The principle of data encryption and decryption and the construction and revocation of private CAs

Source: Internet
Author: User
Tags openssl enc openssl rsa openssl x509 sha1 asymmetric encryption

Simply list the basic commands and share only my thoughts!

First, the data addition / decryption principle explanation

both clients communicate on the Internet, in order to ensure the security of information, there is The SSL protocol is called a Secure Socket layer under the application layer above the TCP/IP model Transport layer. The goal is to encrypt the application layer's data to the client, and the software that implements this protocol or function on Linux is OpenSSL.

The principle is actually that both clients ' SSL layer to negotiate the application of which encryption / decryption method,OK, if the two sides SSL agreed, the upper application protocol is encrypted by SSL, Then the two sides on the internet transmission of data is encrypted, after the encrypted data arrives at the client, the client's SSL will use the corresponding "method" for data decryption and restore, then to the resource subnet (corresponding process) to process. This is shown in principle 1 .

650) this.width=650; "src=" Http:// "title=" SSL Secure Sockets Layer Principle 1.jpg "alt=" Wkiom1u88hdsqkzraahb3qd2qyw101.jpg "/>

Figure 1

Common cryptographic algorithms and protocols:

1, symmetric encryption: Encryption and confidentiality using the same key, the algorithm is public, but the key only communication only know, the common algorithm has DES (Data Encryption Standard) 56bits,AES( Advancedencryption)128bits/192bits/256bits/384bits/512bits,blowfish,twofish, idea et,2.

Features: Encryption and decryption using the same key, the data is divided into fixed-size blocks, encrypted one by one.

Permissions: How many clients communicate with how many keys, too many keys, and key distribution is also difficult.

650) this.width=650; "src=" Http:// "title=" Symmetric encryption 2.jpg "alt=" Wkiol1u8846i_jk5aac9gfvp_28957.jpg "/>

Figure 2

2. Asymmetric encryption: The public key and private key appear in pairs, the public key is extracted from the private key, the private key is only allowed for personal use, public key is public. Common algorithms are RSA(digital signature and key exchange),DSA(digital signature),ELGamal, etc.

Features: Data encrypted with public keys can only be decrypted by the corresponding private key, and vice versa, with a large key length of 512bits/2048bits/4096bits/8192bits.


Identity authentication: The private key owner is encrypted with its own private key and can only be decrypted with the corresponding public key.

Key exchange: Before the communication between the two sides, first obtain the other party's public key, generate a symmetric key, with the other party's public key to encrypt the symmetric key, only the other party's private key decryption, so the two sides using symmetric encryption can be.

Data encryption: Data encryption is seldom used, the key length is too large and the efficiency is very low.

3, one-way encryption: Extract the data signature. The algorithm has MD5,SHA1,SHA256,SHA512,SHA384.


Fixed-length output: The signature is the same length regardless of the level of the original data.

Irreversible: The data cannot be inferred from the signature code.

Avalanche effect: Small changes in raw data can make signatures completely different.

Use: Used for data integrity checking and digital signatures (cryptographic signatures with private keys are digitally signed).

said the data how to encrypt and how to decrypt, the following is how to encrypt data transmission, symmetric key encryption is generally used for confidential data, that is, "conscientious" does not understand, and the non-symmetric encryption is mainly to do digital signature to ensure the integrity of the data and the authenticity of the source, so, Key exchange is required first (ike:internet key Exchange, mainly through public key cryptography and the DH algorithm), both sides of the communication need to know this symmetric key to line, assuming both sides have already known the other party's public key, The encrypted data to be transmitted should be 3.

650) this.width=650; "src=" Http:// "title=" Data transmitted over the Internet 3.jpg "alt=" Wkiol1u886oq1ztraaerrkasygk110.jpg "/>

Figure 3

Figure 3 is the transmission of data when both parties know the other's public key, if the public key to ensure that both sides of the other, but also through the digital certificate of public key information to secure distribution, digital certificate (CA Visa Agency issued) format ( V3) is:

Version number

Serial Number: The CA is used to uniquely label this certificate.

Signature Algorithm flag: Verifies the validity of the certificate.

Publisher Name: the name of the CA itself.

Validity period: Start date and end date.

Certificate Principal holder: That is, the certificate owner.

Certificate principal Public key information: The certificate owner's own public key.

Publisher unique: Computers are more likely to recognize numbers.

Certificate Subject unique Designation

Extended information

Signature: The CA 's signature for this certificate.

Workflow 4 for the certificate is as follows:

650) this.width=650; "src=" Http:// "title=" Certificate legitimacy Verification 4.jpg "alt=" Wkiom1u88mrqcog1aajq2k-vdas700.jpg "/>

Figure 4

Note: In addition to viewing After the validity of the CA , it depends on whether the certificate has expired and is not in the revocation certificate list.

second, through OpenSSL Implementation of SSL command description

the components of OpenSSL:

(1),libcrypto: Encrypt, decrypt files.

(2),libssl: Implementation of SSL protocol

(3),OpenSSL: Multi-purpose command-line tools, each function has a corresponding sub-command implementation.

OpenSSL is divided into standard commands, Information digest commands, and cryptographic commands,5

650) this.width=650; "src=" Http:// "title=" OpenSSL command 5.jpg "alt=" Wkiol1u88-vjetsyaajbpp36vly834.jpg "/>

Figure 5

symmetric encryption / decryption implementations:

OpenSSL enc-ciphername [-in filename] [-out filename] [-d] [-a/-base64] [-salt]

-ciphername: Algorithm,des,AES,3DES, etc.

-salt: Plus random numbers, which is impurities.

-D: Decryption.

-E: Encryption.

-A: Processes databased on Base64, which is the text encoding format.

For example: The /tmp/passwd file is encrypted,6, including the algorithm used, you can choose from, the previous article has also said that the use of those symmetric encryption algorithm.

You can delete the/tmp/passwd file and decrypt the encrypted/tmp/passwd.key file,as shown in 7 .

650) this.width=650; "src=" Http:// "title=" Symmetric encryption 6.jpg "alt=" Wkiol1u89bognmvraavdnkl9xus903.jpg "/>

Figure 6

650) this.width=650; "src=" Http:// "title=" Symmetric decryption demo 7.jpg "alt=" Wkiom1u88uksuwiraat7s88sbqi920.jpg "/>

Figure 7

Extraction of file signatures:

OpenSSL dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-outfilename] [File ...]

The command is simple, the direct Figure 8, multiple times the same file extraction signature, the signature is the same.

650) this.width=650; "src=" Http:// "title=" Signature extraction 8.jpg "alt=" Wkiom1u88xsqlpzraagwwmhfooa682.jpg "/>

Figure 8

Public Key Cryptography implementation:

(1), generate an unencrypted private key:

OpenSSL genrsa [-out filename] [numbits]

The order is simple, the direct drawings 9.

650) this.width=650; "src=" Http:// "title=" Generate private key 9.jpg "alt=" Wkiol1u89lsi88mpaazlgrcsxo8894.jpg "/>

Figure 9

(2), extract the public key from the private key:

OpenSSL RSA [-in filename] [-pubout]

command simple, direct drawings .

650) this.width=650; "src=" Http:// "title=" Extract the public key 10.jpg "alt=" Wkiol1u89muxpnqkaagkw8-z3zu056.jpg "/>

Figure 10

How to build a private CA, build private CA working directory in /etc/pki/ca:

(1), generate the private key, one byone;

650) this.width=650; "src=" Http:// "title=" Create the certificate's private key 11.jpg "alt=" Wkiom1u884pb-ymfaaddw_2e4li476.jpg "/>

Figure 11

Note: The private key must be stored in the/etc/pki/ca/private directory, and the private key must end with a. Pem , which are all in the/etc/pki/tls/openssl.cnf Described in this configuration command, part of the following.

650) this.width=650; "src=" Http:// "title=" True 12.jpg "alt=" Wkiom1u886rse4q-aakgxzylhea837.jpg "/>

Figure 12

(2), generate self-signed certificate;

OpenSSL req-x509-key private key -out/etc/pki/ca/cacert.pem-days #(days),.

650) this.width=650; "src=" Http:// "title=" Correct 13.jpg "alt=" Wkiol1u89sti1n8laahnqaslsz0995.jpg "/>

Figure 13

Validation CA validity, the same host is both a CA and a certificate requester:

(1), the node application certificate, the steps are as follows:

A.on the host requesting the certificate, generate the private key

B, generate certificate signing requirements,14

The key generated by OpenSSL Req–new–key –out the certificate to be issued. CSR(must end with . CSR )

650) this.width=650; "src=" Http:// "title=" Certificate Request 14.jpg "alt=" Wkiom1u88-tyystjaasbxcz3oq8067.jpg "/>

Figure 14

C. Send the request to the CA

(2),CA issued certificate

A. Verify Requestor information

B, signing certificate,15

the certificate of the OpenSSL ca-in application. Csr-out approved certificate . Crt-days 360

650) this.width=650; "src=" Http:// "title=" Sign certificate 15.jpg "alt=" Wkiol1u89wvsmkdgaaw0x0th0_c259.jpg "/>

Figure 15

Note: When signing the certificate will be an error, according to the prompts to create index.txt ( certificate index file ) and serial file (define the next issue of the certificate serial number), you can look at the configuration file, I've already said it.

C, the signed certificate issued to the applicant

revoke a previously issued certificate (that is, httpd.crt):

get the serial number of the revoked certificate and compare it to Index.txt

OpenSSL X509-in/etc/httpd/ssl/httpd.crt-noout-serial-subject

To revoke a certificate:

OpenSSL ca-revoke/etc/httpd/ssl/httpd.crt(sent over to revoke the certificate)

Generate the number of the revocation certificate

echo > Crlnumber(not created by yourself)

Update certificate Revocation List

OpenSSL ca-gencrl-out diaoxiao.crl(can not be created by itself)

Note: Attach only one of the revoked, and compare the/etc/pki/tls/openssl.cnf to add the missing file.

650) this.width=650; "src=" "title=" revocation. jpg "alt=" Wkiom1u89eodqvqlaalqvizy0e0198.jpg "/>

Figure 16

have like-minded "comrades" can add me qq:865765761.

This article comes from "write-only feeling!" "Blog, be sure to keep this provenance

The principle of data encryption and decryption and the construction and revocation of private CAs

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.