Types of data encryption and the creation and application of CA certificates

Types of data encryption and the creation and application of CA certificates

1. Data transmission over the Internet must be guaranteed by the following 3-point features:

Privacy: Encryption of data

Integrity: The data transfer process has not been modified.

Authentication: Confirm the identity of the other, prevent the man-in-the-middle camouflage attack

2. Privacy: Data encryption should use symmetric encryption, features fast

The representation algorithm is: Des,3des,aes,aes192,aes256,aes512,blowfish

3. Integrity: Through a one-way encryption algorithm, extracting data signatures, characterized by avalanche effect, fixed-length output, irreversible, etc.

The representation algorithm is: md5,sha1,sha192,sha256,sha384,crc-32 (test)

4. Authentication: public/Private key encryption: that is, asymmetric plus cipher algorithm, generate key pair, characterized by slow speed

The sender is encrypted with the other's public key, and the receiver decrypts it with its own private key, which guarantees the privacy of the data.

The sender encrypts it with its own private key, and the receiver decrypts it with the other's public key, which guarantees the authentication and privacy of the data.

The representative algorithms are: RSA (encryption/signature), DSA (signature)

5. There are 2 ways to transfer data:

First: The sender and the receiver through the IKE negotiation to generate a symmetric key , the sender or receiver on demand to generate a pair of asymmetric public key, and then the sender of the data to be sent, extract the signature, and use their own private key to encrypt the signature, you can guarantee the data authentication and privacy, Then through the symmetric key to the entire data and signature encryption, that is, send, the receiver with a negotiated symmetric key for data decryption, with the sender's public key to decrypt the signature code to verify the integrity and authentication

The second type: The sender randomly generates a random number , the sender or receiver on demand to generate a pair of asymmetric public key, and then the sender of the data to be sent, extract the signature, and use their own private key to encrypt the signature, you can guarantee the data authentication and privacy, Then the whole data and signature are encrypted by the random number just generated, and the random number is encrypted by the public key of the other party, and then sent together after the whole data, the receiver uses its own private key to decrypt, obtains the sender's random number , and then decrypts the data. Finally, the signature is decrypted with the sender's public key to verify the integrity and authentication

6.ca:certificate authority, referred to as CA certificate, or certificate authority

CA: Certificate format with X509 and PKCS12 format

X509 mainly includes: public key and expiration date, certificate legal owner, certificate use instruction, CA's own information, CA's signature

PKI is implemented in the following ways: Tls/ssl: also use x509 format

OPENGPG: Format similar to X509

The ssl:secure socket layer, which is a half layer between the application layer and the transport layer, is called the Secure Sockets tier, which is a library

For example, the HTTP plaintext protocol becomes an HTTPS encryption protocol by invoking the SSL library

Since SSL is a company developed and less open, and the internationalization standard organization is uncomfortable, should be shipped generates a more open encryption mechanism for TLS

Tls:transport layer Security, called transport

Version: TLSv1 quite SSLv3 version

7.OPENSSL Tools:

7.1.openssl? View Opessl simple help; Man enc View enc help

-E Encryption, default

-D Decryption

Enc specifying the encryption algorithm

-salt add salt to produce random numbers

-A:BASE64 encoding

Encrypt the Fstab file:

OpenSSL enc -des3-salt-a-in fstab-out fstab.des3

Decrypt the Fstab file:

OpenSSL enc-des3-d-salt-a-in fstab.des3-out fstab

7.2. Extracting fingerprint information and signature code:

Md5sum Fstab

Sha1sum Fstab

OpenSSL dgst -md5 fstab

OpenSSL dgst-sha1 Fstab

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/80/03/wKiom1c0LWmDJ7htAAIVBOcD1NQ839.jpg "title=" B22.jpg "alt=" Wkiom1c0lwmdj7htaaivbocd1nq839.jpg "/> 7.3. Encrypt or hash the password, because the salt is different, the same password causes the result of the encryption is not the same

-1 for MD5 encryption, man SSLPASSWD find help to know:

OpenSSL passwd -1

OpenSSL passwd-1

OpenSSL passwd-1-salt

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M00/80/03/wKiom1c0MDzgvylYAAGV-62ISLo307.jpg "title=" B22.jpg "alt=" wkiom1c0mdzgvylyaagv-62islo307.jpg "/> 7.4. Generate a random number of the specified number of digits, which can be used as a password

OpenSSL Rand -base64 10

OpenSSL rand-base64 50

OpenSSL rand-base64 100

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M00/80/03/wKiom1c0Ml6DamJJAAKzExhEgtk853.jpg "title=" B22.jpg "alt=" wkiom1c0ml6damjjaakzexhegtk853.jpg "/> 8.openssl Create a private CA: To issue a certificate to another organization, you must first have a certificate

8.1. Generate a pair of keys: Key file permissions preferably 600,man Genrsa view Help,

Here are three ways to generate a private key

OpenSSL genrsa 1024x768 > Server.key; chmod Server.key

OpenSSL genrsa-out Server.key 1024; chmod Server.key

(Umask 077; OpenSSL genrsa -out server.key 1024x768) #子shell运行 without affecting the parent shell

Extract Public key: Extract the public key from the private key

OpenSSL rsa-in Server.key-pubout

8.2. Generate a self-signed certificate

OpenSSL req -new-x509-key server.key-out server.crt-days 365

View the contents of the certificate: OpenSSL x509-text-in server.crt

8.3: Create a complete private certificate process and steps:

cd/etc/pki/ca/

(Umask 077; OpenSSL genrsa -out private/cakey.pem 1024x768) #生成私钥

OpenSSL req -new -x509 -key private/cakey.pem-out Cacert.pem #用私钥创建CA证书

650) this.width=650; "src=" http://s4.51cto.com/wyfs02/M01/80/04/wKioL1c0d-Di9smiAAK1pLIqixY433.jpg "title=" 1.jpg " alt= "Wkiol1c0d-di9smiaak1pliqixy433.jpg"/>

mkdir certs Newcerts CRL

Touch Index.txt

Touch serial

echo > Serial

Note: Use CAT/ETC/PKI/TLS/OPENSSL.CNF to view the environment required to create a private CA certificate

9.OPENSSL Application Certificate:

For example, to request a certificate for an HTTPS service, the following are simple steps:

Cd/etc/httpd/ssl

(Umask 077; OpenSSL genrsa -out httpd.key 2048) #生成私钥

OpenSSL req -new-key httpd.key-out HTTPD.CSR #用私钥申请证书, note no-x509

650) this.width=650; "src=" http://s4.51cto.com/wyfs02/M00/80/04/wKioL1c0d_ryzHGTAALFl1kgNro134.jpg "title=" 2.jpg " alt= "Wkiol1c0d_ryzhgtaalfl1kgnro134.jpg"/>

OpenSSL ca -in httpd.csr-out httpd.crt-days 365 #CA颁发机构对证书签名

This article is from the "Xavier Willow" blog, please be sure to keep this source http://willow.blog.51cto.com/6574604/1772810

Types of data encryption and the creation and application of CA certificates