9.3 Network Security: Introduction

Background:
  The early Internet of the 1980s was built to share data, and data was transmitted and shared in plaintext;
  as the Internet grew, security became a strategic resource for nations;
  programming, operation and maintenance were a craft practised by hand;
  the security of an algorithm must rest on a hard mathematical problem, so security is a branch of scientific research.

  To ensure data security, the following four points must be satisfied:
  1, the data must be encrypted (confidentiality)
  2, an integrity check (hash, one-way encryption, fingerprint)
  3, source authentication
  4, a certificate system (OpenSSL is used to implement the PKI; a certificate mechanism combines the first three)
1, data encryption
  Two kinds of key to remember:
  1, symmetric encryption (single secret key)
  The same secret key encrypts and decrypts;
  advantages: high efficiency
  disadvantages: the secret key is hard to keep safe, and getting it to the other side (key exchange) is very difficult
  2, asymmetric encryption (key pair)
  key pair (public key, private key)
  A - B
  A holds its private key and publishes its public key
  B encrypts data with A's public key and sends it to A; only A's private key can decrypt it
  advantages: keys are easy to manage (only the public key is distributed); data is safer
  disadvantages: low efficiency (very low), roughly 1000 times slower than symmetric encryption, so in practice the public key only protects a session key and the bulk data is encrypted symmetrically
  Two forms of symmetric encryption:
  1, stream encryption (a key stream is combined with the data one bit or byte at a time)
  2, block encryption (the data is split into fixed-size blocks, 16 bytes for AES, and each block is encrypted in turn)
  
2, integrity check - fingerprint
  An integrity check ensures that data has not been tampered with.
  Principle: machine B computes the hash of the data and sends it along; machine A hashes the data it received and compares its own result with the hash obtained from B;
  if they are the same, the data is intact; otherwise the data cannot be trusted.
  Caveat: a bare hash only helps if the expected value reaches A over a channel the attacker cannot alter (or is itself signed); an attacker who can replace the data can usually replace the hash published next to it as well.

  Hash features:
  1, irreversibility - one-way encryption: the data cannot be recovered from the hash
  2, avalanche effect - changing a single character produces a completely different output
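The fingerprint check between machine B and machine A, plus a measurement of the avalanche effect, as an added example that is not part of the original notes. The sample file, the one-character tampering and the temporary paths are constructed for this demo; it needs the openssl command.

```bash
#!/bin/bash
# Added example, not from the original notes: the fingerprint check between
# machine B (sender) and machine A (receiver), and the avalanche effect.
# Uses the openssl CLI; the sample file and paths under $WORK are constructed.
set -eu
WORK="$(mktemp -d)"

# SHA-256 of a string. sed strips the "SHA256(stdin)= " / "(stdin)= " prefix
# that different openssl versions print before the digest.
sha256_of() {            # $1 = string
    printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= //'
}

# Machine B publishes the fingerprint of the file it sends.
publish_fingerprint() {  # $1 = file
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
}

# Machine A recomputes the hash of what it received and compares it with the
# fingerprint obtained from B. Prints INTACT or TAMPERED.
verify_transfer() {      # $1 = received file, $2 = fingerprint from B
    if [ "$(publish_fingerprint "$1")" = "$2" ]; then
        echo INTACT
    else
        echo TAMPERED
    fi
}

# Avalanche effect: number of differing bits between two hex digests.
hamming_hex() {          # $1, $2 = hex strings of equal length
    local a="$1" b="$2" i x d=0
    for ((i = 0; i < ${#a}; i++)); do
        x=$(( 16#${a:i:1} ^ 16#${b:i:1} ))
        while (( x )); do
            d=$(( d + (x & 1) ))
            x=$(( x >> 1 ))
        done
    done
    echo "$d"
}

# Constructed sample: B sends an sshd config and its fingerprint; someone in the
# middle changes a single character in the copy that reaches A.
printf 'PermitRootLogin no\nMaxAuthTries 3\n' > "$WORK/sshd_config.orig"
FINGERPRINT="$(publish_fingerprint "$WORK/sshd_config.orig")"
sed 's/MaxAuthTries 3/MaxAuthTries 9/' "$WORK/sshd_config.orig" > "$WORK/sshd_config.recv"

verify_transfer "$WORK/sshd_config.orig" "$FINGERPRINT"   # INTACT
verify_transfer "$WORK/sshd_config.recv" "$FINGERPRINT"   # TAMPERED
echo "bits changed by a one-character edit (abc -> abd): $(hamming_hex "$(sha256_of abc)" "$(sha256_of abd)") of 256"
```

Roughly half of the 256 digest bits change for any single-character edit, which is what makes the fingerprint useless for guessing the input and reliable for spotting modification.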
3, source authentication
  The other uses of an asymmetric key pair: digital signatures and key exchange (encrypting bulk data with it is too slow to be practical).
  Key exchange: encrypt with the peer's public key; the peer decrypts with its private key.
  Digital signature: sign (encrypt the hash of the data) with the private key; verify (decrypt) with the public key.
  Only the owner has the private key, so only the owner can produce a signature that its public key verifies;
  if verification with the sender's public key succeeds, the source is genuine and the data unchanged; otherwise the data cannot be trusted.
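The signature flow described above, as an added example that is not part of the original notes: the private key signs a SHA-256 digest, the public key verifies it, and both a modified document and the wrong public key are rejected. The names alice and mallory, the sample order and the temporary paths are assumptions made for this demo; it needs the openssl command.

```bash
#!/bin/bash
# Added example, not from the original notes: sign with the private key, verify
# with the public key, and see what happens when the data is altered or the
# wrong key is used. Needs the openssl CLI; paths and names under $WORK are assumed.
set -eu
WORK="$(mktemp -d)"

make_keypair() {    # $1 = owner name
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1_priv.pem" 2>/dev/null
    openssl pkey -in "$WORK/$1_priv.pem" -pubout -out "$WORK/$1_pub.pem"
}

# Signer: hash the file with SHA-256 and sign the digest with the private key.
# This is what "encrypt with the private key" means in practice: the signature
# is over the digest, never over the whole document.
sign_file() {       # $1 = file, $2 = signer name; writes $1.sig
    openssl dgst -sha256 -sign "$WORK/$2_priv.pem" -out "$1.sig" "$1"
}

# Verifier: recompute the digest and check the signature with the claimed
# signer's public key. Prints GENUINE only if data and source both check out.
verify_file() {     # $1 = file, $2 = signature, $3 = claimed signer name
    if openssl dgst -sha256 -verify "$WORK/$3_pub.pem" -signature "$2" "$1" >/dev/null 2>&1; then
        echo GENUINE
    else
        echo UNTRUSTED
    fi
}

make_keypair alice
make_keypair mallory

# Constructed sample document, signed by alice, plus a tampered copy.
printf 'transfer 100 to account 42\n' > "$WORK/order.txt"
sign_file "$WORK/order.txt" alice
sed 's/100/900/' "$WORK/order.txt" > "$WORK/order_tampered.txt"

verify_file "$WORK/order.txt" "$WORK/order.txt.sig" alice            # GENUINE
verify_file "$WORK/order_tampered.txt" "$WORK/order.txt.sig" alice   # UNTRUSTED: data changed
verify_file "$WORK/order.txt" "$WORK/order.txt.sig" mallory          # UNTRUSTED: not alice's key
```

The third check is the reason a PKI is needed at all: verification only proves "signed by whoever owns this public key", so the verifier must have some trustworthy way of knowing that the key really belongs to alice.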
4, * certificate mechanism - PKI (openssl)
  A public key infrastructure (PKI) is the infrastructure through which the three mechanisms above are delivered: a certificate binds a public key to an identity and is signed by a party both sides already trust.
  PKI includes:
  CA - certificate authority, the server that issues (signs) certificates;
  RA - registration authority, which checks applicants' identities and passes their requests on to the CA;
  CRL - certificate revocation list, the CA's signed list of certificates withdrawn before they expire;
  certificates: the root certificate (the CA's own, self-signed) and end-entity (personal, server) certificates

 

OpenSSL
  OpenSSL has two parts: the openssl command-line management tool, and the library (libssl/libcrypto) whose encryption routines programs call

  SSL/TLS history:
  1995: SSL 2.0, developed by Netscape
  1996: SSL 3.0
  1999: Netscape handed the protocol to the IETF, which published it as TLS 1.0
  2006: TLS 1.1
  2008: TLS 1.2 // the SSL/TLS version most commonly used on the Internet today
  2018: TLS 1.3
  Common files (Red Hat / CentOS layout; Debian keeps them under /etc/ssl):
  /etc/pki/tls
  /etc/pki/tls/openssl.cnf - default main configuration file
  /usr/bin/openssl - the command
  /etc/pki/CA - root directory of the certificate server (CA) service
  /etc/pki/CA/certs - directory where issued certificates are stored
  /etc/pki/CA/crl - certificate revocation lists
  /etc/pki/CA/private - the CA's private key

  index.txt // database (index) of the certificates issued
  serial // serial number for the next certificate
  private/cakey.pem // the CA's private key
  cacert.pem // the CA's root certificate
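A private CA laid out like /etc/pki/CA, as an added example that is not part of the original notes: the root certificate is created over cakey.pem, a server submits a CSR, the CA signs it, and the client checks the result against the root it holds. A second, rogue CA shows that a certificate only counts when it chains to a trusted root. The temporary directory, the host name www.example.test and the CA names are assumptions made for this demo; it needs the openssl command (the crl directory is created but the example does not generate a revocation list).

```bash
#!/bin/bash
# Added example, not from the original notes: a private CA laid out like
# /etc/pki/CA, issuing a server certificate and verifying it. Needs the openssl
# CLI; the directory under $CA and all names are assumptions for this demo.
set -eu
CA="$(mktemp -d)"
mkdir -p "$CA/certs" "$CA/crl" "$CA/private" "$CA/newcerts"
touch "$CA/index.txt"          # database of issued certificates
echo 01 > "$CA/serial"         # next serial number

# Root CA: self-signed certificate (cacert.pem) over its own key (private/cakey.pem).
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$CA/private/cakey.pem" -out "$CA/cacert.pem" \
        -subj "/CN=Demo Root CA" 2>/dev/null
}

# Server side: generate a key and a certificate signing request (CSR).
# The private key never leaves the server; only the CSR goes to the RA/CA.
make_csr() {     # $1 = hostname
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$CA/$1.key" -out "$CA/$1.csr" -subj "/CN=$1" 2>/dev/null
}

# CA side: sign the CSR with the CA key, producing certs/<host>.crt,
# consuming one number from the serial file and recording it in index.txt.
issue_cert() {   # $1 = hostname
    openssl x509 -req -in "$CA/$1.csr" -CA "$CA/cacert.pem" -CAkey "$CA/private/cakey.pem" \
        -CAserial "$CA/serial" -days 365 -out "$CA/certs/$1.crt" 2>/dev/null
    printf '%s\t%s\n' "$(openssl x509 -in "$CA/certs/$1.crt" -noout -serial)" "$1" >> "$CA/index.txt"
}

# Client side: a certificate is trusted only if it chains to a root we hold.
verify_cert() {  # $1 = certificate, $2 = trusted root certificate
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo TRUSTED; else echo UNTRUSTED; fi
}

make_root_ca
make_csr www.example.test
issue_cert www.example.test
verify_cert "$CA/certs/www.example.test.crt" "$CA/cacert.pem"      # TRUSTED

# A different CA that the client does not hold: its certificates are rejected,
# even though the subject name is identical.
ROGUE="$(mktemp -d)"
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$ROGUE/key.pem" \
    -out "$ROGUE/cacert.pem" -subj "/CN=Rogue CA" 2>/dev/null
openssl x509 -req -in "$CA/www.example.test.csr" -CA "$ROGUE/cacert.pem" -CAkey "$ROGUE/key.pem" \
    -CAcreateserial -days 365 -out "$ROGUE/www.example.test.crt" 2>/dev/null
verify_cert "$ROGUE/www.example.test.crt" "$CA/cacert.pem"         # UNTRUSTED
```

`openssl x509 -req` is the minimal signing path; the `openssl ca` command does the same job while maintaining index.txt and serial itself and can produce a CRL with `-gencrl`, which is why the real /etc/pki/CA layout has those files.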
ssh
  ssh: a secure remote login terminal service
  client/server, like telnet, but provided by OpenSSH (a software package)
  it encrypts the data it carries (the password you type is transmitted encrypted);
  SSH is its own protocol, separate from SSL/TLS, but it likewise sets up an encrypted channel before any data is transferred;
  before transmitting data:

  ssh login process:
  1, establish the encrypted tunnel
  the server sends its host public key
  the two sides agree on a random session key (key exchange), which then encrypts the session
  the tunnel is established
  [all of the following steps happen inside the tunnel]
  2, the server returns the login prompt
  3, the client enters the password - the account's password (e.g. root)

ssh authentication:
  1, password authentication
  2, key-based (public key) authentication - no password needed (passwordless login)

  scp - copy files over ssh (push to or pull from a remote host)
  sftp - interactive file transfer over ssh
  script: interactive prompts are automated with Expect;
  #!/usr/bin/expect
  spawn - open a new session (start a process, e.g. spawn /bin/bash)
  send - send a string to it, as if the user had typed it
  expect - wait for and match a string in the output
  interact - hand the session over to the user (set timeout controls how long expect waits for a match)

  expect "pattern" { send "yes\r" }

  an expect script can also be embedded in bash as a here-document:
#!/bin/bash

expect << EOF

EOF
  when one expect statement has to keep matching several prompts in turn, use exp_continue;
  set up passwordless login to 192.168.1.1 - 192.168.1.100:
#!/bin/bash
# generate the key pair once, if it does not exist yet
[ ! -f /root/.ssh/id_rsa.pub ] && ssh-keygen -t rsa -N '' -f /root/.ssh/id_rsa
# ROOTPASS is a placeholder for the targets' root password; the notes do not give it
for i in $(seq 1 100); do
expect << EOF
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.1.$i
expect {
    "yes/no"    { send "yes\r"; exp_continue }
    "password:" { send "$ROOTPASS\r" }
}
expect eof
EOF
done

Origin www.cnblogs.com/liuyuanzzz/p/11456881.html