With the development of networks, security has become a very serious problem: users need a higher level of assurance so that they can transmit data over the internet more securely. On Linux, openssl and gpg are the main tools used to implement security mechanisms. Encryption techniques can be classified into one-way encryption, symmetric encryption, and asymmetric encryption.

With one-way encryption, the digest (signature value) calculated from a piece of data is unique. It is used to verify data integrity, and the output length is fixed. Common algorithms include MD5 (128 bits) and SHA1 (160 bits). The digest generated by SHA1 is longer than the one generated by MD5 and the encryption effect is better, but because of the higher degree of encryption it is also slower. Security and speed therefore pull in opposite directions, and only a compromise between the two achieves the ultimate goal.

Symmetric encryption means that the encrypting and decrypting parties use the same key, which makes encryption and decryption faster. However, a user who communicates with many other users must either remember a lot of keys or reuse the same key with several of them, and users who share the same key can then use it to decrypt each other's encrypted information. Common algorithms include DES (128 bits), AES (128, 192, 256 bits), and 3DES.

Asymmetric encryption means that encryption and decryption do not use the same key. Common algorithms include DSA (authentication supported) and RSA (authentication and encryption supported).
The IKE (internet key exchange) mechanism is used to let two users learn each other's public key when they communicate for the first time. When the two users then transmit data over the internet, each knows the other's public key and uses the other's public key to decrypt the encrypted data that was sent. Determining the identity of the other party during communication requires PKI (Public Key Infrastructure): the proof is presented by a third party, and a certificate mechanism is used to verify the user's information. Generally, a certificate contains the public key of the contact. So next we will start with encryption and then issue a certificate, to carry out the whole verification experiment.

1. First, use openssl to encrypt a document with one of the encryption algorithms mentioned above:

    # mkdir /opentest
    # cd /opentest
    # cp /etc/inittab ./

View the file with cat inittab, then encrypt it with the des3 algorithm:

    # openssl enc -des3 -salt -a -in inittab -out inittab.des3

inittab.des3 now holds the encrypted content. If we decrypt the encrypted file, we can see that the document is restored to its original format:

    # openssl enc -d -des3 -salt -a -in inittab.des3 -out inittab
    # cat inittab

If openssl -X (where X is an arbitrary parameter) is used, the parameter information of openssl is displayed. That covers simple encryption and decryption of a file.

To compute the one-way encryption digest of the file:

    # openssl dgst -sha inittab

The digest of the original file is unique. I then made a modification to the inittab file, adding a "#" to the first line, and found that the digest was different. This is the so-called "avalanche effect". The digest is therefore used to verify the integrity of the information sent by a user: it shows whether the information was modified during transmission.
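The avalanche effect described above can be measured rather than only observed. The following is an added example, not code from the original post: it hashes a constructed two-line sample file with -sha1 (the SHA1 algorithm named earlier, used here in place of -sha), prepends "#" to the first line, and counts how many of the 160 digest bits changed. The function names and the sample content are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: measure the avalanche effect on a constructed sample file.

# Hex SHA1 digest of a file (last field of the "SHA1(file)= ..." line).
sha1_hex() { openssl dgst -sha1 "$1" | awk '{print $NF}'; }

# Number of bit positions in which two equal-length hex strings differ.
hex_bit_diff() {
  a=$1 b=$2 n=0
  while [ -n "$a" ]; do
    ca=${a%"${a#?}"} cb=${b%"${b#?}"}        # leading hex digit of each string
    x=$(( 0x$ca ^ 0x$cb ))                   # bits that differ in this digit
    while [ "$x" -gt 0 ]; do n=$(( n + (x & 1) )); x=$(( x >> 1 )); done
    a=${a#?} b=${b#?}
  done
  echo "$n"
}

avalanche_demo() {
  f=$(mktemp) || return 1
  # Constructed sample content standing in for the inittab file
  printf 'id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n' > "$f"
  before=$(sha1_hex "$f")
  { printf '#'; cat "$f"; } > "$f.new"       # add "#" to the first line
  after=$(sha1_hex "$f.new")
  rm -f "$f" "$f.new"
  hex_bit_diff "$before" "$after"
}

avalanche_demo    # prints how many of the 160 digest bits changed
```

A one-character change typically flips close to half of the digest bits, which is why a receiver comparing digests notices even a minimal modification.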
In this way, the original file cannot be reverse parsed from the digest obtained, which is the advantage of a one-way encryption algorithm.

Use openssl passwd -1 to generate an encrypted password:

    [root@server64 open]# openssl passwd -1
    Password:
    Verifying - Password:
    $1$MECaB7dA$FUqQcS1r.LroaXLYgeQHl0

You can use whatis passwd to list the passwd entries, and then man sslpasswd to view the information for this passwd command. sslpasswd has a -salt option: as long as the salt is the same, the encrypted password is the same.

2. Next, some background on certificates, including how certificates are issued and revoked. A certificate authority that wants the right to issue certificates also needs to gain the trust of others, so it must have its own key to show to everyone. The public key can easily be obtained from the private key, so let's look at how to generate the private key and then the public key:

    # cd /opentest
    # (umask 66; openssl genrsa 1024 > my.key)
    # openssl rsa -in my.key -pubout -out my.pub

Use cat my.key and cat my.pub to view the two files. The public key is extracted from the private key, so the two are closely tied and appear as a pair.

CA steps: first, the user must have a pair of public and private keys, and then submits a certificate request to the CA. But the CA must also have its own certificate, so generate a key and then a certificate for the CA itself:

    # cd /etc/pki/CA
    # (umask 66; openssl genrsa 2048 > private/cakey.pem)
    # openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

Answer the interactive questions that follow, and the certificate is generated.

Next, the user needs a pair of public and private keys, so we create a new pair and then a certificate request to send to the CA:

    # cd /tmp/opentest
    # (umask 66; openssl genrsa 1024 > server.key)
    # openssl rsa -in server.key -pubout -out server.pub
    # openssl req -new -key server.key -out server.csr

The request is then reviewed by the CA, which issues the certificate:

    # openssl ca -in /tmp/opentest/server.csr -out /tmp/opentest/server.crt -days 3650

However, a series of settings must be in place before the CA can issue the certificate, such as editing the /etc/pki/tls/openssl.cnf file and creating a series of directories and files under /etc/pki/CA:

    # mkdir certs newcerts crl
    # touch index.txt serial
    # echo 01 > serial

The directories hold certificates, new certificates, and certificate revocations, and echo 01 > serial initializes the serial number. With that, a simple CA is created.

This article is from the "IT dream-qi-sharing" blog.
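The CA steps above, collected into one script that runs without touching /etc/pki (an added example, not the blog's own commands): it builds the certs, newcerts, crl, index.txt and serial layout in a temporary directory, writes a minimal configuration in place of the edited openssl.cnf, issues a server certificate and verifies it against the CA certificate. The section names, subjects, 2048-bit keys, 30-day lifetime and the -batch and -subj options are choices made for this example.

```sh
#!/bin/sh
# Added example: throwaway CA in a temp directory; every name and subject is constructed.
make_demo_ca() {
  DEMO_DIR=$(mktemp -d) || return 1
  d=$DEMO_DIR
  mkdir "$d/certs" "$d/newcerts" "$d/crl" "$d/private"   # layout from the article
  : > "$d/index.txt"            # database of issued certificates, starts empty
  echo 01 > "$d/serial"         # next serial number (hex)
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database        = $d/index.txt
new_certs_dir   = $d/newcerts
serial          = $d/serial
certificate     = $d/cacert.pem
private_key     = $d/private/cakey.pem
default_md      = sha256
policy          = policy_demo
x509_extensions = leaf_ext
[ policy_demo ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
  # CA private key (owner-only permissions) and self-signed CA certificate
  (umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048) 2>/dev/null || return 1
  openssl req -new -x509 -config "$d/ca.cnf" -key "$d/private/cakey.pem" \
    -subj "/CN=Demo Root CA" -days 30 -out "$d/cacert.pem" || return 1
  # Server key and certificate signing request
  (umask 077; openssl genrsa -out "$d/server.key" 2048) 2>/dev/null || return 1
  openssl req -new -config "$d/ca.cnf" -key "$d/server.key" \
    -subj "/CN=server.example.test" -out "$d/server.csr" || return 1
  # The CA signs the request; -batch skips the interactive confirmation
  openssl ca -batch -config "$d/ca.cnf" -in "$d/server.csr" \
    -out "$d/server.crt" -days 30 2>/dev/null || return 1
  # Check the issued certificate against the CA certificate
  openssl verify -CAfile "$d/cacert.pem" "$d/server.crt" >/dev/null
}
make_demo_ca && echo "issued and verified: $DEMO_DIR/server.crt"
```

After the run, index.txt holds one entry for the issued certificate, serial has advanced to 02, and a copy of the certificate sits in newcerts/01.pem.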