**加密解密基础、PKI及SSL、创建私有CA**
生活随笔
收集整理的這篇文章主要介紹了
**加密解密基础、PKI及SSL、创建私有CA**
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
進程間通信
socket通信
客戶端-->請求--> 路由轉發 --> 服務端,取出資源 --> 封裝為可響應給客戶端的請求報文從接收請求端口發出
SSL/TLS協議的實現 OpenSSL
OpenSSL程序組件
| 1 2 3 4 | [root@localhost?CA]#?rpm?-ql?openssl? /usr/lib/libcrypto.so.10??//加密解密庫?(C,C++程序員調用的庫) /usr/lib/libssl.so.10????//ssl/tls實現?(C,C++程序員調用的庫)?HTTP?-->?HTTPS /usr/bin/openssl????????//命令行工具 |
SSL Secure Socket Layer 安全的套接字層
TLS Transfer Layer Secure ?傳輸層安全
SSL分層
| 1 2 3 4 | 用組件拼裝而成的密碼學協議軟件(TLS,?SSL) 標準算法組合成半成品 算法實現:AES-128-CBC-PKCS7 算法原語:AES(對稱加密),RSA(非對稱加密),MD5(單向加密) |
NIST制定的安全標準:保密性、完整性、可用性
SOCKET通信模型中面臨的風險:竊聽、偽裝、重放、消息篡改、拒絕服務
保證安全的手段(安全機制):加密、身份認證、訪問控制、完整性校驗、路由控制、公證
提供安全機制的服務:認證、訪問控制、保密性、完整性、不可否認性
保證服務的安全(算法和協議):對稱、非對稱、單向、密鑰交換
加密解密的基礎原理
對稱加密、非對稱加密、單向加密、密鑰交換
證書頒發機構CA、證書的作用
PKI
證書的規范
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 | #?openssl?x509?-in?/etc/pki/CA/certs/httpd.crt?-noout?-text?-subject?-serial Certificate: ????Data: ????????Version:?3?(0x2)????//版本號 ????????Serial?Number:?1?(0x1)?//序列號(每個從的惟一標識) ????Signature?Algorithm:?sha1WithRSAEncryption???//簽名算法ID ????????Issuer:?C=CD,?ST=CD,?L=ChengDu???????????//CA名稱 ?????????????????????????????????????????????????//證書有效期 ????????????Not?Before:?Sep?21?07:16:20?2017?GMT ????????????Not?After?:?Sep?21?07:16:20?2018?GMT ????????Subject:?C=CD,?ST=CD,?O=MageEdu,????????//主體名稱(主機名) ????????Subject?Public?Key?Info:????????????????//主體公鑰 ????????????????Modulus: ????????????????????00:eb:bd:58:2d:05:54:49:6d:ac:42:98:ee:cb:fb: ????????????????????ec:62:20:e1:1e:e4:64:ef:a3:0f:23:17:5b:fb:66: ????????????????????6d:a9:ce:81:c3:53:b5:f8:d9:87:da:c5:f3:2d:77: ????????????????????f2:de:3b:ed:92:81:a5:6c:73:f6:83:3c:c2:e5:71: ????????????????????49:02:02:ae:45:d0:e0:45:f2:41:34:f8:25:87:41: ????????????????????82:aa:27:e2:17:ca:fc:74:f3:50:98:b0:6c:b0:26: ????????????????????8b:a5:0d:a7:ca:4b:f5:72:f9:44:87:8b:15:51:ea: ????????????????????9a:84:6d:22:aa:fe:84:62:5a:59:33:c3:ff:29:51: ????????????????????a9:1a:56:c3:63:22:9a:6d:2c:65:10:a0:57:78:c2: ????????????????????aa:70:3d:32:eb:59:dc:f7:a9:0c:ea:e5:8e:29:1c: ????????????????????2f:27:0d:53:87:e1:2b:eb:fe:f8:8f:61:8f:86:ab: ????????????????????f1:9c:ee:29:11:c1:71:ca:41:24:3e:1d:e1:3c:84: ????????????????????60:8a:d8:4d:ad:4c:b2:ca:8f:25:29:8a:11:1a:6f: ????????????????????1c:03:88:4a:66:99:73:34:7d:76:da:85:77:da:65: ????????????????????3a:e5:d3:ca:58:9f:8c:3a:3b:d5:e2:9e:77:1e:b2: ????????????????????f3:c8:5a:b6:2d:2b:68:71:20:9f:94:41:0c:4b:2f: ????????????????????93:f5:11:4c:89:9e:d9:48:ac:de:62:d9:5e:16:73: ????????????????????5d:39 ????????????????Exponent:?65537?(0x10001) ????????X509v3?extensions:??????????//擴展信息 ????????????X509v3?Subject?Key?Identifier:???//發行者的惟一標識 ????????????????C5:AE:93:32:58:BC:DC:F4:97:E5:D7:52:15:37:11:4D:ED:4C:B1:8E ????????????X509v3?Authority?Key?Identifier:??//主體的惟一標識 ????????????????keyid:D4:F7:60:6F:E8:F4:2D:A6:F7:5D:09:55:D2:5D:56:DE:1F:93:91:33 ????Signature?Algorithm:?sha1WithRSAEncryption?????//發行者簽名,簽名算法 ?????????3c:90:f8:cf:d6:91:36:ab:4b:12:27:22:78:85:7f:32:15:4e: ?????????ac:60:30:63:65:fe:91:be:1b:e5:22:65:34:4d:f0:b2:2c:d9: ?????????43:38:b9:76:1e:10:ca:27:ab:e9:db:00:bd:d9:87:96:b5:a9: ?????????ee:34:34:01:05:88:fc:59:ef:1d:9b:3f:8e:49:fa:e8:c9:54: ?????????15:d0:63:14:7d:51:e9:c8:8c:50:77:81:5c:f2:56:f8:c2:ba: ?????????16:46:cc:7f:e2:72:27:56:4e:a7:c4:2c:b4:64:44:9a:84:bc: ?????????b2:19:5e:dd:3c:20:1c:a9:8c:93:ae:94:e4:8d:8e:d1:b7:47: ?????????3a:c5:f6:df:42:6f:d9:66:d8:25:97:03:94:01:60:f5:a7:60: ?????????c3:33:55:c3:cb:12:f8:14:1e:df:17:00:26:49:ce:74:fc:8f: ?????????56:16:10:b3:16:6e:09:06:8c:8f:84:e9:ec:e2:84:06:82:ac: ?????????27:8d:c5:f6:83:d8:3d:8d:de:d9:3e:e7:ae:15:41:a9:8d:42: ?????????e9:9d:8d:b8:d7:29:47:21:45:3c:39:49:7a:96:31:bb:95:93: ?????????7b:1b:29:07:dc:fe:ad:7c:f0:28:c5:cb:b5:65:8f:1f:7e:60: ?????????a3:86:50:9f:c3:da:53:1f:6b:ec:ab:7c:1a:7e:39:40:37:23: ?????????83:17:39:54 subject=?/C=CD/ST=CD/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=lccnx.foxmail.com serial=01 1、找到CA名,和簽名算法? 2、找到信任機構的CA證書 3、用證書中的公鑰解密加密的數字簽名?????//身份認證 4、用相同的簽名算法對證書提取特征碼?????//完整性檢驗 5、比對特征碼是否相同 |
基于公鑰加密通信機制
SSL Hand shark:?一個IP地址只能建立一個SSL會話
openssl工具使用
對稱加密
使用示例
| 1 2 3 4 5 6 7 8 9 | 使用示例: 1、創建臨時文件 #?mktemp?-p?/tmp?lcc.XXXX /tmp/lcc.hFdo 2、加密 ????#?openssl?enc?-e?-seed-cfb?-a?-salt?-in?lcc.hFdo?-out?lcc.ciphertext 3、解密 ????#?openssl?enc?-d?-seed-cfb?-a?-salt?-in?lcc.ciphertext?-out?lcc.txt |
單向加密
使用示例
| 1 2 3 4 5 | #?sha1sum?lcc.txt? 5448d7dc19288c6ee87a25d4e2e990f72d786971??lcc.txt #?openssl?dgst?-sha1?-hex?lcc.txt? SHA1(lcc.txt)=?5448d7dc19288c6ee87a25d4e2e990f72d786971 |
生成用戶密碼
使用示例
| 1 2 | #?openssl?passwd?-1?-salt?$(openssl?rand?-hex?4)? #?openssl?passwd?-1?-salt?$(openssl?rand?-hex?4)?123 |
生成隨機數
使用示例
| 1 2 | #?openssl?rand?-hex?4??????(8位) #?openssl?rand?-base64?16?|?tr?-d?'=' |
生成密鑰對
使用示例
# openssl genrsa ?-out lcc.private 1024
# openssl ?rsa ?-in lcc.private -out lcc.pubkey -pubout
私有網絡安全通信的實現方案
構建私有CA
| 1 2 3 4 5 6 | #??echo?"01"?>?/etc/pki/CA/serial????????//必須為01,否則簽發不了 #??touch?/etc/pki/CA/index.txt #?cd?/etc/pki/CA #?(umask?077;openssl?genrsa?-out?private/cakey.pem?1024) #?openssl?req?-new?-x509?-key??private/cakey.pem?-out?cacert.pem?-days?7300 |
申請請求
| 1 2 3 4 5 | #?install?-d?/etc/httpd/ssl #?cd?/etc/httpd/ssl #?(umask?077;openssl?genrsa?-out?httpd.key?1024) #?openssl?req?-new?-key?httpd.key?-out?httpd.csr?-days?365 |
傳給CA
CA所在的主機必須有軟件能得以實現SSH協議<dropbear, telnet, openssh-server>,才能使用客戶端工具<scp, sftp, ssh>
| 1 | #?scp?-P?9999?/etc/httpd/ssl/httpd.csr?root@192.168.80.129 |
CA驗證
CA簽發
| 1 | #?openssl?ca?-in?/tmp/httpd.csr?-out?/tmp/httpd.crt?-days?365 |
從證書存取庫中獲取證書
| 1 | #?scp?-P?9999?root@192.168.80.129:/etc/pki/CA/certs/httpd.crt?/etc/httpd/ssl/ |
驗證證書
| 1 2 3 | #?openssl?x509?-in?certs/httpd.crt?-noout?-serial?-subject serial=01 subject=?/C=CD/ST=CD/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=lccnx.foxmail.com |
在客戶端進行吊銷證書
1、獲取serial
| 1 | #?openssl?x509?-in?/etc/httpd/ssl/httpd.crt?-noout?-serial?-subject |
2、在CA,index.txt中查看serial與客戶端是否相同
吊銷
| 1 2 3 4 | #?openssl?ca?-revoke?newcerts/01.pem? Using?configuration?from?/etc/pki/tls/openssl.cnf Revoking?Certificate?01. Data?Base?Updated |
3、生成吊銷證書編號
| 1 | #?echo?"01"?>?/etc/pki/CA/crlnumber |
4、更新吊銷列表?
| 1 2 | #?openssl?ca?-gencrl?-out?thisca.crl Using?configuration?from?/etc/pki/tls/openssl.cnf |
5、查看crl文件
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | #?openssl?crl?-in?thisca.crl?-noout?-text Certificate?Revocation?List?(CRL): ????????Version?2?(0x1)????????//版本號 ????Signature?Algorithm:?sha1WithRSAEncryption???????//簽名算法 ????????Issuer:?/C=CD/ST=CD/L=ChengDu/O=MageEdu/OU=Ops/CN=ca.magedu.com/emailAddress=lccnx@foxmail.com ????????Last?Update:?Sep?21?08:14:35?2017?GMT?有效期 ????????Next?Update:?Oct?21?08:14:35?2017?GMT ????????CRL?extensions:????擴展信息 ????????????X509v3?CRL?Number:??吊銷號碼 ????????????????1 Revoked?Certificates: ????Serial?Number:?01 ????????Revocation?Date:?Sep?21?08:12:49?2017?GMT ????Signature?Algorithm:?sha1WithRSAEncryption ?????????5d:9e:a2:60:e3:78:9d:24:42:92:b6:72:81:92:43:d7:02:12: ?????????54:f0:8e:08:21:d8:55:34:1c:70:53:8d:ac:bd:44:15:37:30: ?????????ba:ef:d2:79:24:52:83:a1:bb:39:70:af:93:10:64:06:b6:e6: ?????????76:fd:12:cf:b5:f7:07:16:c6:cd:08:a9:46:d3:76:64:24:93: ?????????7d:b4:5a:6d:da:38:08:31:7b:6e:76:a6:4e:5a:c2:cc:e6:24: ?????????be:76:b9:38:46:ed:c7:16:61:88:8c:ac:90:bd:4e:c9:9d:e5: ?????????73:8a:76:c4:57:82:80:29:06:c8:81:cd:7b:37:08:ee:81:25: ?????????d6:04:8e:dd:dd:d8:1b:47:44:e4:bb:bc:3c:7f:cb:97:68:27: ?????????b0:32:ea:fb:d1:84:91:7e:50:05:14:0a:1d:65:2a:5e:ba:41: ?????????1d:dd:a4:39:e5:d2:b5:2b:33:b0:56:b3:78:cc:99:69:c9:89: ?????????0e:a0:71:f1:5f:ca:40:57:73:72:4d:f0:3d:ea:57:d7:53:6d: ?????????90:ca:59:57:65:1b:ec:b5:4d:6f:7e:41:64:c1:c6:d4:ab:b1: ?????????01:b5:a3:e3:67:0c:59:c9:bc:e6:6c:d1:ae:20:05:3f:85:87: ?????????32:f8:bf:3c:9a:ba:e8:c2:e9:fd:e8:b8:54:92:86:45:95:ca: ?????????c3:53:13:41 |
本文轉自 lccnx 51CTO博客,原文鏈接:http://blog.51cto.com/sonlich/1965404,如需轉載請自行聯系原作者
總結
以上是生活随笔為你收集整理的**加密解密基础、PKI及SSL、创建私有CA**的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 梦到别人抬棺材出殡是什么意思
- 下一篇: JPDA 架构研究5 - Agent利用