A sends g^x mod p to B
B sends g^y mod p to A
A computes (g^y mod p)^x mod p = g^(xy) mod p
B computes (g^x mod p)^y mod p = g^(xy) mod p
Both sides arrive at the same value, and that value is the shared key. An eavesdropper sees only p, g, g^x mod p and g^y mod p; recovering x or y from them (the discrete logarithm problem) is infeasible for a large p. Note that plain Diffie-Hellman does not authenticate either party, so a man in the middle can run one exchange with A and another with B; in TLS the exchanged values are signed with the server's certificate key to prevent this.
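The exchange above, run as code. This is an added example and not from the original post; it uses the small textbook parameters p = 23, g = 5 so every intermediate value can be checked by hand, and the key-derivation step (hashing the shared integer) is a demo simplification. A real deployment uses a group of 2048 bits or more (for example the RFC 3526 MODP groups); the arithmetic is identical.

```python
"""Added example (not from the original post): Diffie-Hellman with the
textbook parameters p=23, g=5, plus the peer-value check a careful
implementation performs."""
import hashlib
import secrets


def valid_peer_value(value, p):
    """Reject 0, 1 and p-1 (and out-of-range values): they force a trivial shared secret."""
    return 1 < value < p - 1


def dh_public(g, x, p):
    """What a party sends over the wire: g^x mod p (pow() is modular exponentiation)."""
    return pow(g, x, p)


def dh_shared(peer_public, x, p):
    """What each party computes locally: (peer's value)^x mod p."""
    if not valid_peer_value(peer_public, p):
        raise ValueError("peer value outside (1, p-1): degenerate or forged share")
    return pow(peer_public, x, p)


def dh_exchange(p, g, x, y):
    """Run both sides. Returns (A's message, B's message, A's secret, B's secret)."""
    a_sends = dh_public(g, x, p)   # A -> B: g^x mod p
    b_sends = dh_public(g, y, p)   # B -> A: g^y mod p
    key_a = dh_shared(b_sends, x, p)   # A: (g^y)^x mod p
    key_b = dh_shared(a_sends, y, p)   # B: (g^x)^y mod p
    return a_sends, b_sends, key_a, key_b


def random_exponent(p):
    """Private exponent in [2, p-2] from a CSPRNG, never from time or a counter."""
    return 2 + secrets.randbelow(p - 3)


def derive_key(shared_secret, nbytes=16):
    """Demo KDF (assumption): hash the shared integer down to a symmetric key."""
    return hashlib.sha256(str(shared_secret).encode()).digest()[:nbytes]


if __name__ == "__main__":
    p, g = 23, 5
    a_sends, b_sends, key_a, key_b = dh_exchange(p, g, x=6, y=15)
    print("A -> B:", a_sends, " B -> A:", b_sends)       # 8 and 19: all an eavesdropper sees
    print("A computes:", key_a, " B computes:", key_b)   # both 2
    print("symmetric key:", derive_key(key_a).hex())
```

With x = 6 and y = 15 the wire carries 8 and 19, and both sides compute 2; the eavesdropper would have to solve 5^x ≡ 8 (mod 23) to get x, which is easy for p = 23 and infeasible for a 2048-bit p.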
③. Public-key algorithms: asymmetric encryption
Key pair: a public key and a private key (secret key); the public key is derived from the private key, but the private key cannot feasibly be derived from the public key.
If the sender encrypts data with its own private key, anyone can decrypt it with the sender's public key, which proves who produced it: this is authentication (a digital signature).
If the sender encrypts data with the recipient's public key, only the recipient's private key can decrypt it, which guarantees confidentiality.
Public-key algorithms are rarely used to encrypt bulk data, because they are far slower than symmetric ciphers; they are used mainly for authentication and for exchanging the symmetric key that then encrypts the data.
④. Symmetric encryption algorithms: DES, 3DES, AES (Advanced Encryption Standard; AES128 and AES256 name the key length in bits), Blowfish.
One-way hash algorithms: MD4, MD5 (128-bit output), SHA1 (160), SHA256, SHA384, SHA512 (the number is the output length in bits). MD5 and SHA1 are no longer collision-resistant and should not be used for new signatures. CRC-32 is a cyclic redundancy check, an error-detection checksum and not a cryptographic hash; it offers no protection against deliberate tampering.
⑤. Uses of public-key cryptography: identity authentication (digital signatures), data encryption, key exchange.
Public-key algorithms: RSA can both encrypt and sign; DSA can only sign.
Tools: OpenSSL and GPG (both provide symmetric and asymmetric operations as well as hashing).
3. PKI: Public Key Infrastructure
The PKI defines the CA and the other components (certificates, revocation lists, the issuing process) needed to bind a public key to an identity.
CA: Certificate Authority, the core of the PKI. The CA issues certificates and publishes a certificate revocation list (CRL) of certificates it has withdrawn before their expiry date. Digital certificates come in several formats; the most widely used is X.509.
An X.509 certificate contains: the public key and its validity period, the legal owner of the certificate (the subject), how the certificate may be used (key usage), the issuing CA's information (the issuer), and the CA's signature over all of these fields, which a client verifies against the CA's own certificate before trusting anything in it.
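One example serves both the public-key section (③) above and the X.509 description: textbook RSA with toy parameters shows the two directions of use (own private key for a signature, recipient's public key for confidentiality), and a minimal certificate then binds a subject name, public key, validity period, key usage and serial number under the CA's signature, with the checks a relying party makes, revocation included. This is an added example and not code from the original post. Assumptions: the Mersenne primes are used only because they are easy to write down and make n larger than 2^256 (real keys use random primes of about 1024 bits each); the CA name, hostname, dates and serial are invented; the JSON encoding stands in for DER; and textbook RSA has no padding and is not safe for real use.

```python
"""Added example, not from the original post: textbook RSA (toy, unpadded,
NOT for real use) and a minimal CA-signed certificate with verification."""
import hashlib
import json
from math import gcd

# Demo primes (assumption): Mersenne primes 2^127-1, 2^521-1, 2^107-1, 2^607-1.
# Chosen only so that n > 2^256 and a SHA-256 digest fits in one RSA block.
CA_P, CA_Q = (1 << 127) - 1, (1 << 521) - 1
SRV_P, SRV_Q = (1 << 107) - 1, (1 << 607) - 1


def rsa_keygen(p, q, e=65537):
    """Return ((n, e), (n, d)): the public key is derived from the private-key material."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))  # modular inverse needs Python 3.8+


def sha256_int(data):
    """Hash first, then sign the digest (hash-then-sign), as real signature schemes do."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    """Encrypt the digest with the signer's own private key: anyone with the public key can check it."""
    n, d = private
    return pow(sha256_int(data), d, n)


def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == sha256_int(data)


def encrypt(public, m):
    """Encrypt with the recipient's public key: only the matching private key recovers m."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message too large: RSA encrypts a session key, not bulk data")
    return pow(m, e, n)


def decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def encode(tbs):
    """Canonical bytes so issuer and verifier hash the same thing (X.509 uses DER)."""
    return json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(ca_private, issuer, serial, subject, subject_public,
                      not_before, not_after, key_usage):
    """Bind the fields listed in the X.509 passage under the CA's signature (dates as ISO strings)."""
    tbs = {"serial": serial, "subject": subject, "issuer": issuer,
           "public_key": {"n": subject_public[0], "e": subject_public[1]},
           "not_before": not_before, "not_after": not_after, "key_usage": key_usage}
    return {"tbs": tbs, "signature": sign(ca_private, encode(tbs))}


def verify_certificate(cert, trusted_cas, now, crl):
    """Relying-party checks: trusted issuer, CA signature, validity window, not on the CRL."""
    tbs = cert["tbs"]
    ca_public = trusted_cas.get(tbs["issuer"])
    if ca_public is None:
        return False, "issuer is not a trusted CA"
    if not verify(ca_public, encode(tbs), cert["signature"]):
        return False, "CA signature does not match: tampered or not issued by this CA"
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return False, "outside validity period"
    if tbs["serial"] in crl:
        return False, "revoked (listed in the CA's CRL)"
    return True, "ok"


if __name__ == "__main__":
    ca_pub, ca_priv = rsa_keygen(CA_P, CA_Q)
    srv_pub, srv_priv = rsa_keygen(SRV_P, SRV_Q)
    trusted = {"Demo Root CA": ca_pub}   # the client's trust store (constructed)
    cert = issue_certificate(ca_priv, "Demo Root CA", 1, "www.example.com", srv_pub,
                             "2012-01-01", "2013-01-01", ["digitalSignature", "keyEncipherment"])
    print(verify_certificate(cert, trusted, "2012-06-01", crl=set()))
    forged = {"tbs": dict(cert["tbs"], subject="evil.example.com"), "signature": cert["signature"]}
    print(verify_certificate(forged, trusted, "2012-06-01", crl=set()))
    print(verify_certificate(cert, trusted, "2012-06-01", crl={1}))
    # Confidentiality direction: a client sends a session key under the server's public key.
    session_key = int.from_bytes(b"constructed-16B-key!", "big")
    print(decrypt(srv_priv, encrypt(srv_pub, session_key)) == session_key)
```

The forged certificate fails because the signature was computed over the original fields: changing the subject without the CA's private key breaks the binding, which is exactly what the X.509 signature protects. The same verify_certificate path reports expiry and revocation, the two ways a correctly signed certificate can still be untrustworthy.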
4. OpenSSL: an open-source implementation of SSL/TLS.
OpenSSL consists of:
libcrypto: a general-purpose cryptographic library (symmetric ciphers, hashes, public-key algorithms, X.509 certificate handling)
libssl: the TLS/SSL implementation; a session-based library that provides identity authentication, data confidentiality and session integrity
openssl: a multipurpose command-line tool, with which a private certificate authority can also be set up.