Encryption and decryption fundamentals, PKI, and creating a private CA
- Cryptographic algorithms and protocols:
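1. Symmetric encryption: encryption and decryption use the same key
   Algorithms:
      DES: Data Encryption Standard;
      3DES: Triple DES;
      AES: Advanced Encryption Standard; (128bits, 192bits, 256bits, 384bits)
      Blowfish, Twofish, IDEA, RC6, CAST5
   Characteristics:
      (1) Encryption and decryption use the same key;
      (2) The original data is split into fixed-size blocks, which are encrypted one by one;
   Drawbacks:
      (1) Too many keys;
      (2) Key distribution is difficult;
2. Public-key cryptography: the key is divided into a public key and a private key
   Public key: extracted from the private key; can be disclosed to everyone; pubkey
   Private key: created with a tool and kept by its user, who must keep it confidential; secret key
   Characteristic: data encrypted with the public key can only be decrypted with the paired private key, and vice versa;
   Uses:
      Digital signature: mainly lets the receiver confirm the identity of the sender;
      Key exchange: the sender encrypts a symmetric key with the other party's public key and sends it to them;
      Data encryption
   Algorithms: RSA, DSA, ELGamal
      DSS: Digital Signature Standard
      DSA: Digital Signature Algorithm
3. One-way encryption: extracts the fingerprint of the data; it can only encrypt, it cannot decrypt;
   Characteristics: fixed-length output, avalanche effect;
   Function: integrity;
   Algorithms:
      md5: Message Digest 5, 128bits
      sha1: Secure Hash Algorithm 1, 160bits
      sha224, sha256, sha384, sha512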
4. Key Exchange: IKE (Internet Key Exchange)
   Public-key encryption
   DH (Diffie-Hellman)
   For example:
      A: p, g
      B: p, g
      A: x --> p^x%g ==> B
      A: (p^y%g)^x = p^yx%g
      B: y --> p^y%g ==> A
      B: (p^x%g)^y = p^xy%g
The primary encrypted communication process:
A: (1): compute a 128bit one-way digest (the fingerprint) of the data
(2): encrypt that digest with A's private key to form the digital signature, and attach it to the data
(3): encrypt the data together with the signature using a symmetric key
(4): encrypt the symmetric key with B's public key and attach it to the encrypted data
B: (1): B decrypts with its own private key to obtain the symmetric key
(2): decrypt the encrypted content with the symmetric key
(3): use A's public key to recover the one-way digest from the signature
(4): compute the digest of the received data and compare it with the recovered one to check whether they are the same

- PKI and SSL sessions
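The sender and receiver steps of the communication process listed before this heading, as an added example using the openssl command line (not code from the original page). SHA-256 stands in for the 128bit digest of step (1); OAEP padding, AES-256-CBC, the file names and the message are choices constructed for this example, and passing tamper alters the recovered message so that B's comparison fails.

```shell
#!/bin/sh
# Added example: A signs then encrypts, B decrypts then verifies.
q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

envelope_demo() (
    d=$(mktemp -d) && cd "$d" && umask 077 || exit 1
    trap 'rm -rf "$d"' EXIT
    # Constructed key pairs and message; each public key is extracted from its private key.
    q openssl genrsa -out a.key 2048 && q openssl rsa -in a.key -pubout -out a.pub &&
    q openssl genrsa -out b.key 2048 && q openssl rsa -in b.key -pubout -out b.pub &&
    printf 'constructed sample message\n' > msg.txt &&
    # A (1)-(2): digest the message and sign the digest with A's private key.
    openssl dgst -sha256 -sign a.key -out msg.sig msg.txt &&
    # A (3): encrypt message and signature under a fresh random symmetric key.
    openssl rand -hex 32 > sym.key && tar -cf bundle.tar msg.txt msg.sig &&
    q openssl enc -aes-256-cbc -pbkdf2 -in bundle.tar -out bundle.enc -pass file:sym.key &&
    # A (4): encrypt the symmetric key with B's public key.
    openssl pkeyutl -encrypt -pubin -inkey b.pub -pkeyopt rsa_padding_mode:oaep \
        -in sym.key -out sym.key.enc &&
    mkdir recv && mv bundle.enc sym.key.enc recv/ || exit 1   # only these two files go to B
    # B (1): recover the symmetric key with B's private key.
    openssl pkeyutl -decrypt -inkey b.key -pkeyopt rsa_padding_mode:oaep \
        -in recv/sym.key.enc -out recv/sym.key &&
    # B (2): decrypt the content with the symmetric key.
    q openssl enc -d -aes-256-cbc -pbkdf2 -in recv/bundle.enc -out recv/bundle.tar \
        -pass file:recv/sym.key &&
    tar -xf recv/bundle.tar -C recv || exit 1
    # Optional: simulate a message that was altered before B checks it.
    [ "$1" = tamper ] && echo 'altered' >> recv/msg.txt
    # B (3)-(4): check the signed digest against the received data using A's public key.
    if q openssl dgst -sha256 -verify a.pub -signature recv/msg.sig recv/msg.txt
    then echo verified; else echo rejected; fi
)
```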
1. PKI: Public Key Infrastructure
   Certificate authority: CA
   Registration authority: RA
   Certificate revocation list: CRL
   Certificate repository
   X.509: defines the structure of certificates and the authentication protocol standard
      version; serial number; signature algorithm ID; issuer name; validity period; subject name; subject public key; issuer unique identifier; subject unique identifier; extensions; issuer's signature
2. An SSL session has three main steps:
   the client requests the server's certificate and verifies it;
   both parties negotiate and generate the "session key";
   both parties use the "session key" for encrypted communication;
   The SSL Handshake Protocol:
   First stage: ClientHello:
      supported protocol versions, such as tls 1.2;
      a random number generated by the client, used later to generate the "session key";
      supported encryption algorithms, such as AES, 3DES, RSA;
      supported compression algorithms;
   Second stage: ServerHello
      confirm the protocol version to use for the encrypted communication, such as tls 1.2;
      a random number generated by the server, used later to generate the "session key";
      confirm the encryption method to use;
      the server certificate;
   Third stage:
      verify the server certificate and, once it is confirmed, extract its public key; (issuing authority, certificate integrity, certificate holder, validity period, revocation list)
      send the following information to the server:
         a random number;
         encoding change notification, meaning that subsequent information will be sent with the mutually agreed encryption method and key;
         client handshake completion notification;
   Fourth stage:
      after receiving the third random number from the client, the pre-master-key, compute the "session key" used for this session;
      send the following information to the client:
         encoding change notification, meaning that subsequent information will be sent with the mutually agreed encryption method and key;
         server handshake completion notification;
- Creating a private CA
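1. Build a private CA:
   On the host chosen to act as the CA, generate the CA's self-signed certificate and provide the directories and files the CA needs.
   Steps:
   (1) Generate the private key:
       (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
       ( ): the commands run in a subshell, so the umask is scoped to that subshell process
   (2) Generate the self-signed certificate:
       openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
       -new: generate a new certificate signing request;
       -x509: generate a certificate in self-signed format; used only when creating a private CA;
       -key: path of the private key file used when generating the request;
       -out: path of the generated request file; for a self-signing operation the signed certificate is written directly;
       -days: validity period of the certificate, in days;
   (3) Provide the directories and files the CA needs:
       mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
       touch /etc/pki/CA/{serial,index.txt}
       echo 01 > /etc/pki/CA/serial
2. A server that wants to use a certificate for secure communication must request a certificate signed by the CA
   Steps (using nginx as the example):
   (1) On the host that will use the certificate, generate a private key:
       mkdir /etc/nginx/ssl
       cd /etc/nginx/ssl
       (umask 077; openssl genrsa -out /etc/nginx/ssl/nginx.key 2048)
   (2) Generate a certificate signing request:
       openssl req -new -key /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.csr
   (3) Send the request to the CA host through a reliable channel:
       scp /etc/nginx/ssl/nginx.csr [email protected]:/tmp/
   (4) Sign the certificate on the CA host:
       openssl ca -in /tmp/nginx.csr -out /etc/pki/CA/certs/nginx.crt -days 365
   (5) View the information in the certificate:
       openssl x509 -in /etc/pki/CA/certs/nginx.crt -noout -serial -subject
       [root@localhost /]# openssl x509 -in /etc/pki/CA/certs/nginx.crt -noout -serial -subject
       serial=01
       subject=/C=CN/ST=Shanghai/O=cern/OU=devops/CN=devops.com
3. Revoke a certificate:
   Steps:
   (1) The client obtains the serial of the certificate to be revoked (run on the host that uses the certificate):
       openssl x509 -in /etc/pki/CA/certs/nginx.crt -noout -serial -subject
   (2) The CA host revokes the certificate:
       First check that the serial and subject submitted by the client match what is stored in the local database index.txt;
       Revoke:
       openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
       where SERIAL must be replaced with the real serial number of the certificate;
   (3) Generate the revocation number for the revocation list (run the first time a certificate is revoked):
       echo 01 > /etc/pki/CA/crlnumber
   (4) Update the certificate revocation list:
       openssl ca -gencrl -out thisca.crl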
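The three procedures above (build the CA, sign a request, revoke), as an added example that runs end to end in a scratch directory instead of /etc/pki/CA and then confirms that a verifier given the CRL rejects the revoked certificate; it is not the original page's script. The ca.cnf contents, the subject names and the 2048-bit demo keys are assumptions of this example (the page relies on the distribution's default openssl.cnf and uses a 4096-bit CA key).

```shell
#!/bin/sh
# Added example: private CA lifecycle in a scratch directory (not /etc/pki/CA).
q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status
ca_lifecycle() (
    d=$(mktemp -d) && cd "$d" && umask 077 || exit 1
    trap 'rm -rf "$d"' EXIT
    cat > ca.cnf <<'EOF'   # assumed minimal config for this demo
[ca]
default_ca = demo
[demo]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = cacert.pem
private_key = private/cakey.pem
default_md = sha256
default_crl_days = 30
policy = pol
[pol]
commonName = supplied
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # 1. CA host: directories, database files, private key, self-signed certificate.
    mkdir private certs crl newcerts && touch index.txt &&
    echo 01 > serial && echo 01 > crlnumber &&
    q openssl genrsa -out private/cakey.pem 2048 &&
    q openssl req -new -x509 -config ca.cnf -key private/cakey.pem \
        -out cacert.pem -days 3655 -subj "/CN=Demo Private CA" &&
    # 2. Server: key and CSR (constructed subject); CA: sign it, then check the chain.
    q openssl genrsa -out nginx.key 2048 &&
    q openssl req -new -config ca.cnf -key nginx.key -out nginx.csr \
        -subj "/CN=nginx.example.test" &&
    q openssl ca -batch -config ca.cnf -in nginx.csr -out certs/nginx.crt -days 365 &&
    q openssl verify -CAfile cacert.pem certs/nginx.crt || exit 1
    # 3. Revoke by serial, publish the CRL, verify again with CRL checking on.
    sn=$(openssl x509 -in certs/nginx.crt -noout -serial | cut -d= -f2)
    q openssl ca -config ca.cnf -revoke "newcerts/$sn.pem" &&
    q openssl ca -config ca.cnf -gencrl -out crl/thisca.crl || exit 1
    openssl verify -crl_check -CAfile cacert.pem -CRLfile crl/thisca.crl \
        certs/nginx.crt 2>&1 | grep -q "certificate revoked" || exit 1
    echo "serial=$sn issued=valid after_crl=revoked"
)
```

Revocation only takes effect for verifiers that are given the current CRL and check it; the plain verify in step 2 would still accept the certificate after it is revoked.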