When the data is transmitted in a broadcast manner a route to the understanding of the host, when the heart of the people want to intercept our data, as long as the packet in the path of any link on the access to their device can be access to our communications information. We want to ensure the privacy of our communications, we need to encrypt the data we communicate, transmission to the other side of the decryption before we can see the normal communication information.
data encryption before we need to understand the flow of data transmission: Data transmission time is 4 layers, application layer, transport layer, network layer, the Internet layer. The next three layers are defined specifications, and our data has to be used to tamper with the application layer, when we need a software to encrypt the data before we send the data, and then package the packet transmission.
Now that there is a data encryption location, you need to define the encryption algorithm, data encryption is divided into three kinds:1 symmetric encryption,2 One-way encryption,3 asymmetric encryption. Since it is the encryption algorithm and everyone to use, then we need to publish the algorithm (do not publish the algorithm directly release software for others to use, this behavior is afraid to think, how to ensure that the release of the software people do not crack our data).
The algorithm is public so how to guarantee the data encryption, which requires the use of different keys, like the lock all use, but only our own keys can open their own home.
aone-way encryption
the role of one-way encryption is to ensure the uniqueness of the file, and sometimes we transfer a file we do not require that this must be confidential, but we require that the file must be identical to the publisher. At this time the publisher just put this one-way encrypted data on the Web page, we download the data after the use of one-way encryption to calculate once, compared to two times the results of one-way encryption can be. The nature of one-way encryption is to extract the file's signature, and the source file remains unchanged. An example:
OpenSSL dgst-md5 file #把FILE文件进行单向加密 md5sum file
detailed documentation of one-way encryption can be viewed in man dgst. Some common options for one-way encryption:
-md5# encryption algorithm, encryption algorithm and SHA1,sha224,sha256
each algorithm has a corresponding tool sha1sum,sha224sum,sha256sum
twoSymmetric encryption
Symmetric encryption means that data encryption and decryption use the same key, similar to the locks we normally use, and the same key is used to open and close the door. Method of implementation:
OPENSSLENC-E-des3-a-salt-in file-out FILE. S #使用这个命令加密数据, is to encrypt the file into FIEL.S, the encryption algorithm uses DES3. You need to enter a password after the command executes. opensslenc-d-des3-a-salt-in FILE. S-out FILE. s #这个命令是把FILE. s files are decrypted to file. The password that is entered when encryption is required
Gpg-c file #会生成FILE. GPG encrypted Files Gpg-o file-d file.gpg #解密FILE. gpg file for a detailed usage of file symmetric encryption can be used: Man enc view, some common parameters of symmetric encryption-e #对文 Pieces to encrypt-D #对文件进行解密-des3 #使用des3算法, the algorithm also has aes,blowfish,twofish-a #base64的编码方式-salt #这项是默认的, can not write, encrypt files when adding some other data
threeAsymmetric Encryption
Asymmetric Encryption is the focus of this section, and asymmetric encryption uses a pair of keys: the public key and the private key. The public key is placed on the internet to allow anyone to download it, and the private key is owned by only one host. Data encrypted with the public key can only be solved by the private key, and only the public key can be solved by the private key. An example:
using asymmetric encryption requires a private key, and then extracts the public key from the private key.
Opensslgenrsa-out FILE. Prive 2048 #生成一个2048为的私钥opensslrsa-in FILE. Prive-pubout-out FILE. PUB #从私钥FILE extract Public key file.pub in Prive.
These things are not important at all, we send data on the Internet when the use of encryption algorithms, when so laborious, encrypted files are used to use symmetric encryption to add a password to the file.
Gpg--gen-key #生成密钥对 gpg--list #查看公钥 gpg-a-export-o file.pubkey #导出公钥到FILE. pubkey file Gpg--import file.p Ubkey #导入公钥 gpg-e-r name file #使用NAME公钥加密FILE文件 gpg-d file #解密FILE文件, decryption requires the private key of the corresponding file Gpg--delect-keys NAME #删除NAME公钥 Gpg--delect-secret-keys NAME #删除NAME私钥 gpg detailed usage man GPG genrsa genrsa
FourEncryption Type comparison
|
encryption speed |
key number |
distribution difficulty |
key security |
symmetric encryption |
|
multiple |
difficult, many ways, very confusing |
security mechanism is not sound |
one-way encryption |
block |
none |
|
no security required |
Asymmetric encryption |
Slow |
Less |
in, through CA Distribution |
Have a sound security mechanism |
Encryption type Comparison table
a large number of private data, we generally take three kinds of encryption method of joint authentication transmission. If a sends data to B, the format of the data is as follows:key(date+sa(date)+PB(key)
PB Represents the public keyof B, the SA represents the private key of a, andkey represents a symmetric encrypted key. This method not only guarantees the security of the encryption, but also guarantees the speed of the encryption, and also knows who sent the data.
FiveKey authentication for asymmetric encryption
Asymmetric Encryption has a focus, if we want to communicate with a host B , we must have his public key to send private messages, if a website directly out of a public key that is the public key of host a , how do we prove that the public key is b 's public key. The internet on the construction of a number of certification authority CA, a service server to use encrypted data can go to CA certification, our operating system will be the public key certification of these agencies to download and import the system.
Sometimes the company constructs an internal use of the site does not provide services, but the internal use of the company and the need to ensure data security, then we can establish a the CA provides services to our company's website. Below we build a CA directlyand simulate the process of issuing a CA certificate. CA 's configuration file shi/etc/pki/tls/openssl.cnf
1The first step is to build aCa
cd /etc/pki/ca #切换到构建CA的目录 (umask 066;openssl genrsa -outprivate/cakey.pem 2048) #生成CA使用的2048位的私钥touch index.txt # Create the CA database echo 01 > serial #重置计数器, use it for the certificate number, This number should also be used when removing certificates openssl req -new -x509 -key private/cakey.pem-days 7300 -out cacert.pem #CA生成自签名证书, input this line command will enter the interactive interface, the interactive interface content as follows:country name (2 letter code) [xx]:cn #这一步是输入国家State or province name (full name) []:beijing # Designated Province locality name (eg, city) [DefaultCity]:haidian #指定市Organization Name (eg, company) [defaultcompany ltd]:oldking.org # Company Name organizational unit name (eg, section) []:d irectors #部门名称Common Name (Eg, your name or your server ' sHostName) []:oldking.org #服务器名字Email Address []:[email protected] #邮箱
2generate a Request authorization file
This is a command executed on another host, The CA requests a certificate file for the server to execute the command.
cd/etc/httpd/ssl/(umask 066;openssl genrsa-outhttpd.key 2048) #给当前主机创建私钥密钥openssl Req-new-key httpd.key-out httpd. Csr-days 730 #生成请求文件, this will also go into interactive mode: Country name (2 letter code) [Xx]:cnstate or province name (full name) []:beijinglocalit Y name (eg, city) [Defaultcity]:haidian Organization Name (eg, company) [Default companyltd]:oldking.orgorganizational Un It name (eg, section) []:itcommon name (eg, your name or your server ' sHostName) []:lw.orgemail Address []:P lease Enter the Following ' Extra ' attributesto is sent with your certificate Requesta challenge password []:an optional company name []:LW Is good
3 CAAuthorized
SCP HTTPD.CSR 172.16.29.1:/root #把请求文件发送到CA上openssl ca-in/root/httpd.csr-outcerts/httpd.crt-days 730 #这一步也要进入交互式模式, Authorization information
4 CArevoking a certificate
OpenSSL x509-in/path/from/cert_file-noout-serial-subject #查找授权文件的信息openssl CA-REVOKE/ETC/PKI/CA/NEWCERTS/SERIAL.P EM #吊销指定证书echo >/etc/pki/ca/crlnumber #生成吊销证书的编号 (Need to execute when a certificate is first revoked) OpenSSL CA-GENCRL-OUT/ETC/PKI/CA/CR L/CA.CRL #更新证书吊销列表openssl Crl-in/etc/pki/ca/crl/ca.crl-noout-text #查看crl文件
Summary
This section focuses on the simple use of three encryption methods to understand the advantages and disadvantages of cryptographic algorithms. Proficient in the process of CA authorization certificate, and can self-build CA and authorize other hosts.
This article is from "Lao Wang Linux Journey" blog, please be sure to keep this source http://oldking.blog.51cto.com/10402759/1882421
Security and encryption