溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
3.1、加密算法的分類
加密是以某種特殊的算法改變原有的信息數據使得未授權的用戶即使獲得了已加密的信息但因不知解密的方法仍然無法了解信息的內容。在互聯網上對數據的加密主要是保證三個方面內容數據的保密性、完整性以及對方的身份驗證。
加密類型分為兩種對稱加密與非對稱加密。
對稱加密雙方采用共同密常見算法有DES、3DES、AES等 特性加密、解密使用同一個密鑰將原始數據分割成固定大小的塊逐個進行加密。 缺陷密鑰過多密鑰分發。 |
非對稱加密密鑰是成對兒出現常見算法有RSA, DSA, ELGama等 公鑰公開給所有人pubkey 私鑰自己留存必須保證其私密性secret key 特點用公鑰加密的數據只能使用與之配對兒的私鑰解密 主要應用 數字簽名主要在于讓接收方確認發送方身份 密鑰交換發送方用對方的公鑰加密一個對稱密鑰并發送給對方 數據加密加密數據信息 |
單向加密常見算法MD5,SHA1等。 只能加密不能解密提取數據指紋 特性定長輸出、雪崩效應原數據的微小改變導致加密后的數據指紋完全變化。 |
在互聯網上進行上方的數據交互時為了保證數據的保密性與完整性以及確認對方的身份需要進行一套復雜的加密算法。
1、對需要發送的數據采用單向加密算法提取摘要信息利用A的私鑰加密摘要信息加密后的摘要信息成為數字簽名放在明文之后。 2、在利用A的私密加密成為密文。 3、再使用對稱加密使用B公鑰加密密碼成為數據信封完成保密性。 |
3.2、SSL協議與openssl
SSL(Secure Sockets Layer 安全套接層),及其繼任者傳輸層安全Transport Layer SecurityTLS是為網絡通信提供安全及數據完整性的一種安全協議。TLS與SSL在傳輸層對網絡連接進行加密。主要提供的服務為認證用戶和服務器確保數據發送到正確的客戶機和服務器加密數據以防止數據中途被竊取維護數據的完整性確保數據在傳輸過程中不被改變。
OpenSSL 是一個安全套接字層密碼庫囊括主要的密碼算法、常用的密鑰和證書封裝管理功能及SSL協議并提供豐富的應用程序供測試或其它目的使用。
Openssl的組成主要可以分為三個部分
libcrypto: 加密庫
libssl: TLS/SSL實現基于會話的、實現身份認證、數據機密性和會話完整性的TLS/SSL庫
openssl: 多用途命令行工具實現加密的工具。
openssl命令的用法
openssl command [ command_opts ] [ command_args ] openssl [ list-standard-commands | list-message-digest-commands | list-cipher-commands| list-cipher-algorithms | list-message-digest-algorithms | list-public-key-algorithms]
STANDARD COMMANDS asn1parse、ca、ciphers、cms、crl、crl2pkcs7、dgst、dh、dhparam、dsa、dsaparam ec ecparam enc engine errstr gendh gendsa genpkey genrsa nseq ocsp passwd pkcs12 pkcs7 pkey pkeyparam pkeyutl rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac ts verify x509 MESSAGE DIGEST COMMANDS md2 md5 mdc2 rmd160 sha sha1 sha224 sha256 sha384 sha512 ENCODING AND CIPHER COMMANDS base64 Base64 Encoding bf bf-cbc bf-cfb bf-ecb bf-ofb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb |
對稱加密
openssl enc -des3 -a -salt -in /path/to/input_file -out cipher_file #加密 openssl enc -d -des3 -a -salt -in /path/to/cipher_file -out clear_file #解密 |
[root@mylinux home]# cat test.py #查看文件內容 #!/usr/bin/python3 def add(num1,num2): ''' >>> add(12,23) 35 ''' return num1+num2 if __name__ == '__main__': import doctest doctest.testmod() [root@mylinux home]# openssl enc -des3 -a -salt -in test.py -out cipher.py #對文件加密 enter des-ede3-cbc encryption password: Verifying - enter des-ede3-cbc encryption password: [root@mylinux home]# cat cipher.py #加密后的文檔 U2FsdGVkX1/UmevKTgGU4h+9lzx024oU9uI9ifaddQZ008Sg+FGEpFVXMZe77/NH REcx8lgonK+05Qilx9lbFtIO0qY8jsEQF9yyiQEF4H0sYzIVnh6W5fq6k3RvZRfF pPaIw0L3OMdj+N8i5hxLsjusD/aPvpAtzial/VDOFZ8TJulXotzpRMjUvlKum8Og MUxzTNwAHKZbAaPL2vdQoPpvLuM3bL2VYTkJyn/tWv0= [root@mylinux home]# openssl enc -d -des3 -a -salt -in cipher.py -out test1.py #解密 enter des-ede3-cbc decryption password: [root@mylinux home]# cat test1.py #解密后的文檔 #!/usr/bin/python3 def add(num1,num2): ''' >>> add(12,23) 35 ''' return num1+num2 if __name__ == '__main__': import doctest doctest.testmod() [root@mylinux home]#
單向加密
openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-out filename] somefile |
[root@mylinux home]# ls date loganalyzer-3.6.6 python_web shell wswp-code dow.zip __pycache__ samba test.py [root@mylinux home]# openssl md5 test.py #提取test.py的md5特征碼 MD5(test.py)= cafc9ca93649c2b9d67f33075402ce24
公鑰加密公鑰加密(一般不會用來加密數據)私鑰解密數據
密鑰交換獲得對方的公鑰、數據加密使用對方的公鑰、身份認證使用自己的私鑰
openssl genrsa -out /PATH/TO/KEYFILENAME NUMBITS 生成私鑰rsa openssl rsa -in /PATH/TO/KEYFILENAME -pubout提取公鑰 |
[root@mylinux home]# openssl genrsa -out private.pem 2048 #生成私鑰
Generating RSA private key, 2048 bit long modulus
..........................................................+++
.................................................+++
e is 65537 (0x10001)
[root@mylinux home]# openssl rsa -in private.pem -pubout -out pub.pem #私鑰中提取公鑰
writing RSA key
[root@mylinux home]# ls
cipher.py dow.zip private.pem __pycache__ samba test.py
date loganalyzer-3.6.6 pub.pem python_web shell wswp-code
[root@mylinux home]# cat date
ls -l
date
[root@mylinux home]# openssl rsautl -encrypt -in date -inkey pub.pem -pubin -out date.en #利用公鑰加密date文件
[root@mylinux home]# cat date.en #加密后文件
)L:vsnWiyc$[%v4,ogqNwktU1]W}YB&u$q {F[root@mylinux home]#
[root@mylinux home]# openssl rsautl -decrypt -in date.en -inkey private.pem -out date.de #使用私鑰解密文件
[root@mylinux home]# cat date.de #解密后文件
ls -l
date3.3、簽發證書與CA
在網上通信時,通常需要將數據進行加密,對于一個使用了SSL的web網站擁有者必須要產生一個CSR(Certificate Signing Request,簽發證書請求),CSR是一個數字文件,其中包含一個公鑰和一個公司名稱,'證書'必須由一個稱為CA(Certificate Authority,證書授權機構)的可信來源簽發。
CA服務器的生成:
1、確定CA的工作目錄
[root@promote CA]# vim /etc/pki/tls/openssl.cnf certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL ... [ CA_default ] dir = /etc/pki/CA # Where everything is kept #工作目錄 ...
2、自簽證書
[root@promote ~]# cd /etc/pki/CA/ [root@promote CA]# ls certs crl newcerts private [root@promote CA]# umask 077 [root@promote CA]# openssl genrsa -out private/cakey.pem 2048 #生成私鑰 Generating RSA private key, 2048 bit long modulus .......................+++ ...............................................................+++ e is 65537 (0x10001) [root@promote CA]# openssl rsa -in private/cakey.pem -text -noout #可以查看公鑰 Private-Key: (2048 bit) modulus: 00:a3:a5:32:18:d8:3f:8a:6a:b7:8c:f2:3f:85:b9: d5:ea:d4:21:47:c3:11:9c:1b:65:22:b8:02:ac:2f: 51:e0:d5:0a:bd:e1:d9:5c:de:cd:80:3a:3a:b3:15: c0:38:db:b4:b7:4d:34:32:6f:7a:90:85:8a:b5:68: c2:04:9c:71:e9:0f:5a:e4:06:77:93:ef:5b:be:32: ba:0f:d8:aa:90:19:b0:2f:f2:13:06:a2:7b:a3:72: c7:28:34:a3:d9:0f:d7:35:1b:28:4e:73:cf:5c:ca: 7e:4d:56:c1:56:82:83:c2:c7:d9:31:f5:9a:0d:9a: 53:63:21:40:99:81:ee:6a:80:37:47:4a:b0:4f:5e: 7c:3b:e1:79:85:de:99:d7:85:fd:f8:5c:c8:c7:16: 7f:d3:b6:36:1e:54:08:be:7a:27:a2:3c:c4:7c:c2: 76:e8:26:56:17:24:3c:f4:cb:ba:80:97:f1:17:11: 6b:2d:b5:93:df:04:54:14:dc:1f:cf:49:43:31:f7: fe:ae:99:a0:34:cc:d1:85:61:c5:55:e7:27:4b:60: 3d:6e:a4:71:1a:43:58:9b:3f:27:29:66:04:41:c4: 7e:41:bb:08:82:be:ec:68:56:37:b1:fa:7d:53:09: 10:8a:4c:39:81:28:c2:83:33:88:63:f0:3e:bb:f4: bb:37 ... [root@promote CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 365 #生成證書 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CH State or Province Name (full name) []:AH Locality Name (eg, city) [Default City]:AQ Organization Name (eg, company) [Default Company Ltd]:UJS Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []: Email Address []:
3、創建需要的文件:
[root@promote CA]# touch index.txt serial crlnumber [root@promote CA]# echo 01 > serial [root@promote CA]# ls cacert.pem certs crl crlnumber index.txt newcerts private serial
證書申請方:
1、為某服務生成密鑰:
[root@promote CA]# cd /etc/ssh/ [root@promote ssh]# ls moduli ssh_host_dsa_key ssh_host_key.pub ssh_config ssh_host_dsa_key.pub ssh_host_rsa_key sshd_config ssh_host_key ssh_host_rsa_key.pub [root@promote ssh]# mkdir ssh [root@promote ssh]# cd ssh [root@promote ssh]# umask 077 [root@promote ssh]# openssl genrsa 1024 >ssh.key #生成秘鑰 Generating RSA private key, 1024 bit long modulus ....................++++++ .............++++++ e is 65537 (0x10001) [root@promote ssh]# openssl req -new -key ssh.key -out ssh.csr #生成證書簽署請求 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CA State or Province Name (full name) []:AH Locality Name (eg, city) [Default City]:AQ Organization Name (eg, company) [Default Company Ltd]:UJS Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:www.mylinux.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:mylinux
2、將此請求通過某方式傳遞給CA服務器
#scp ssh.csr USERNAME@HOST:/path/to/somewhere(復制到CA服務器)
3、CA簽署證書(在CA服務器上操作),再發送給申請方
[root@promote ssh]# openssl ca -in ssh.csr -out ssh.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: May 16 20:22:46 2017 GMT Not After : May 16 20:22:46 2018 GMT Subject: countryName = CA stateOrProvinceName = AH organizationName = UJS commonName = www.mylinux.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 02:46:26:FF:10:D9:7F:8A:70:68:41:52:E1:6F:35:46:7C:FF:A6:BB X509v3 Authority Key Identifier: keyid:0A:04:7A:44:C6:8B:69:FD:7E:B0:F3:E4:5A:90:F4:DE:83:9B:A1:95 Certificate is to be certified until May 16 20:22:46 2018 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@promote ssh]# ls ssh.crt ssh.csr ssh.key # scp vsftpd.crt USERNAME@HOST:/path/to/somewhere(復制到申請方)
openssl中有各后綴名的文件的含義
.key格式:私有的密鑰
.crt格式:證書文件,certificate的縮寫
.csr格式:證書簽名請求(證書請求文件),含有公鑰信息,certificate signing request的縮寫
.crl格式:證書吊銷列表,Certificate Revocation List的縮寫
.pem格式:用于導出,導入證書時候的證書的格式,有證書開頭,結尾的格式
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
